Dear list,
in pull request #944 (netlab 360 enh [0]) by navtej an issue came up
which can't be solved trivially:
The feed Netlab 360 DGA[1] - which is already included in intelmq -
provides a validity time frame for each domain. Most of those (~90%) end
in 2030 while the start date is the current day at 00:00.
So both start and end time are artificial. And the source claims the
event is valid in the future, which is a very odd. And does it actually
make sense to forward this kind of information?
Also, we can't really handle this time information using the current
harmonization.
One idea would be to set time.source to time.observation if the
time.source is in the future. So time.source <= time.observation does
always apply.
What do you think?
Sebastian
[0]: https://github.com/certtools/intelmq/pull/944
[1]: http://data.netlab.360.com/feeds/dga/dga.txt - attention, quite
big! The domains at the beginning have a very near end date.
--
// Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
= Intelmq-dev-news 05-2016
Issue 5/2016
== Topics ==
# Summary of IHAP meeting in April
# Status update Intevation
# Status update CERT.at
# Status update misc
== May 2016 ==
Dear Intelmq-dev mailing list readers,
this is the second issue of intelmq developer news.
We hope it's useful.
TL;DR and important changes
-----------------------------
The syntax of intelmqcli was changed to a new format:
intelmqctl {start,stop} bot_id.
This breaks compatibilty with existing scripts.
If you put intelmqctl into some script, please adapt it. Also
please be sure to check out the latest version of the intelmq-manager
in case you use it.
Lots of open issues. Progress with intelmqcli (to connect postgresql to the RT ticket system).
/ TL;DR
=== How to contribute to this newsletter? ===
-> contact Aaron, Dustin for future input
=== Summary of IHAP meeting in April ===
In April the IHAP Meeting took place in Vienna.
* A Hacksession the night before the meeting was used by Raphael and Aaron in
order to bridge MISP and IntelMQ.
* Connections between Abusehelper and IntelMQ are on some CERTs wish list.
XMPP is a good start. Unfortunately the XMPP Bot upstream was not fit for
production.
=== Status report Intevation ===
* Still working on the KontaktDB, we appreciate the discussions that started
on IHAP Meeting.
We received a Pull Request from Cert.at and are currently reviewing it.
* We have Scripts to import Data into the KontaktDB.
Nevertheless there is some work left.
* Demonstrated installation from packages on Ubuntu 14.04 on IHAP-Meeting.
We propose to host the **signed** packages on our public apt-repositories.
* Working on a tool similar to intelmqcli, intended to process events from
the eventdb. Instead of using RT they are sent by e-mail.
The tool has the working title "event-processor" and can be found here
(https://github.com/Intevation/event-processor)
* We did not start with support for IODEF or X-ARF yet.
=== Status report CERT.at developments ===
* we moved to python3 only. Intelmq dropped python2 support
(https://github.com/certtools/intelmq/commit/2cbb42f1458a7e90539a443ec5e50ee…).
This does not apply yet to the certat repo (github.com/certat/intelmq), which
still supports python2.7 but only for the intelmqcli tool.
* New active contributor: pedro m. reis! Welcome and thanks for working so
hard on the Bitsight collector
(https://github.com/certtools/intelmq/pull/493)
* intelmqcli tool now supports a lot of new flags:
https://github.com/certat/intelmq/issues/52 This was necessary for CERT.at
since we use intelmqcli via cron job to connect to the (postgresql) eventDB ,
pull out all of the new data and use RT (ticket system) to send stuff out.
Added flags --quiet --batch. Now intelmqcli sends via cronjob.
These flags now allow CERT.at to run intelmq in full auto-mode! intelmqcli is
started via cron and sends out all events to all ISPs.
=== Requests ===
* Intevation searches for testers for the packages.
* We'd like to have some nice graphs in the intelmq-manager: events/sec , parse-failures/sec, etc.
* implementation of whitelisting of events (filter out events based on whitelists). See
https://github.com/certtools/intelmq/issues/426
* A good CSS design for the web page
=== Community ===
* RIPE abuse-c contacts can be done locally. RIPE might be able to export
abuse-c infos publicly (fingers crossed).
* more command line options for intelmqcli (see the
https://github.com/certat/intelmq repo)
* Aaron gave a presentation at the ENISA workshop "CSIRTs in Europe", 11th of May.
Slides will be shared on the ENISA page.
==== intelmq.org ====
The website intelmq.org is now online, but we would like to have more content and a proper
design.
Do you want to contribute to intelmq, but you are not a programmer? This is
your chance!
Current ToDos:
* Create Website Content: How-Tos / Installation Instructions, Success
Stories
** How-Tos / Instructions: If you are using a special feature of IntelMQ, for
instance an expert bot, try to find some time to write down a short article
how you managed to get it to work and why you are using it.
* Website Design
== Wishlist ==
* **we need more test-cases!!!**
* a specific config logic for ASNs: do this and that (for example sett ttl =
1 month) if event is in ASN xyz. Or "ignore" if event is in ASN xyz. This
should support some kind of more-specific-less-specific inheritance,
similarly to Apache directory settings. The most specific setting wins. The
order could be: country code -> ASN -> netblock -> ip (/32). Open questions:
what's more relevant if both domains and numbers (ASN, IPs, net blocks) exist
in an event?
