CSEC_PUBLIC/intelmq-docker
1
0
Fork 0
mirror of https://github.com/certat/intelmq-docker.git synced 2025-12-07 01:32:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

MAINT: IntelMQ 2.3.1 REL configs

Browse Source 
Signed-off-by: Sebastian Waldbauer <waldbauer@cert.at>
This commit is contained in:
Sebastian Waldbauer
2021-04-27 10:15:40 +02:00
parent ac115f609d
commit 1cf11ba674
5 changed files with 158 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

166
example_config/intelmq/etc/BOTS
View File

@@ -41,6 +41,14 @@
"rate_limit": 300 "rate_limit": 300
} }
}, },
"Kafka": {
"description": "Fetch data from the Apache Kafka distributed stream processing system.",
"module": "intelmq.bots.collectors.kafka.collector",
"parameters": {
"bootstrap_servers": "localhost:9092",
"topic": "<topic>"
}
},
"Mail Attachment Fetcher": { "Mail Attachment Fetcher": {
"description": "Monitor IMAP mailboxes and retrieve mail attachments.", "description": "Monitor IMAP mailboxes and retrieve mail attachments.",
"module": "intelmq.bots.collectors.mail.collector_mail_attach", "module": "intelmq.bots.collectors.mail.collector_mail_attach",
@@ -100,6 +108,7 @@
"module": "intelmq.bots.collectors.http.collector_http", "module": "intelmq.bots.collectors.http.collector_http",
"parameters": { "parameters": {
"extract_files": false, "extract_files": false,
"gpg_keyring": null,
"http_password": null, "http_password": null,
"http_url": "<insert url of feed>", "http_url": "<insert url of feed>",
"http_url_formatting": false, "http_url_formatting": false,
@@ -107,10 +116,10 @@
"name": "__FEED__", "name": "__FEED__",
"provider": "__PROVIDER__", "provider": "__PROVIDER__",
"rate_limit": 3600, "rate_limit": 3600,
"signature_url": null,
"signature_url_formatting": false,
"ssl_client_certificate": null, "ssl_client_certificate": null,
"verify_gpg_signatures": false, "verify_pgp_signatures": false
"gpg_signature_suffix": ".asc",
"gpg_keyring": null
} }
}, },
"URL Stream Fetcher": { "URL Stream Fetcher": {
@@ -242,12 +251,12 @@
"description": "Collect data from ESET's TAXII API", "description": "Collect data from ESET's TAXII API",
"module": "intelmq.bots.collectors.eset.collector", "module": "intelmq.bots.collectors.eset.collector",
"parameters": { "parameters": {
"username": "<username>", "collection": "<collection>",
"password": "<password>",
"endpoint": "eti.eset.com", "endpoint": "eti.eset.com",
"time_delta": 3600, "password": "<password>",
"rate_limit": 3600, "rate_limit": 3600,
"collection": "<collection>" "time_delta": 3600,
"username": "<username>"
} }
}, },
"Github API": { "Github API": {
@@ -305,6 +314,21 @@
"redis_cache_ttl": 604800 "redis_cache_ttl": 604800
} }
}, },
"Shadowserver Reports API": {
"description": "Connects to the Shadowserver API, requests a list of all the reports for a specific country and processes the ones that are new.",
"module": "intelmq.bots.collectors.shadowserver.collector_reports_api",
"parameters": {
"country": "<CC>",
"api_key": "<API key>",
"secret": "<API secret>",
"types": "<single report or list of reports>",
"rate_limit": 86400,
"redis_cache_db": 12,
"redis_cache_host": "127.0.0.1",
"redis_cache_port": 6379,
"redis_cache_ttl": 864000
}
},
"Shodan Stream": { "Shodan Stream": {
"description": "Collect the Shodan stream from the Shodan API.", "description": "Collect the Shodan stream from the Shodan API.",
"module": "intelmq.bots.collectors.shodan.collector_stream", "module": "intelmq.bots.collectors.shodan.collector_stream",
@@ -407,6 +431,16 @@
"module": "intelmq.bots.parsers.ci_army.parser", "module": "intelmq.bots.parsers.ci_army.parser",
