Hello there,
I'm trying to develop a simple pipeline with three bots.
test-file-collector ---> test-message-parser ---> test-tcp-output
I would like to put or change the IP runtime parameter of the TCP output bot "test-tcp-output" depending on the message that I get from the file collector at runtime.
What is the best method to do this in intelmq?
Thank you for your help.
Majid
On 05 Jul 2018, at 14:56, Salehi Ghamsari, Majid majid.salehi.ghamsari@fokus.fraunhofer.de wrote:
Hello there,
I'm trying to develop a simple pipeline with three bots.
test-file-collector ---> test-message-parser ---> test-tcp-output
I would like to put or change the IP runtime parameter of the TCP output bot "test-tcp-output" depending on the message that I get from the file collector at runtime.
What is the best method to do this in intelmq?
Please read the fine documentation at https://github.com/certtools/intelmq/blob/develop/docs/User-Guide.md#configu... and if something is missing there, please let us know and we can add it to the documentation.
Thanks, a.
Thank you for your help.
Majid
Intelmq-dev mailing list Intelmq-dev@lists.cert.at https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
-- // L. Aaron Kaplan kaplan@cert.at - T: +43 1 5056416 78 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - http://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg
Hi,
On 2018-07-05 14:56, Salehi Ghamsari, Majid wrote:
I would like to put or change the IP runtime parameter of the TCP output bot "test-tcp-output" depending on the message that I get from the file collector at runtime.
What is the best method to do this in intelmq?
Is the IP part of the message or is a mapping needed?
Are the IPs fixed and is the number of them small? Then you can use filters and different output bots, the explicit way.
Sebastian
Dear Sebastian,
Is the IP part of the message or is a mapping needed?
test-file-collector (192.0.2.0-192.0.2.255) ---> test-message-expert (192.0.2.10) ---> test-tcp-output
No, the idea is that the expert bot makes an IP range correlation via an interface (REST GET) to an external server, for example:
192.0.2.10 = Get_IP4RANGE_FROM_SERVER("192.0.2.0-192.0.2.255")
I would like to set the IP runtime parameter (192.0.2.10) of the TCP output bot "test-tcp-output". I honestly did not understand how to implement this with filters.
Regards Majid
From: Sebastian Wagner [mailto:wagner@cert.at]
Sent: Thursday, 5 July 2018 16:10
To: Salehi Ghamsari, Majid majid.salehi.ghamsari@fokus.fraunhofer.de; intelmq-dev@lists.cert.at
Subject: Re: [Intelmq-dev] changing bot runtime parameter
Hi,
On 2018-07-05 14:56, Salehi Ghamsari, Majid wrote:
I would like to put or change the IP runtime parameter of the TCP output bot "test-tcp-output" depending on the message that I get from the file collector at runtime.
What is the best method to do this in intelmq?
Is the IP part of the message or is a mapping needed?
Are the IPs fixed and is the number of them small? Then you can use filters and different output bots, the explicit way.
Sebastian
--
// Sebastian Wagner wagner@cert.at - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
Hi,
On 2018-07-10 11:48, Salehi Ghamsari, Majid wrote:
Is the IP part of the message or is a mapping needed?
test-file-collector (192.0.2.0-192.0.2.255) ---> test-message-expert (192.0.2.10) ---> test-tcp-output
No, the idea is that the expert bot makes an IP range correlation via an interface (REST GET) to an external server, for example:
192.0.2.10 = Get_IP4RANGE_FROM_SERVER("192.0.2.0-192.0.2.255")
To make sure I understood it correctly: There is an expert that sends the 'source.ip' field to an external server. It returns an IP where the data should be sent to with the TCP output. The mapping is done entirely by the external server, not in IntelMQ. In this case:
I would like to set the IP runtime parameter (192.0.2.10) of the TCP output bot "test-tcp-output". I honestly did not understand how to implement this with filters.
No, it's currently not. If the mapping had been applied by using filters inside IntelMQ, it would be easier. But I recently implemented something similar for the file output bot, see https://github.com/certtools/intelmq/blob/maintenance/docs/Bots.md#filename-... So it could also be done for the tcp output in a similar way.
Do you plan to use the tcp collector/output mechanism to exchange data between the melicertes instances?
Sebastian
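The two approaches discussed in this thread (Sebastian's "explicit way" of routing with filters to several output bots, and the per-message destination taken from a field that the expert fills in from the external lookup), sketched as an added, stand-alone example. This is not IntelMQ code: the expert and output steps are plain functions over event dicts instead of IntelMQ Bot classes, the external REST server is replaced by a constructed in-memory range table, and the field name `extra.tcp_destination`, the `RANGE_TABLE`, the allow-list and the sample events are all assumptions made for the illustration. The security point it adds is that a destination read from message data should be validated as an IP address and checked against an allow-list before a bot connects to it, with a fallback to the static runtime parameter.

```python
"""Per-message TCP destination selection (added example, not IntelMQ code).

The "external server" of the thread is modelled by RANGE_TABLE; the expert
step writes its answer into the hypothetical field extra.tcp_destination and
the output step resolves that field with validation and a static fallback.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for the external REST service: IP range -> destination.
RANGE_TABLE: Dict[str, str] = {
    "192.0.2.0/24": "192.0.2.10",
    "198.51.100.0/25": "198.51.100.7",
}

# Assumed allow-list of hosts the output bot may connect to, plus the static
# 'ip' runtime parameter that is used whenever the message gives no usable value.
ALLOWED_DESTINATIONS = {"192.0.2.10", "198.51.100.7", "203.0.113.1"}
DEFAULT_DESTINATION = "203.0.113.1"

# Constructed sample events in the flat key style IntelMQ uses for fields.
SAMPLE_EVENTS: List[dict] = [
    {"source.ip": "192.0.2.55", "classification.type": "scanner"},
    {"source.ip": "198.51.100.20", "classification.type": "scanner"},
    {"source.ip": "198.51.100.200", "classification.type": "scanner"},  # no range match
    {"source.ip": "not-an-ip", "classification.type": "scanner"},       # unparsable
]


def lookup_destination(source_ip: str) -> Optional[str]:
    """Mimics Get_IP4RANGE_FROM_SERVER(): longest-prefix match over RANGE_TABLE."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    best = None  # (prefix length, destination) of the most specific match
    for cidr, dest in RANGE_TABLE.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dest)
    return best[1] if best else None


def expert_process(event: dict) -> dict:
    """Expert step: annotate a copy of the event with its destination, if any."""
    out = dict(event)
    dest = lookup_destination(event.get("source.ip", ""))
    if dest is not None:
        out["extra.tcp_destination"] = dest
    return out


def resolve_destination(event: dict,
                        field: str = "extra.tcp_destination",
                        default: str = DEFAULT_DESTINATION) -> str:
    """Output step: take the destination from a message field, else the default.

    The value originates from message data, so it is only used as a connect
    target if it parses as an IP address and is on the allow-list.
    """
    value = event.get(field)
    if value is None:
        return default
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return default
    if value not in ALLOWED_DESTINATIONS:
        return default
    return value


def route(events: List[dict]) -> Dict[str, List[str]]:
    """Run both steps and group source IPs by destination.

    This grouping is what the explicit filter-plus-several-outputs setup
    would produce; each key would be one TCP output bot's 'ip' parameter.
    """
    groups: Dict[str, List[str]] = {}
    for ev in events:
        dest = resolve_destination(expert_process(ev))
        groups.setdefault(dest, []).append(ev["source.ip"])
    return groups


if __name__ == "__main__":
    for dest, ips in route(SAMPLE_EVENTS).items():
        print(dest, "<-", ", ".join(ips))
```

Events whose source IP matches no range, or cannot be parsed at all, fall back to the static destination rather than being dropped, and an injected `extra.tcp_destination` pointing outside the allow-list is ignored in the same way.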