* block based processing: for example block based team cymru lookups
* parallelisation: We need to revisit this topic
== Important Discussions ==
In case you missed something, here are the headlines of some discussion we
consider interesting / important.
=== Mailing Lists ===
* [Intelmq-dev] Packaging Strategy for Bots with dependencies
* [Intelmq-dev] Discussion on intelmq output / transformation architecture
* [Intelmq-dev] Output format to syslog/splunk (PR#503)
== Communication ==
Chat: irc #intelmq on freenode or webchat:
[[https://webchat.freenode.net/?channels=intelmq]]
Follow on twitter: @intelmqorg
Weekly Conference Call every Tuesday: Dial in via the known conference bridge number. It is
[[https://en.wikipedia.org/wiki/Telephone_number_mapping|ENUM]] enabled. Ask
Aaron or Dustin for the number if you want to participate.
Reminder... we now also have an intelmq-users(a)lists.cert.at mailing list.
This is intended for users of the system.
Feel free to join (even if you are on the -dev list)
Best regards,
a.
> Begin forwarded message:
>
> From: Sebastian Wagner <wagner(a)cert.at>
> Subject: [Intelmq-users] openbl.org down -> bot removal
> Date: 26 June 2017 at 17:37:10 GMT+2
> To: intelmq-users(a)lists.cert.at
>
> Hi,
>
> OpenBL.org shut down their services at end of May. I removed the OpenBL
> parser now.
>
> Sebastian
>
> https://github.com/certtools/intelmq/issues/1018
> https://github.com/certtools/intelmq/commit/d677112a02a016d097c224866e78524…
>
> --
> // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201
> // CERT Austria - https://www.cert.at/
> // Eine Initiative der nic.at GmbH - https://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
>
>
> --
> Listen-Einstellungen:
> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users
--
// L. Aaron Kaplan <kaplan(a)cert.at> - T: +43 1 5056416 78
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
Dear community,
We now have a pretty stable codebase and I think we should take this
chance to finally release our first stable version 1.0 and implement
upcoming bigger changes afterwards for 1.1
My plan for the next days would be:
* to merge PR #974[1] which fixes our last feature request #743[2] for 1.0
* work on PR #853[3]
* release a beta version
Then we can work on the remaining bugs, and afterwards release the first
RC which should then be thoroughly tested.
This process also implies some changes to the workflow concerning e.g.
the branches and packages. I will inform you later about these
(basically it is described in #650[4]).
Sebastian
[1]: https://github.com/certtools/intelmq/pull/974
[2]: https://github.com/certtools/intelmq/issues/743
[3]: https://github.com/certtools/intelmq/pull/853
[4]: https://github.com/certtools/intelmq/issues/650
P.S.: If you have experience with CentOS, the intelmq-manager needs your
help!
--
// Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
Hi all,
next to the destination IP and port, malware sinkhole feeds commonly also
include information on the destination 'host'. This value is usually taken
from the 'Host:' header of the HTTP request sent to the sinkhole by the
infected client. The corresponding columns in the feeds are usually called
'dsthost', 'http_host' (e.g. Shadowserver HTTP-Sinkhole-Drone) or 'cc_dns'
(Shadowserver Botnet-Drone). The name 'cc_dns' is probably misleading.
In most cases, the value of the destination host field in the feeds is a FQDN -
but depending on how the malware sets up the "Host:" header in the HTTP requests,
it may also be FQDN:Port, an IP address or IP:Port (or just some crap).
Some malware families perform a DNS lookup for the (DGA based) C2 domain first
and then only use the IP address in the HTTP requests instead of the domain name.
I noticed that the IntelMQ parsers for the Shadowserver feeds simply try to
map the value of 'http_host' to 'destination.fqdn', e.g.
https://github.com/certtools/intelmq/blob/master/intelmq/bots/parsers/shado…
Line 295: ('destination.fqdn', 'http_host'),
The scripts we currently use for generating notifications to network owners
use the following logic (pseudo code here) to extract the destination host information:
if (feed.dstip is a valid ip) {
destination.ip = dstip
}
else {
discard event # destination IP is required
}
dsthost = feed.http_host
dsthost =~ s/:[0-9]+$// # remove potential port information (we already have this information in dstport)
if (dsthost is a fqdn) {
destination.fqdn = dsthost
}
else {
do nothing # dsthost is either an IP (which we already have in destination.ip) or useless data
}
I'd like to suggest using a similar logic in the InteMQ parsers for the Shadowserver
(an other malware sinkhole) feeds to not miss destination.fqdn information which comes
in the form FQDN:Port - instead of writing the information to an extras field which is
most probably not used by the output generators or even dropping the complete event.
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
Dear contributors,
As the intelmq project gains momentum more and more users are using the
software. Also, not all users are developers anymore. To address the
users need of support/assistance/help we created a new mailinglist
intelmq-users.
Please subscribe here:
https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users
The archive is public.
I also hope that with this step the Github Issues are only used for
bugreports and not questions.
best wishes,
Sebastian
--
// Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg