- IntelMQ-users

reverse_dns-expert exception InvalidValue
by Tomislav Protega 02 Jul '18

02 Jul '18

Hi, here's another exception I ran into. If Reverse DNS expert bot runs into IP address which doesn't have DNS PTR record in fqdn form, then it gives exception. In attachment are logs. Example: There are cases when DNS gives two records for PTR. $ nslookup 5.157.80.221 Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: 221.80.157.5.in-addr.arpa name = 5.157.80.221. 221.80.157.5.in-addr.arpa name = aliancys.peopleinc.nl. -------------------------------------------------------- $ nslookup 121.201.38.118 Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: 118.38.201.121.in-addr.arpa name = 121.201.38.118. Regards, -- Tomislav

2 1

Question on Intelmq
by LIMITHA THOMAS 28 Jun '18

28 Jun '18

Hi , Can I integrate Intelmq with Sumologic to feed in data ? If yes , how do I do it? Thanks and regards, Limitha

2 1

intelmq 1.0.5 released
by Sebastian Wagner 22 Jun '18

22 Jun '18

Dear community, I just released the next maintenance release 1.0.5 for the 1.0.x series and it could be the last one. I will also release a RC for 1.1.0 very soon. The pre-build deb and rpm packages will be available soon (in some hours). Installation instructions: https://github.com/certtools/intelmq/blob/1.0.5/docs/INSTALL.md Upgrade instructions: https://github.com/certtools/intelmq/blob/1.0.5/docs/UPGRADING.md This is the changelog: # Core - `lib/message`: `Report()` can now create a Report instance from Event instances (#1225). - `lib/bot`: * The first word in the log line `Processed ... messages since last logging.` is now adaptible and set to `Forwarded` in the existing filtering bots (#1237). * Kills oneself again after proper shutdown if the bot is XMPP collector or output (#970). Previously these two bots needed two stop commands to get actually stopped. - `lib/utils`: log: set the name of the `py.warnings` logger to the bot name (#1184). # Bots ## Collectors - `bots.collectors.mail.collector_mail_url`: handle empty downloaded reports (#988). - `bots.collectos.file.collector_file`: handle empty files (#1244). ## Parsers - Shadowserver parser: * SSL FREAK: Remove optional column `device_serial` and add several new ones. * Fixed HTTP URL parsing for multiple feeds (#1243). - Spamhaus CERT parser: * add support for `smtpauth`, `l_spamlink`, `pop`, `imap`, `rdp`, `smb`, `iotscan`, `proxyget`, `iotmicrosoftds`, `automatedtest`, `ioturl`, `iotmirai`, `iotcmd`, `iotlogin` and `iotuser` (#1254). * fix `extra.destination.local_port` -> `extra.source.local_port`. ## Experts - `bots.experts.filter`: Pre-compile regex at bot initialization. # Tests - Ensure that the bots did process all messages (#291). # Tools - `intelmqctl`: * `intelmqctl run` has a new parameter `-l` `--loglevel` to overwrite the log level for the run (#1075). * `intelmqctl run [bot-id] mesage send` can now send report messages (#1077). - `intelmqdump`: * has now command completion for bot names, actions and queue names in interacive console. * automatically converts messages from events to reports if the queue the message is being restored to is the source queue of a parser (#1225). * is now capable to read messages in dumps that are dictionaries as opposed to serialized dicts as strings and does not convert them in the show command (#1256). * truncated messages are no longer used/saved to the file after being shown (#1255). * now again denies recovery of dumps if the corresponding bot is running. The check was broken (#1258). * now sorts the dump by the time of the dump. Previously, the list was in random order (#1020). # Known issues no known issues Sebastian -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

IntelMQ 1.0.5 release schedule
by Chris Horsley 14 Jun '18

14 Jun '18

Hi, There's currently a few very nice features and bots in the develop branch we'd like to use, and we're trying to work out our local upgrade schedule. Is there any current ballpark date anticipated for the official 1.0.5 release? Many thanks, Chris ----- Chris Horsley CSIRT Foundry http://csirtfoundry.com chris.horsley(a)csirtfoundry.com +61 402 646 653 Skype: chrishorsley

2 2

New OS versions as build targets for native packages
by Sebastian Wagner 07 May '18

