- IntelMQ-users

IntelMQ Docker Image (beta)
by Sebastian Waldbauer 15 Jan '21

15 Jan '21

====== IntelMQ Docker Image *(beta)* ====== *CAUTION* Please do not use this image in production yet! ===== Introduction ===== We are constantly trying to make the installation of IntelMQ easier for a wider user-base. Therefore we are currently working on an IntelMQ container[^1]. Because of the early stage, input from you is highly appreciated. We are currently targeting Docker Engine 18.x and higher. [^1] https://www.docker.com/resources/what-container ===== Current implementation ===== TL;DR: The image is a beta test, docker containers runs isolated, worth to test! *ATTENTION* The image provided is not fully Docker compliant. We are releasing the image to collect feedback and gather information for future improvements. The container should be considered as a beta version. There will likely be breaking changes in future versions of the container. The image is available on Dockerhub[^4]. You can find documentation on how to install and run the container in the IntelMQ documentation [^doc] The container comes preinstalled with IntelMQ Manager[^3], which will be the only way to control the IntelMQ installation in the container. You can't use `intelmqctl` outside the container to control IntelMQ in the container. At the moment, the image is shipped with the development version of IntelMQ[^2] and the last stable version 2.2.1 IntelMQ Manager[^3]. This means that the new IntelMQ API is //not// yet part of the Docker image. You can check the current included versions by using ```docker inspect --format '{{ index .Config.Labels "org.label-schema.vcs-ref"}}' certat/intelmq-full:1.0``` Build steps and deployment information is provided in IntelMQ Docker[^5] Repository. [^2] https://github.com/certtools/intelmq/ [^3] https://github.com/certtools/intelmq-manager [^4] https://hub.docker.com/repository/docker/certat/intelmq-full/general [^5] https://github.com/certat/intelmq-docker [^doc]: https://intelmq.readthedocs.io/en/latest/user/installation.html -- // Sebastian Waldbauer <waldbauer(a)cert.at> - T: +43 1 5056416 7202 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

2 1

IntelMQ 2.2.3 Christmas release
by Sebastian Wagner 23 Dec '20

23 Dec '20

Merry Christmas, dear community :) More or less last minute I decided to do a bugfix release before the holidays *really* start, because we already collected some fixed in the last weeks/months. There a no spectacular changes in this minor release, but the upcoming 2.3.0 will have some major changes for the IntelMQ Manager backend / the new IntelMQ API and the deprecation of Python 3.5. Installation documentation: https://github.com/certtools/intelmq/blob/2.2.3/docs/INSTALL.md Upgrade documentation: https://github.com/certtools/intelmq/blob/2.2.3/docs/UPGRADING.md The deb/rpm packages will be available in the repositories in the next few hours. The NEWS: ### Harmonization A bug in the taxonomy expert did set the Taxonomy for the type `scanning` to `information gathering` whereas for the type `sniffing` and `social-engineering`, the taxonomy was correctly set to `information-gathering`. This inconsistency for the taxonomy `information-gathering` is now fixed, but the data eventually needs to fixed in data output (databases) as well. There are still some inconsistencies in the naming of the classification taxonomies and types, more fixes will come in version 3.0.0. See [issue #1409](https://github.com/certtools/intelmq/issues/1409). ### Postgres databases The following statements optionally update existing data. Please check if you did use these feed names and eventually adapt them for your setup! ```SQL UPDATE events SET "classification.taxonomy" = 'information-gathering' WHERE "classification.taxonomy" = 'information gathering'; ``` The full CHANGELOG: ### Documentation - Bots/Sieve expert: Add information about parenthesis in if-expressions (#1681, PR#1687 by Birger Schacht). ### Harmonization - See NEWS.md for information on a fixed bug in the taxonomy expert. ### Bots #### Collectors - `intelmq.bots.rt.collector_rt`: Log the size of the downloaded file in bytes on debug logging level. #### Parsers - `intelmq.bots.parsers.cymru.parser_cap_program`: - Add support for protocols 47 (GRE) and 59 (IPv6-NoNxt). - Add support for field `additional_asns` in optional information column. - `intelmq.bots.parsers.microsoft.parser_ctip`: - Fix mapping of `DestinationIpInfo.DestinationIpConnectionType` field (contained a typo). - Explicitly ignore field `DestinationIpInfo.DestinationIpv4Int` as the data is already in another field. - `intelmq.bots.parsers.generic.parser_csv`: - Ignore line having spaces or tabs only or comment having leading tabs or spaces (PR#1669 by Brajneesh). - Data fields containing `-` are now ignored and do not raise an exception anymore (#1651, PR#74 by Sebastian Waldbauer). #### Experts - `intelmq.bots.experts.taxonomy.expert`: Map type `scanner` to `information-gathering` instead of `information gathering`. See NEWS file for more information. ### Tests - Travis: Deactivate tests with optional requirements on Python 3.5, as the build fails because of abusix/querycontacts version conflicts on dnspython. ### Known issues - Bots started with IntelMQ-Manager stop when the webserver is restarted. (#952). - Corrupt dump files when interrupted during writing (#870). -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

