[IntelMQ-dev] Feed handling bug in shadowserver parser bot?

Mon Sep 5 11:16:18 CEST 2022

Hi Sebastian,

 I tried to find info about this problem from the intelmq repo in github but was unlucky with the search criteria. It could be a similar problem, but if it was fixed in 2.1.2, it is as if a variant of it has sneaked in into 3.0.2. I'll try to debug.

Br, Mika

----- Original Message -----
From: "Sebix" <sebix at sebix.at>
To: "Mika Silander" <mika.silander at csc.fi>, "intelmq-dev" <intelmq-dev at lists.cert.at>
Sent: Monday, 5 September, 2022 10:58:08
Subject: Re: [IntelMQ-dev] Feed handling bug in shadowserver parser bot?

Hi,

There *was* a bug similar to this, but I fixed that one two years ago in
2.1.2. Just for reference:
https://github.com/certtools/intelmq/issues/1493
https://github.com/certtools/intelmq/commit/ac9e442f522e9bc5fcfe1cb5591d7b636630be17

The shadowserver parsers detects the feed based on the reported file
name, as passed on by the collector. I'd clarify if
- the field `extra.file_name` of the mail collector's outgoing report is
correct
- the shadowserver parser correctly determines the feed from it. The
shadowserver parser logs (in debug level) "Detected report's file name
..." for every incoming report. That's the first thing I'd check.

Sebastian

On 9/5/22 9:48 AM, Mika Silander wrote:
> Hi,
>
>  Currently the parameters section for the parser bot in runtime.yaml is just:
>
>   parameters:
>     destination_queues:
>       _default: [fc-set-event-constant-expert-queue]
>     overwrite: true
>   run_mode: continuous
>
> Br, Mika
>
>
> ----- Original Message -----
> From: "Sebix" <sebix at sebix.at>
> To: "Mika Silander" <mika.silander at csc.fi>, "intelmq-dev" <intelmq-dev at lists.cert.at>
> Sent: Monday, 5 September, 2022 10:43:56
> Subject: Re: [IntelMQ-dev] Feed handling bug in shadowserver parser bot?
>
> Can you please show the configuration (parameters) of your shadowserver
> parser?
>
> On 9/5/22 9:42 AM, Mika Silander wrote:
>> Hi,
>>
>>  We've been running intelmq in a production-like setup for some time now and occasionally we see the Shadowserver Parser bot behave in a way that looks odd. We push reports to it via the mail attachment collector bot. At times, the parser bot ends up treating all reports as being of the type Vulnerable ISAKMP. We don't know what triggers this behaviour but so far we've seen this when the parser parses Sandbox URL and Open TFTP reports, both filling the log (debug level) with notifications of "missing keys" or "optional keys not found" because the parser assumes the feed to be Vulnerable ISAKMP. And before this occurs, the parser has been running for a good while.
>>
>>  We've picked up the the problematic Sandbox URL and Open TFTP reports above and made unit test cases of these - all tests are correctly parsed, the feed name is deduced correctly and the tests are successful, so the parser handles these correctly if these are the first reports parsed. Therefore, our assumption is that this problem occurs only when the parser has been running for a longer time and some state information about the feed type does not get cleared between parsing incoming reports.
>>
>>  Anyone else experiencing similar problems? This is a tricky one to debug so I decided to ask on the list first.
>>
>> Br, Mika
>>
>> P.S: Our setup is intelmq 3.0.2 on an Ubuntu 20.04 LTS  
>> _______________________________________________
>> IntelMQ-dev mailing list
>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
>> https://intelmq.readthedocs.io/

-- 
Institute for Common Good Technology
gemeinnütziger Kulturverein - nonprofit cultural society
https://sebix.at/
ZVR 1510673578