Dear Community
Please, I need help configuring the SMTP bots of IntelMQ to send a CSV file as described in the description. I checked the MIME and it is not the blocking point. The information that needs to be sent in CSV is in the ATT00001 file and, contrary to all the IntelMQ mails I receive, mine is not a .txt.
Can someone please help me to solve this issue?
This is an example of the file sent after the configuration:
[cid:image001.png@01D77335.33F95C40]
Cordialement / Best Regards,
Kossi DOH
Analyste Cyber Securite
CYBER DEFENSE AFRICA S.A.S.
Mobile: +228 70 54 93 26
https://cert.tg
This information is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Unauthorised use of this information by a person or entity other than the intended recipient is prohibited by law. If you received this by mistake, please immediately contact the sender by email or phone and delete this information from any computer. Thank you.
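An added example for the attachment question above (my own code, not IntelMQ's SMTP output bot): it builds a mail with Python's standard email library so the CSV travels as a part labelled `text/csv` with a filename, and it inspects the headers a mail client reads to name and type the attachment. The addresses, subject and rows are constructed; the `filename=None` variant only illustrates what an attachment without a filename parameter looks like on the wire.

```python
"""Added example (not IntelMQ code): build a mail whose CSV travels as a
properly labelled attachment, then inspect the MIME headers a client uses
to decide the attachment's name and type."""
import csv
import io
from email.message import EmailMessage
from email.policy import default

# Constructed sample rows (not real events); the column names follow the
# IntelMQ field naming style but the values are made up.
SAMPLE_ROWS = [
    ("time.source", "source.ip", "classification.type"),
    ("2021-07-01T10:00:00+00:00", "192.0.2.10", "malware-distribution"),
    ("2021-07-01T10:05:00+00:00", "198.51.100.7", "scanner"),
]


def rows_to_csv(rows):
    """Serialise rows with the csv module so quoting and escaping are handled."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\r\n").writerows(rows)
    return buf.getvalue()


def build_mail(sender, recipient, subject, body_text, csv_text, filename="events.csv"):
    """Return an EmailMessage with a text/plain body and a text/csv attachment.

    filename=None reproduces the unlabelled case: the part is still marked
    Content-Disposition: attachment but carries no filename parameter, so
    the receiving client has to invent a name for it.
    """
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body_text)
    # subtype="csv" yields Content-Type: text/csv; filename= adds
    # Content-Disposition: attachment; filename="events.csv".
    msg.add_attachment(csv_text, subtype="csv", filename=filename)
    return msg


def describe_attachments(msg):
    """(filename, content type, disposition) for every attachment part."""
    return [
        (part.get_filename(), part.get_content_type(), part.get_content_disposition())
        for part in msg.iter_attachments()
    ]


def attachment_is_well_labelled(msg, expected_type="text/csv"):
    """True when every attachment has a filename and the expected content type."""
    described = describe_attachments(msg)
    return bool(described) and all(
        name is not None and ctype == expected_type and disp == "attachment"
        for name, ctype, disp in described
    )


if __name__ == "__main__":
    mail = build_mail("intelmq@example.org", "cert@example.org", "IntelMQ events",
                      "Events attached as CSV.", rows_to_csv(SAMPLE_ROWS))
    print(mail.as_string())
    print(describe_attachments(mail))
```

Running the block prints the raw message, so the `Content-Type` and `Content-Disposition` headers of the CSV part can be compared directly with what the bot actually emits; the `describe_attachments` output is the same check applied to a message received from the bot, if it is parsed with `email.message_from_bytes(..., policy=default)`.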
Hello everyone,
I wonder if there is a simple way to use a Deduplicator bot on an optional field. Indeed, I noticed that when I apply the deduplicator to an optional field, the null value must be entered in Redis, because all messages (except the first one) that do not contain the field are dropped.
Is there a workaround please?
I could work around this problem by adding two Sieve bots at the exit of the preceding bot that would skip the Deduplicator bot if the message doesn't have the field, but I don't find that to be optimal. Thus, I am open to any proposal that could help me.
Regards,
Guillaume GRANJON de LÉPINEY | ggranjon(a)excellium-services.be<mailto:ggranjon@excellium-services.be> | PGP Key ID: 0xE2FD5ED1<https://pgp.circl.lu/pks/lookup?search=0xE2FD5ED1&fingerprint=on&op=index>
CERT-XLM Incident Handler @ excellium-services.com<https://excellium-services.com/>
CERT-XLM | cert(a)excellium-services.com<mailto:cert@excellium-services.com> | PGP Key ID: 0xD74E5AC0<http://pgp.circl.lu/pks/lookup?op=vindex&fingerprint=on&search=0x67B311E5D7…>
Excellium Services Belgium N.V. | Orion Bldg, Belgicastraat 13, B-1930 Zaventem, Belgium
Mobile: +32 4 71 98 57 65
Emergency: +352 262 039 64 708 | emergency(a)excellium-services.com<mailto:emergency@excellium-services.com> | PGP Key ID: 0x42662EFE<https://excellium-services.com/assets/EMERGENCY_PKEY.asc>
This email is confidential and may contain legally privileged information. If you are not the intended recipient, you should not copy, distribute, disclose or use the information it contains, please e-mail the sender immediately and delete this message from your system. Note: e-mails are susceptible to corruption, interception and unauthorised amendment; we do not accept liability for any such changes, or for their consequences. You should be aware that we may monitor your e-mails and their content. Excellium Services SA.
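An added example for the deduplication question above (my own simplified model, not the code of IntelMQ's deduplicator expert): it hashes only the selected fields of each message and remembers the hash for a TTL, which is enough to reproduce the reported behaviour. When the selected field is optional, every message without it hashes to the same value, so only the first one gets through. The `skip_if_absent` switch is hypothetical and is not a parameter of the real bot; it is the in-bot equivalent of the Sieve-based bypass described in the mail. Messages and field values are constructed.

```python
"""Added example (not IntelMQ's deduplicator): a minimal model of hash-based
deduplication over a chosen set of fields, showing why keying on an optional
field drops every later message that lacks the field, and one way to skip
the check for such messages instead."""
import hashlib
import json


class Deduplicator:
    """Remember a hash of the selected fields for ttl_seconds; drop repeats.

    The `seen` dict stands in for the Redis key/TTL store. `skip_if_absent`
    is a hypothetical switch, not an option of the real bot.
    """

    def __init__(self, keys, ttl_seconds, skip_if_absent=False):
        self.keys = list(keys)
        self.ttl = ttl_seconds
        self.skip_if_absent = skip_if_absent
        self.seen = {}  # digest -> expiry timestamp

    def digest(self, message):
        """Hash only the selected fields; missing fields simply vanish,
        so two messages that both lack them hash identically."""
        subset = {k: message[k] for k in self.keys if k in message}
        raw = json.dumps(subset, sort_keys=True).encode("utf-8")
        return hashlib.sha256(raw).hexdigest(), bool(subset)

    def process(self, message, now):
        """Return 'forwarded', 'dropped' or 'forwarded-unchecked'."""
        digest, has_fields = self.digest(message)
        if not has_fields and self.skip_if_absent:
            # Nothing to compare on: pass through without touching the store.
            return "forwarded-unchecked"
        expiry = self.seen.get(digest)
        if expiry is not None and expiry > now:
            return "dropped"
        self.seen[digest] = now + self.ttl
        return "forwarded"


# Constructed messages (IntelMQ-style field names, made-up values).
SAMPLE_MESSAGES = [
    {"source.ip": "192.0.2.1", "source.fqdn": "a.example"},
    {"source.ip": "192.0.2.2"},                              # no fqdn
    {"source.ip": "192.0.2.3"},                              # no fqdn either
    {"source.ip": "192.0.2.4", "source.fqdn": "a.example"},  # genuine repeat
    {"source.ip": "192.0.2.5", "source.fqdn": "b.example"},
]


def run(messages, keys=("source.fqdn",), ttl_seconds=3600, skip_if_absent=False):
    """Feed the messages one second apart and collect the decisions."""
    dedup = Deduplicator(keys, ttl_seconds, skip_if_absent)
    return [dedup.process(m, now=i) for i, m in enumerate(messages)]


if __name__ == "__main__":
    print("keyed on optional field:", run(SAMPLE_MESSAGES))
    print("skipping when absent:   ", run(SAMPLE_MESSAGES, skip_if_absent=True))
```

The first run shows the third message being dropped although it shares nothing with the second one except the absence of `source.fqdn`; the second run forwards both while still dropping the genuine repeat of `a.example`. The TTL behaves the same way in both modes: once the stored hash expires, the next occurrence is forwarded again.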
Dear community,
The time has come and IntelMQ 3.0 is final! We, as a community, made loads of changes, smaller and bigger ones, and I really think that IntelMQ became more user-friendly, developer-friendly and feature-rich at the same time!
There are some major changes in this release, especially in the field of the configuration and the Internal Data Format (previously: "harmonization"). For the configuration part, the upgrade should be automatic with `intelmqctl upgrade-config` as usual. For the Data Format, carefully look at your bot configurations (filters, sieve, etc.) to update them. Adaptations in systems connected to IntelMQ, especially databases, might be necessary as well. The NEWS.md file gives a summary of what has changed:
https://github.com/certtools/intelmq/blob/maintenance/NEWS.md#user-content-…
We don't recommend upgrading existing production instances of IntelMQ yet. We of course did testing, including the end-to-end tests, and have detailed release notes. But for critical systems, a delayed upgrade makes sense ;)
Therefore the stable deb/rpm repositories don't contain the 3.0 release
yet! Even though an upgrade of production systems is not yet
recommended, extensive usage and testing of the new releases are very
much welcome and required to get the necessary feedback for the next
(maintenance) releases.
The releases are available via git, PyPI, Docker and the *unstable*
deb/rpm repositories.
Installation documentation:
https://intelmq.readthedocs.io/en/maintenance/user/installation.html
Upgrade documentation:
https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html
IntelMQ API documentation:
https://intelmq.readthedocs.io/en/maintenance/user/intelmq-api.html
IntelMQ Manager documentation:
https://intelmq.readthedocs.io/en/maintenance/user/intelmq-manager.html
NEWS/release notes of IntelMQ (Core):
https://github.com/certtools/intelmq/blob/maintenance/NEWS.md#user-content-…
Full Changelog of IntelMQ (Core):
https://github.com/certtools/intelmq/blob/maintenance/CHANGELOG.md#300-2021…
On a high level, these are the major changes compared to version 2.3.x
(2.3.3 was released 2021-05-31):
In the core and Docker:
* Configuration rewrite including parameter loading and handling
(IEP01), plus the required adoption of the API and Manager, by
Birger Schacht (CERT.at).
* Classification sync with RSIT, by Sebastian Wagner (CERT.at).
* Removal of the BOTS file, by Sebastian Waldbauer (CERT.at).
* Creation and maintenance of the Docker images by Sebastian Waldbauer
(CERT.at).
* Creation of Docker-instructions for development setups by Einar
Lanfranco and Jeremias Pretto (CERT-UNLP cert.unlp.edu.ar).
New and majorly enhanced bots:
* Added `intelmq.bots.collectors.fireeye`: A bot that collects indicators from Fireeye MAS appliances (PR#1745 by Christopher Schappelwein).
* `intelmq.bots.collectors.api.collector_api`: Added UNIX socket capability (PR#1987 by Mikk Margus Möll, fixes #1986).
* Added `intelmq.bots.parsers.fireeye`: A bot that parses hashes and URLs from Fireeye MAS indicators (PR#1745 by Christopher Schappelwein).
* Added `intelmq.bots.experts.http.expert_status`: A bot that fetches the HTTP status for a given URI and adds it to the message (PR#1789 by Birger Schacht, fixes #1047 partly).
* Added `intelmq.bots.experts.http.expert_content`: A bot that fetches an HTTP resource and checks if it contains a specific string (PR#1811 by Birger Schacht).
* Added `intelmq.bots.experts.lookyloo.expert`: A bot that sends requests to a lookyloo instance and adds `screenshot_url` to the event (PR#1844 by Sebastian Waldbauer, fixes #1048).
* Added `intelmq.bots.experts.rdap.expert`: A bot that queries the RDAP protocol for an abuse contact for a given domain (PR#1881 by Sebastian Waldbauer and Sebastian Wagner).
* `intelmq.bots.experts.sieve.expert`: Major refactoring and lots of new functionality: new operators for working with various types (lists, sets, booleans, float, int), generic rule negation and nesting (PR#1895 by Mikk Margus Möll).
* Added `intelmq.bots.experts.uwhoisd`: A bot that fetches the whois entry from a uwhois instance (PR#1918 by Raphaël Vinot).
* Added `intelmq.bots.experts.aggregate`: A bot that aggregates events based upon given fields and a timespan (PR#1959 by Sebastian Waldbauer).
* Added `intelmq.bots.experts.tuency`: A bot that queries the IntelMQ API of a tuency instance (PR#1857 by Sebastian Wagner, fixes #1856).
* Added `intelmq.bots.outputs.templated_smtp` (PR#1901 by Karl-Johan Karlsson).
On the documentation front, these are the most important changes:
* License and copyright information was added to all the bots (by
Birger Schacht).
* Added documentation on the EventDB (PR#1955 by Birger Schacht,
PR#1985 by Sebastian Wagner).
* Added TimescaleDB for time-series documentation (PR#1990 by
Sebastian Waldbauer).
* n6 interoperability documentation: Adding more graphs and
illustrations (PR#1991 by Sebastian Wagner).
* Added documentation on abuse-contact look-ups (PR#2021 by Sebastian
Waldbauer and Sebastian Wagner).
And not to forget all the smaller changes and additions.
Thanks to (in random order):
Raphaël Vinot (circl.lu)
Bernhard Reiter (intevation.de)
Sebastian Wagner (CERT.AT)
Filip Pokorný (CSIRT.CZ)
Guillaume GRANJON de LÉPINEY (CERT XLM excellium-services.com)
Mikk Margus Möll (CERT.ee)
Alex Kaplan
Thomas Hungenberg (CERT-BUND.DE)
Einar Lanfranco (CERT-UNLP cert.unlp.edu.ar)
Christopher Schappelwein (milCERT, BMLV.gv.at)
Marcos Gonzalez (CSIRT-RD cncs.gob.do/csirt-rd/)
Marius Karotkis (NRDCS.LT)
Sebastian Waldbauer (CERT.AT)
Jeremias Pretto (CERT-UNLP cert.unlp.edu.ar)
Karl-Johan Karlsson (Linköping University LIU.SE)
Birger Schacht (CERT.AT)
... and all the contributors of previous releases, and also to all reporters, supporters, etc!
best regards
Sebastian
--
// Sebastian Wagner <wagner(a)cert.at> - T: +43 676 898 298 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg