Hi list,
I just opened the issue https://github.com/certtools/intelmq/issues/1829 for tracking the support for these optional Shadowserver feeds.
Contributions are welcome.
kind regards Sebastian
On 3/23/21 9:17 AM, Mika Silander wrote:
Hi Sebastian,
True. It also seems ShadowServer recently started publishing some new reports tagged "special" related to Hafnium and vulnerable Exchange servers. It is not easy to keep up with new feeds.
I'd be happy to contribute with pull requests but our own project is top on the priority list so contributions have to wait still for a while :-). I'll send the list of feeds in a private message.
Br, Mika
----- Original Message -----
From: "Sebastian Wagner" wagner@cert.at
To: "Mika Silander" mika.silander@csc.fi, "intelmq-dev" intelmq-dev@lists.cert.at
Sent: Tuesday, 23 March, 2021 10:06:40
Subject: Re: [IntelMQ-dev] ShadowServer feeds vs. ShadowServer parser bot
Good Morning,
I wasn't even aware of that feed. IntelMQ will always be running after Shadowserver as we don't know of feeds in advance either (and the data examples for the feeds given on Shadowserver's website are often not complete).
If you can pass one example file on to me (I can anonymize it myself as well) I can extend the Shadowserver parser for this new feed. We are also happily accepting pull requests :)
kind regards Sebastian
On 3/23/21 8:05 AM, Mika Silander wrote:
Hi.
After trying to match current ShadowServer feeds to their internal intelmq identifiers, I got stuck with a few that I cannot find a corresponding internal mapping for in intelmq/bots/parsers/shadowserver/config.py (intelmq 2.3.1). One example is the Click-Fraud Report (https://www.shadowserver.org/what-we-do/network-reporting/click-fraud-report...). Correct me if I'm wrong in assuming all ShadowServer feeds are perhaps not (yet?) supported by the ShadowServer parser bot.
Are there plans for extending the parser bot in question? Don't take me wrong, this is no criticism, the bot does a fine job. I would just like to know what the situation is and then be able to decide how to continue with our own project.
Cheers, Mika
_______________________________________________
IntelMQ-dev mailing list
https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
https://intelmq.readthedocs.io/