07 May '18

Hi all, Some of the recent changes of the build targets for deb/rpm packages: New targets: * Ubuntu 18.04 * Fedora 27 * openSUSE Leap 15.0 Removed targets: * Ubuntu 17.04/17.10 * Fedora 25 * openSUSE 42.2 So this is the full list of supported OSs for native packages currently: * CentOS 7 * RHEL 7 * Debian 8 and 9 * Fedora 26, 27, 28 and Rawhide * openSUSE Leap 42.3, 15.0 and Tumbleweed * Ubuntu 16.04, 17.10 and 18.04 The unstable repository additionally has: * Debian Testing * Fedora Rawhide Docs are here: https://github.com/certtools/intelmq/blob/maintenance/docs/INSTALL.md#nativ… Please let me know your feedback any time! Sebastian -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

intelmq-manager release 1.0.0 & 1.0.1
by Sebastian Wagner 23 Apr '18

23 Apr '18

Dear community, I just released a new stable release 1.0.0 and maintenance release 1.0.1 of intelmq-manager. Thanks to Edvard Reijthar, the project is very active again and many changes can be expected for the next versions too! Version 1.0.0 fixes some bugs and adds an interface for `intelmqctl check`. 1.0.1 fixes the version number in the code (shown in the about page). Installation instructions: https://github.com/certtools/intelmq-manager/blob/1.0.1/docs/INSTALL.md The version is compatible with intelmq >= 1.0.3 Combined changelog: ### Backend * Set content type correctly for JSON data in configuration loading (#112) * Fix version number. ### Pages * All pages are now deliverd by php, reducing the amount of duplicate code drastically. #### Landing page * Added a new block for the new check page, changed the formatting a bit. #### Configuration * Fixed handling of special parameter `run_mode` (#150) * Intelmqctl controller may be set via an env variable `INTELMQ_MANGER_CONTROLER_CMD` #### Check * Added, showing the output of `intelmqctl check` (#118). ### Documentation * Note on header Content-Security-Policy (#113) * Note on security considerations in Readme to avoid misunderstandings * Remove compatibility warning from README ### Third-party libraries * reverted update jQuery to 3.2.1 * reverted update metisMenu to 2.7.0 ### Licenses * Licenses of used and included software is now inventarized and properly declared in LICENSES/ (#134) ### Packaging * fix packaging of positions.conf file for deb-packages (#133). ### Known issues * Missing CSRF protection (#111). * Missing copyright notices (#140). * Graph jumps around on "Add edge" bug component (#148). * new runtime parameters with _ not possible (#153). * wrong error message for new bots with existing ID (#152). Sebastian -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

intelmq release 1.0.4
by Sebastian Wagner 20 Apr '18

20 Apr '18

Dear community, I just released a new maintenance release 1.0.4 of intelmq. It only fixes bugs in the 1.0.x series and may be the last version of the 1.0.x series. Installation instructions: https://github.com/certtools/intelmq/blob/1.0.4/docs/INSTALL.md Upgrade instructions: https://github.com/certtools/intelmq/blob/1.0.4/docs/UPGRADING.md The changes are: - make code style compatible to pycodestyle 2.4.0 - fixed permissions of some files (they were executable but shouldn't be) ### Core - lib/harmonization: * FQDN validation now handles None correctly (raised an Exception). * Fixed several sanitize() methods, the generic sanitation method were called by is_valid, not the sanitize methods (#1219). ### Harmonization ### Bots * Use the new pypi website at https://pypi.org/ everywhere. #### Parsers - Shadowserver parser: * The fields `url` and `http_url` now handle HTTP URL paths and HTTP requests for all feeds (#1204). * The conversion function `validate_fqdn` now handles empty strings correctly. * Feed 'drone (hadoop)': * Correct validation of field `cc_dns`, will now only be added as `destination.fqdn` if correct FQDN, otherwise ignored. Previously this field could be saved in extra containing an IP address. * Adding more mappings for added columns. * A lot of newly added fields and fixed conversions. * Add newly added columns of `Ssl-Scan` feed to parser - Spamhaus CERT parser: * fix parsing and classification for bot names 'openrelay', 'iotrdp', 'sshauth', 'telnetauth', 'iotcmd', 'iotuser', 'wpscanner', 'w_wplogin', 'iotscan' see the NEWS file - Postgresql section - for all changes. - CleanMX phishing parser: handle FQDNs in IP column (#1162). #### Experts - `bots.experts.ripencc_abuse_contact`: Add existing parameter `mode` to BOTS file. ### Tools - intelmqctl check: Fixed and extended message for 'run_mode' check. - `intelmqctl start` botnet. When using `--type json`, no non-json information about wrong bots are output because that would confuse eg. intelmq-manager ### Tests - lib/bot: No dumps will be written during tests (#934). - lib/test: Expand regular expression on python version to match pre-releases (debian testing). ### Packaging * Static data is now included in source tarballs, development files are excluded Sebastian -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

