Hi,

On 2018-07-10 11:48, Salehi Ghamsari, Majid wrote:

> Is the IP part of the message or is it a mapping needed?
test-file-collector (192.0.2.0-192.0.2.255) ----------> test-message-expert (192.0.2.10) ---> test-tcp-output
No, the idea is that the expert bot makes the IP range correlation with an interface (REST GET) from an external server.
Example:
192.0.2.10 = Get_IP4RANGE_FROM_SEVER ("192.0.2.0-192.0.2.255")


To make sure I understood it correctly:
There is an expert that sends the 'source.ip' field to an external server. It returns an IP where the data should be sent to with the TCP output. The mapping is done entirely by the external server, not in IntelMQ. In this case:

I would like to set the IP runtime parameter (192.0.2.10) of the TCP-output bot "test-tcp-output".
I honestly did not understand how to implement this with filters.

No, it's currently not. If the mapping had been applied by using filters inside IntelMQ, it would be easier. But I recently implemented something similar for the file output bot, see https://github.com/certtools/intelmq/blob/maintenance/docs/Bots.md#filename-formatting
So it could also be done for the TCP output in a similar way.

Do you plan to use the tcp collector/output mechanism to exchange data between the melicertes instances?

Sebastian

-- 
// Sebastian Wagner <wagner@cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Company register number 172568b, LG Salzburg