<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p>Why don't you save the decoded value in <span lang="EN-US">"msg[data]"
(whatever that is) in the first place?<br>
</span></p>
<div class="moz-cite-prefix">On 10/19/22 10:59 AM, Guillaume GRANJON
DE LEPINEY via IntelMQ-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:GVXPR10MB5909423D810B4775453B1A7E8C2B9@GVXPR10MB5909.EURPRD10.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">I must have misspoken.
What I want to do is that I have base64 encoded data in my
msg.data and I want to modify my source.url in the modify
expert to have XXXX={msg[data]} in decoded version.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Today when I do this on
the modify expert, it gives me:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">XXXX=YmFzZTY0ZGF0YQ==<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">while I would like:<o:p></o:p></span></p>
<p class="MsoNormal">XXXX=base64data<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">All this without
modifying the rest of my configuration, I know I could add a
temporary field in harmonization.conf that contains my
decrypted data, but I don't find it very clean.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="mso-fareast-language:FR">Guillaume<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="mso-fareast-language:FR">De :</span></b><span
style="mso-fareast-language:FR"> Mika Silander
<a class="moz-txt-link-rfc2396E" href="mailto:mika.silander@csc.fi"><mika.silander@csc.fi></a>
<br>
<b>Envoyé :</b> mercredi 19 octobre 2022 10:53<br>
<b>À :</b> <a class="moz-txt-link-abbreviated" href="mailto:intelmq-users@lists.cert.at">intelmq-users@lists.cert.at</a><br>
<b>Cc :</b> Guillaume GRANJON DE LEPINEY
<a class="moz-txt-link-rfc2396E" href="mailto:ggranjon@excellium-services.be"><ggranjon@excellium-services.be></a><br>
<b>Objet :</b> Re: [IntelMQ-users] Modify expert get the
value of data<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" style="width:100.0%" width="100%"
cellspacing="0" cellpadding="0" border="0" align="left">
<tbody>
<tr>
<td style="background:#A6A6A6;padding:5.25pt 1.5pt 5.25pt
1.5pt"><br>
</td>
<td style="width:100.0%;background:#EAEAEA;padding:5.25pt
3.75pt 5.25pt 11.25pt" width="100%">
<div>
<p class="MsoNormal"
style="mso-element:frame;mso-element-frame-hspace:2.25pt;mso-element-wrap:around;mso-element-anchor-vertical:paragraph;mso-element-anchor-horizontal:column;mso-height-rule:exactly"><span
style="font-size:9.0pt;font-family:"Segoe
UI",sans-serif;color:#212121">You don't often
get email from
<a href="mailto:mika.silander@csc.fi"
moz-do-not-send="true">mika.silander@csc.fi</a>.
<a
href="https://aka.ms/LearnAboutSenderIdentification"
moz-do-not-send="true">
Learn why this is important</a><o:p></o:p></span></p>
</div>
</td>
<td style="width:56.25pt;background:#EAEAEA;padding:5.25pt
3.75pt 5.25pt 3.75pt;align:left" width="75">
<br>
</td>
</tr>
</tbody>
</table>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Hi
Guillaume,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> Not
entirely sure as to why you need to decode parts of
your Modify expert's configurations, but in
intelmq/lib/utils.py you have the base64_encode and
base64_decode functions that may be of use to you.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Testing
and experimenting what decoded and encoded data looks
like can also be achieved on the command line, e.g.
(on Ubuntu with the base64 executable provided by the
coreutils package):<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">echo
"a text sample" | base64 | base64 -d -<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">gives
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">a
text sample<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> I
hope this helps.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Br,
Mika<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" style="text-align:center"
align="center"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">
<hr id="zwchr" width="100%" size="2" align="center">
</span></div>
<div>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">From:
</span></b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">"Guillaume
GRANJON DE LEPINEY via IntelMQ-users" <<a
href="mailto:intelmq-users@lists.cert.at"
moz-do-not-send="true">intelmq-users@lists.cert.at</a>><br>
<b>To: </b>"<a
href="mailto:intelmq-users@lists.cert.at"
moz-do-not-send="true">intelmq-users@lists.cert.at</a>"
<<a href="mailto:intelmq-users@lists.cert.at"
moz-do-not-send="true">intelmq-users@lists.cert.at</a>><br>
<b>Sent: </b>Wednesday, 19 October, 2022 11:28:31<br>
<b>Subject: </b>[IntelMQ-users] Modify expert get the
value of data<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:FR"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Hello,</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">This may be a silly question, but I can't
find the answer.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Is it possible to get the decoded value
(not base 64) of my data in a configuration file of
the bot intelmq.bots.experts.modify.expert?</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">I would like to do something like that
with the decoded value:</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"><img