rpm Packages for CentOS8
by Sebastian Wagner 10 Dec '20

10 Dec '20

Dear community, I finally managed to build the IntelMQ packages for CentOS 8. The separation into multiple repositories and modules caused some headaches. You can find the updated installation instructions at https://intelmq.readthedocs.io/en/latest/user/installation.html Please report any feedback or bugs here or at https://github.com/certtools/intelmq/issues best regards Sebastian -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

IntelMQ 3.0, leaving CERT.at and the future of IntelMQ
by L. Aaron Kaplan 15 Nov '20

15 Nov '20

Dear incident handling automation tools list, dear IntelMQ folks, First of all, after extensive feedback from many of you, we do have a high level requirements document for IntelMQ 3.0. It's here: https://github.com/certtools/intelmq/blob/version-3.0-ideas/docs/architectu… This shall serve as a high level blueprint for IntelMQ 3.0 developments. Sebastian is working on prioritising individual items for CERT.at and then we will create individual GitHub issues and people (mostly at CERT.at) will be hacking away at it. Looking forward to this release. I'll be guiding this release however, I won't be working at CERT.at anymore starting on the 15th of Nov. Which brings me to an important conclusion: I thought long about it what we should do when core people leave CERT.at (as in my case, or... maybe Sebastian will leave one day or get run over by the famous bus which always seems to run over every team member according to manager's expectations ;-) ) In any case, the most solid approach seems to remember what IntelMQ actually is - a **community project**. It started as one, it is one , it will be one. In the last years, CERT.at did a lot of the heavy lifting and also a lot of the decisions on IntelMQ's future. However, with a couple of hundred (600?) installations worldwide, it would be wise to create an **advisory board/architecture board** for the future developments. I would envision a small-ish group of 4-8 people who take the responsibility of guiding the project for the next ~5 years. This means: - staying on top of current developments - coordinating with the other group members - coming up with a strategy and procedures (for example, compare with PEP, maybe a lightweight PEP approach is enough) etc. - ultimately, guiding the project It's work, for sure. You should have some passion for the project of course. I sent out a couple of invite requests to individuals but also would be interested to hear from you, if you would like to participate in such an effort. Hence, IntelMQ will become its own entity. And that's good, healthy and ensures a maximum benefit for many users. If you would like to be on that board, please send me an email. I'll guide it initially and get everything started. All the best, Aaron Kaplan (private email address for the future: aaron(a)lo-res.org) PS: we already have one or two companies offering development support for IntelMQ, I would like that they can thrive in this project as well - on a friendly basis. In the long run, this will make the project stronger. -- // L. Aaron Kaplan <kaplan(a)cert.at> - T: +43 1 5056416 78 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - http://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

