<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=windows-1252">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hi,</p>
    On 2018-07-10 11:48, Salehi Ghamsari, Majid wrote:<br>
    <blockquote type="cite"
      cite="mid:66b452ef36ee47f590ca1e0618a404cc@fokus.fraunhofer.de">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <meta name="Generator" content="Microsoft Word 15 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin-top:0cm;
        margin-right:0cm;
        margin-bottom:8.0pt;
        margin-left:0cm;
        line-height:105%;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        color:black;
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        line-height:105%;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        color:black;
        mso-fareast-language:EN-US;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0cm;
        margin-bottom:.0001pt;
        line-height:normal;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;
        mso-fareast-language:DE;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Courier New";
        mso-fareast-language:DE;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><span lang="EN">> Is the IP part of the
            message or is it a mapping needed?<br>
            test-file-collector (192.0.2.0-192.0.2.255) ---------->
            test-message-expert (192.0.2.10) ---> test-tcp-output<br>
            No, the idea is that the expert bot makes ip range
            correlation with interface (REST GET) from extern server.<br>
            example<br>
            192.0.2.10 = Get_IP4RANGE_FROM_SEVER
            ("192.0.2.0-192.0.2.255")<br>
          </span></p>
      </div>
    </blockquote>
    <br>
    To make sure I understood it correctly:<br>
    There is an expert that sends the 'source.ip' field to an external
    server. It returns an IP where the data should be sent to with the
    TCP output. The mapping is done entirely by the external server, not
    in IntelMQ. In this case:<br>
    <br>
    <blockquote type="cite"
      cite="mid:66b452ef36ee47f590ca1e0618a404cc@fokus.fraunhofer.de">
      <div class="WordSection1">
        <p class="MsoNormal"><span lang="EN">
            I would like to set the IP runtime parameter (192.0.2.10) of
            the TCP-output bot "test-tcp-output".<br>
            I honestly did not understand how to implement this with
            filters.</span></p>
      </div>
    </blockquote>
    No it's currently not. If the mapping would have been applied by
    using filters inside IntelMQ it be easier. But I recently
    implemented something similar for the file output bot, see
<a class="moz-txt-link-freetext" href="https://github.com/certtools/intelmq/blob/maintenance/docs/Bots.md#filename-formatting">https://github.com/certtools/intelmq/blob/maintenance/docs/Bots.md#filename-formatting</a><br>
    So it could also be done for the tcp output in a similar way.<br>
    <br>
    Do you plan to use the tcp collector/output mechanism to exchange
    data between the melicertes instances?<br>
    <br>
    Sebastian<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
// Sebastian Wagner <a class="moz-txt-link-rfc2396E" href="mailto:wagner@cert.at"><wagner@cert.at></a> - T: +43 1 5056416 7201
// CERT Austria - <a class="moz-txt-link-freetext" href="https://www.cert.at/">https://www.cert.at/</a>
// Eine Initiative der nic.at GmbH - <a class="moz-txt-link-freetext" href="https://www.nic.at/">https://www.nic.at/</a>
// Firmenbuchnummer 172568b, LG Salzburg</pre>
  </body>
</html>