"parameters": {} "parameters": {}
}, },
"CZ.NIC HaaS": {
"description": "CZ.NIC HaaS Parser is the bot responsible to parse the report and sanitize the information.",
"module": "intelmq.bots.parsers.cznic.parser_haas",
"parameters": {}
},
"CZ.NIC Proki": {
"description": "Parse the feed from malicious IP addresses on Czech networks.",
"module": "intelmq.bots.parsers.cznic.parser_proki",
"parameters": {}
},
"CertStream": { "CertStream": {
"description": "Parse the CertStream feed.", "description": "Parse the CertStream feed.",
"module": "intelmq.bots.parsers.calidog.parser_certstream", "module": "intelmq.bots.parsers.calidog.parser_certstream",
@@ -427,11 +461,6 @@
"module": "intelmq.bots.parsers.cymru.parser_full_bogons", "module": "intelmq.bots.parsers.cymru.parser_full_bogons",
"parameters": {} "parameters": {}
}, },
"CZ.NIC HaaS": {
"description": "CZ.NIC HaaS Parser is the bot responsible to parse the report and sanitize the information.",
"module": "intelmq.bots.parsers.cznic.parser_haas",
"parameters": {}
},
"DShield AS": { "DShield AS": {
"description": "Parse the DShield AS.", "description": "Parse the DShield AS.",
"module": "intelmq.bots.parsers.dshield.parser_asn", "module": "intelmq.bots.parsers.dshield.parser_asn",
@@ -481,6 +510,7 @@
"", "",
"source.fqdn" "source.fqdn"
], ],
"compose_fields": null,
"default_url_protocol": "http://", "default_url_protocol": "http://",
"delimiter": ",", "delimiter": ",",
"filter_text": null, "filter_text": null,
@@ -532,6 +562,17 @@
"splitlines": false "splitlines": false
} }
}, },
"Key-Value": {
"description": "Parse key=value strings.",
"module": "intelmq.bots.parsers.key_value.parser",
"parameters": {
"keys": {},
"kv_separator": "=",
"pair_separator": " ",
"strip_quotes": true,
"timestamp_key": null
}
},
"MISP": { "MISP": {
"description": "Parse MISP events.", "description": "Parse MISP events.",
"module": "intelmq.bots.parsers.misp.parser", "module": "intelmq.bots.parsers.misp.parser",
@@ -542,11 +583,6 @@
"module": "intelmq.bots.parsers.malc0de.parser", "module": "intelmq.bots.parsers.malc0de.parser",
"parameters": {} "parameters": {}
}, },
"Malware Domain List": {
"description": "Parse the Malware Domain List feed.",
"module": "intelmq.bots.parsers.malwaredomainlist.parser",
"parameters": {}
},
"Malware Domains": { "Malware Domains": {
"description": "Parse the Malware Domains feed.", "description": "Parse the Malware Domains feed.",
"module": "intelmq.bots.parsers.malwaredomains.parser", "module": "intelmq.bots.parsers.malwaredomains.parser",
@@ -604,14 +640,22 @@
"module": "intelmq.bots.parsers.phishtank.parser", "module": "intelmq.bots.parsers.phishtank.parser",
"parameters": {} "parameters": {}
}, },
"ShadowServer": { "Shadowserver CSV": {
"description": "Parse all ShadowServer feeds.", "description": "Parse Shadowserver feeds in CSV format.",
"module": "intelmq.bots.parsers.shadowserver.parser", "module": "intelmq.bots.parsers.shadowserver.parser",
"parameters": { "parameters": {
"feedname": "", "feedname": "",
"overwrite": true "overwrite": true
} }
}, },
"Shadowserver JSON": {
"description": "Parse all Shadowserver feeds in JSON format (data coming from the reports API).",
"module": "intelmq.bots.parsers.shadowserver.parser_json",
"parameters": {
"feedname": "",
"overwrite": true
}
},
"Shodan": { "Shodan": {
"description": "Parse Shodan data collected via the Shodan API.", "description": "Parse Shodan data collected via the Shodan API.",
"module": "intelmq.bots.parsers.shodan.parser", "module": "intelmq.bots.parsers.shodan.parser",
@@ -729,7 +773,7 @@
