IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol.

- `intelmq.bots.collectors.stomp.collector` and `intelmq.bots.outputs.stomp.output` (PR#2408 by Jan Kaliszewski):
  - `auth_by_ssl_client_certificate` (Boolean, default: true; if false then `ssl_client_certificate` and `ssl_client_certificate_key` will be ignored);
  - `username` (STOMP authentication login, default: "guest"; to be used only if `auth_by_ssl_client_certificate` is false);
  - `password` (STOMP authentication passcode, default: "guest"; to be used only if `auth_by_ssl_client_certificate` is false).
- The `ssl_ca_certificate` configuration parameter for `intelmq.bots.collectors.stomp.collector` and/or `intelmq.bots.outputs.stomp.output` can be set to an empty string, which means that the SSL machinery used for STOMP communication will attempt to load the system's default CA certificates (PR#2414 by Jan Kaliszewski).
- `intelmq.lib.message`: For invalid message keys, add a hint on the failure to the exception: not allowed by configuration or not matching the regular expression (PR#2398 by Sebastian Wagner).
- `intelmq.lib.exceptions.InvalidKey`: Add optional parameter `additional_text` (PR#2398 by Sebastian Wagner).
- `intelmq.lib.mixins`: Add a new class, `StompMixin` (defined in a new submodule: `stomp`), which provides certain common STOMP-bot-specific operations, factored out from `intelmq.bots.collectors.stomp.collector` and `intelmq.bots.outputs.stomp.output` (PR#2408 and PR#2414 by Jan Kaliszewski).
- `intelmq.lib.upgrades`: Replace deprecated instances of `url2fqdn` experts by the new `url` expert in the runtime configuration (PR#2432 by Sebastian Wagner).
- `intelmq.lib.bot`: Ensure closing log files on reloading (PR#2435 by Kamil Mankowski).
- `intelmq.bots.collectors.stomp.collector` (PR#2408 and PR#2414 by Jan Kaliszewski):
  - Drop support for `stomp.py` older than `4.1.12`.
  - Support newer `stomp.py` versions, including the latest (`8.1.0`); fixes #2342.
  - … `stomp.py` suffer from.
  - … `shutdown`. Also, never attempt to reconnect if the version of `stomp.py` is older than `4.1.21` (it did not work properly anyway).
  - Convert the `port` config parameter to `int`.
  - Add a `check` hook (verifying, in particular, accessibility of necessary file(s)).
  - … `StompCollectorBot` instances: `ssl_ca_cert`, `ssl_cl_cert`, `ssl_cl_cert_key`.
- `intelmq.bots.collectors.amqp`: fix the SSL context so that it creates a client-side connection that verifies the server (PR by Kamil Mankowski).
- `intelmq.bots.collectors.shadowserver.collector_reports_api`: …
- `intelmq.bots.collectors.alienvault_otx.collector` (PR#2449 by qux-bbb): …
- `intelmq.bots.parsers.netlab_360.parser`: Removed as the feed is discontinued (#2442 by Filip Pokorný).
- `intelmq.bots.parsers.webinspektor.parser`: Removed as the feed is discontinued (#2442 by Filip Pokorný).
- `intelmq.bots.parsers.sucuri.parser`: Removed as the feed is discontinued (#2442 by Filip Pokorný).
- `intelmq.bots.parsers.shadowserver._config`: …
- `intelmq.bots.parsers.cymru`: Save the current line (PR by Kamil Mankowski).
- `intelmq.bots.experts.jinja` (PR#2417 by Mikk Margus Möll): `socket_perms` and `socket_group` parameters to change the file permissions on the socket file, if it is in use.
- `intelmq.bots.experts.ripe` (PR#2461 by Mikk Margus Möll): …
- `intelmq.bots.outputs.stomp.output` (PR#2408 and PR#2414 by Jan Kaliszewski):
  - Drop support for `stomp.py` older than `4.1.12`.
  - Support newer `stomp.py` versions, including the latest (`8.1.0`).
  - … `stomp.py` suffer from.
  - Fix an `AttributeError` caused by attempts to get unset attributes of `StompOutputBot` (`ssl_ca_cert` et consortes).
  - Convert the `port` config parameter to `int`.
  - Add a `check` hook (verifying, in particular, accessibility of necessary file(s)).
  - Add a `stomp.py` version check (raise `MissingDependencyError` if not `>=4.1.12`).
- `intelmq.bots.outputs.stomp.output` (PR#2423 by Kamil Mankowski): … `NotConnectedException`.
- `intelmq.bots.outputs.smtp_batch.output` (PR #2439 by Edvard Rejthar): … `bcc`
- `intelmq.bots.outputs.amqp`: fix the SSL context so that it creates a client-side connection that verifies the server (PR by Kamil Mankowski).
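The STOMP parameters listed above (`auth_by_ssl_client_certificate`, `username`/`password`, and `ssl_ca_certificate` set to an empty string to fall back to the system CA store) and the AMQP fix that makes the SSL context a client-side one verifying the server both come down to how the TLS client context is built. The following added example, which is not IntelMQ's code, shows this with Python's `ssl` module: the correct `Purpose.SERVER_AUTH` context beside the mistaken `Purpose.CLIENT_AUTH` one, and the credential selection the parameters describe. The helper names `build_client_ssl_context`, `insecure_server_side_context`, `verifies_server` and `select_stomp_auth` are assumptions for this illustration.

```python
import ssl
from typing import Any, Dict, Optional

# Added example (not IntelMQ's own code). The parameter names follow the
# changelog entries above; the function names are assumed for this illustration.


def build_client_ssl_context(
    ssl_ca_certificate: str = "",
    auth_by_ssl_client_certificate: bool = True,
    ssl_client_certificate: Optional[str] = None,
    ssl_client_certificate_key: Optional[str] = None,
) -> ssl.SSLContext:
    """Client-side context that verifies the broker's certificate and hostname.

    Purpose.SERVER_AUTH is the right purpose when *we* are the client: it yields
    verify_mode=CERT_REQUIRED and check_hostname=True. An empty
    ssl_ca_certificate is passed as cafile=None, which makes
    create_default_context() load the system's default CA certificates.
    """
    ctx = ssl.create_default_context(
        purpose=ssl.Purpose.SERVER_AUTH,
        cafile=ssl_ca_certificate or None,
    )
    if auth_by_ssl_client_certificate:
        # Mutual TLS: present our own certificate to the broker.
        if not (ssl_client_certificate and ssl_client_certificate_key):
            raise ValueError(
                "auth_by_ssl_client_certificate is true but ssl_client_certificate "
                "and/or ssl_client_certificate_key are not set"
            )
        ctx.load_cert_chain(certfile=ssl_client_certificate,
                            keyfile=ssl_client_certificate_key)
    # When it is false, ssl_client_certificate/_key are ignored, as documented.
    return ctx


def insecure_server_side_context() -> ssl.SSLContext:
    """The mistake the AMQP fix corrects: Purpose.CLIENT_AUTH builds a context
    for a *server* that authenticates clients, so used by a client it verifies
    nothing (verify_mode=CERT_NONE, no hostname check)."""
    return ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the peer certificate is required and the hostname checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def select_stomp_auth(params: Dict[str, Any]) -> Dict[str, Any]:
    """Mirror the documented precedence: client certificate when
    auth_by_ssl_client_certificate is true (the default), otherwise the
    username/password pair, both defaulting to "guest"."""
    if params.get("auth_by_ssl_client_certificate", True):
        return {
            "mode": "client-certificate",
            "certfile": params.get("ssl_client_certificate"),
            "keyfile": params.get("ssl_client_certificate_key"),
        }
    return {
        "mode": "password",
        "username": params.get("username", "guest"),
        "password": params.get("password", "guest"),
    }


if __name__ == "__main__":
    good = build_client_ssl_context("", auth_by_ssl_client_certificate=False)
    print("SERVER_AUTH context verifies server:", verifies_server(good))
    print("CLIENT_AUTH context verifies server:", verifies_server(insecure_server_side_context()))
    print(select_stomp_auth({"auth_by_ssl_client_certificate": False, "username": "intelmq"}))
```

Note that `verifies_server()` is the check worth adding to a bot's `check` hook: a context that reports `CERT_NONE` will happily connect to any broker presenting any certificate, and the default `"guest"` credentials should be replaced whenever certificate authentication is disabled.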
- Add `pendulum` to the suggested packages, as it is required for the sieve bot (PR#2424 by Sebastian Wagner).
- `debian/control`: in the `Suggests` field, replace `python3-stomp.py (>= 4.1.9)` with `python3-stomp (>= 4.1.12)`, i.e., fix the package name by removing the `.py` suffix and bump the minimum version to `4.1.12` (PR#2414 by Jan Kaliszewski).
- `intelmq_psql_initdb`: … `raw` fields separately, and adding `IF NOT EXISTS`/`OR REPLACE` clauses (PR#2404 by Kamil Mankowski).

Installation: https://intelmq.readthedocs.io/en/develop/user/installation.html
Upgrade: https://intelmq.readthedocs.io/en/develop/user/upgrade.html
Fixes an issue which prevented bots from stopping gracefully after reloading. As logrotate reloads all bots regularly, this bug affects most IntelMQ installations.

Until IntelMQ version 3.2.0, the bot incorrectly cached and re-used results for /24 networks instead of single IP addresses. If the bot retrieved the PTR for `192.0.43.7`, it was cached for `192.0.43.0/24` and used for all IP addresses in this range, for example for `192.0.43.8`. IntelMQ version 3.2.1 fixes this issue. The bugfix will correctly increase the cache sizes and decrease the performance, as less (incorrect) data is re-used.
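As an added example (not IntelMQ's code), the following reproduces the cache-key mistake described in this note with a tiny reverse-DNS cache: keying by the /24 network returns the PTR of `192.0.43.7` for `192.0.43.8` too, while keying by the single address does not. The PTR table is constructed, and the class and function names are assumptions for this illustration.

```python
import ipaddress
from typing import Callable, Dict, Tuple

# Added example (not IntelMQ's own code). The PTR names below are constructed
# stand-ins for real reverse-DNS answers.
CONSTRUCTED_PTR_TABLE: Dict[str, str] = {
    "192.0.43.7": "host-7.example.net",
    "192.0.43.8": "host-8.example.net",
    "192.0.43.200": "host-200.example.net",
}


def lookup_ptr(ip: str) -> str:
    """Stand-in for a real reverse lookup: answers only from the constructed table."""
    return CONSTRUCTED_PTR_TABLE[ip]


def key_by_network(ip: str) -> str:
    """Pre-3.2.1 behaviour: one cache entry per /24, so every address in the
    network shares whichever answer arrived first (wrong)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def key_by_address(ip: str) -> str:
    """3.2.1 behaviour: one cache entry per single address (correct)."""
    return str(ipaddress.ip_address(ip))


class PtrCache:
    """Minimal cache whose key derivation is pluggable, to show the difference."""

    def __init__(self, key_fn: Callable[[str], str]) -> None:
        self._key_fn = key_fn
        self._store: Dict[str, str] = {}
        self.lookups = 0  # number of real resolutions performed

    def ptr(self, ip: str) -> str:
        key = self._key_fn(ip)
        if key not in self._store:
            self.lookups += 1
            self._store[key] = lookup_ptr(ip)
        return self._store[key]


def resolve_all(key_fn: Callable[[str], str]) -> Tuple[Dict[str, str], int]:
    """Resolve every table address in ascending order; return answers and lookup count."""
    cache = PtrCache(key_fn)
    ordered = sorted(CONSTRUCTED_PTR_TABLE, key=ipaddress.ip_address)
    answers = {ip: cache.ptr(ip) for ip in ordered}
    return answers, cache.lookups


def wrong_answers(key_fn: Callable[[str], str]) -> Dict[str, str]:
    """Addresses for which the cached answer differs from the true PTR."""
    answers, _ = resolve_all(key_fn)
    return {ip: got for ip, got in answers.items() if got != CONSTRUCTED_PTR_TABLE[ip]}


if __name__ == "__main__":
    for name, fn in (("by /24 network", key_by_network), ("by address", key_by_address)):
        answers, lookups = resolve_all(fn)
        print(f"{name}: {lookups} lookup(s), wrong answers: {wrong_answers(fn)}")
```

The cache size grows from one entry to one per address after the fix, which is exactly the "larger cache, lower hit rate" trade-off the note announces; the upside is that an event for `192.0.43.8` no longer carries another host's reverse name.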
IEP007: Running IntelMQ bots as a Python library is implemented.

Installation: https://intelmq.readthedocs.io/en/develop/user/installation.html
Upgrade: https://intelmq.readthedocs.io/en/develop/user/upgrade.html

The accompanying 3.2.0 release of intelmq-api switches its backend from the library hug to fastapi. Deb packages of intelmq-api 3.2.0 are delayed for some distributions because of necessary changes in packaging.

- `intelmq.lib.utils`: `resolve_dns`: Deprecate dnspython versions pre-2.0.0 and disable search domains (PR#2352).
- `intelmq.lib.upgrades`: Fix a bug in the upgrade function for version 3.1.0 which caused an exception if a generic CSV parser instance had no parameter `type` (PR#2319 by Filip Pokorný).
- `intelmq.lib.datatypes`: Adds a `TimeFormat` class to be used for the `time_format` bot parameter (PR#2329 by Filip Pokorný).
- `intelmq.lib.exceptions`: Fixes a bug in the `InvalidArgument` exception (PR#2329 by Filip Pokorný).
- `intelmq.lib.harmonization`: … `DateTime` conversion functions for consistency, backwards compatible (PR#2329 by Filip Pokorný).
- `intelmq.lib.bot.Bot`: Allow setting the parameters via parameter on bot initialization.
- `intelmq.bots.collector.rt`:
  - … `python-rt` to be below version 3.0 due to introduced breaking changes,
  - … `Subject NOT LIKE` queries,
- `intelmq.bots.collectors.rsync`: Support for an optional private key, relative time parsing for the source path, extra rsync parameters and strict host key checking (PR#2241 by Mateo Durante).
- `intelmq.bots.parsers.shadowserver._config`: … `feedname` at shutdown to re-detect the feedname on reloads (PR#2361 by @elsif2, fixes #2360).
- `intelmq.bots.parsers.shadowserver._config`: … `p0f_genre` and `p0f_detail` from the 'DNS-Open-Resolvers' report (PR#2338).
- `intelmq.bots.parsers.generic.parser_csv`: Changes the `time_format` parameter to use the new `TimeFormat` class (PR#2329 by Filip Pokorný).
- `intelmq.bots.parsers.html_table.parser`: Changes the `time_format` parameter to use the new `TimeFormat` class (PR#2329 by Filip Pokorný).
- `intelmq.bots.parsers.turris.parser.py`: Updated to the latest data format (issue #2167) (PR#2373 by Filip Pokorný).
- `intelmq.bots.experts.sieve`: …
- `intelmq.bots.experts.cymru_whois`: …
- `intelmq.bots.experts.sieve`: …
- `intelmq.bots.outputs.cif3.output`: Added (PR#2244 by Michael Davis).
- `intelmq.bots.outputs.sql.output`: New parameter `fail_on_errors` (PR#2362 by Sebastian Wagner).
- `intelmq.bots.outputs.smtp_batch.output`: Added a bot that gathers events and sends them by e-mail at a stroke as CSV files (PR#2253 by Edvard Rejthar).
- … `skip_installation` and the environment variable `INTELMQ_TEST_INSTALLATION` to skip tests requiring an IntelMQ installation on the test host by default (PR#2370 by Sebastian Wagner, fixes #2369).
- `intelmqsetup`: … `/` if run with the `INTELMQ_PATHS_NO_OPT` environment variable set. This affects only the PIP package, as the DEB/RPM packages don't contain this tool (PR#2355 by Kamil Mańkowski, fixes #2354).
- `contrib.eventdb.separate-raws-table.sql`: Added the missing commas to complete the SQL syntax (PR#2386, fixes #2125 by Sebastian Kufner).
- `intelmq_psql_initdb`: … `-o` to set the output file destination (by Sebastian Kufner).
- `intelmqctl`: …

This is a short list of the most important known issues. The full list can be retrieved from GitHub.

- `intelmq.parsers.html_table` may not process invalid URLs in patched Python versions due to changes in `urllib` (#2382).
- … `prepare_values` returning a list instead of a tuple (#2255).
- `intelmq_psql_initdb` does not work for SQLite (#2202).

Installation documentation: https://intelmq.readthedocs.io/en/maintenance/user/installation.html
Upgrade documentation: https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html
- `intelmq.lib.upgrades`: …
- `intelmq.lib.message`: … `extra.` namespace (PR#2059 by Sebastian Wagner, fixes #1807).
- `intelmq.lib.bot.SQLBot` was replaced by an SQLMixin in `intelmq.lib.mixins.SQLMixin`. The Generic DB Lookup Expert bot and the SQLOutput bot were updated accordingly.
- `intelmq.lib.datatypes`, which for now only contains an Enum listing the four bot types.
- `bottype` attribute to CollectorBot, ParserBot, ExpertBot, OutputBot.
- `intelmq.lib.processmanager`, which also contains an interface definition the processmanager implementations must adhere to. Both the processmanagers and the `intelmqctl` script were cleaned up a bit.
- The `LogLevel` and `ReturnType` Enums were added to `intelmq.lib.datatypes`.
- `intelmq.lib.bot`:
  - … `ParserBot` (PR#2192 by Sebastian Wagner).
  - `default_fields` parameter to `ParserBot` (PR#2293 by Filip Pokorný).
- `intelmq.lib.pipeline`: … `BRPOPLPUSH` to `BLMOVE`, because `BRPOPLPUSH` has been marked as deprecated by redis in favor of `BLMOVE` (PR#2149 and PR#2240 by Sebastian Waldbauer and Sebastian Wagner, fixes #1827, #2233).
- `intelmq.lib.utils`:
  - … `resolve_dns` for querying DNS, with support for the recommended methods from the `dnspython` package in versions 1 and 2.
  - … `RewindableFileHandle` for easier handling and limiting the number of temporary objects.
- `intelmq.lib.harmonization`:
  - … `tzone` argument from `DateTime.from_timestamp` and `DateTime.from_epoch_millis`
  - `DateTime.from_timestamp` now also allows a string argument
  - … `pytz` global dependency
- `intelmq.bots.collectors.mail._lib`: …
- `intelmq.bots.collectors.blueliv`: Fix Blueliv collector requirements (PR#2161 by Gethvi).
- `intelmq.bots.collectors.github_api._collector_github_api`: Added personal access token support (PR#2145 by Sebastian Waldbauer, fixes #1549).
- `intelmq.bots.collectors.file.collector_file`: Added file lock support, no more race conditions (PR#2147 by Sebastian Waldbauer, fixes #2128).
- `intelmq.bots.collectors.shadowserver.collector_reports_api.py`: Added the `file_format` option to download reports in CSV format for better performance (PR#2246 by elsif2).
- `intelmq.bots.parsers.alienvault.parser_otx`: Save CVE data in `extra.cve` instead of `extra.CVE` due to the field name restriction on lower-case characters (PR#2059 by Sebastian Wagner).
- `intelmq.bots.parsers.anubisnetworks.parser`: Changed the field name format from `extra.communication.http.x_forwarded_for_#1` to `extra.communication.http.x_forwarded_for_1` due to the field name restriction on alphanumeric characters (PR#2059 by Sebastian Wagner).
- `intelmq.bots.parsers.dataplane.parser`: …
- Removed `intelmq.bots.parsers.malc0de`: this bot was marked as deprecated and removed from the feed due to offline status (PR#2184 by Tamas Gutsohn, fixes #2178).
- `intelmq.bots.parsers.microsoft.parser_ctip`:
  - … `overwrite` (PR#2112 by Sebastian Wagner, fixes #2022).
  - … `Payload.domain` if it contains the same IP address as `Payload.serverIp` (PR#2144 by Mikk Margus Möll and Sebastian Wagner).
- `intelmq.bots.parsers.shodan.parser` (PR#2117 by Mikk Margus Möll):
  - … `extra.ftp.<something>.parameters`, FTP parameters are collected together into `extra.ftp.features` as a list of said features, reducing the field count.
  - … `rsync.modules` is collected.
  - … `NoValueException` with a string argument to signify that the conversion would not succeed, such as in the case of a single IP address being given in hostnames, which would then be passed into `source.reverse_dns` and fail to validate as a FQDN.
  - `_common_keys` is moved out of the class.
  - `_dict_dict_to_obj_list` is introduced, for converting a string-to-dict mapping into a list of dicts with the previous key as an attribute of the dict; this can be useful for preventing issues where, when feeding the data into aggregating tools, you'd end up with many more fields than necessary, e.g. `vulns.CVE-2010-0001.cvss`, `CVE-2010-0002.cvss` etc.
  - … `_get_first` to get the first item from a list, with `NoValueException` raised on empty lists.
  - … `_get_first_hostname` to handle the first valid FQDN from a list of hostnames for hostnames in the Shodan banner, if there is one, and gives `NoValueException` otherwise.
  - `ssl.cert.serial` and `ssl.dhparams.generator`, which may return both integers and strings, are converted to strings.
  - … `apply_mapping`, such as reducing needless loop iterations, removing a big try-except, and adding the `NoValueException` handling described above.
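The helpers described in the Shodan parser item above (`NoValueException`, `_dict_dict_to_obj_list`, `_get_first`, `_get_first_hostname`, and the string conversion of `ssl.cert.serial`) as an added, stand-alone Python example that is not the parser's own code: the function names drop the leading underscore, the attribute name `name` for the former dict key and the banner contents are constructed assumptions, and a single IP address in `hostnames` raises `NoValueException` instead of being passed on as a FQDN.

```python
import ipaddress
import re
from typing import Any, Callable, Dict, List

# Added example (not IntelMQ's or the Shodan parser's own code). Names without
# the leading underscore, the "name" attribute and the sample banner are assumptions.


class NoValueException(Exception):
    """Raised with a message when a conversion cannot produce a value."""


# Dot-separated labels, no leading/trailing hyphen per label, alphabetic TLD.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE)


def is_fqdn(value: str) -> bool:
    """A bare IP address is never a FQDN, even though it looks hostname-like."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        pass
    return bool(_FQDN_RE.match(value))


def dict_dict_to_obj_list(mapping: Dict[str, Dict[str, Any]],
                          key_name: str = "name") -> List[Dict[str, Any]]:
    """{'CVE-2010-0001': {'cvss': 5.0}} -> [{'name': 'CVE-2010-0001', 'cvss': 5.0}]

    Aggregating tools then see one repeated field set instead of one field per key."""
    return [{key_name: key, **value} for key, value in mapping.items()]


def get_first(values: List[Any]) -> Any:
    if not values:
        raise NoValueException("empty list")
    return values[0]


def get_first_hostname(hostnames: List[str]) -> str:
    """First valid FQDN in the banner's hostname list, else NoValueException."""
    for hostname in hostnames:
        if is_fqdn(hostname):
            return hostname
    raise NoValueException(f"no valid FQDN among hostnames: {hostnames!r}")


def to_str(value: Any) -> str:
    """ssl.cert.serial / ssl.dhparams.generator may be int or str; normalise to str."""
    return str(value)


# Constructed fragment of a Shodan-style banner (not real data).
CONSTRUCTED_BANNER: Dict[str, Any] = {
    "hostnames": ["192.0.2.10", "mail.example.org"],
    "vulns": {"CVE-2010-0001": {"cvss": 5.0}, "CVE-2010-0002": {"cvss": 7.5}},
    "ssl": {"cert": {"serial": 123456789}},
}

# Mapping of output field -> conversion, in the spirit of apply_mapping().
CONVERSIONS: Dict[str, Callable[[Dict[str, Any]], Any]] = {
    "source.reverse_dns": lambda b: get_first_hostname(b.get("hostnames", [])),
    "extra.vulns": lambda b: dict_dict_to_obj_list(b["vulns"]),
    "extra.ssl.cert.serial": lambda b: to_str(b["ssl"]["cert"]["serial"]),
}


def convert_banner(banner: Dict[str, Any]) -> Dict[str, Any]:
    """Apply every conversion; fields whose conversion cannot yield a value are skipped."""
    out: Dict[str, Any] = {}
    for field, convert in CONVERSIONS.items():
        try:
            out[field] = convert(banner)
        except (NoValueException, KeyError):
            continue
    return out


def raises_no_value(func: Callable[..., Any], *args: Any) -> bool:
    """True if func(*args) raises NoValueException (shows the failure path)."""
    try:
        func(*args)
    except NoValueException:
        return True
    return False


if __name__ == "__main__":
    print(convert_banner(CONSTRUCTED_BANNER))
    print(convert_banner({"hostnames": ["192.0.2.10"]}))  # nothing survives
```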
- `intelmq.bots.parsers.shadowserver._config`:
  - … `Accessible AMQP`, `Device Identification Report` (IPv4 and IPv6) (PR#2134 by Mateo Durante).
  - … `SSL-POODLE-Vulnerable-Servers IPv6` (file name `scan6_ssl_poodle`) (PR#2134 by Mateo Durante).
  - … `Malware-URL`, `Sandbox-Connection`, `Sandbox-DNS`, `Accessible-AMQP`, `Open-Anonymous-MQTT`, `Accessible-QUIC`, `Accessible-SSH`, `SYNful-Knock`, and `Special` (PR#2227 by elsif2).
  - … `Amplification-DDoS-Victim`, `CAIDA-IP-Spoofer`, `Darknet`, `Drone`, `Drone-Brute-Force`, `IPv6-Sinkhole-HTTP-Drone`, `Microsoft-Sinkhole`, and `Sinkhole-HTTP-Drone` (PR#2227 by elsif2).
  - … `Accessible-HTTP-proxy` and `Open-HTTP-proxy` (PR#2246 by elsif2).
  - … `Honeypot-DDoS` report and added the `DDoS-Participant` report (PR#2303 by elsif2).
  - … `Accessible-SLP`, `IPv6 Accessible-SLP`, `IPv6-DNS-Open-Resolvers`, and `IPv6-Open-LDAP-TCP` reports (PR#2311 by elsif2).
  - … `Accessible-ICS` and `Open-MSSQL` (PR#2311 by elsif2).
- `intelmq.bots.parsers.cymru.parser_cap_program`: The parser mapped the hostname into `source.fqdn`, which is not allowed by the IntelMQ Data Format. Added a check (PR#2215 by Sebastian Waldbauer, fixes #2169).
- `intelmq.bots.parsers.generic.parser_csv`: …
- `intelmq.bots.parsers.autoshun.parser`: Removed, as the feed is discontinued (PR#2214 by Sebastian Waldbauer, fixes #2162).
- `intelmq.bots.parsers.openphish.parser_commercial`: Refactored the complete code (PR#2160 by Filip Pokorný).
- … `host` field to `source.fqdn` when the content was an IP address.
- `intelmq.bots.parsers.phishtank.parser`: Refactored code (PR#2270 by Filip Pokorný).
- `intelmq.bots.parsers.dshield.parser_domain`: Has been removed, as the feed is discontinued (PR#2276 by Sebastian Waldbauer).
- `intelmq.bots.parsers.abusech.parser_ip`: Removed (PR#2268 by Filip Pokorný).
- `intelmq.bots.parsers.abusech.parser_domain`: Removed (PR#2268 by Filip Pokorný).
- `intelmq.bots.parsers.abusech.parser_feodotracker`: Added new parser bot (PR#2268 by Filip Pokorný).
- `intelmq.bots.parsers.generic.parser_csv`: Parameter `type` is deprecated, `default_fields` should be used (PR#2293 by Filip Pokorný).
- `intelmq.bots.parsers.generic.parser_csv`: Parameter `skip_header` now also allows an integer as a fixed number of lines to skip (PR#2313 by Filip Pokorný).
- `intelmq.bots.parsers.taichung.parser`: Removed (PR#2266 by Filip Pokorný).
- `intelmq.bots.experts.domain_valid`: New bot for checking a domain's validity (PR#1966 by Marius Karotkis).
- `intelmq.bots.experts.truncate_by_delimiter.expert`: Cut a string if its length is higher than a maximum length (PR#1967 by Marius Karotkis).
- `intelmq.bots.experts.remove_affix`: Remove prefix or postfix strings from a field (PR#1965 by Marius Karotkis).
- `intelmq.bots.experts.asn_lookup.expert`: Fixes the update-database script on the last few days of a month (PR#2121 by Filip Pokorný, fixes #2088).
- `intelmq.bots.experts.threshold.expert`: Correctly use the standard parameter `redis_cache_ttl` instead of the previously used parameter `timeout` (PR#2155 by Karl-Johan Karlsson).
- `intelmq.bots.experts.jinja2.expert`: Lift the restriction on requirement jinja2 < 3 (PR#2158 by Sebastian Wagner).
- `intelmq.bots.experts.asn_lookup.expert`, `intelmq.bots.experts.domain_suffix.expert`, `intelmq.bots.experts.maxmind_geoip.expert`, `intelmq.bots.experts.recordedfuture_iprisk.expert`, `intelmq.bots.experts.tor_nodes.expert`: New parameter `autoupdate_cached_database` to disable automatic updates (downloads) of cached databases (PR#2180 by Sebastian Wagner).
- `intelmq.bots.experts.url.expert`: New bot for extracting additional information from `source.url` and/or `destination.url` (PR#2315 by Filip Pokorný).
- `intelmq.bots.outputs.postgresql`: this bot was marked as deprecated in 2019 and announced to be removed in version 3 of IntelMQ (PR#2045 by Birger Schacht).
- `intelmq.bots.outputs.rpz_file.output` to create RPZ files (PR#1962 by Marius Karotkis).
- `intelmq.bots.outputs.bro_file.output` to create Bro intel formatted files (PR#1963 by Marius Karotkis).
- `intelmq.bots.outputs.templated_smtp.output`: … `from_json()` (which just calls `json.loads()` in the standard Python environment), meaning the Templated SMTP output bot can take strings containing JSON documents and do the formatting itself (PR#2120 by Karl-Johan Karlsson).
- `intelmq.bots.outputs.sql`: …
- … `default_fields` parameter (PR#2293 by Filip Pokorný).
- … `skip_header` parameter (PR#2313 by Filip Pokorný).
- … `intelmq.bots.experts.sieve.validator` from executables in `setup.py` (PR#2256 by Filip Pokorný).
- `intelmq.lib.test`:
  - `skip_ci` also detects `dpkg-buildpackage` environments by checking the environment variable `DEB_BUILD_ARCH` (PR#2123 by Sebastian Wagner).
  - … `exponential backtracking on strings` fixed (PR#2148 by Sebastian Waldbauer, fixes #2138).
  - … `test_invalid_ptr` (PR#2208 by Sebastian Wagner, fixes #2206).
  - … `requests_mock` to the `development` extra requirements in `setup.py` (PR#2210 by Sebastian Wagner).
  - … `INTELMQ_PIPELINE_HOST` as redis host, analogous to other tests (PR#2209 by Sebastian Wagner, fixes #2207).
- `intelmq.lib.test.BotTestCase`: Adds the `skip_checks` variable to not fail on non-empty messages from calling the `check` function (PR#2315 by Filip Pokorný).
- `intelmqctl`:
  - `check`: handle `SyntaxError` in bot modules and report it without breaking execution (fixes #2177).
- `intelmqsetup`: Revised the installation of the manager by building the static files at setup time, not build time, making it behave more meaningfully. Requires intelmq-manager >= 3.1.0 (PR#2198 by Sebastian Wagner, fixes #2197).
- `intelmqdump`: Respect the global and per-bot custom settings of `logging_path` (fix #1605).

This is a short list of the most important known issues. The full list can be retrieved from GitHub.

Full Changelog: https://github.com/certtools/intelmq/compare/3.0.2...3.1.0-rc1
Installation documentation: https://intelmq.readthedocs.io/en/maintenance/user/installation.html
Upgrade documentation: https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html

- `intelmq.lib.bot.CollectorBot`: Fixed an issue within the `new_report` function, which re-loaded the harmonization file after each new incoming dataset, leading to CPU drain and decreased performance (PR#2106 by Sebastian Waldbauer, fixes #2098).
- `intelmq.lib.bot.Bot`: Make the private members `__is_multithreadable` and `__collector_empty_process` protected members `_is_multithreadable` and `_collector_empty_process` to make them easily modifiable by Bot classes (PR#2109 by Sebastian Wagner, fixes #2108). Also affected and adapted bots by this change are:
  - `intelmq.bots.collectors.api.collector_api`
  - `intelmq.bots.collectors.stomp.collector`
  - `intelmq.bots.experts.splunk_saved_search.expert`
  - `intelmq.bots.experts.threshold.expert`
  - `intelmq.bots.outputs.file.output`
  - `intelmq.bots.outputs.misp.output_api`
  - `intelmq.bots.outputs.misp.output_feed`
  - `intelmq.bots.outputs.tcp.output`
  - `intelmq.bots.outputs.udp.output`
- `intelmq.lib.cache`: Do not create the Cache class if the host is null; this allows deactivating the bot statistics (PR#2104 by Sebastian Waldbauer, fixes #2103).
- `intelmq.bots.experts.domain_suffix.expert`: Only print the skipped database update message if verbose mode is active (PR#2107 by Sebastian Wagner, fixes #2016).

See open bug reports for a more detailed list.
Installation documentation: https://intelmq.readthedocs.io/en/maintenance/user/installation.html
Upgrade documentation: https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html

- `intelmq.lib.bot_debugger`: Fix accessing the bot's destination queues (PR#2027 by Mikk Margus Möll).
- `intelmq.lib.pipeline`: Fix handling of the `load_balance` parameter (PR#2027 by Mikk Margus Möll).
- `intelmq.lib.bot`: Fix handling of the parameter `destination_queues` if its value is an empty dictionary (PR#2051 by Sebastian Wagner, fixes #2034).
- `intelmq.bots.collectors.shodan.collector_stream`: Fix access to parameters, the bot wrongly used `self.parameters` (PR#2020 by Mikk Margus Möll).
- `intelmq.bots.collectors.mail.collector_mail_attach`: Add the attachment file name as `extra.file_name` also if the attachment is not compressed (PR#2021 by Alex Kaplan).
- `intelmq.bots.collectors.http.collector_http_stream`: Fix access to parameters, the bot wrongly used `self.parameters` (by Sebastian Wagner).
- `intelmq.bots.parsers.microsoft.parser_ctip`: Map `Payload.domain` to `destination.fqdn` instead of `extra.payload.domain`, as it matches `destination.ip` from `DestinationIp` (PR#2023 by Sebastian Wagner).
- `intelmq.bots.parsers.malwaredomains`: … because the upstream data source (malwaredomains.com) does not exist anymore (PR#2026 by Birger Schacht, fixes #2024).
- `intelmq.bots.parsers.shadowserver.config`: …
- `intelmq.bots.experts.gethostbyname.expert`: Handle numeric values for the `gaierrors_to_ignore` parameter (PR#2073 by Sebastian Wagner, fixes #2072).
- `intelmq.bots.experts.filter.expert`: Fix handling of the empty-string parameters `not_after` and `not_before` (PR#2075 by Sebastian Wagner, fixes #2074).
- `intelmq.bots.outputs.mcafee.output_esm_ip`: Fix access to parameters, the bot wrongly used `self.parameters` (by Sebastian Wagner).
- `intelmq.bots.outputs.misp.output_api`: Fix access to parameters, the bot wrongly used `self.parameters` (by Sebastian Wagner).
- `intelmq.bots.outputs.smtp.output`: Add a `Content-Disposition` header to the attachment, fixing the display in mail clients as an actual attachment (PR#2052 by Sebastian Wagner, fixes #2018).
- … `recordedfuture_iprisk` update call (by Sebastian Wagner).
- … `logging.warn` with `logging.warning` (by Sebastian Wagner, fixes #2013).
- `intelmq.tests.bots.experts.rdap.test_expert`: Declare cache use, fixes build failures (by Sebastian Wagner, fixes #2014).
- `intelmq.tests.bots.collectors.mail.test_collector_attach`: Test text attachment (by Sebastian Wagner).
- `intelmqctl`: … `/opt/intelmq`, use the internal default instead (PR#2092 by Sebastian Wagner, fixes #2091).

See open bug reports for a more detailed list.
This is just an intermediate unstable release towards 3.0.0. Please do not use it in production.

Installation documentation: https://intelmq.readthedocs.io/en/maintenance/user/installation.html
Upgrade documentation: https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html

- The `BOTS` file is no longer used and has been removed (by Sebastian Wagner).
- The `defaults.conf` file is no longer used and has been removed (PR#1814 by Birger Schacht).
- The `pipeline.conf` file is no longer used and has been removed (PR#1849 by Birger Schacht).
- `runtime.conf` was renamed to `runtime.yaml` and is now in YAML format (PR#1812 by Birger Schacht).
- `intelmq.lib.harmonization`: … `ClassificationTaxonomy` with a fixed list of taxonomies and sanitation.
- `intelmq.lib.bot`:
  - … `InvalidValue` exceptions upon message retrieval by dumping the message instead of repeating endlessly (#1765, PR#1766 by Filip Pokorný).
  - … `parameters` member (PR#1729 by Birger Schacht).
  - … `init` to allow bots to access data directly on startup/initialization for cleanup or maintenance tasks (PR#1982 by Sebastian Wagner).
- `intelmq.lib.exceptions`: `InvalidValue`: Add optional parameter `object` (PR#1766 by Filip Pokorný).
- `intelmq.lib.utils`:
  - … `list_all_bots` to list all available/installed bots as a replacement for the BOTS file (#368, #552, #644, #757, #1069, #1750, PR#1751 by Sebastian Waldbauer).
  - … `get_bots_settings` to return the effective bot parameters, with global parameters applied.
  - … `create_request_session_from_bot` (PR#1997 by Sebastian Wagner, #1404).
  - `parse_relative`: Add support for parsing minutes and seconds (PR#1857 by Sebastian Wagner).
- `intelmq.lib.bot_debugger`:
  - … `logging_level` directly in `__init__` before the bot's initialization by changing the default value (by Sebastian Wagner).
  - … `load_configuration_patch` by adapting it to the parameter and configuration rewrite (by Sebastian Wagner).
  - … `group` setting of bots to determine the required message type of messages given on the command line (PR#1949 by Sebastian Wagner).
- `rewrite_config_files.py`: Removed obsolete BOTS-file-related rewriting functionality.

The IntelMQ Data Harmonization ("DHO") is renamed to IntelMQ Data Format ("IDF"). Internal files remain and work the same as before (PR#1818 by Sebastian Waldbauer, fixes 1810). Update allowed classification fields to version 1.3 (2021-05-18) (fixes #1409, #1476).

- `abusive content` has been renamed to `abusive-content`.
- `information content security` has been renamed to `information-content-security`.
- `unauthorised-information-access` has been fixed, a bug prevented the use of it.
- `unauthorised-information-modification` has been fixed, a bug prevented the use of it.
- `leak` has been renamed to `data-leak`.
- `dropzone` has been removed. Taxonomy `other` with type `other` and identifier `dropzone` can be used instead. Ongoing discussion in the RSIT WG.
- `intrusion attempts` has been renamed to `intrusion-attempts`.
- `compromised` has been renamed to `system-compromise`.
- `unauthorized-command` has been merged into `system-compromise`.
- `unauthorized-login` has been merged into `system-compromise`.
- `backdoor` has been merged into `system-compromise` (PR#1995 by Sebastian Wagner, addresses #1409).
- `defacement` has been merged into taxonomy `information-content-security`, type `unauthorised-information-modification` (PR#1994 by Sebastian Wagner, addresses #1409).
- `information gathering` has been renamed to `information-gathering`.
- `malicious code` has been renamed to `malicious-code`.
- `c2server` has been renamed to `c2-server`.
- `malware` has been integrated into `infected-system` and `malware-distribution`, respectively (PR#1917 by Sebastian Wagner, addresses #1409).
- `ransomware` has been integrated into `infected-system`.
- `dga domain` has been moved to the taxonomy `other` and renamed `dga-domain` (PR#1992 by Sebastian Wagner, fixes #1613).
- `misconfiguration` is new.
- `unknown` has been renamed to `undetermined`.
- `vulnerable client` has been renamed to `vulnerable-system`.
- `vulnerable service` has been renamed to `vulnerable-system`.

- `intelmq.bots.collectors.xmpp`: … one of the dependencies of the bot was deprecated and, according to a short survey on the IntelMQ users mailing list, the bot is not used by anyone (https://lists.cert.at/pipermail/intelmq-users/2020-October/000177.html, PR#1761, closes #1614).
- `intelmq.bots.collectors.mail._lib`: Added parameter `mail_starttls` for STARTTLS in all mail collector bots (PR#1831 by Marius Karotkis, fixes #1128).
- `intelmq.bots.collectors.fireeye`: A bot that collects indicators from Fireeye MAS appliances (PR#1745 by Christopher Schappelwein).
- `intelmq.bots.collectors.api.collector_api` (PR#1987 by Mikk Margus Möll, fixes #1986): …
- `intelmq.bots.collectors.rt.collector_rt` (PR#1997 by Sebastian Wagner, #1404): … `unzip_attachment` (removed in 2.1.0) was removed.
- `intelmq.bots.parsers.fireeye`: A bot that parses hashes and URLs from Fireeye MAS indicators (PR#1745 by Christopher Schappelwein).
- `intelmq.bots.parsers.shadowserver._config`: …
- `intelmq.bots.parsers.generic.parser_csv`: … `time_format` (by Sebastian Wagner).
- `intelmq.bots.experts.domain_suffix.expert`:
  - … `--update-database` option to update the domain suffix database (by Sebastian Wagner).
  - `check` method: load the database with UTF-8 encoding explicitly (by Sebastian Wagner).
- `intelmq.bots.experts.http.expert_status`: A bot that fetches the HTTP status for a given URI and adds it to the message (PR#1789 by Birger Schacht, fixes #1047 partly).
- `intelmq.bots.experts.http.expert_content`: A bot that fetches an HTTP resource and checks if it contains a specific string.
- `intelmq.bots.experts.lookyloo.expert`: A bot that sends requests to a lookyloo instance and adds `screenshot_url` to the event (PR#1844 by Sebastian Waldbauer, fixes #1048).
- `intelmq.bots.experts.rdap.expert`: A bot that checks the RDAP protocol for an abuse contact for a given domain.
- `intelmq.bots.experts.sieve.expert`:
  - `:equals`, `:overlaps`, `:supersetof`, `:subsetof`, `:equals`, `!` (PR#1895, PR#1923 by Mikk Margus Möll).
  - `append` and `append!` (forced/overwriting).
  - … `:notcontains` operator, as it is made redundant by generic negation: `! foo :contains 'x'` instead of `foo :notcontains 'x'` (PR#1957 by Mikk Margus Möll).
  - … `:in`, `:containsany` and `:regexin` for string lists, and `:in` for numeric value lists (PR#1957 by Mikk Margus Möll).
  - … `==` operator for lists, with the previous meaning of `:in`. Have a look at the NEWS.md for more information.
- `intelmq.bots.experts.uwhoisd`: A bot that fetches the whois entry from a uwhois instance (PR#1918 by Raphaël Vinot).
- `intelmq.bots.experts.ripencc_abuse_contact.expert`: … It was replaced by `intelmq.bots.experts.ripe.expert` and marked as deprecated in 2.0.0.beta1 (PR#1997 by Sebastian Wagner, #1404).
- `intelmq.bots.experts.modify.expert`: …
- `intelmq.bots.experts.aggregate`: A bot that aggregates events based upon given fields and a timespan (PR#1959 by Sebastian Waldbauer).
- `intelmq.bots.experts.tuency`: A bot that queries the IntelMQ API of a tuency instance (PR#1857 by Sebastian Wagner, fixes #1856).
- `intelmq.bots.outputs.xmpp`: … one of the dependencies of the bot was deprecated and, according to a short survey on the IntelMQ users mailing list, the bot is not used by anyone (https://lists.cert.at/pipermail/intelmq-users/2020-October/000177.html, PR#1761, closes #1614).
- `intelmq.bots.outputs.smtp`: Add more debug logging (PR#1949 by Sebastian Wagner).
- `intelmq.bots.outputs.templated_smtp` (PR#1901 by Karl-Johan Karlsson).
- `certat/intelmq-full:develop` are built and published on every push to the develop branch (PR#1753 by Sebastian Waldbauer).
- `intelmq.tests.lib.test_bot`: … `InvalidValue` exception upon message retrieval (#1765, PR#1766 by Filip Pokorný and Sebastian Wagner).
- `intelmq.lib.test`:
  - … `output` field as dictionaries, not as string, in `assertMessageEqual` (PR#1975 by Karl-Johan Karlsson).
  - … `run_bot` from test cases (PR#1989 by Sebastian Wagner).
  - … `prepare_source_queue` out of `prepare_bot`.
  - … `stop_bot` to `run_bot`.
- The command `e` for deleting single entries by given IDs has been merged into the command `d` ("delete"), which can now delete either entries by ID or the whole file.
- The command `v` for editing entries has been renamed to `e` ("edit").
- … `separate-raws-table.sql` (PR#1985 by Sebastian Wagner).
- … `update-asn-data`, `update-geoip-data`, `update-tor-nodes`, `update-rfiprisk-data` in favor of the built-in update mechanisms (see the bots' documentation). A crontab file for calling all new update commands can be found in `contrib/cron-jobs/intelmq-update-database`.

This is just an intermediate unstable release towards 3.0.0. Please do not use it in production.