IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol.
intelmq.bots.collectors.stomp.collector
and intelmq.bots.outputs.stomp.output (PR#2408 by Jan Kaliszewski):
auth_by_ssl_client_certificate (Boolean, default: true; if false then
ssl_client_certificate and ssl_client_certificate_key will be ignored);username (STOMP authentication login, default: "guest"; to be used only
if auth_by_ssl_client_certificate is false);password (STOMP authentication passcode, default: "guest"; to be used only
if auth_by_ssl_client_certificate is false).ssl_ca_certificate configuration parameter for
intelmq.bots.collectors.stomp.collector and/or intelmq.bots.outputs.stomp.output
to an empty string - which means that the SSL machinery used for STOMP communication
will attempt to load the system’s default CA certificates (PR#2414 by Jan Kaliszewski).intelmq.lib.message: For invalid message keys, add a hint on the failure to the exception: not allowed by configuration or not matching regular expression (PR#2398 by Sebastian Wagner).intelmq.lib.exceptions.InvalidKey: Add optional parameter additional_text (PR#2398 by Sebastian Wagner).intelmq.lib.mixins: Add a new class, StompMixin (defined in a new submodule: stomp),
which provides certain common STOMP-bot-specific operations, factored out from
intelmq.bots.collectors.stomp.collector and intelmq.bots.outputs.stomp.output
(PR#2408 and PR#2414 by Jan Kaliszewski).intelmq.lib.upgrades: Replace deprecated instances of url2fqdn experts by the new url expert in runtime configuration (PR#2432 by Sebastian Wagner).intelmq.lib.bot: Ensure closing log files on reloading (PR#2435 by Kamil Mankowski).intelmq.bots.collectors.stomp.collector (PR#2408 and PR#2414 by Jan Kaliszewski):
stomp.py older than 4.1.12.stomp.py, including the latest (8.1.0);
fixes #2342.stomp.py suffer from.shutdown. Also,
never attempt to reconnect if the version of stomp.py is older than 4.1.21 (it
did not work properly anyway).port config parameter to int.check hook (verifying, in particular, accessibility
of necessary file(s)).StompCollectorBot instances:
ssl_ca_cert, ssl_cl_cert, ssl_cl_cert_key.
intelmq.bots.collectors.amqp: fix SSL context to pointing to create a client-side connection that verifies the server (PR by Kamil Mankowski).intelmq.bots.collectors.shadowserver.collector_reports_api:
intelmq.bots.collectors.alienvault_otx.collector (PR#2449 by qux-bbb):
intelmq.bots.parsers.netlab_360.parser: Removed as the feed is discontinued. (#2442 by Filip Pokorný)intelmq.bots.parsers.webinspektor.parser: Removed as the feed is discontinued. (#2442 by Filip Pokorný)intelmq.bots.parsers.sucuri.parser: Removed as the feed is discontinued. (#2442 by Filip Pokorný)intelmq.bots.parsers.shadowserver._config:
intelmq.bots.parsers.cymru: Save current line. (PR by Kamil Mankowski)intelmq.bots.experts.jinja (PR#2417 by Mikk Margus Möll):
socket_perms and socket_group parameters to change
file permissions on socket file, if it is in use.intelmq.bots.experts.ripe (PR#2461 by Mikk Margus Möll):
intelmq.bots.outputs.stomp.output (PR#2408 and PR#2414 by Jan Kaliszewski):
stomp.py older than 4.1.12.stomp.py, including the latest (8.1.0).stomp.py suffer from.AttributeError caused by attempts to get unset attributes of StompOutputBot
(ssl_ca_cert et consortes).port config parameter to int.check hook (verifying, in particular, accessibility
of necessary file(s)).stomp.py version check (raise MissingDependencyError if not >=4.1.12).intelmq.bots.outputs.stomp.output (PR#2423 by Kamil Mankowski):
NotConnectedException.intelmq.bots.outputs.smtp_batch.output (PR #2439 by Edvard Rejthar):
bcc
intelmq.bots.outputs.amqp: fix SSL context to pointing to create a client-side connection that verifies the server (PR by Kamil Mankowski).pendulum to suggested packages, as it is required for the sieve bot (PR#2424 by Sebastian Wagner).debian/control: in Suggests field, replace python3-stomp.py (>= 4.1.9) with
python3-stomp (>= 4.1.12), i.e., fix the package name by removing the .py
suffix and bump the minimum version to 4.1.12 (PR#2414 by Jan Kaliszewski).intelmq_psql_initdb:
raw fields separately, and adding IF NOT EXISTS/OR REPLACE clauses (PR#2404 by Kamil Mankowski).Installation: https://intelmq.readthedocs.io/en/develop/user/installation.html Upgrade: https://intelmq.readthedocs.io/en/develop/user/upgrade.html
Fixes an issue which prevented bots from stopping gracefully after reloading. As logrotate reloads all bots regularly, this bug affects most IntelMQ installations.