} }
}, },
"Deduplicator": { "Deduplicator": {
"description": "Detection and drop exact duplicate messages. Message hashes are cached in the Redis datbase.", "description": "Detection and drop exact duplicate messages. Message hashes are cached in the Redis database.",
"module": "intelmq.bots.experts.deduplicator.expert", "module": "intelmq.bots.experts.deduplicator.expert",
"parameters": { "parameters": {
"filter_keys": "raw,time.observation", "filter_keys": "raw,time.observation",
@@ -816,7 +860,8 @@
"module": "intelmq.bots.experts.gethostbyname.expert", "module": "intelmq.bots.experts.gethostbyname.expert",
"parameters": { "parameters": {
"fallback_to_url": true, "fallback_to_url": true,
"gaierrors_to_ignore": null "gaierrors_to_ignore": null,
"overwrite": false
} }
}, },
"IDEA Converter": { "IDEA Converter": {
@@ -839,9 +884,9 @@
"module": "intelmq.bots.experts.maxmind_geoip.expert", "module": "intelmq.bots.experts.maxmind_geoip.expert",
"parameters": { "parameters": {
"database": "/opt/intelmq/var/lib/bots/maxmind_geoip/GeoLite2-City.mmdb", "database": "/opt/intelmq/var/lib/bots/maxmind_geoip/GeoLite2-City.mmdb",
"license_key": "<insert Maxmind license key>",
"overwrite": false, "overwrite": false,
"use_registered": false, "use_registered": false
"license_key": "<insert Maxmind license key>"
} }
}, },
"McAfee Active Response Lookup": { "McAfee Active Response Lookup": {
@@ -853,7 +898,7 @@
} }
}, },
"Modify": { "Modify": {
"description": "Perform arbitrary changes to event's fields based on regular-expression-based rules on different values. See docs/Bots.md for some examples.", "description": "Perform arbitrary changes to event's fields based on regular-expression-based rules on different values. See the bot's documentation for some examples.",
"module": "intelmq.bots.experts.modify.expert", "module": "intelmq.bots.experts.modify.expert",
"parameters": { "parameters": {
"case_sensitive": true, "case_sensitive": true,
@@ -900,9 +945,9 @@
"description": "Adds the Risk Score from RecordedFuture IPRisk associated with source.ip or destination.ip with a local database.", "description": "Adds the Risk Score from RecordedFuture IPRisk associated with source.ip or destination.ip with a local database.",
"module": "intelmq.bots.experts.recordedfuture_iprisk.expert", "module": "intelmq.bots.experts.recordedfuture_iprisk.expert",
"parameters": { "parameters": {
"api_token": "<insert Recorded Future IPRisk API token>",
"database": "/opt/intelmq/var/lib/bots/recordedfuture_iprisk/rfiprisk.dat", "database": "/opt/intelmq/var/lib/bots/recordedfuture_iprisk/rfiprisk.dat",
"overwrite": false, "overwrite": false
"api_token": "<insert Recorded Future IPRisk API token>"
} }
}, },
"Reverse DNS": { "Reverse DNS": {
@@ -925,11 +970,54 @@
"file": "/opt/intelmq/var/lib/bots/sieve/filter.sieve" "file": "/opt/intelmq/var/lib/bots/sieve/filter.sieve"
} }
}, },
"Splunk saved search": {
"description": "Enrich an event from Splunk search results.",
"module": "intelmq.bots.experts.splunk_saved_search.expert",
"parameters": {
"auth_token": "VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wIG92ZXIgdGhlIGxhenkgZG9nLgo=",
"multiple_result_handling": [
"warn",
"use_first",
"send"
],
"not_found": [
"warn",
"send"
],
"overwrite": null,
"result_fields": {
"result field": "event field"
},
"retry_interval": 5,
"saved_search": "search_name",
"search_parameters": {
"event field": "search parameter"
},
"url": "https://splunk:8089/"
}
},
"Taxonomy": { "Taxonomy": {
"description": "Apply the eCSIRT Taxonomy to all events.", "description": "Apply the eCSIRT Taxonomy to all events.",
