Hi,
From the provided logs I can see that the message has the following fields:
* extra.email_from
* extra.email_message_id
* extra.email_subject
* feed.accuracy
* feed.name
* feed.provider
* raw, contains a zip file
* time.observation
So we can follow from this: While the mails are correctly fetched and the attachments are correctly identified, the attachments are not extracted and are still in ZIP file format. It should be text/csv.
So I tried to reproduce this in a local setup and it turns out that the handling of the (deprecated) parameter `attach_unzip` is currently broken. And this warning in your logs is directly related to it:
shadowserver-mail-Collector: The parameter 'attach_unzip' is deprecated and will be removed in version 4.0. Use 'extract_files' instead.
The affected code is the part handling the value of that deprecated parameter:
--- lib.py.old 2020-02-20 12:20:19.356103494 +0100 +++ lib.py 2020-02-20 12:20:26.360150384 +0100 @@ -18,7 +18,7 @@ raise ValueError('Could not import imbox. Please install it.') if getattr(self.parameters, 'attach_unzip', None) and not self.extract_files: - self.parameters.extract_files = True + self.extract_files = True self.logger.warning("The parameter 'attach_unzip' is deprecated and will " "be removed in version 4.0. Use 'extract_files' instead.")
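Review bot: on the `if` line, `not self.extract_files` is true both when `extract_files` is unset and when it is explicitly set to a false value, so a configured `attach_unzip` silently overrides an explicit false; if that precedence is intended, a comment saying so would help, otherwise test for an unset value. The corrected assignment `self.extract_files = True` now writes the attribute that the condition reads, and a test that configures only `attach_unzip` and asserts that the attachment is unpacked would keep the deprecated path from breaking again unnoticed.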
I will fix the bug in the IntelMQ code today, but for you I recommend setting the parameter `extract_files` to `true` (just a rename).
For the output of intelmqctl check: You can follow its output (executing `intelmqctl upgrade-config`, and then once again).
best regards
Sebastian
On 2/20/20 11:42 AM, info wrote:
Hi,
Yes I did restart the bots and also loaded new emails for the bots to process.
Below is the output after issuing the command intelmqctl check
Reading configuration files.
Checking defaults configuration.
Checking runtime configuration.
Checking runtime and pipeline configuration.
Checking harmonization configuration.
Checking for bots.
No state file found. Please call 'intelmqctl upgrade-config'.
No issues found.
Regards,
Bwogi Emmanuel
*From:* Sebastian Wagner [mailto:wagner@cert.at]
*Sent:* Thursday, 20 February 2020 13:30
*To:* info info@ug-cert.ug; intelmq-users@lists.cert.at
*Cc:* 'UCC CERT' cert@ucc.co.ug
*Subject:* Re: [Intelmq-users] IntelMQ
Hi,
On 2/20/20 11:22 AM, info wrote:
We have corrected the parameter as you advised in the previous email however we are still getting the same error with the shadowserver parser. Have attached the error in a notepad file.
Did you reload or restart the bot afterwards? Did the collector re-fetch the mails and did the parser process these new messages?
Sebastian
--
// Sebastian Wagner <wagner@cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Company register number 172568b, Salzburg Regional Court
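The symptom diagnosed at the top of this thread, a `raw` field that still holds a ZIP archive instead of CSV text, can be checked directly on a dumped message. This is an added example, not code from IntelMQ or from anyone in the thread; it assumes `raw` is base64-encoded as in IntelMQ messages, and the function names, size cap and sample message are constructed for illustration.

```python
import base64
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature at the start of a ZIP archive


def classify_raw(raw_b64: str) -> str:
    """Return 'zip' if the decoded raw field is still an archive, else 'text'."""
    data = base64.b64decode(raw_b64)
    is_zip = data.startswith(ZIP_MAGIC) and zipfile.is_zipfile(io.BytesIO(data))
    return "zip" if is_zip else "text"


def extract_members(raw_b64: str, max_bytes: int = 50 * 1024 * 1024) -> dict:
    """Unpack an archived raw field into {member name: bytes}.

    The declared uncompressed sizes are summed and checked against max_bytes
    before each member is read, so an oversized attachment is rejected.
    """
    data = base64.b64decode(raw_b64)
    members, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            if total > max_bytes:
                raise ValueError("archive expands beyond the size cap")
            members[info.filename] = archive.read(info)
    return members


def constructed_message(as_zip: bool) -> dict:
    """Build a sample message (constructed data, not a real feed report)."""
    payload = b'"timestamp","ip"\n"2020-02-20 10:00:00","192.0.2.1"\n'
    if as_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
            archive.writestr("report.csv", payload)
        payload = buf.getvalue()
    return {"feed.name": "constructed-feed", "raw": base64.b64encode(payload).decode()}


if __name__ == "__main__":
    for zipped in (True, False):
        msg = constructed_message(zipped)
        print(msg["feed.name"], "->", classify_raw(msg["raw"]))
```

A result of `zip` for messages leaving the collector means the attachment was not unpacked and the parser will not receive CSV.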