[IntelMQ-users] IntelMQ 2.3.2

Sebastian Wagner wagner at cert.at
Tue Apr 27 14:57:46 CEST 2021


Dear community,

April is nearing its end and it's time to release a bunch of bugfixes.
Please find below the list of changes. Thanks to all contributors for
the issues reported and pull requests!

The new version is already available on GitHub, PyPI, the deb+rpm
repositories and DockerHub.

Installation documentation:
https://intelmq.readthedocs.io/en/maintenance/user/installation.html
Upgrade documentation:
https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html

### Core
- `intelmq.lib.harmonization`:
  - `TLP` type: accept value "yellow" for TLP level AMBER.

### Bots
#### Collectors
- `intelmq.bots.collectors.shadowserver.collector_reports_api`:
  - Handle timeouts by logging the error and continuing to the next report (PR#1852 by Marius Karotkis and Sebastian Wagner, fixes #1823).

#### Parsers
- `intelmq.bots.parsers.shadowserver.config`:
  - Parse and harmonize field `end_time` as date in feeds "Drone-Brute-Force" and "Amplification-DDoS-Victim" (PR#1833 by Mikk Margus Möll).
  - Add conversion function `convert_date_utc`, which assumes UTC and sanitizes the data to datetime (by Sebastian Wagner, fixes #1848).
- `intelmq.bots.parsers.shadowserver.parser_json`:
  - Use the overwrite parameter for optionally overwriting the "feed.name" field (by Sebastian Wagner).
- `intelmq.bots.parsers.microsoft.parser_ctip`:
  - Handle fields `timestamp`, `timestamp_utc`, `source_ip`, `source_port`, `destination_ip`, `destination_port`, `computer_name`, `bot_id`, `asn`, `geo` in `Payload` of the CTIP Azure format (PR#1841, PR#1851 and PR#1879 by Sebastian Wagner).
- `intelmq.bots.parsers.shodan.parser`:
  - Add support for unique keys and verified vulns (PR#1835 by Mikk Margus Möll).
- `intelmq.bots.parsers.cymru.parser_cap_program`:
  - Fix parsing of a whitespace edge case in comments (PR#1870 by Alex Kaplan, fixes #1862).
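To illustrate the UTC-assuming date sanitization that the `convert_date_utc` entry above describes, here is an added Python example. It is not IntelMQ's own implementation: the accepted input layouts, the `sanitize_row` helper, the field names `timestamp`/`end_time` and the sample report rows are all constructed for this example.

```python
"""UTC-assuming date sanitization for feed report fields.

Added example, not IntelMQ's convert_date_utc: the accepted formats and the
sample rows below are constructed for illustration.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional

# Timestamp layouts tried in order (constructed list, not the real feed spec).
_FORMATS = (
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%d %H:%M:%S.%f",
    "%Y-%m-%dT%H:%M:%S",
    "%Y-%m-%dT%H:%M:%S.%f",
    "%Y-%m-%d %H:%M:%S%z",
    "%Y-%m-%dT%H:%M:%S%z",
    "%Y-%m-%d",
)


def convert_date_utc(value: Optional[str]) -> Optional[str]:
    """Return the timestamp as ISO 8601 in UTC, or None if it cannot be parsed.

    A naive timestamp (no offset) is assumed to be UTC; an aware one is
    converted to UTC. Returning None lets the caller drop the single field
    instead of failing the whole report line.
    """
    if value is None:
        return None
    text = value.strip()
    if not text:
        return None
    # strptime's %z does not take a bare "Z" suffix on older Pythons; map it to +0000.
    if text.endswith("Z"):
        text = text[:-1] + "+0000"
    for fmt in _FORMATS:
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        else:
            parsed = parsed.astimezone(timezone.utc)
        return parsed.isoformat()
    return None


def sanitize_row(row: Dict[str, str],
                 date_fields: Iterable[str] = ("timestamp", "end_time")) -> Dict[str, str]:
    """Copy a CSV report row, normalising the named date fields.

    Fields that do not parse are removed from the copy so that one bad value
    does not poison the harmonized event; all other fields pass through.
    """
    cleaned = dict(row)
    for field in date_fields:
        if field not in cleaned:
            continue
        converted = convert_date_utc(cleaned[field])
        if converted is None:
            del cleaned[field]
        else:
            cleaned[field] = converted
    return cleaned


# Constructed sample rows in the style of a brute-force feed report.
SAMPLE_ROWS = [
    {"timestamp": "2021-04-27 14:57:46", "end_time": "2021-04-27 15:02:10", "src_ip": "192.0.2.10"},
    {"timestamp": "2021-04-27T14:57:46+02:00", "end_time": "n/a", "src_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(sanitize_row(row))
```

The second sample row shows the two behaviours worth checking: an offset-bearing timestamp is shifted to UTC rather than assumed to be UTC, and an unparseable `end_time` is dropped from the row instead of aborting the whole report.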

#### Experts
- `intelmq.bots.experts.modify`:
  - Add a new rule to the example configuration to change the type of malicious-code events to `c2server` if the malware name indicates c2 (PR#1854 by Sebastian Wagner).
- `intelmq.bots.experts.gethostbyname.expert`:
  - Fix handling of parameter `gaierrors_to_ignore` with value `None` (PR#1890 by Sebastian Wagner, fixes #1886).
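As an added illustration of the modify-expert rule described above, here is a minimal if/then rule matcher in Python. It is my own example, not IntelMQ's modify bot or its shipped example configuration: the rule layout, the regular expression used to decide that a malware name "indicates c2", and the sample events are assumptions made for the example.

```python
"""Minimal if/then rule matcher in the style of a modify-expert rule.

Added example, not IntelMQ's modify expert or its shipped configuration: the
rule layout, the regular expression and the sample events are assumptions.
"""
import re
from typing import Any, Dict, List

Event = Dict[str, Any]

# Constructed rule: every key under "if" must match (string values are treated
# as case-insensitive regular expressions); on a match, "then" fields are set.
RULES: List[Dict[str, Any]] = [
    {
        "rulename": "malware-name-indicates-c2",
        "if": {
            "classification.type": "^malicious-code$",
            # "c2" as its own token, so "emotet-c2" matches but "cc2x" does not.
            "malware.name": r"(?:^|[^a-z0-9])c2(?:[^a-z0-9]|$)",
        },
        "then": {"classification.type": "c2server"},
    },
]


def _matches(event: Event, conditions: Dict[str, Any]) -> bool:
    """True when every condition key is present in the event and matches."""
    for key, expected in conditions.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(value, str) and isinstance(expected, str):
            if re.search(expected, value, flags=re.IGNORECASE) is None:
                return False
        elif value != expected:
            return False
    return True


def apply_rules(event: Event, rules: List[Dict[str, Any]] = RULES) -> Event:
    """Return a copy of the event with the "then" part of each matching rule applied."""
    result = dict(event)
    for rule in rules:
        if _matches(result, rule["if"]):
            result.update(rule["then"])
    return result


# Constructed sample events.
SAMPLE_EVENTS = [
    {"classification.type": "malicious-code", "malware.name": "emotet-c2", "source.ip": "192.0.2.10"},
    {"classification.type": "malicious-code", "malware.name": "emotet", "source.ip": "192.0.2.11"},
    {"classification.type": "phishing", "malware.name": "c2", "source.ip": "192.0.2.12"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(apply_rules(event)["classification.type"])
```

The point of the token-bounded pattern is precision: a rule that simply searched for the substring `c2` would reclassify any malware family whose name happens to contain those characters, and a wrong `classification.type` propagates into every downstream expert and output.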

#### Outputs
- `intelmq.bots.outputs.elasticsearch`:
  - Fix the log message about the required elasticsearch library (by Sebastian Wagner).

### Documentation
- `dev/data-harmonization`: Fix taxonomy name: "information gathering" should be "information-gathering" (by Sebastian Wagner).

### Tests
- `intelmq.tests.bots.parsers.microsoft.test_parser_ctip_azure`:
  - Add test case for TLP level "YELLOW".

### Known issues
- ParserBot: erroneous raw line recovery in error handling (#1850).

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 676 898 298 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg

