Dear friends of IntelMQ,
just wondering: are there tutorials out there to get a beginner
to have IntelMQ running and doing something useful?
Possible steps to cover:
* Get a first feed in, using a public feed
* Set up a simple "botnet",
e.g. one that filters for my country, ASN or network range
* Do a simple output task, e.g. like creating a DNS RPZ file (once)
Not covering installation, but first setup
Maybe set up with IntelMQ Manager or without.
Can be textual or otherwise.
Background of the question: For new users or development setups, it is needed
to get an up-to-date, working IntelMQ setup. Doing a few searches on the
internet I did not see a tutorial for this and the current documentation is
geared towards being a comprehensive reference.
Saw
https://github.com/certtools/intelmq/issues/256 Request for a Video Tutorial
Just to say: For me videos do not work best and they probably are a lot of
work compared to a classic text and screenshot based tutorial.
So is anything already out there? :)
Regards,
Bernhard
--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
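As an added illustration of the two middle steps Bernhard lists (a "botnet" that filters for a country, ASN or network range, then a one-shot output that writes a DNS RPZ file), here is a stand-alone Python script. It is example code written for this thread, not IntelMQ's own code and not part of the original post: it does not need a running IntelMQ, it only consumes events in IntelMQ's harmonized JSON shape (field names `source.ip`, `source.fqdn`, `source.asn`, `source.network`, `source.geolocation.cc`, `classification.type` are from the IntelMQ Data Harmonization; the sample events themselves are constructed and use documentation addresses). In a real IntelMQ setup the filtering part is what the filter expert does with its `filter_key`/`filter_value`/`filter_action` parameters, and the RPZ writer would be a small custom output bot.

```python
"""Filter IntelMQ-style events and write a DNS Response Policy Zone (RPZ) once.

Added example, not IntelMQ code: it stands in for the "simple botnet" asked for
above (filter expert -> one-shot RPZ output) without a running IntelMQ. Field
names follow the IntelMQ Data Harmonization; sample events are constructed.
"""
import ipaddress
import json
import re

# Constructed sample input: one JSON event per line, the shape a parser bot
# hands on to the next bot in the pipeline (subset of fields, values invented).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"source.ip": "192.0.2.10", "source.fqdn": "bad.example", "source.asn": 64496,
     "source.network": "192.0.2.0/24", "source.geolocation.cc": "DE",
     "classification.type": "c2-server"},
    {"source.ip": "198.51.100.7", "source.asn": 64497, "source.network": "198.51.100.0/24",
     "source.geolocation.cc": "AT", "classification.type": "malware-distribution"},
    {"source.fqdn": "phish.example.net", "source.asn": 64496,
     "source.geolocation.cc": "DE", "classification.type": "phishing"},
    {"source.ip": "203.0.113.5", "source.asn": 64498, "source.geolocation.cc": "US",
     "classification.type": "scanner"},
])

# Conservative hostname syntax: feed data is untrusted and ends up verbatim as an
# owner name in a zone file, so anything with spaces, parentheses etc. is dropped
# rather than risk smuggling extra records into the zone.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")


def load_events(text):
    """Parse newline-delimited JSON events, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def make_filter(country=None, asn=None, network=None):
    """Predicate keeping events that match ANY given selector.

    IntelMQ's filter expert takes one filter_key/filter_value per bot instance;
    here the selectors are ORed so one pass covers "country, ASN or network"."""
    net = ipaddress.ip_network(network) if network else None

    def keep(event):
        if country and event.get("source.geolocation.cc") == country:
            return True
        if asn and event.get("source.asn") == asn:
            return True
        if net and "source.ip" in event:
            try:
                return ipaddress.ip_address(event["source.ip"]) in net
            except ValueError:  # malformed address: do not match, do not crash
                return False
        return False

    return keep


def rpz_ip_trigger(ip_str):
    """RPZ IP trigger owner name: <prefixlen>.<reversed octets>.rpz-ip (IPv4 only)."""
    ip = ipaddress.ip_address(ip_str)  # ValueError on garbage
    if ip.version != 4:
        # IPv6 triggers use a 'zz' shorthand for '::' that is not implemented here.
        raise ValueError("IPv6 triggers are out of scope for this example")
    return "32." + ".".join(str(ip).split(".")[::-1]) + ".rpz-ip"


def build_rpz(events, origin="rpz.local.", serial=1):
    """Render a minimal RPZ zone; 'CNAME .' is the NXDOMAIN policy action."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    seen = set()
    for ev in events:
        fqdn = str(ev.get("source.fqdn", "")).lower().rstrip(".")
        if fqdn and FQDN_RE.match(fqdn) and fqdn not in seen:
            seen.add(fqdn)
            lines.append(f"{fqdn} CNAME .")      # the name itself...
            lines.append(f"*.{fqdn} CNAME .")    # ...and every name below it
        if "source.ip" in ev:
            try:
                trigger = rpz_ip_trigger(ev["source.ip"])
            except ValueError:
                continue  # unusable address: skip instead of writing a broken record
            if trigger not in seen:
                seen.add(trigger)
                lines.append(f"{trigger} CNAME .")
    return "\n".join(lines) + "\n"


def run(text, country=None, asn=None, network=None, serial=1):
    """Filter, then write the zone: returns (kept events, zone text)."""
    keep = make_filter(country, asn, network)
    kept = [ev for ev in load_events(text) if keep(ev)]
    return kept, build_rpz(kept, serial=serial)


if __name__ == "__main__":
    kept, zone = run(SAMPLE_EVENTS, country="DE", network="198.51.100.0/24")
    print(f"kept {len(kept)} of {len(load_events(SAMPLE_EVENTS))} events")
    print(zone, end="")
```

Run as-is it keeps three of the four constructed events (two by country, one by network) and prints a zone with two name triggers and two IP triggers. Before loading the output into a resolver, check it with `named-checkzone rpz.local. <file>`; the hostname whitelist in `FQDN_RE` is the one line that matters security-wise, because feed contents otherwise go into the zone unescaped.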
Dear community,
Version 2.1.2, a bugfix release, is out which contains various bugfixes.
Install documentation:
https://github.com/certtools/intelmq/blob/2.1.2/docs/INSTALL.md
Upgrade documentation:
https://github.com/certtools/intelmq/blob/2.1.2/docs/UPGRADING.md
The full changelog:
### Core
- `__init__`: Resolve absolute path for `STATE_FILE_PATH` variable
(resolves `..`).
- `intelmq.lib.utils`:
- log: Do not raise an exception if logging to neither file nor syslog
is requested.
- logging StreamHandler: Colorize all warning and error messages red.
- logging FileHandler: Strip all shell colorizations from the messages
(#1436).
- `intelmq.lib.message`:
- `Message.to_json`: Set `sort_keys=True` to get reproducible results.
- `drop_privileges`: Handle situations where the user or group
`intelmq` does not exist.
- `intelmq.lib.pipeline`:
- `Amqp._send` and `Amqp._acknowledge`: Log traceback in debug mode in
case of errors and necessary re-connections.
- `Amqp._acknowledge`: Reset delivery tag if acknowledge was successful.
### Bots
#### Collectors
- `intelmq.bots.collectors.misp.collector`:
- Add compatibility with current pymisp versions and versions released
after January 2020 (PR #1468).
#### Parsers
- `intelmq.bots.parsers.shadowserver.config`: Add some missing fields
for the feed `accessible-rdp` (#1463).
- `intelmq.bots.parsers.shadowserver.parser`:
- Feed-detection based on file names: The prefixed date is optional now.
- Feed-detection based on file names: Re-detect feed for every report
received (#1493).
#### Experts
- `intelmq.bots.experts.national_cert_contact_certat`: Handle empty
responses by server (#1467).
- `intelmq.bots.experts.maxmind_geoip`: The script `update-geoip-data`
now requires a license key as second parameter because of upstream
changes (#1484).
#### Outputs
- `intelmq.bots.outputs.restapi.output`: Fix logging of response body if
response status code was not ok.
### Documentation
- Remove some hardcoded `/opt/intelmq/` paths from code comments and
program outputs.
### Packaging
- debian/rules: Only replace `/opt/intelmq/` with LSB-paths in certain
files, not the whole tree, avoiding wrong replacements.
- debian/rules and debian/intelmq.install: Do install the examples
configuration directly instead of working around the abandoned examples
directory.
### Tests
- `lib/test_utils`: Skip some tests on Python 3.4 because
`contextlib.redirect_stdout` and `contextlib.redirect_stderr` are not
supported on this version.
- Travis: Stop running tests with all optional dependencies on Python
3.4, as more and more libraries are dropping support for it. Tests on
the core and code without non-optional requirements are not affected.
- `tests.bots.parsers.html_table`: Make tests independent of current year.
### Tools
- `intelmqctl upgrade-config`: Fix missing substitution in error message
"State file %r is not writable.".
### Known issues
- bots trapped in endless loop if decoding of raw message fails (#1494)
- intelmqctl status of processes: need to check bot id too (#1492)
- MongoDB authentication: compatibility on different MongoDB and pymongo
versions (#1439)
- ctl: shell colorizations are logged (#1436)
- http stream collector: retry on regular connection problems? (#1435)
- tests: capture logging with context manager (#1342)
- Bots started with IntelMQ-Manager stop when the webserver is
restarted. (#952)
- n6 parser: mapping is modified within each run (#905)
- reverse DNS: Only first record is used (#877)
- Corrupt dump files when interrupted during writing (#870)
--
// Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
Dear IntelMQ users,
Sebix mentioned something that might be relevant for everyone using IntelMQ (or actually MaxMind, for that matter).
(quote) "MaxMind has always been committed to an individual’s right to privacy on the internet. We welcome the burgeoning privacy regulations, such as GDPR and CCPA, for the benefit they can provide to internet citizens. However, these new legislative measures place restrictions that impact our ability to continue distributing our GeoLite2 databases on a public page under the Creative Commons Attribution-ShareAlike 4.0 International License."
MaxMind has decided to change the download mechanism of the MaxMind GeoLite2 database. You now need to be registered and need a license key.
Since I know that many IntelMQ users rely on MaxMind for geolocation, you might want to register there and get a new license key and make sure it can be used for the most recent database version.
More info at https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-us…
All the best and a happy 2020!
Aaron.
--
// L. Aaron Kaplan <kaplan(a)cert.at> - T: +43 1 5056416 78
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg