[Intelmq-dev] changing bot runtime parameter

Sebastian Wagner wagner at cert.at
Wed Jul 11 16:18:26 CEST 2018


Hi,

On 2018-07-10 11:48, Salehi Ghamsari, Majid wrote:
>
> > Is the IP part of the message or is it a mapping needed?
> test-file-collector (192.0.2.0-192.0.2.255) ---------->
> test-message-expert (192.0.2.10) ---> test-tcp-output
> No, the idea is that the expert bot makes the IP range correlation with an
> interface (REST GET) from an external server.
> Example:
> 192.0.2.10 = Get_IP4RANGE_FROM_SEVER ("192.0.2.0-192.0.2.255")
>

To make sure I understood it correctly:
There is an expert that sends the 'source.ip' field to an external
server. It returns an IP where the data should be sent to with the TCP
output. The mapping is done entirely by the external server, not in
IntelMQ. In this case:

> I would like to set the IP runtime parameter (192.0.2.10) of the
> TCP-output bot "test-tcp-output".
> I honestly did not understand how to implement this with filters.
>
No, it's currently not. If the mapping had been applied by using
filters inside IntelMQ, it would be easier. But I recently implemented
something similar for the file output bot, see
https://github.com/certtools/intelmq/blob/maintenance/docs/Bots.md#filename-formatting
So it could also be done for the tcp output in a similar way.

Do you plan to use the tcp collector/output mechanism to exchange data
between the melicertes instances?

Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Company register number 172568b, Regional Court Salzburg