IntelMQ Tutorial and a new documentation page
by Sebastian Wagner 09 Nov '20

09 Nov '20

Dear community, I have two news items for you, both related to documentation: First, there is an IntelMQ Tutorial, which guides through various features and tools of IntelMQ. Lesson one introduces the architecture, concepts and terminology of the project. Lessons two and three delve hands-on into working with IntelMQ. Starting with installation and basic usage & configuration they go on to tackle progressively more advanced topics like using advanced features or changing the message queue software to be used. Solutions and explanations are offered for all tasks. In the last lesson you'll learn how to use intelmq-tools, a third-party software which makes customization of your IntelMQ instance much easier. We think that this kind of interactive online documentation is especially important nowadays when conferences and workshops cannot take place in real life. As for all other IntelMQ components, we welcome any contributions and feedback to the tutorial. -> https://github.com/certtools/intelmq-tutorial Second, we have a new IntelMQ Documentation page: We completely revised the way IntelMQ's documentation is presented: Instead of single files in the source-code repository, the best place to read the documentation is now intelmq.readthedocs.io. All pages are generated using Sphinx, the de facto standard tool for documentation. It features a better reading experience and a significantly improved navigation. Furthermore, the new page offers an integrated search as well as module index covering the complete code documentation If you find any bugs or have improvements, please let us know! -> https://intelmq.readthedocs.io/ best regards Sebastian -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

2 1

IntelMQ release 2.2.2
by Sebastian Wagner 28 Oct '20

28 Oct '20

Dear community, It's again long overdue for a new release and here it is finally. Since August we collected quite a few bugfixes - Thanks to all contributors! IntelMQ Installation documentation: https://github.com/certtools/intelmq/blob/2.2.2/docs/INSTALL.md IntelMQ Upgrade documentation: https://github.com/certtools/intelmq/blob/2.2.2/docs/UPGRADING.md *News for IntelMQ 2.2.2* ### Bots #### Cymru Whois Lookup The cache key calculation has been fixed. It previously led to duplicate keys for different IP addresses and therefore wrong results in rare cases. The cache key calculation is intentionally not backwards-compatible. Therefore, this bot may take longer processing events than usual after applying this update. More details can be found in [issue #1592](https://github.com/certtools/intelmq/issues/1592). ### Harmonization #### Shadowserver Feed/Parser The feed "Blacklisted-IP" has been renamed by ShadowServer to "Blocklist". In IntelMQ, the old name can still be used in IntelMQ until version 3.0. *Changes for IntelMQ 2.2.2* ### Core - `intelmq.lib.upgrades`: - Add upgrade function for renamed Shadowserver feed name "Blacklisted-IP"/"Blocklist". ### Bots #### Parsers - `intelmq.bots.parsers.shadowserver`: - Rename "Blacklisted-IP" feed to "Blocklist", old name is still valid until IntelMQ version 3.0 (PR#1588 by Thomas Hungenberg). - Added support for the feeds `Accessible Radmin` and `CAIDA IP Spoofer` (PR#1600 by sinus-x). - `intelmq.bots.parsers.anubisnetworks.parser`: Fix parsing error where `dst.ip` was not equal to `comm.http.host`. - `intelmq/bots/parsers/danger_rulez/parser`: correctly skip malformed rows by defining variables before referencing (PR#1601 by Tomas Bellus). - `intelmq.bots.parsers.misp.parser: Fix MISP Event URL (#1619, PR#1618 by Nedfire23). - `intelmq.bots.parsers.microsoft.parser_ctip`: - Add support for `DestinationIpInfo.*` and `Signatures.Sha256` fields, used by the `ctip-c2` feed (PR#1623 by Mikk Margus Möll). - Use `extra.payload.text` for the feed's field `Payload` if the content cannot be decoded (PR#1610 by Giedrius Ramas). #### Experts - `intelmq.bots.experts.cymru_whois`: - Fix cache key calculation which previously led to duplicate keys and therefore wrong results in rare cases. The cache key calculation is intentionally not backwards-compatible (#1592, PR#1606). - The bot now caches and logs (as level INFO) empty responses from Cymru (PR#1606). ### Documentation - README: - Add Core Infrastructure Initiative Best Practices Badge. - Bots: - Generic CSV Parser: Add note on escaping backslashes (#1579). - Remove section of non-existing "Copy Extra" Bot. - Explain taxonomy expert. - Add documentation on n6 parser. - Gethostbyname expert: Add documentation how errors are treated. - Feeds: - Fixed bot modules of Calidog CertStream feed. - Add information on Microsoft CTIP C2 feed. ### Packaging - In Debian packages, `intelmqctl check` and `intelmqctl upgrade-config` are executed in the postinst step (#1551, PR#1624 by Birger Schacht). ### Tests - `intelmq.tests.lib.test_pipeline`: Skip `TestAmqp.test_acknowledge` on Travis with Python 3.8. - `intelmq.tests.bots.outputs.elasticsearch.test_output`: Refresh index `intelmq` manually to fix random test failures (#1593, PR#1595 by Zach Stone). ### Tools - `intelmqctl check`: - For disabled bots which do not have any pipeline connections, do not raise an error, but only warning. - Fix check on source/destination queues for bots as well the orphaned queues. ### Contrib - Bash completion scripts: Check both `/opt/intelmq/` as well as LSB-paths (`/etc/intelmq/` and `/var/log/intelmq/`) for loading bot information (#1561, PR#1628 by Birger Schacht). ### Known issues - Bots started with IntelMQ-Manager stop when the webserver is restarted. (#952). - Corrupt dump files when interrupted during writing (#870). -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

Do you use the XMPP Bots?
by Sebastian Wagner 06 Oct '20

06 Oct '20

Dear community, We have a simple question: Are you using the XMPP Collector or Output? Please respond to me directly or the list, thanks. And if you are, I'm also interested in what are you using it for. This question came up as my colleague noticed that the bot is using a deprecated library for XMPP communication (sleekxmpp), see https://github.com/certtools/intelmq/issues/1614 In case the bot is needed, some effort needs to be put into the code, in order to make it compatible with the successor library. best regards Sebastian -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

MISP feed output bot usage
by Marius Urkis 04 Sep '20

04 Sep '20

Hello IntelMQ users, Trying to figure out how to use MISP feed output bot, could someone advise. MISP creates new event once per period (per hour, or per day), and that makes MISP doing correlation between these events created previously. And actually that results correlation table grows exponentially. Am I doing something wrong on IntelMQ side or MISP? At IntelMQ I configure bot to make one event per day (actually containing ~1500 events in resulting json file). At the MISP side I have MISP feed format feed. Best regards -- Marius Urkis

3 2

IntelMQ & IntelMQ Manager releases 2.2.1
by Sebastian Wagner 30 Jul '20

30 Jul '20

Dear community, Today we have again a twin release 2.2.1 for both IntelMQ as well as IntelMQ Manager. This IntelMQ Manager version requires IntelMQ >= 2.2.1. There are currently issues with the signature in the package repositories for Debian/Ubuntu. I hope to get them resolved soon. IntelMQ Installation documentation: https://github.com/certtools/intelmq/blob/2.2.1/docs/INSTALL.md IntelMQ Upgrade documentation: https://github.com/certtools/intelmq/blob/2.2.1/docs/UPGRADING.md IntelMQ Manager Installation instructions: https://github.com/certtools/intelmq-manager/blob/2.2.1/docs/INSTALL.md *The changelog for IntelMQ Manager:* ### Backend - Fix loading paths from `intelmqctl` executable (PR #205 by Einar Felipe Lanfranco). ### Documentation - User Guide: - Add section on configuration paths. - Add section on named queues / paths. - Readme: - Update screenshots (#201, PR#207 by Mladen Markovic). ### Known issues * Graph jumps around on "Add edge" (#148). * wrong error message for new bots with existing ID (#152). * Monitor page: Automatic log refresh reset log page to first one (#190). *The News for IntelMQ:* ### Requirements #### MaxMind GeoIP Expert Bot The current python library versions of geoip (version 4) and maxminddb (version 2) no longer support Python 3.5. Keep older versions of these libraries if you are using this Python version. ### Configuration #### Abuse.ch URLHaus The current documented value for the `column` parameter was: ```json ['time.source', 'source.url', 'status', 'extra.urlhaus.threat_type', 'source.fqdn', 'source.ip', 'source.asn', 'source.geolocation.cc'] ``` Better is: ```json ['time.source', 'source.url', 'status', 'classification.type|__IGNORE__', 'source.fqdn|__IGNORE__', 'source.ip', 'source.asn', 'source.geolocation.cc'] ``` *And the changelog for IntelMQ:* ### Core - `intelmq.lib.upgrades`: - Add upgrade function for changed configuration of the feed "Abuse.ch URLHaus" (#1571, PR#1572 by Filip Pokorný). - Add upgrade function for removal of *HPHosts Hosts file* feed