Until IntelMQ version 3.2.0, the bot incorrectly cached and re-used results for /24 networks instead of single IP addresses.
If the bot retrieved the PTR for 192.0.43.7, it was cached for 192.0.43.0/24 and used for all IP addresses in this range, for example for 192.0.43.8.
IntelMQ version 3.2.1 fixes this issue.
The bugfix will correctly increase the cache sizes and decrease the performance, as less (incorrect) data is re-used.
IEP007: Running IntelMQ bots as Python Library is implemented.
Installation: https://intelmq.readthedocs.io/en/develop/user/installation.html Upgrade: https://intelmq.readthedocs.io/en/develop/user/upgrade.html
The accompanying 3.2.0 release of intelmq-api switches it's backend from the library hug to fastapi. Deb-packages of intelmq-api 3.2.0 are delayed for some distributions because of necessary changes in packaging.
intelmq.lib.utils:
resolve_dns: Deprecate dnspython versions pre-2.0.0 and disable search domains (PR#2352)intelmq.lib.upgrages: Fix a bug in the upgrade function for version 3.1.0 which caused an exception if a generic csv parser instance had no parameter type (PR#2319 by Filip Pokorný).intelmq.lib.datatypes: Adds TimeFormat class to be used for the time_format bot parameter (PR#2329 by Filip Pokorný).intelmq.lib.exceptions: Fixes a bug in InvalidArgument exception (PR#2329 by Filip Pokorný).intelmq.lib.harmonization:
DateTime conversion functions for consistency, backwards compatible (PR#2329 by Filip Pokorný).intelmq.lib.bot.Bot: Allow setting the parameters via parameter on bot initialization.intelmq.bots.collector.rt:
python-rt to be below version 3.0 due to introduced breaking changes,Subject NOT LIKE queries,intelmq.bots.collectors.rsync: Support for optional private key, relative time parsing for the source path, extra rsync parameters and strict host key checking (PR#2241 by Mateo Durante).intelmq.bots.parsers.shadowserver._config:
feedname at shutdown to re-detect the feedname on reloads (PR#2361 by @elsif2, fixes #2360).intelmq.bots.parsers.shadowserver._config:
p0f_genre and p0f_detail from the 'DNS-Open-Resolvers' report. (PR#2338)intelmq.bots.parsers.generic.parser_csv: Changes time_format parameter to use new TimeFormat class (PR#2329 by Filip Pokorný).intelmq.bots.parsers.html_table.parser: Changes time_format parameter to use new TimeFormat class (PR#2329 by Filip Pokorný).intelmq.bots.parsers.turris.parser.py Updated to the latest data format (issue #2167). (PR#2373 by Filip Pokorný).intelmq.bots.experts.sieve:
intelmq.bots.experts.cymru_whois:
intelmq.bots.experts.sieve:
intelmq.bots.outputs.cif3.output: Added (PR#2244 by Michael Davis).intelmq.bots.outputs.sql.output: New parameter fail_on_errors (PR#2362 by Sebastian Wagner).intelmq.bots.outputs.smtp_batch.output: Added a bot to gathering the events and sending them by e-mails at a stroke as CSV files (PR#2253 by Edvard Rejthar)skip_installation and environment variable INTELMQ_TEST_INSTALLATION to skip tests requiring an IntelMQ installation on the test host by default (PR#2370 by Sebastian Wagner, fixes #2369)intelmqsetup:
/ if run with the INTELMQ_PATHS_NO_OPT environment variable set. This affects only the PIP package as the DEB/RPM packages don't contain this tool. (PR#2355 by Kamil Mańkowski, fixes #2354)contrib.eventdb.separate-raws-table.sql: Added the missing commas to complete the sql syntax. (PR#2386, fixes #2125 by Sebastian Kufner)intelmq_psql_initdb:
-o to set the output file destination. (by Sebastian Kufner)intelmqctl:
This is short list of the most important known issues. The full list can be retrieved from GitHub.
intelmq.parsers.html_table may not process invalid URLs in patched Python version due to changes in urllib (#2382).prepare_values returning list instead of tuple (#2255).intelmq_psql_initdb does not work for SQLite (#2202).Installation documentation: https://intelmq.readthedocs.io/en/maintenance/user/installation.html Upgrade documentation: https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html
intelmq.lib.upgrades:
intelmq.lib.message:
extra. namespace (PR#2059 by Sebastian Wagner, fixes #1807).intelmq.lib.bot.SQLBot was replaced by an SQLMixin in intelmq.lib.mixins.SQLMixin. The Generic DB Lookup Expert bot and the SQLOutput bot were updated accordingly.
intelmq.lib.datatypes which for now only contains an Enum listing the four bot typesbottype attribute to CollectorBot, ParserBot, ExpertBot, OutputBotintelmq.lib.processmanager which also contains an interface definition the processmanager implementations must adhere to.
Both the processmanagers and the intelmqctl script were cleaned up a bit.
The LogLevel and ReturnType Enums were added to intelmq.lib.datatypes.intelmq.lib.bot:
ParserBot (PR#2192 by Sebastian Wagner).
default_fields parameter to ParserBot (PR#2293 by Filip Pokorný)intelmq.lib.pipeline:
BRPOPLPUSH to BLMOVE, because BRPOPLPUSH has been marked as deprecated by redis in favor of BLMOVE (PR#2149 and PR#2240 by Sebastian Waldbauer and Sebastian Wagner, fixes #1827, #2233).intelmq.lib.utils:
resolve_dns for querying DNS, with the support for recommended methods from dnspython package in versions 1 and 2.RewindableFileHandle for easier handling and limiting number of temporary objects.intelmq.lib.harmonization:
tzone argument from DateTime.from_timestamp and DateTime.from_epoch_millis
DateTime.from_timstamp now also allows string argumentpytz global dependencyintelmq.bots.collectors.mail._lib:
intelmq.bots.collectors.blueliv: Fix Blueliv collector requirements (PR#2161 by Gethvi).intelmq.bots.collectors.github_api._collector_github_api: Added personal access token support (PR#2145 by Sebastian Waldbauer, fixes #1549).intelmq.bots.collectors.file.collector_file: Added file lock support, no more race conditions (PR#2147 by Sebastian Waldbauer, fixes #2128)intelmq.bots.collectors.shadowserver.collector_reports_api.py: Added file_format option to download reports in CSV format for better performance (PR#2246 by elsif2)intelmq.bots.parsers.alienvault.parser_otx: Save CVE data in extra.cve instead of extra.CVE due to the field name restriction on lower-case characters (PR#2059 by Sebastian Wagner).
intelmq.bots.parsers.anubisnetworks.parser: Changed field name format from extra.communication.http.x_forwarded_for_#1 to extra.communication.http.x_forwarded_for_1 due to the field name restriction on alphanumeric characters (PR#2059 by Sebastian Wagner).
intelmq.bots.parsers.dataplane.parser:
Removed intelmq.bots.parsers.malc0de: this bot was marked as deprecated and removed from feed due to offline status (PR#2184 by Tamas Gutsohn, fixes #2178).
intelmq.bots.parsers.microsoft.parser_ctip:
overwrite (PR#2112 by Sebastian Wagner, fixes #2022).Payload.domain if it contains the same IP address as Payload.serverIp (PR#2144 by Mikk Margus Möll and Sebastian Wagner).intelmq.bots.parsers.shodan.parser (PR#2117 by Mikk Margus Möll):
extra.ftp.<something>.parameters, FTP parameters are collected together into extra.ftp.features as a list of said features, reducing field count.rsync.modules is collected.NoValueException with a string argument to signify that the conversion would not succeed, such as in the case of a single IP address being given in hostnames, which would then be passed into source.reverse_dns and fail to validate as a FQDN._common_keys is moved out of the class._dict_dict_to_obj_list is introduced, for converting a string-to-dict mapping into a list of dicts with the previous key as an attribute of the dict; this can be useful for preventing issues where, when feeding the data into aggregating tools, you'd end up with many more fields than necessary, e.g vulns.CVE-2010-0001.cvss, CVE-2010-0002.cvss etc._get_first to get the first item from a list, with NoValueException raised on empty lists._get_first_hostname to handle the first valid FQDN from a list of hostnames for hostnames in the Shodan banner, if there is one, and gives NoValueException otherwise.ssl.cert.serial and ssl.dhparams.generator, which may return both integers and strings, are converted to strings.apply_mapping, such as reducing needless loop iterations, removing a big try-except, and adding the NoValueException handling described above.intelmq.bots.parsers.shadowserver._config:
Accessible AMQP, Device Identification Report (IPv4 and IPv6) (PR#2134 by Mateo Durante).SSL-POODLE-Vulnerable-Servers IPv6 (file name scan6_ssl_poodle) (PR#2134 by Mateo Durante).Malware-URL, Sandbox-Connection, Sandbox-DNS, Accessible-AMQP, Open-AnonymouIs-MQTT, Accessible-QUIC, Accessible-SSH, SYNful-Knock, and Special (PR#2227 by elsif2)Amplification-DDoS-Victim, CAIDA-IP-Spoofer, Darknet, Drone, Drone-Brute-Force, IPv6-Sinkhole-HTTP-Drone, Microsoft-Sinkhole, and Sinkhole-HTTP-Drone (PR#2227 by elsif2).Accessible-HTTP-proxy and Open-HTTP-proxy (PR#2246 by elsif2).Honeypot-DDoS report and added the DDoS-Participant report (PR#2303 by elsif2)Accessible-SLP, IPv6 Accesssible-SLP, IPv6-DNS-Open-Resolvers, and IPv6-Open-LDAP-TCP reports (PR#2311 by elsif2)Accessible-ICS and Open-MSSQL (PR#2311 by elsif2)intelmq.bots.parsers.cymru.parser_cap_program: The parser mapped the hostname into source.fqdn which is not allowed by the IntelMQ Data Format. Added a check (PR#2215 by Sebastian Waldbauer, fixes #2169)
intelmq.bots.parsers.generic.parser_csv:
intelmq.bots.parsers.autoshun.parser: Removed, as the feed is discontinued (PR#2214 by Sebastian Waldbauer, fixes #2162).
intelmq.bots.parsers.openphish.parser_commercial: Refactored complete code (PR#2160 by Filip Pokorný).
host field to source.fqdn when the content was an IP address.intelmq.bots.parsers.phishtank.parser: Refactored code (PR#2270 by Filip Pokorný)
intelmq.bots.parsers.dshield.parser_domain: Has been removed, due to the feed is discontinued. (PR#2276 by Sebastian Waldbauer)
intelmq.bots.parsers.abusech.parser_ip: Removed (PR#2268 by Filip Pokorný).
intelmq.bots.parsers.abusech.parser_domain: Removed (PR#2268 by Filip Pokorný).
intelmq.bots.parsers.abusech.parser_feodotracker: Added new parser bot (PR#2268 by Filip Pokorný)
intelmq.bots.parsers.generic.parser_csv: Parameter type is deprecated, default_fields should be used. (PR#2293 by Filip Pokorný)
intelmq.bots.parsers.generic.parser_csv: Parameter skip_header now allows also integer as a fixed number of lines to skip. (PR#2313 by Filip Pokorný)
intelmq.bots.parsers.taichung.parser: Removed (PR#2266 by Filip Pokorný)
intelmq.bots.experts.domain_valid: New bot for checking domain's validity (PR#1966 by Marius Karotkis).intelmq.bots.experts.truncate_by_delimiter.expert: Cut string if its length is higher than a maximum length (PR#1967 by Marius Karotkis).intelmq.bots.experts.remove_affix: Remove prefix or postfix strings from a field (PR#1965 by Marius Karotkis).intelmq.bots.experts.asn_lookup.expert: Fixes update-database script on the last few days of a month (PR#2121 by Filip Pokorný, fixes #2088).intelmq.bots.experts.threshold.expert: Correctly use the standard parameter redis_cache_ttl instead of the previously used parameter timeout (PR#2155 by Karl-Johan Karlsson).intelmq.bots.experts.jinja2.expert: Lift restriction on requirement jinja2 < 3 (PR#2158 by Sebastian Wagner).intelmq.bots.experts.asn_lookup.expert, intelmq.bots.experts.domain_suffix.expert, intelmq.bots.experts.maxmind_geoip.expert, intelmq.bots.experts.recordedfuture_iprisk.expert, intelmq.bots.experts.tor_nodes.expert: New parameter autoupdate_cached_database to disable automatic updates (downloads) of cached databases (PR#2180 by Sebastian Wagner).intelmq.bots.experts.url.expert: New bot for extracting additional information from source.url and/or destination.url (PR#2315 by Filip Pokorný).intelmq.bots.outputs.postgresql: this bot was marked as deprecated in 2019 announced to be removed in version 3 of IntelMQ (PR#2045 by Birger Schacht).intelmq.bots.outputs.rpz_file.output to create RPZ files (PR#1962 by Marius Karotkis).intelmq.bots.outputs.bro_file.output to create Bro intel formatted files (PR#1963 by Marius Karotkis).intelmq.bots.outputs.templated_smtp.output:
from_json() (which just calls json.loads() in the standard Python environment), meaning the Templated SMTP output bot can take strings containing JSON documents and do the formatting itself (PR#2120 by Karl-Johan Karlsson).intelmq.bots.outputs.sql:
default_fields parameter (PR#2293 by Filip Pokorný).skip_header parameter (PR#2313 by Filip Pokorný).intelmq.bots.experts.sieve.validator from executables in setup.py (PR#2256 by Filip Pokorný).intelmq.lib.test:
skip_ci also detects dpkg-buildpackage environments by checking the environment variable DEB_BUILD_ARCH (PR#2123 by Sebastian Wagner).exponential backtracking on strings fixed. (PR#2148 by Sebastian Waldbauer, fixes #2138)test_invalid_ptr (PR#2208 by Sebastian Wagner, fixes #2206).requests_mock to the development extra requirements in setup.py (PR#2210 by Sebastian Wagner).INTELMQ_PIPELINE_HOST as redis host, analogous to other tests (PR#2209 by Sebastian Wagner, fixes #2207).intelmq.lib.test.BotTestCase: Adds skip_checks variable to not fail on non-empty messages from calling check function (PR#2315 by Filip Pokorný).intelmqctl:
check: handle SyntaxError in bot modules and report it without breaking execution (fixes #2177)intelmqsetup: Revised installation of manager by building the static files at setup, not build time, making it behave more meaningful. Requires intelmq-manager >= 3.1.0 (PR#2198 by Sebastian Wagner, fixes #2197).intelmqdump: Respected global and per-bot custom settings of logging_path (fix #1605).This is short list of the most important known issues. The full list can be retrieved from GitHub.
Full Changelog: https://github.com/certtools/intelmq/compare/3.0.2...3.1.0-rc1
Installation documentation: https://intelmq.readthedocs.io/en/maintenance/user/installation.html Upgrade documentation: https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html
intelmq.lib.bot.CollectorBot: Fixed an issue with within the new_report function, which re-loads the harmonization file after a new incoming dataset, which leads to CPU drain and decreased performance (PR#2106 by Sebastian Waldbauer, fixes #2098).intelmq.lib.bot.Bot: Make private members __is_multithreadable and __collector_empty_process protected members _is_multithreadable and _collector_empty_process to make them easily modifiable by Bot classes (PR#2109 by Sebastian Wagner, fixes #2108).
