[IntelMQ-users] Modify expert get the value of data

Guillaume GRANJON DE LEPINEY ggranjon at excellium-services.be
Wed Oct 19 10:59:32 CEST 2022


I must have misspoken. What I want to do is that I have base64 encoded data in my msg.data and I want to modify my source.url in the modify expert to have XXXX={msg[data]} in decoded version.

Today when I do this on the modify expert, it gives me:
XXXX=YmFzZTY0ZGF0YQ==

while I would like:
XXXX=base64data


All this without modifying the rest of my configuration, I know I could add a temporary field in harmonization.conf that contains my decrypted data, but I don't find it very clean.

Regards,
Guillaume

From: Mika Silander <mika.silander at csc.fi>
Sent: Wednesday, 19 October 2022 10:53
To: intelmq-users at lists.cert.at
Cc: Guillaume GRANJON DE LEPINEY <ggranjon at excellium-services.be>
Subject: Re: [IntelMQ-users] Modify expert get the value of data

Hi Guillaume,

 Not entirely sure as to why you need to decode parts of your Modify expert's configurations, but in intelmq/lib/utils.py you have the base64_encode and base64_decode functions that may be of use to you.
Testing and experimenting what decoded and encoded data looks like can also be achieved on the command line, e.g. (on Ubuntu with the base64 executable provided by the coreutils package):

echo "a text sample" | base64 | base64 -d -

gives

a text sample

 I hope this helps.

Br, Mika

________________________________
From: "Guillaume GRANJON DE LEPINEY via IntelMQ-users" <intelmq-users at lists.cert.at>
To: "intelmq-users at lists.cert.at" <intelmq-users at lists.cert.at>
Sent: Wednesday, 19 October, 2022 11:28:31
Subject: [IntelMQ-users] Modify expert get the value of data

Hello,

This may be a silly question, but I can't find the answer.
Is it possible to get the decoded value (not base 64) of my data in a configuration file of the bot intelmq.bots.experts.modify.expert?

I would like to do something like that with the decoded value:
[cid:image001.png at 01D8E3A9.3D8A94A0]

Regards,

Guillaume GRANJON de LÉPINEY | ggranjon at excellium-services.be | PGP Key ID: 0xE2FD5ED1
CERT-XLM | cert at excellium-services.com | PGP Key ID: 0xD74E5AC0
Excellium Services Belgium N.V. | Orion Bldg, Belgicastraat 13, B-1930 Zaventem, Belgium
Mobile: +32 4 71 98 57 65
Emergency: +352 262 039 64 708 | emergency at excellium-services.com | PGP Key ID: 0x42662EFE
https://excellium-services.com/en/CERT-XLM/
https://www.trusted-introducer.org/directory/teams/cert-xlm.html
https://www.first.org/members/teams/cert-xlm

This email is confidential and may contain legally privileged information. If you are not the intended recipient, you should not copy, distribute, disclose or use the information it contains, please e-mail the sender immediately and delete this message from your system. Note: e-mails are susceptible to corruption, interception and unauthorised amendment; we do not accept liability for any such changes, or for their consequences. You should be aware that we may monitor your e-mails and their content. Excellium Services SA.
--
List settings:
 https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users
IntelMQ Documentation: https://intelmq.readthedocs.io/
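
Added example, not part of the original thread and not IntelMQ's own code: a stand-alone Python sketch of the transformation asked about above, filling a {msg[data]}-style template with the decoded value of a base64 field. It goes one step beyond the thread by decoding strictly and percent-encoding the decoded text so it cannot add extra parameters to the URL. The function names and the example.invalid template are hypothetical, and the standard-library base64 module stands in for intelmq.lib.utils.base64_decode so the code runs without IntelMQ installed.

```python
import base64
import binascii
from urllib.parse import quote

# Constructed sample events; "data" holds base64 text as in the thread.
SAMPLE_EVENT = {"data": "YmFzZTY0ZGF0YQ=="}      # decodes to "base64data"
SAMPLE_TRICKY = {"data": "YSZiPWM="}             # decodes to "a&b=c"

# Hypothetical template in the {msg[field]} style used in the thread.
TEMPLATE = "https://example.invalid/report?XXXX={msg[data]}"


def decode_b64_field(value: str) -> str:
    """Strictly decode base64 to UTF-8 text; raise ValueError on bad input."""
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently skipping them.
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("decoded bytes are not UTF-8 text") from exc


def render_url(event: dict, template: str, field: str = "data") -> str:
    """Fill the template with the decoded, percent-encoded field value.

    The event itself is left untouched: a copy with the decoded value is
    handed to str.format, so no temporary field has to be stored.
    """
    decoded = decode_b64_field(event[field])
    view = {**event, field: quote(decoded, safe="")}
    return template.format(msg=view)


if __name__ == "__main__":
    print(render_url(SAMPLE_EVENT, TEMPLATE))
    print(render_url(SAMPLE_TRICKY, TEMPLATE))
```

The returned string is what would be assigned to source.url; the base64 field in the event keeps its original encoded value.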