and `intelmq.bots.parsers.hphosts` parser (#1559). - `intelmq.lib.harmonization`: - For IP Addresses, explicitly reject IPv6 addresses with scope ID (due to changed behavior in Python 3.9, #1550). ### Development - Ignore line length (E501) in code-style checks altogether. ### Bots #### Collectors - `intelmq.bots.collectors.misp`: Fix access to actual MISP object (PR#1548 by Tomas Bellus @tomas321) - `intelmq.bots.collectors.stomp`: Remove empty `client.pem` file. #### Parsers - `intelmq.bots.parsers.shadowserver.config`: - Add support for Accessible-CoAP feed (PR #1555 by Thomas Hungenberg). - Add support for Accessible-ARD feed (PR #1584 by Tomas Bellus @tomas321). - `intelmq.bots.parser.anubisnetworks.parser`: Ignore "TestSinkholingLoss" events, these are not intended to be sent out at all. - `intelmq.bots.parsers.generic.parser_csv`: Allow values of type dictionary for parameter `type_translation`. - `intelmq.bots.parsers.hphosts`: Removed, feed is unavailable (#1559). - `intelmq.bots.parsers.cymru.parser_cap_program`: Add support for comment "username" for "scanner" category. - `intelmq.bots.parsers.malwareurl.parser`: Check for valid FQDN and IP address in URL and IP address columns (PR#1585 by Marius Urkis). #### Experts - `intelmq.bots.experts.maxmind_geoip`: On Python < 3.6, require maxminddb < 2, as that version does no longer support Python 3.5. #### Outputs - `intelmq.bot.outputs.udp`: Fix error handling on sending, had a bug itself. ### Documentation - Feeds: - Update documentation of feed "Abuse.ch URLHaus" (#1571, PR#1572 by Filip Pokorný). - Bots: - Overhaul of all bots' description fields (#1570). - User-Guide: - Overhaul pipeline configuration section and explain named queues better (#1577). ### Tests - `intelmq.tests.bots.experts.cymru`: Adapt `test_empty_result`, remove `test_unicode_as_name` and `test_country_question_mark` (#1576). ### Tools - `intelmq.bin.intelmq_gen_docs`: Format parameters of types lists with double quotes around values to produce conform JSON, ready to copy and paste the value into the IntelMQ Manager's bot parameter form. - `intelmq.bin.intelmqctl`: - `debug`: In JSON mode, use dictionaries instead of lists. - `debug`: Add `PATH` to the paths shown. - `check`: Show `$PATH` environment variable if executable cannot be found. ### Contrib - `malware_name_mapping`: Change MISP Threat Actors URL to new URL (branch master -> main) in download script. ### Known issues - Bots started with IntelMQ-Manager stop when the webserver is restarted. (#952). - Corrupt dump files when interrupted during writing (#870). - Bash completion scripts search in wrong directory in packages (#1561). - Cymru Expert: Wrong Cache-Key Calculation (#1592). -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

2.2.0 Packages are now available in the repositories
by Sebastian Wagner 24 Jun '20

24 Jun '20

Hi, The packages for the 2.2.0 versions of IntelMQ and IntelMQ Manager are now available in the repositories, you can use the package management of your operating system to update your IntelMQ instance. Any feedback on the packages is as always appreciated. I also updated and cleaned up the supported operating systems / version by removing those which are End of Life and added a few new versions. I am still struggling with CentOS 8. best regards Sebastian -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

IntelMQ-users