Also affected and adapted bots by this change are:
intelmq.bots.collectors.api.collector_api
intelmq.bots.collectors.stomp.collector
intelmq.bots.experts.splunk_saved_search.expert
intelmq.bots.experts.threshold.expert
intelmq.bots.outputs.file.output
intelmq.bots.outputs.misp.output_api
intelmq.bots.outputs.misp.output_feed
intelmq.bots.outputs.tcp.output
intelmq.bots.outputs.udp.output
intelmq.lib.cache: Do not create the Cache class if the host is null, allows deactivating the bot statistics (PR#2104 by Sebastian Waldbauer, fixes #2103).intelmq.bots.experts.domain_suffix.expert: Only print skipped database update message if verbose mode is active (PR#2107 by Sebastian Wagner, fixes #2016).See open bug reports for a more detailed list.
Installation documentation: https://intelmq.readthedocs.io/en/maintenance/user/installation.html Upgrade documentation: https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html
intelmq.lib.bot_debugger: Fix accessing the bot's destination queues (PR#2027 by Mikk Margus Möll).intelmq.lib.pipeline: Fix handling of load_balance parameter (PR#2027 by Mikk Margus Möll).intelmq.lib.bot: Fix handling of parameter destination_queues if value is an empty dictionary (PR#2051 by Sebastian Wagner, fixes #2034).intelmq.bots.collectors.shodan.collector_stream: Fix access to parameters, the bot wrongly used self.parameters (PR#2020 by Mikk Margus Möll).intelmq.bots.collectors.mail.collector_mail_attach: Add attachment file name as extra.file_name also if the attachment is not compressed (PR#2021 by Alex Kaplan).intelmq.bots.collectors.http.collector_http_stream: Fix access to parameters, the bot wrongly used self.parameters (by Sebastian Wagner).intelmq.bots.parsers.microsoft.parser_ctip: Map Payload.domain to destination.fqdn instead of extra.payload.domain as it matches to destination.ip from DestinationIp (PR#2023 by Sebastian Wagner).intelmq.bots.parsers.malwaredomains because the upstream data source (malwaredomains.com) does not exist anymore (PR#2026 by Birger Schacht, fixes #2024).intelmq.bots.parsers.shadowserver.config:
intelmq.bots.experts.gethostbyname.expert: Handle numeric values for the gaierrors_to_ignore parameter (PR#2073 by Sebastian Wagner, fixes #2072).intelmq.bots.experts.filter.expert: Fix handling of empty-string parameters not_after and not_before (PR#2075 by Sebastian Wagner, fixes #2074).intelmq.bots.outputs.mcafee.output_esm_ip: Fix access to parameters, the bot wrongly used self.parameters (by Sebastian Wagner).intelmq.bots.outputs.misp.output_api: Fix access to parameters, the bot wrongly used self.parameters (by Sebastian Wagner).intelmq.bots.outputs.smtp.output: Add Content-Disposition-header to the attachment, fixing the display in Mail Clients as actual attachment (PR#2052 by Sebastian Wagner, fixes #2018).recordedfuture_iprisk update call (by Sebastian Wagner).logging.warn with logging.warning (by Sebastian Wagner, fixes #2013).intelmq.tests.bots.experts.rdap.test_expert: Declare cache use, fixes build failures (by Sebastian Wagner, fixes #2014).intelmq.tests.bots.collectors.mail.test_collector_attach: Test text attachment (by Sebastian Wagner).intelmqctl:
/opt/intelmq, use the internal default instead (PR#2092 by Sebastian Wagner, fixes #2091).See open bug reports for a more detailed list.
This is just an intermediate unstable release towards 3.0.0. Please do not use it in production.
