[Intelmq-users] IntelMQ
UCC-CERT
info at ug-cert.ug
Wed Feb 19 11:18:37 CET 2020
Dear Aaron,
See the pipeline.conf below.
{
    "Mail-Attachment-Fetcher-Collector": {
        "destination-queues": [
            "ShadowServer-Parser-queue"
        ]
    },
    "Mail-URL-Fetcher-Collector": {
        "destination-queues": [
            "ShadowServer-Parser-queue"
        ]
    },
    "ShadowServer-Parser": {
        "source-queue": "ShadowServer-Parser-queue",
        "destination-queues": [
            "deduplicator-expert-queue"
        ]
    },
    "cymru-whois-expert": {
        "source-queue": "cymru-whois-expert-queue",
        "destination-queues": [
            "file-output-queue"
        ]
    },
    "deduplicator-expert": {
        "source-queue": "deduplicator-expert-queue",
        "destination-queues": [
            "taxonomy-expert-queue"
        ]
    },
    "feodo-tracker-browse-collector": {
        "destination-queues": [
            "feodo-tracker-browse-parser-queue"
        ]
    },
    "feodo-tracker-browse-parser": {
        "source-queue": "feodo-tracker-browse-parser-queue",
        "destination-queues": [
            "deduplicator-expert-queue"
        ]
    },
    "file-output": {
        "source-queue": "file-output-queue"
    },
    "gethostbyname-1-expert": {
        "source-queue": "gethostbyname-1-expert-queue",
        "destination-queues": [
Thanks
Vincent M
-----Original Message-----
From: L. Aaron Kaplan [mailto:kaplan at cert.at]
Sent: Tuesday, February 18, 2020 8:11 PM
To: UCC-CERT <info at ug-cert.ug>
Cc: intelmq-users at lists.cert.at; UCC CERT <cert at ucc.co.ug>
Subject: Re: [Intelmq-users] IntelMQ
Dear UCC-CERT, dear Vincent,
thanks :)
So, could you please also post the pipeline.conf file?
I have the gut feeling that either the parser is not running (you can see this in the manager) or that it's not connected to the collector.
All the best,
Aaron.
> On 18.02.2020, at 18:03, UCC-CERT <info at ug-cert.ug> wrote:
>
> Dear Experts,
> We currently have a mail box which contains only shadow server feeds attachment files in a zipped form. The IntelMQ is able to read the emails but cannot extract and forward them to the shadow server parser.
>
> We need your assistance.
>
> See details below
>
> Configuration from runtime.conf
> ----------------------------------------------------------------------
> "Mail-Attachment-Fetcher-Collector": {
>     "parameters": {
>         "extract_files": "True",
>         "attach_regex": "[A-Za-z:0-9\\.\\_ \\[\\]\\-]",
>         "folder": "INBOX",
>         "mail_host": "imap.xxxx.xxx",
>         "mail_password": "xxxxxxxxxx",
>         "mail_ssl": true,
>         "mail_user": "johndoe",
>         "name": "Via IMAP",
>         "provider": "ShadowServer",
>         "rate_limit": 86400,
>         "subject_regex": "[A-Za-z:0-9 \\[\\]\\-]"
>     },
>     "name": "Mail Attachment Fetcher",
>     "group": "Collector",
>     "module": "intelmq.bots.collectors.mail.collector_mail_attach",
>     "description": "Monitor IMAP mailboxes and retrieve mail attachments",
>     "enabled": true,
>     "run_mode": "continuous"
>
>
> Below are the logs
> tail -n 1000 Mail-Attachment-Fetcher-Collector.log
> 2020-02-18 18:31:12,672 - Mail-Attachment-Fetcher-Collector - INFO - Email report read.
> 2020-02-18 18:31:19,310 - Mail-Attachment-Fetcher-Collector - INFO - Email report read.
> 2020-02-18 18:31:25,574 - Mail-Attachment-Fetcher-Collector - INFO - Email report read.
> 2020-02-18 18:31:31,816 - Mail-Attachment-Fetcher-Collector - INFO - Email report read.
>
> Should you need any further information, please do not hesitate to contact me.
>
> Thanks
>
> Regards,
>
> Vincent M
> UG-CERT
>
> --
> List settings:
> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users
--
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78 // CERT Austria -
https://www.cert.at/ // An initiative of nic.at GmbH - http://www.nic.at/
// Company register number 172568b, LG Salzburg
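Added example, not part of this thread and not IntelMQ's own code: a small Python check for the two faults Aaron suspects above, a parser that is not enabled in runtime.conf and a collector whose destination queue no bot reads. It only compares the JSON of the two files, so it runs without an IntelMQ installation. The sample configs are constructed from the queue names in the thread and deliberately broken (the parser's source-queue is misspelled and the parser is disabled); the function names and the handling of dict-valued destination-queues (IntelMQ 2.x named paths, `{"_default": [...]}`) are my assumptions, not something the thread shows.

```python
"""Cross-check an IntelMQ pipeline.conf against runtime.conf.

Added example for the mailing-list thread; not IntelMQ code.
"""
import json
import sys
from collections import defaultdict

# Constructed sample pipeline.conf, cut down from the fragment in the thread and
# broken on purpose: the parser's source-queue ("Shadowserver-...") does not match
# the queue the two mail collectors write to ("ShadowServer-...").
SAMPLE_PIPELINE = json.loads("""
{
  "Mail-Attachment-Fetcher-Collector": {
    "destination-queues": ["ShadowServer-Parser-queue"]
  },
  "Mail-URL-Fetcher-Collector": {
    "destination-queues": ["ShadowServer-Parser-queue"]
  },
  "ShadowServer-Parser": {
    "source-queue": "Shadowserver-Parser-queue",
    "destination-queues": ["deduplicator-expert-queue"]
  },
  "deduplicator-expert": {
    "source-queue": "deduplicator-expert-queue",
    "destination-queues": ["file-output-queue"]
  },
  "file-output": {
    "source-queue": "file-output-queue"
  }
}
""")

# Constructed sample runtime.conf, reduced to the fields the check needs; the
# parser is disabled, the other suspected fault.
SAMPLE_RUNTIME = json.loads("""
{
  "Mail-Attachment-Fetcher-Collector": {"group": "Collector", "enabled": true},
  "Mail-URL-Fetcher-Collector": {"group": "Collector", "enabled": true},
  "ShadowServer-Parser": {"group": "Parser", "enabled": false},
  "deduplicator-expert": {"group": "Expert", "enabled": true},
  "file-output": {"group": "Output", "enabled": true}
}
""")


def destinations(bot_cfg):
    """Flatten destination-queues, which is a list in IntelMQ 1.x and may be a
    dict of named paths ({"_default": [...], "other": [...]}) in 2.x (assumption)."""
    dest = bot_cfg.get("destination-queues", [])
    if isinstance(dest, dict):
        return [q for queues in dest.values() for q in queues]
    return list(dest)


def check_pipeline(pipeline, runtime):
    """Return the faults found, as a dict of sorted lists.

    unconsumed: (producer, queue) where no bot has that queue as source-queue,
                i.e. the collector is not connected to anything.
    unfed:      (consumer, queue) where no bot writes to that queue.
    disabled:   bots in the pipeline that are missing or disabled in runtime.conf;
                a bot that is not running never drains its queue.
    """
    consumers = defaultdict(list)  # queue -> bots reading from it
    producers = defaultdict(list)  # queue -> bots writing to it
    for bot_id, cfg in pipeline.items():
        if "source-queue" in cfg:
            consumers[cfg["source-queue"]].append(bot_id)
        for queue in destinations(cfg):
            producers[queue].append(bot_id)

    unconsumed = sorted((bot, q) for q, bots in producers.items()
                        if q not in consumers for bot in bots)
    unfed = sorted((bot, q) for q, bots in consumers.items()
                   if q not in producers for bot in bots)
    disabled = sorted(bot for bot in pipeline
                      if not runtime.get(bot, {}).get("enabled", False))
    return {"unconsumed": unconsumed, "unfed": unfed, "disabled": disabled}


def load_and_check(pipeline_path, runtime_path):
    """Run the check on real files, e.g. /opt/intelmq/etc/{pipeline,runtime}.conf."""
    with open(pipeline_path) as f_pipe, open(runtime_path) as f_run:
        return check_pipeline(json.load(f_pipe), json.load(f_run))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        faults = load_and_check(sys.argv[1], sys.argv[2])
    else:
        faults = check_pipeline(SAMPLE_PIPELINE, SAMPLE_RUNTIME)
    for kind, entries in faults.items():
        for entry in entries:
            print(f"{kind}: {entry}")
```

Run it with no arguments to see the constructed faults, or with the paths to your pipeline.conf and runtime.conf. With an empty result the queues are at least wired and every bot is enabled; whether the parser process is actually up is still something to confirm in the manager or with `intelmqctl status`.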