<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"Préformaté HTML Car";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
span.PrformatHTMLCar
{mso-style-name:"Préformaté HTML Car";
mso-style-priority:99;
mso-style-link:"Préformaté HTML";
font-family:Consolas;
mso-fareast-language:EN-US;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="FR" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">I'll do that if you don't see any other solution.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thank you,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="mso-fareast-language:FR">Guillaume<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="mso-fareast-language:FR">From:</span></b><span style="mso-fareast-language:FR"> IntelMQ-users &lt;intelmq-users-bounces@lists.cert.at&gt;
<b>On Behalf Of</b> Sebix<br>
<b>Sent:</b> Wednesday, 19 October 2022 11:02<br>
<b>To:</b> Guillaume GRANJON DE LEPINEY &lt;ggranjon@excellium-services.be&gt;; Mika Silander &lt;mika.silander@csc.fi&gt;; intelmq-users@lists.cert.at<br>
<b>Subject:</b> Re: [IntelMQ-users] Modify expert get the value of data<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Why don't you save the decoded value in <span lang="EN-US">"msg[data]" (whatever that is) in the first place?</span><o:p></o:p></p>
<div>
<p class="MsoNormal">On 10/19/22 10:59 AM, Guillaume GRANJON DE LEPINEY via IntelMQ-users wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">I must have misspoken. What I want to do is that I have base64 encoded data in my msg.data and I want to modify my source.url in the modify expert to have XXXX={msg[data]} in decoded version.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Today when I do this on the modify expert, it gives me:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">XXXX=YmFzZTY0ZGF0YQ==</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">while I would like:</span><o:p></o:p></p>
<p class="MsoNormal">XXXX=base64data<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">All this without modifying the rest of my configuration, I know I could add a temporary field in harmonization.conf that contains my decrypted data, but I don't find it very clean.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="mso-fareast-language:FR">Guillaume</span><o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="mso-fareast-language:FR">From:</span></b><span style="mso-fareast-language:FR"> Mika Silander
<a href="mailto:mika.silander@csc.fi">&lt;mika.silander@csc.fi&gt;</a> <br>
<b>Sent:</b> Wednesday, 19 October 2022 10:53<br>
<b>To:</b> <a href="mailto:intelmq-users@lists.cert.at">intelmq-users@lists.cert.at</a><br>
<b>Cc:</b> Guillaume GRANJON DE LEPINEY <a href="mailto:ggranjon@excellium-services.be">
&lt;ggranjon@excellium-services.be&gt;</a><br>
<b>Subject:</b> Re: [IntelMQ-users] Modify expert get the value of data</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Hi Guillaume,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> Not entirely sure as to why you need to decode parts of your Modify expert's configurations, but in intelmq/lib/utils.py you have the base64_encode and base64_decode
functions that may be of use to you.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Testing and experimenting what decoded and encoded data looks like can also be achieved on the command line, e.g. (on Ubuntu with the base64 executable provided by
the coreutils package):</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">echo "a text sample" | base64 | base64 -d -</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">gives
</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">a text sample</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> I hope this helps.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Br, Mika</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">
<hr size="2" width="100%" align="center">
</span></div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">From:
</span></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">"Guillaume GRANJON DE LEPINEY via IntelMQ-users" <<a href="mailto:intelmq-users@lists.cert.at">intelmq-users@lists.cert.at</a>><br>
<b>To: </b>"<a href="mailto:intelmq-users@lists.cert.at">intelmq-users@lists.cert.at</a>" <<a href="mailto:intelmq-users@lists.cert.at">intelmq-users@lists.cert.at</a>><br>
<b>Sent: </b>Wednesday, 19 October, 2022 11:28:31<br>
<b>Subject: </b>[IntelMQ-users] Modify expert get the value of data</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:FR"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Hello,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">This may be a silly question, but I can't find the answer.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Is it possible to get the decoded value (not base 64) of my data in a configuration file of the bot intelmq.bots.experts.modify.expert?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">I would like to do something like that with the decoded value:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"><img border="0" width="1029" height="199" style="width:10.7187in;height:2.0729in" id="Image_x0020_1" src="cid:image001.png@01D8E3AA.547DB6A0"></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">
</span><o:p></o:p></p>
<p class="MsoNormal"><b><span style="color:black">Guillaume GRANJON de LÉPINEY</span></b><span style="color:black"> |
<a href="mailto:ggranjon@excellium-services.be" target="_blank"><span style="color:#0563C1">ggranjon@excellium-services.be</span></a> | PGP Key ID:
<a href="https://pgp.circl.lu/pks/lookup?search=0xE2FD5ED1&amp;fingerprint=on&amp;op=index" target="_blank">
<span style="color:#0563C1">0xE2FD5ED1</span></a><br>
<b>CERT-XLM</b> | <a href="mailto:cert@excellium-services.com" target="_blank"><span style="color:#0563C1">cert@excellium-services.com</span></a> | PGP Key ID:
<a href="http://pgp.circl.lu/pks/lookup?op=vindex&amp;fingerprint=on&amp;search=0x67B311E5D74E5AC0" target="_blank">
<span style="color:#0563C1">0xD74E5AC0</span></a> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Excellium Services Belgium N.V. | Orion Bldg, Belgicastraat 13, B-1930 Zaventem, Belgium<br>
Mobile: +32 4 71 98 57 65</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black">Emergency: +352 262 039 64 708 |
</span><span style="color:black"><a href="mailto:emergency@excellium-services.com" target="_blank"><span lang="EN-US" style="color:#0563C1">emergency@excellium-services.com</span></a></span><span lang="EN-US" style="color:black"> | PGP Key ID:
</span><span style="color:black"><a href="https://excellium-services.com/assets/EMERGENCY_PKEY.asc" target="_blank"><span lang="EN-US" style="color:#0563C1">0x42662EFE</span></a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"><a href="https://excellium-services.com/en/CERT-XLM/" target="_blank"><span style="color:#0563C1">https://excellium-services.com/en/CERT-XLM/</span></a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"><a href="https://www.trusted-introducer.org/directory/teams/cert-xlm.html" target="_blank"><span style="color:#0563C1">https://www.trusted-introducer.org/directory/teams/cert-xlm.html</span></a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"><a href="https://www.first.org/members/teams/cert-xlm" target="_blank"><span style="color:#0563C1">https://www.first.org/members/teams/cert-xlm</span></a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:FR">This email is confidential and may contain legally privileged information. If you are not the intended recipient, you should not copy, distribute,
disclose or use the information it contains, please e-mail the sender immediately and delete this message from your system. Note: e-mails are susceptible to corruption, interception and unauthorised amendment; we do not accept liability for any such changes,
or for their consequences. You should be aware that we may monitor your e-mails and their content. Excellium Services SA.
<br>
-- <br>
List settings:<br>
<a href="https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users">https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users</a><br>
IntelMQ Documentation: <a href="https://intelmq.readthedocs.io/">
https://intelmq.readthedocs.io/</a></span><o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal"><span style="mso-fareast-language:FR"><o:p> </o:p></span></p>
<p><o:p> </o:p></p>
<pre>Institute for Common Good Technology<o:p></o:p></pre>
<pre>gemeinnütziger Kulturverein - nonprofit cultural society<o:p></o:p></pre>
<pre><a href="https://sebix.at/">https://sebix.at/</a><o:p></o:p></pre>
<pre>ZVR 1510673578<o:p></o:p></pre>
</div>
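<p>Added example, not part of the original thread and not IntelMQ's own code: the decode-then-template step discussed above, as stand-alone Python that decodes the base64 <code>data</code> field and substitutes it into a <code>{msg[data]}</code> placeholder for <code>source.url</code>. It uses the standard library's <code>base64</code> module instead of <code>intelmq.lib.utils.base64_decode</code> so it runs without IntelMQ installed. The template URL, the <code>collector.example</code> host and the function names are assumptions.</p>

```python
import base64
import binascii
from urllib.parse import quote

# Assumed template: "XXXX={msg[data]}" is the placeholder form quoted in the thread;
# the collector.example host is made up for this example.
TEMPLATE = "https://collector.example/report?XXXX={msg[data]}"


def decode_field(value):
    """Strictly decode a base64 string to UTF-8 text; None if it is malformed."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError, TypeError):
        return None


def render_source_url(msg, template=TEMPLATE):
    """Return a copy of the event with source.url built from the decoded 'data'.

    The stored 'data' field stays base64; only the value substituted into the
    template is decoded. It is percent-encoded first, so characters such as
    '&', '#' or a newline in feed-supplied data cannot change the URL structure.
    An event whose 'data' does not decode is returned unchanged.
    """
    out = dict(msg)
    decoded = decode_field(msg.get("data"))
    if decoded is not None:
        view = dict(msg, data=quote(decoded, safe=""))
        out["source.url"] = template.format(msg=view)
    return out


# Constructed sample events (not real feed data).
SAMPLES = [
    {"data": "YmFzZTY0ZGF0YQ=="},                                   # value from the thread
    {"data": base64.b64encode(b"id=1&next=#x\n").decode("ascii")},  # URL metacharacters
    {"data": "not base64!!"},                                        # malformed input
    {"data": "//4="},                                                # bytes that are not UTF-8
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(render_source_url(event).get("source.url"))
```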
</body>
</html>