Dear community,
Given the vast amount of changes, additions and new features, it's time
to mark a new feature release! Thanks to all the contributors who
participate in this community project! IntelMQ gained a lot of new bots
and features in the last months.
Install documentation:
https://github.com/certtools/intelmq/blob/2.1.0/docs/INSTALL.md
Upgrade documentation:
https://github.com/certtools/intelmq/blob/2.1.0/docs/UPGRADING.md
Full changelog:
### Core
- `intelmq.lib.harmonization`:
- Use correct parent classes.
- Add `DateTime.convert` as interface for all existing conversion
functions.
- add `DateTime.convert_from_format`.
- add `DateTime.convert_from_format_midnight`.
- add `DateTime.convert_fuzzy`.
- `intelmq.lib.pipeline`:
- Redis: Use single connection client if calling bot is not
multithreaded. Gives a small speed advantage.
- Require the bot instance as parameter for all pipeline classes.
- New internal variable `_has_message` to keep the state of the pipeline.
- Split receive and acknowledge into public-facing and private methods.
- Add `reject_message` method to the Pipeline class for explicit
requeue of messages.
- AMQP:
- Make exchange configurable.
- If exchange is set, the queues are not declared; the queue name is used
by exchanges for routing.
- `intelmq.lib.bot`:
- Log message after successful bot initialization, no log message
anymore for ready pipeline.
- Use existing current message if receive is called and the current
message still exists.
- Fix handling of received messages after a SIGHUP that happened during
a blocking receiving connection using explicit rejection (#1438).
- New method `_parse_common_parameters` called before `init` to parse
commonly used arguments. Currently supported: `extract_files`.
- `intelmq.lib.test`:
- Fix the tests broker by providing the testing pipeline.
- `intelmq.lib.utils`:
- `unzip`:
- new parameter `return_names` to optionally return the file names.
- support for zip
- new parameters `try_zip`, `try_gzip` and `try_tar` to control
which compressions are tried.
- rewritten to an iterative approach
- add `file_name_from_response` to extract a file name from a Response
object for downloaded files.
- `intelmq.lib.upgrades`: Added `v210_deprecations` for deprecated
parameters.
### Harmonization
- Add extra to reports.
### Bots
#### Collectors
- `intelmq.bots.collectors.http.collector_http`:
- More extensive usage of `intelmq.lib.utils.unzip`.
- Save the file names in the report if files have been extracted from
an archive.
- `intelmq.bots.collectors.rt.collector_rt`:
- Save ticket information/metadata in the extra fields of the report.
- Support for RT 3.8 and RT 4.4.
- New parameters `extract_attachment` and `extract_download` for
generic archive extraction and consistency. The parameter
`unzip_attachment` is deprecated.
- `intelmq.bots.collectors.mail.*`: Save email information/metadata in
the extra fields of the report. See the bots documentation for a
complete list of provided data.
- `intelmq.bots.collectors.mail.collector_mail_attach`: Check for
existence/validity of the `attach_regex` parameter.
- Use the lib's `unzip` function for uncompressing attachments and use
the .
- `intelmq.bots.collectors.mail.collector_mail_url`: Save the file
name of the downloaded file as `extra.file_name`.
- `intelmq.bots.collectors.amqp.collector_amqp`: New collector to
collect data from (remote) AMQP servers, for both IntelMQ as well as
external data.
- use default SSL context for client purposes, fixes compatibility
with python < 3.6 if TLS is used.
#### Parsers
- `intelmq.bots.parsers.html_table.parser`:
- New parameter "html_parser".
- Use time conversion functions directly from
`intelmq.lib.harmonization.DateTime.convert`.
- Limit lxml dependency on 3.4 to < 4.4.0 (incompatibility).
- `intelmq.bots.parsers.netlab_360.parser`: Add support for Hajime scanners.
- `intelmq.bots.parsers.hibp.parser_callback`: A new parser to parse
data retrieved from a HIBP Enterprise Subscription.
- `intelmq.bots.parsers.shadowserver.parser`:
- Ability to detect the feed based on the report's field
`extra.file_name`, so the parameter `feedname` is no longer required and
one configured parser can parse any feed (#1442).
#### Experts
- Add geohash expert.
- `intelmq.bots.experts.generic_db_lookup.expert`
- new optional parameter `engine` with `postgresql` (default) and
`sqlite` (new) as possible values.
#### Outputs
- Add `intelmq.bots.outputs.touch.output`.
- `intelmq.bots.outputs.postgresql.output`:
- deprecated in favor of `intelmq.bots.outputs.sql.output`
- Compatibility shim will be available in the 2.x series.
- `intelmq.bots.outputs.sql.output` added generic SQL output bot.
Compared to
- new optional parameter `engine` with `postgresql` (default) and
`sqlite` (new) as possible values.
- `intelmq.bots.outputs.stomp.output`: New parameters
`message_hierarchical_output`, `message_jsondict_as_string`,
`message_with_type`, `single_key`.
### Documentation
- Feeds:
- Add ViriBack feed.
- Add Have I Been Pwned Enterprise Callback.
- `intelmq.tests.bots.outputs.amqptopic.test_output`: Added.
- Move the documentation of most bots from separate README files to the
central Bots.md and feeds.yaml files.
### Tests
- Travis:
- Use UTC timezone.
- Tests for `utils.unzip`.
- Add a new asset: Zip archive with two files, same as with tar.gz archive.
- Added tests for the Mail Attachment & Mail URL collectors.
- Ignore logging-tests on Python 3.7 temporarily (#1342).
### Tools
- intelmqctl:
- Use green and red text color for some interactive output to indicate
obvious errors or the absence of them.
- intelmqdump:
- New edit action `v` to modify a message saved in the dump (#1284).
### Contrib
- malware name mapping:
- Add support for MISP threat actors data, see its README for more
information.
- And handle empty synonyms in MISP's galaxies data.
- Move the apply script to the new EventDB directory
- EventDB: Scripts for applying malware name mapping and domain suffixes
to an EventDB.
### Known issues
- MongoDB authentication: compatibility on different MongoDB and pymongo
versions (#1439)
- ctl: shell colorizations are logged (#1436)
- http stream collector: retry on regular connection problems? (#1435)
- tests: capture logging with context manager (#1342)
- Bots started with IntelMQ-Manager stop when the webserver is
restarted. (#952)
- n6 parser: mapping is modified within each run (#905)
- reverse DNS: Only first record is used (#877)
- Corrupt dump files when interrupted during writing (#870)
--
// Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
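The changelog above describes `intelmq.lib.utils.unzip` being rewritten as an iterative routine with `try_zip`, `try_gzip` and `try_tar` switches and an optional `return_names` result, and then being used by the HTTP and mail collectors on downloaded files and attachments. The block below is an added illustration of that approach in plain Python; it is example code written for this page, not IntelMQ's own implementation, and its exact signature, the `max_total_bytes` guard and the sample archives are this example's assumptions. Because the inputs in that setting are untrusted feeds and mail attachments, the example also adds the two checks a practitioner would want from any archive unwrapper: rejection of member names that would escape a target directory, and a cap on total decompressed size.

```python
"""Iterative multi-format archive unwrapper, modelled on the behaviour the
IntelMQ 2.1.0 changelog describes for intelmq.lib.utils.unzip.
Example code, not the project's own."""
import gzip
import io
import tarfile
import zipfile
from collections import deque

# Assumed decompression-bomb guard; not a parameter the changelog mentions.
MAX_TOTAL_BYTES = 50 * 1024 * 1024


def _safe_member(name):
    """Reject member names that could escape a target directory (zip-slip)."""
    parts = name.replace("\\", "/").split("/")
    return not name.startswith("/") and ".." not in parts


def _tar_members(blob):
    """[(name, bytes)] of regular files if blob is an uncompressed tar, else None."""
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
            return [(m.name, tf.extractfile(m).read())
                    for m in tf.getmembers() if m.isfile()]
    except (tarfile.TarError, ValueError):
        return None


def _zip_members(blob):
    """[(name, bytes)] of file entries if blob is a zip archive, else None."""
    buf = io.BytesIO(blob)
    if not zipfile.is_zipfile(buf):
        return None
    with zipfile.ZipFile(buf) as zf:
        return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]


def unzip(data, *, try_zip=True, try_gzip=True, try_tar=True,
          return_names=False, max_total_bytes=MAX_TOTAL_BYTES):
    """Unwrap nested layers (e.g. gzip -> tar -> members) without recursion.

    Returns a list of payloads, or of (name, payload) tuples when
    return_names is set. Data matching no enabled container is returned
    unchanged as a single item. Raises ValueError on unsafe member names
    or when the total decompressed size exceeds max_total_bytes.
    """
    pending = deque([("", data)])
    results = []
    total = 0
    while pending:
        name, blob = pending.popleft()
        if try_gzip and blob[:2] == b"\x1f\x8b":
            inner = gzip.decompress(blob)
            total += len(inner)
            if total > max_total_bytes:
                raise ValueError("decompressed size exceeds limit")
            inner_name = name[:-3] if name.endswith(".gz") else name
            pending.appendleft((inner_name, inner))  # inspect the payload next
            continue
        members = _tar_members(blob) if try_tar else None
        if members is None and try_zip:
            members = _zip_members(blob)
        if members is not None:
            for member_name, payload in members:
                if not _safe_member(member_name):
                    raise ValueError("unsafe member name: %r" % member_name)
                total += len(payload)
                if total > max_total_bytes:
                    raise ValueError("decompressed size exceeds limit")
            # Re-queue members in archive order so nested archives unwrap too.
            pending.extendleft(reversed(members))
            continue
        results.append((name, blob) if return_names else blob)
    return results


def build_samples():
    """Constructed test assets: two small files as tar.gz, as zip, and a
    zip whose member name attempts path traversal."""
    files = [("a.txt", b"one\n"), ("b.txt", b"two\n")]
    tgz = io.BytesIO()
    with tarfile.open(fileobj=tgz, mode="w:gz") as tf:
        for fname, payload in files:
            info = tarfile.TarInfo(fname)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        for fname, payload in files:
            zf.writestr(fname, payload)
    evil = io.BytesIO()
    with zipfile.ZipFile(evil, "w") as zf:
        zf.writestr("../etc/cron.d/x", b"* * * * * root id\n")
    return tgz.getvalue(), zbuf.getvalue(), evil.getvalue()


SAMPLE_TGZ, SAMPLE_ZIP, SAMPLE_EVIL = build_samples()

if __name__ == "__main__":
    print(unzip(SAMPLE_TGZ, return_names=True))
    print(unzip(SAMPLE_ZIP))
```

Gzip is checked by magic bytes before tar and zip are attempted, since a `.tar.gz` has to be unwrapped from the outside in; the payload of each layer is pushed back to the front of the queue, so the loop processes nested containers in order without recursion. Disabling a `try_*` switch makes the corresponding layer opaque, which is what the collectors rely on when they want a file passed through untouched.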
Dear community,
The new 2.1.0 version of IntelMQ Manager improves the error
reporting in the frontend and allows connecting collectors to experts
and experts to parsers.
Thanks to Edvard for his work on this tool!
Installation instructions:
https://github.com/certtools/intelmq-manager/blob/2.0.0/docs/INSTALL.md
Full changelog:
### Backend
- Fix misspelling of the environment variable
`INTELMQ_MANGER_CONTROLER_CMD` to `INTELMQ_MANGER_CONTROLLER_CMD` (you
might be required to add the double 'l' to your nginx/apache server
configuration)
- When displaying a command to be replicated by the debugging user, the
string "sudo -u {webserver user}" is prepended so that the Linux user
does not have to bother with sudoing to the commonly used user
"www-data", which often can't be sudoed to (no bash provided due to
good security measures). (Used in monitor and error reporting.)
### Frontend
- Error reporting
- Click will enlarge the dialog that contains much more useful info,
notably the very command that failed so that it can be easily reproduced.
- Error messages are shuffled only when minimized, not when maximized.
That would disturb the user trying to read the details.
- Invalid Syntax Error message removed. Until now, all error messages
generated the string that the received JSON is invalid; that wasn't needed,
we knew it was invalid because it contained a string message.
- Double click does not close log window anymore since it would
interfere with the user trying to select whole text by mouse.
- Escape minimizes the reporting.
- For commonly seen errors, a tip is displayed (preferably with a link
to the GitHub manual).
### Pages
#### Configuration
- The node group Collector may now connect to Expert, and Expert can
connect to Parser; however, you receive a warning that this is not very common.
Dear community,
Today I released version 2.0.2 of IntelMQ with a bunch of bugfixes, see
the changelog below. A feature release is coming soon too.
Install documentation:
https://github.com/certtools/intelmq/blob/2.0.2/docs/INSTALL.md
Upgrade documentation:
https://github.com/certtools/intelmq/blob/2.0.2/docs/UPGRADING.md
As always: read the NEWS file, upgrade according to the documentation
and have fun! If you get any errors, please report them here or in the
bug tracker.
Sebastian
Full changelog:
### Core
- `intelmq.lib.bot.CollectorBot`: Support the deprecated parameter
`feed` until version 2.2 as the documentation was not properly updated
(#1445).
- `intelmq.lib.bot.Bot`:
- `_dump_message`: Wait for up to 60 seconds instead of 50 if the dump
file is locked (the log message said 60, but the code only waited 50).
- `intelmq.lib.upgrades.v202_fixes`
- Migration of deprecated parameter `feed` for Collectors.
- RIPE expert parameter `query_ripe_stat_ip` was not correctly
configured in `v110_deprecations`; now `query_ripe_stat_asn` is used as
the default if it does not exist.
- `intelmq.lib.upgrades.v110_deprecations`: Fix upgrade of ripe expert
configuration.
- `intelmq.lib.bot_debugger`:
- Fix handling of empty messages generated by parser when user wanted
to show the result by "--show-sent" flag.
- Fix handling of sent messages for bots using the `path_permissive`
parameter (#1453).
- `intelmq.lib.pipeline.Amqp`:
- use default SSL context for client purposes, fixes compatibility
with python < 3.6 if TLS is used.
- Reconnect once on sending messages if disconnect detected.
### Bots
#### Collectors
- `intelmq.bots.collectors.api.collector_api`:
- Handle non-existing IO loop in shutdown.
- Close socket on shutdown, fixes reloading.
- Marked as non-threadable.
- `intelmq.bots.collectors.rt.collector_rt`: Check for matching URLs if
no `attachment_regex` is given.
- `intelmq.bots.collectors.stomp.collector_stomp`: Handle disconnects by
actively reconnecting.
#### Parsers
- `intelmq.bots.parsers.cymru.parser_cap_program`: Fix parsing of the new
`$certname_$date.txt` report format (#1443):
- Support protocol ICMP.
- Fix error message for unsupported protocols.
- Support fields `destination_port_numbers`, `port`.
- Support for all proxy types without ports.
- Use Country Code of AS as `source.geolocation.cc`.
- Support for 'scanner' and 'spam' categories.
- Handle bogus lines with missing separator.
- Fix bug preventing use of old format after using the new format.
- Handle postfix ` (total_count:..)` for destination port numbers.
#### Experts
- `intelmq.bots.experts.cymru_whois.expert`: Add optional parameter
`overwrite`; the current behavior was `True`, the default if not given is
`True` now and will change to `False` in 3.0.0 (#1452, #1455).
- `intelmq.bots.experts.modify.expert`: Add optional parameter
`overwrite`; the current behavior was `True`, the default if not given is
`True` now and will change to `False` in 3.0.0 (#1452, #1455).
- `intelmq.bots.experts.reverse_dns.expert`: Add optional parameter
`overwrite`; the current behavior was `True`, the default if not given is
`True` now and will change to `False` in 3.0.0 (#1452, #1455).
#### Outputs
- `intelmq.bots.outputs.amqptopic.output`: use default SSL context for
client purposes, fixes compatibility with python < 3.6 if TLS is used.
### Packaging
- Rules:
- Exclude intelmqsetup tool in packages
- Include update-rfiprisk-data in packages
### Tests
- Tests for `intelmq.lib.upgrades.v202_fixes`.
- Tests for `intelmq.lib.upgrades.v110_deprecations`.
- Extended tests for `intelmq.bots.parsers.cymru.parser_cap_program`.
### Tools
- intelmqctl:
- More, and more precise, logging messages for botnet starting and
restarting, enable and disable.
- No error message for disabled bots on botnet reload.
- Fix `upgrade-conf` if the state file is empty or does not exist.
- Use argparse's `store_true` action for flags instead of `store_const`.
- If the loading of the defaults configuration failed, a variable
definition was missing and causing an exception (#1456).
### Contrib
- Check MK Statistics Cronjob:
- Use `statistics_*` parameters.
- Make file executable
- Handle None values in `*.temporary.*` keys and treat them as 0.
- systemd:
- Add `PIDFile` parameter to service file.
### Known issues
- MongoDB authentication: compatibility on different MongoDB and pymongo
versions (#1439)
- ctl: shell colorizations are logged (#1436)
- http stream collector: retry on regular connection problems? (#1435)
- tests: capture logging with context manager (#1342)
- Bots started with IntelMQ-Manager stop when the webserver is
restarted. (#952)
- n6 parser: mapping is modified within each run (#905)
- reverse DNS: Only first record is used (#877)
- Corrupt dump files when interrupted during writing (#870)