Dear UCC-CERT, dear Vincent,
thanks :)
So, could you please also post the pipeline.conf file? I have the gut feeling that either the parser is not running (you can see this in the manager) or that it's not connected to the collector.
All the best, Aaron.
On 18.02.2020, at 18:03, UCC-CERT info@ug-cert.ug wrote:
Dear Experts,
We currently have a mailbox which contains only Shadowserver feed attachment files in zipped form. IntelMQ is able to read the emails but cannot extract and forward them to the Shadowserver parser.
We need your assistance.
See details below
Configuration From Runtime.conf
    "Mail-Attachment-Fetcher-Collector": {
        "parameters": {
            "extract_files": "True",
            "attach_regex": "[A-Za-z:0-9\.\_ \[\]\-]",
            "folder": "INBOX",
            "mail_host": "imap.xxxx.xxx",
            "mail_password": "xxxxxxxxxx",
            "mail_ssl": true,
            "mail_user": "johndoe",
            "name": "Via IMAP",
            "provider": "ShadowServer",
            "rate_limit": 86400,
            "subject_regex": "[A-Za-z:0-9 \[\]\-]"
        },
        "name": "Mail Attachment Fetcher",
        "group": "Collector",
        "module": "intelmq.bots.collectors.mail.collector_mail_attach",
        "description": "Monitor IMAP mailboxes and retrieve mail attachments",
        "enabled": true,
        "run_mode": "continuous"
    }

Below are the logs

    tail -n 1000 Mail-Attachment-Fetcher-Collector.log
    2020-02-18 18:31:12,672 - Mail-Attachment-Fetcher-Collector - INFO - Email report read.
    2020-02-18 18:31:19,310 - Mail-Attachment-Fetcher-Collector - INFO - Email report read.
    2020-02-18 18:31:25,574 - Mail-Attachment-Fetcher-Collector - INFO - Email report read.
    2020-02-18 18:31:31,816 - Mail-Attachment-Fetcher-Collector - INFO - Email report read.
Should you need any further information, please do not hesitate to contact me.
Thanks
Regards,
Vincent M UG-CERT
-- List settings: https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users
--
// L. Aaron Kaplan kaplan@cert.at - T: +43 1 5056416 78
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Company register number 172568b, LG Salzburg
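
The second possibility raised in the reply above, that the parser is not connected to the collector, can be checked offline from runtime.conf and pipeline.conf. The Python sketch below is an added example, not part of the original thread and not IntelMQ code; it assumes the IntelMQ 2.x pipeline.conf layout ("source-queue" and "destination-queues" per bot id), and the parser bot id and both sample pipelines are constructed. It cannot tell whether a bot process is actually running, only whether it is wired up and enabled.

```python
import json

def dest_queues(entry):
    """Flatten 'destination-queues': a string, a list, or a dict of named paths."""
    dq = entry.get("destination-queues", [])
    if isinstance(dq, str):
        return [dq]
    if isinstance(dq, dict):
        return [q for v in dq.values() for q in ([v] if isinstance(v, str) else v)]
    return list(dq)

def check_collector(bot_id, runtime, pipeline):
    """Return the problems found on one collector's outgoing path (empty list = connected)."""
    queues = dest_queues(pipeline.get(bot_id, {}))
    if not queues:
        return [f"{bot_id}: no destination queue in pipeline.conf"]
    # Map every source queue to the bot that consumes it.
    readers = {e["source-queue"]: b for b, e in pipeline.items() if "source-queue" in e}
    problems = []
    for q in queues:
        reader = readers.get(q)
        if reader is None:
            problems.append(f"{bot_id}: no bot reads from {q}")
        elif reader not in runtime:
            problems.append(f"{bot_id}: {reader} reads {q} but is not in runtime.conf")
        elif not runtime[reader].get("enabled", True):
            problems.append(f"{bot_id}: {reader} reads {q} but is disabled")
    return problems

COLLECTOR = "Mail-Attachment-Fetcher-Collector"  # bot id from the thread
PARSER = "ShadowServer-Parser"                   # hypothetical parser bot id
# Constructed sample configurations, reduced to the keys the check reads.
RUNTIME = {COLLECTOR: {"enabled": True}, PARSER: {"enabled": True}}
PIPELINE_OK = json.loads("""{
  "Mail-Attachment-Fetcher-Collector": {"destination-queues": ["ShadowServer-Parser-queue"]},
  "ShadowServer-Parser": {"source-queue": "ShadowServer-Parser-queue",
                          "destination-queues": {"_default": ["file-output-queue"]}}
}""")
# Same pipeline, but the collector points at a queue that no bot consumes.
PIPELINE_BROKEN = json.loads(json.dumps(PIPELINE_OK))
PIPELINE_BROKEN[COLLECTOR]["destination-queues"] = ["shadowserver-parser-queue"]

if __name__ == "__main__":
    for name, pipeline in (("ok", PIPELINE_OK), ("broken", PIPELINE_BROKEN)):
        print(name, check_collector(COLLECTOR, RUNTIME, pipeline) or "connected")
```

Against a real installation, load the two files with json.load and pass the collector's bot id as it appears in runtime.conf.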