style="width:10.7187in;height:2.0729in"
id="Image_x0020_1"
src="cid:part6.A4F24296.3B097612@sebix.at" class=""
width="1029" height="199" border="0"></span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Regards,</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">
</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="color:black">Guillaume
GRANJON de LÉPINEY</span></b><span
style="color:black"> |
<a href="mailto:ggranjon@excellium-services.be"
target="_blank" moz-do-not-send="true"><span
style="color:#0563C1">ggranjon@excellium-services.be</span></a>
| PGP Key ID:
<a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpgp.circl.lu%2Fpks%2Flookup%3Fsearch%3D0xE2FD5ED1%26fingerprint%3Don%26op%3Dindex&data=05%7C01%7Cggranjon%40excellium-services.be%7Ca3ea354bfbba4c917b8508dab1af53c0%7C6fbe60251d0f498dae4423b34f048283%7C1%7C0%7C638017663871879706%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=nxpQCH7aMResUacA8%2BXVVLi9u%2B%2B8xbz5KcsKa9ZR%2BjI%3D&reserved=0"
target="_blank" moz-do-not-send="true">
<span style="color:#0563C1">0xE2FD5ED1</span></a><br>
<b>CERT-XLM</b> | <a
href="mailto:cert@excellium-services.com"
target="_blank" moz-do-not-send="true"><span
style="color:#0563C1">cert@excellium-services.com</span></a>
| PGP Key ID:
<a
href="https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpgp.circl.lu%2Fpks%2Flookup%3Fop%3Dvindex%26fingerprint%3Don%26search%3D0x67B311E5D74E5AC0&data=05%7C01%7Cggranjon%40excellium-services.be%7Ca3ea354bfbba4c917b8508dab1af53c0%7C6fbe60251d0f498dae4423b34f048283%7C1%7C0%7C638017663871879706%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=AbZwJGETGujbrPGAdr4X86B%2Fdbaxw9LZHshHzDWWH1I%3D&reserved=0"
target="_blank" moz-do-not-send="true">
<span style="color:#0563C1">0xD74E5AC0</span></a> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Excellium Services Belgium N.V. | Orion
Bldg, Belgicastraat 13, B-1930 Zaventem, Belgium<br>
Mobile: +32 4 71 98 57 65</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Emergency: +352 262 039 64 708 |
</span><span style="color:black"><a
href="mailto:emergency@excellium-services.com"
target="_blank" moz-do-not-send="true"><span
style="color:#0563C1" lang="EN-US">emergency@excellium-services.com</span></a></span><span
style="color:black" lang="EN-US"> | PGP Key ID:
</span><span style="color:black"><a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexcellium-services.com%2Fassets%2FEMERGENCY_PKEY.asc&data=05%7C01%7Cggranjon%40excellium-services.be%7Ca3ea354bfbba4c917b8508dab1af53c0%7C6fbe60251d0f498dae4423b34f048283%7C1%7C0%7C638017663871879706%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=zc5o7E0M2056ZkfmXQOhjFbvc2ryBMeRTuzKcnZLLdg%3D&reserved=0"
target="_blank" moz-do-not-send="true"><span
style="color:#0563C1" lang="EN-US">0x42662EFE</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"><a
href="https://excellium-services.com/en/CERT-XLM/"
target="_blank" moz-do-not-send="true"><span
style="color:#0563C1">https://excellium-services.com/en/CERT-XLM/</span></a></span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"><a
href="https://www.trusted-introducer.org/directory/teams/cert-xlm.html"
target="_blank" moz-do-not-send="true"><span
style="color:#0563C1">https://www.trusted-introducer.org/directory/teams/cert-xlm.html</span></a></span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"><a
href="https://www.first.org/members/teams/cert-xlm"
target="_blank" moz-do-not-send="true"><span
style="color:#0563C1">https://www.first.org/members/teams/cert-xlm</span></a></span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:FR">This
email is confidential and may contain legally
privileged information. If you are not the intended
recipient, you should not copy, distribute, disclose
or use the information it contains, please e-mail the
sender immediately and delete this message from your
system. Note: e-mails are susceptible to corruption,
interception and unauthorised amendment; we do not
accept liability for any such changes, or for their
consequences. You should be aware that we may monitor
your e-mails and their content. Excellium Services SA.
<br>
-- <br>
List settings:<br>
<a
href="https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users"
moz-do-not-send="true">https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users</a><br>
IntelMQ Documentation: <a
href="https://intelmq.readthedocs.io/"
moz-do-not-send="true">https://intelmq.readthedocs.io/</a><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
This email is confidential and may contain legally privileged
information. If you are not the intended recipient, you should not
copy, distribute, disclose or use the information it contains,
please e-mail the sender immediately and delete this message from
your system. Note: e-mails are susceptible to corruption,
interception and unauthorised amendment; we do not accept
liability for any such changes, or for their consequences. You
should be aware that we may monitor your e-mails and their
content. Excellium Services SA.
<br>
</blockquote>
<br>
<p><br>
</p>
<pre class="moz-signature" cols="72">Institute for Common Good Technology
gemeinnütziger Kulturverein - nonprofit cultural society
<a class="moz-txt-link-freetext" href="https://sebix.at/">https://sebix.at/</a>
ZVR 1510673578</pre>
</body>
</html>