Installation documentation: https://intelmq.readthedocs.io/en/maintenance/user/installation.html Upgrade documentation: https://intelmq.readthedocs.io/en/maintenance/user/upgrade.html
BOTS file is no longer used and has been removed (by Sebastian Wagner).defaults.conf file is no longer used and has been removed (PR#1814 by Birger Schacht).pipeline.conf file is no longer used and has been removed (PR#1849 by Birger Schacht).runtime.conf was renamed to runtime.yaml and is now in YAML format (PR#1812 by Birger Schacht).intelmq.lib.harmonization:
ClassificationTaxonomy with fixed list of taxonomies and sanitiationintelmq.lib.bot:
InvalidValue exceptions upon message retrieval by dumping the message instead of repeating endlessly (#1765, PR#1766 by Filip Pokorný).parameters member (PR#1729 by Birger Schacht).init to allow bots accessing data directly on startup/initialization for cleanup or maintenance tasks (PR#1982 by Sebastian Wagner).intelmq.lib.exceptions:
InvalidValue: Add optional parameter object (PR#1766 by Filip Pokorný).intelmq.lib.utils:
list_all_bots to list all available/installed bots as replacement for the BOTS file (#368, #552, #644, #757, #1069, #1750, PR#1751 by Sebastian Waldbauer).get_bots_settings to return the effective bot parameters, with global parameters applied.create_request_session_from_bot (PR#1997 by Sebastian Wagner, #1404).parse_relative: Add support for parsing minutes and seconds (PR#1857 by Sebastian Wagner).intelmq.lib.bot_debugger:
logging_level directly in __init__ before the bot's initialization by changing the default value (by Sebastian Wagner).load_configuration_patch by adapting it to the parameter and configuration rewrite (by Sebastian Wagner).group setting of bots to determine the required message type of messages given on the command line (PR#1949 by Sebastian Wagner).rewrite_config_files.py: Removed obsolete BOTS-file-related rewriting functionality.The IntelMQ Data Harmonization ("DHO") is renamed to IntelMQ Data Format ("IDF"). Internal files remain and work the same as before (PR#1818 by Sebastian Waldbauer, fixes 1810). Update allowed classification fields to version 1.3 (2021-05-18) (fixes #1409, #1476).
abusive content has been renamed to abusive-content.information content security has been renamed to information-content-security.
unauthorised-information-access has been fixed, a bug prevented the use of it.unauthorised-information-modification has been fixed, a bug prevented the use of it.leak has been renamed to data-leak.dropzone has been removed. Taxonomy other with type other and identifier dropzone can be used instead. Ongoing discussion in the RSIT WG.intrusion attempts has been renamed to intrusion-attempts.compromised has been renamed to system-compromise.unauthorized-command has been merged into system-compromise.unauthorized-login has been merged into system-compromise.backdoor has been merged into system-compromise (PR#1995 by Sebastian Wagner, addresses #1409).defacement has been merged into taxonomy information-content-security, type unauthorised-information-modification (PR#1994 by Sebastian Wagner, addresses #1409).information gathering has been rename to information-gathering.malicious code has been renamed to malicious-code.