IntelMQ 1.0.3 released
by Sebastian Wagner 05 Feb '18

05 Feb '18

Dear community I have just release a new bugfix release of IntelMQ. Installation instructions: https://github.com/certtools/intelmq/blob/1.0.3/docs/INSTALL.md Upgrade instructions: https://github.com/certtools/intelmq/blob/1.0.3/docs/UPGRADING.md The released is published on PyPI, Github and the OpenBuildService (for rpm/deb packages). If you installed intelmq with a package manager, the new released will be installed automatically. Full changelog: ### Contrib * logrotate: use sudo for postrotate script * cron-jobs: use the scripts in the bots' directories and link them (#1056, #1142) ### Core - `lib.harmonization`: Handle idna encoding error in FQDN sanitation (#1175, #1176). - `lib.bot`: - Bots stop when redis gives the error "OOM command not allowed when used memory > 'maxmemory'." (#1138). - warnings of bots are catched by the logger (#1074, #1113). - Fixed exitcodes 0 for graceful shutdowns . - better handling of problems with pipeline and especially it's initialization (#1178). - All parsers using `ParserBot`'s methods now log the sum of successfully parsed and failed lines at the end of each run (#1161). ### Harmonization - Rule for harmonization keys is enforced (#1104, #1141). - New allowed values for `classification.type`: `tor` & `leak` (see n6 parser below ). ### Bots #### Collectors - `bots.collectors.mail.collector_mail_attach`: Support attachment file parsing for imbox versions newer than 0.9.5 (#1134). - `bots.outputs.smtp.output`: Fix STARTTLS, threw an exception (#1152, #1153). #### Parsers - All CSV parsers ignore NULL-bytes now, because the csv-library cannot handle it (#967, #1114). - `bots.experts.modify` default ruleset: changed conficker rule to catch more spellings. - `bots.parsers.shadowserver.parser`: Add Accessible Cisco Smart Install (#1122). - `bots.parsers.cleanmx.parser`: Handle new columns `first` and `last`, rewritten for XML feed. See NEWS.md for upgrade instructions (#1131, #1136, #1163). - `bots.parsers.n6.parser`: Fix classification mappings. See NEWS file for changes values (#738, #1127). ### Documentation - `Release.md` add release procedure documentation - `Bots.md`: fix example configuration for modify expert ### Tools - intelmqctl now exits with exit codes > 0 when errors happened or the operation was not successful. Also, the status operation exits with 1, if bots are stopped, but enabled. (#977, #1143) - `intelmctl check` checks for valid `run_mode` in runtime configuration (#1140). ### Tests - `tests.lib.test_pipeline`: Redis tests clear all queues before and after tests (#1086). - Repaired debian package build on travis (#1169). - Warnings are not allowed by default, an allowed count can be specified (#1129). - `tests.bots.experts.cymru_whois/abusix`: Skipped on travis because of ongoing problems. ### Packaging * cron jobs: fix paths of executables ### Known issues - `bots.collectors/outputs.xmpp` must be killed two times (#970). - When running bots with `intelmqctl run [bot-id]` the log level is always INFO (#1075). - `intelmqctl run [bot-id] message send [msg]` does only support Events, not Reports (#1077). - `python3 setup.py sdist` does not include static files in the resulting tarballs (#1146). - `bots.parsers.cleanmx.parser`: The cleanMX feed may have FQDNs as IPs in rare cases, such lines are dumped (#1162). Sebastian -- // Sebastian Wagner <wagner(a)cert.at> - T: +43 1 5056416 7201 // CERT Austria - https://www.cert.at/ // Eine Initiative der nic.at GmbH - https://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg

1 0

New Bots Development Workflow
by Leandro Velasco 18 Jan '18

18 Jan '18

Hello everybody, I have not much experience with intelmq nor python packages managments so while while implementing a couple of new bots, I have experienced the following issues: 1- According to the documentation the best way to proceed is to clone the repo and install intelmq via “pip3 install -e .”. The issue here is that it needs to be done from root, otherwise the install fails. However once it is installed the user intelmq cannot see the intelmq installation (pip3 list) since it is only installed for root. 2- If I Install from pip3 directly (not using a local repo) intelmq works just fine but then, new bot creation fails since according to the documentation new bots needs to be generated reinstalling intelmq. Trying to manually generate the binaries for the bots is not recommended according to previous emails (in the archive). 3- Using virtual env allowed me to install intelmq as recommended for developers (“pip3 install -e .”.) and new bots are generated appropriately . However, some issues appear with the pipeline connection and nowhere in the documentation it is suggested. My question then is, what is the recommended and verified way of implementing new bots for intelmq? Starting from the installation of intelmq to testing the new bots. My environment: VM with Ubuntu 16.04 Thanks in advance for your time! Best regards, Leandro Velasco --- Rijnland 4c 1948 RL Beverwijk Leandro.Velasco(a)dearbytes.nl<mailto:Leandro.Velasco@dearbytes.nl> www.dearbytes.nl<http://www.dearbytes.nl>

2 1

elasticsearch parsing exception
by Tomislav Protega 06 Jan '18

06 Jan '18

Hi, recently I came up into elasticsearch parsing exception. Dump is attached below. It only happens when it processes data from Blueliv Crimeserver and Shadowserver-Open-XDMCP collectors. Not so far ago my elasticsearch output bot didn't throw that exception. Currently I'm using intelmq 1.0.2 and intelmq-manager 0.3.1, all installed from .deb package and python client elasticsearch 6.0.0. Anyone experienced the same? Thanks for the efforts. Regards, -- Tomislav

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

IntelMQ-users