[IntelMQ-dev] ShadowServer feeds vs. ShadowServer parser bot

Mika Silander mika.silander at csc.fi
Tue Mar 23 09:17:38 CET 2021


Hi Sebastian,

 True. It also seems ShadowServer recently started publishing some new reports tagged "special" related to Hafnium and vulnerable Exchange servers. It is not easy to keep up with new feeds.

 I'd be happy to contribute with pull requests but our own project is top on the priority list so contributions have to wait still for a while :-). I'll send the list of feeds in a private message.

Br, Mika

----- Original Message -----
From: "Sebastian Wagner" <wagner at cert.at>
To: "Mika Silander" <mika.silander at csc.fi>, "intelmq-dev" <intelmq-dev at lists.cert.at>
Sent: Tuesday, 23 March, 2021 10:06:40
Subject: Re: [IntelMQ-dev] ShadowServer feeds vs. ShadowServer parser bot

Good Morning,

I wasn't even aware of that feed. IntelMQ will always be running after
Shadowserver as we don't know of feeds in advance either (and the data
examples for the feeds given on Shadowservers website are often not
complete).

If you can pass me on one example file (I can anonymize it myself as
well) I can extend the Shadowserver parser for this new feed. We are
also happily accepting pull requests :)

kind regards
Sebastian

On 3/23/21 8:05 AM, Mika Silander wrote:
> Hi.
>
>  After trying to match current ShadowServer feeds to their internal intelmq identifiers, I got stuck with a few that I cannot find a corresponding internal mapping for in intelmq/bots/parsers/shadowserver/config.py (intelmq 2.3.1). One example is the Click-Fraud Report (https://www.shadowserver.org/what-we-do/network-reporting/click-fraud-report/). Correct me if I'm wrong in assuming all ShadowServer feeds are perhaps not (yet?) supported by the ShadowServer parser bot. 
>
>  Are there plans for extending the parser bot in question? Don't take me wrong, this is no criticism, the bot does a fine job. I would just like to know what the situation is and then be able to decide how to continue with our own project.
>
> Cheers, Mika
> _______________________________________________
> IntelMQ-dev mailing list
> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> https://intelmq.readthedocs.io/

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