c2server has been renamed to c2-server.malware has been integrated into infected-system and malware-distribution, respectively (PR#1917 by Sebastian Wagner addresses #1409).ransomware has been integrated into infected-system.dga domain has been moved to the taxonomy other renamed dga-domain (PR#1992 by Sebastian Wagner fixes #1613).misconfiguration is new.unknown has been renamed to undetermined.vulnerable client has been renamed to vulnerable-system.vulnerable service has been renamed to vulnerable-system.intelmq.bots.collectors.xmpp: one of the dependencies of the bot was deprecated and according to a short survey on the IntelMQ
users mailinglist, the bot is not used by anyone. (https://lists.cert.at/pipermail/intelmq-users/2020-October/000177.html, PR#1761, closes #1614)intelmq.bots.collectors.mail._lib: Added parameter mail_starttls for STARTTLS in all mail collector bots (PR#1831 by Marius Karotkis, fixes #1128).intelmq.bots.collectors.fireeye: A bot that collects indicators from Fireeye MAS appliances (PR#1745 by Christopher Schappelwein).intelmq.bots.collectors.api.collector_api (PR#1987 by Mikk Margus Möll, fixes #1986):
intelmq.bots.collectors.rt.collector_rt (PR#1997 by Sebastian Wagner, #1404):
unzip_attachment (removed in 2.1.0) was removed.intelmq.bots.parsers.fireeye: A bot that parses hashes and URLs from Fireeye MAS indicators (PR#1745 by Christopher Schappelwein).intelmq.bots.parsers.shadowserver._config:
intelmq.bots.parsers.generic.parser_csv:
time_format (by Sebastian Wagner).intelmq.bots.experts.domain_suffix.expert:
--update-database option to update domain suffix database (by Sebastian Wagner).check method: load database with UTF-8 encoding explicitly (by Sebastian Wagner).intelmq.bots.experts.http.expert_status: A bot that fetches the HTTP Status for a given URI and adds it to the message (PR#1789 by Birger Schacht, fixes #1047 partly).intelmq.bots.experts.http.expert_content: A bot that fetches an HTTP resource and checks if it contains a specific string.intelmq.bots.experts.lookyloo.expert: A bot that sends requests to a lookyloo instance & adds screenshot_url to the event (PR#1844 by Sebastian Waldbauer, fixes #1048).intelmq.bots.experts.rdap.expert: A bot that checks the rdap protocol for an abuse contact for a given domain.intelmq.bots.experts.sieve.expert:
:equals
:overlaps
:supersetof
:subsetof
:equals
! (PR#1895, PR#1923 by Mikk Margus Möll).append
append! (forced/overwriting):notcontains operator, as it made is redundant by generic negation: ! foo :contains 'x' instead of foo :notcontains 'x' (PR#1957 by Mikk Margus Möll).:in, :containsany and :regexin for string lists, and :in for numeric value lists (PR#1957 by Mikk Margus Möll).
== operator for lists, with the previous meaning of :in. Have a look at the NEWS.md for more information.intelmq.bots.experts.uwhoisd: A bot that fetches the whois entry from a uwhois-instance (PR#1918 by Raphaël Vinot).intelmq.bots.experts.ripencc_abuse_contact.expert. It was replaced by intelmq.bots.experts.ripe.expert and marked as deprecated in 2.0.0.beta1 (PR#1997 by Sebastian Wagner, #1404).intelmq.bots.experts.modify.expert:
intelmq.bots.experts.aggregate: A bot that aggregate events based upon given fields & a timespan. (PR#1959 by Sebastian Waldbauer)intelmq.bots.experts.tuency: A bot that queries the IntelMQ API of a tuency instance (PR#1857 by Sebastian Wagner, fixes #1856).intelmq.bots.outputs.xmpp: one of the dependencies of the bot was deprecated and according to a short survey on the IntelMQ
users mailinglist, the bot is not used by anyone. (https://lists.cert.at/pipermail/intelmq-users/2020-October/000177.html, PR#1761, closes #1614)intelmq.bots.outputs.smtp: Add more debug logging (PR#1949 by Sebastian Wagner).intelmq.bots.outputs.templated_smtp (PR#1901 by Karl-Johan Karlsson).certat/intelmq-full:develop are built and published on every push to the develop branch (PR#1753 by Sebastian Waldbauer).intelmq.tests.lib.test_bot:
InvalidValue exception upon message retrieval (#1765, PR#1766 by Filip Pokorný and Sebastian Wagner).intelmq.lib.test:
output field as dictionaries, not as string in assertMessageEqual (PR#1975 by Karl-Johan Karlsson).run_bot from test cases (PR#1989 by Sebastian Wagner).
prepare_source_queue out of prepare_bot.stop_bot to run_bot.e for deleting single entries by given IDs has been merged into the command d ("delete"), which can now delete either entries by ID or the whole file.v for editing entries has been renamed to e ("edit").separate-raws-table.sql (PR#1985 by Sebastian Wagner).update-asn-data
update-geoip-data
update-tor-nodes
update-rfiprisk-data
in favor of the built-in update-mechanisms (see the bots' documentation). A crontab file for calling all new update command can be found in contrib/cron-jobs/intelmq-update-database.This is just an intermediate unstable release towards 3.0.0. Please do not use it in production.