"module": "intelmq.bots.experts.taxonomy.expert", "module": "intelmq.bots.experts.taxonomy.expert",
"parameters": {} "parameters": {}
}, },
"Threshold": {
"description": "Check if the number of similar messages during a specified time interval exceeds a set value.",
"module": "intelmq.bots.experts.threshold.expert",
"parameters": {
"add_keys": {
"comment": "Threshold reached"
},
"filter_keys": "raw,time.observation",
"filter_type": "blacklist",
"redis_cache_db": "11",
"redis_cache_host": "127.0.0.1",
"redis_cache_password": null,
"redis_cache_port": "6379",
"threshold": 100,
"timeout": 3600
}
},
"Tor Nodes": { "Tor Nodes": {
"description": "Check if the IP address is a Tor Exit Node based on a local database of TOR nodes.", "description": "Check if the IP address is a Tor Exit Node based on a local database of TOR nodes.",
"module": "intelmq.bots.experts.tor_nodes.expert", "module": "intelmq.bots.experts.tor_nodes.expert",
@@ -939,7 +1027,7 @@
} }
}, },
"Wait": { "Wait": {
"description": "Wait for a some time or until a queue size is lower than a given numer.", "description": "Wait for a some time or until a queue size is lower than a given number.",
"module": "intelmq.bots.experts.wait.expert", "module": "intelmq.bots.experts.wait.expert",
"parameters": { "parameters": {
"queue_db": 2, "queue_db": 2,
@@ -1119,24 +1207,24 @@
"description": "Request Tracker ticket creation bot. Create linked Investigation queue ticket if needed, according to the RTIR flow", "description": "Request Tracker ticket creation bot. Create linked Investigation queue ticket if needed, according to the RTIR flow",
"module": "intelmq.bots.outputs.rt.output", "module": "intelmq.bots.outputs.rt.output",
"parameters": { "parameters": {
"rt_uri": "http://localhost/REST/1.0",
"verify_cert": true,
"rt_user": "apiuser",
"rt_password": "<password>",
"queue": "Incidents",
"description_attr": "event_description.text",
"CF_mapping": { "CF_mapping": {
"event_description.text": "Description",
"source.ip": "IP",
"classification.type": "Incident Type",
"classification.taxonomy": "Classification", "classification.taxonomy": "Classification",
"extra.incident.severity": "Incident Severity", "classification.type": "Incident Type",
"event_description.text": "Description",
"extra.incident.importance": "Importance", "extra.incident.importance": "Importance",
"extra.organization.name": "Customer" "extra.incident.severity": "Incident Severity",
"extra.organization.name": "Customer",
"source.ip": "IP"
}, },
"create_investigation": false, "create_investigation": false,
"description_attr": "event_description.text",
"final_status": "resolved",
"investigation_fields": "time.source,time.observation,source.ip,source.port,source.fqdn,source.url,classification.taxonomy,classification.type,classification.identifier,event_description.url,event_description.text,malware.name,protocol.application,protocol.transport", "investigation_fields": "time.source,time.observation,source.ip,source.port,source.fqdn,source.url,classification.taxonomy,classification.type,classification.identifier,event_description.url,event_description.text,malware.name,protocol.application,protocol.transport",
"final_status": "resolved" "queue": "Incidents",
"rt_password": "<password>",
"rt_uri": "http://localhost/REST/1.0",
"rt_user": "apiuser",
"verify_cert": true
} }
}, },
"SMTP": { "SMTP": {

6
example_config/intelmq/etc/defaults.conf
View File

@@ -2,7 +2,7 @@
"accuracy": 100, "accuracy": 100,
"destination_pipeline_broker": "redis", "destination_pipeline_broker": "redis",
"destination_pipeline_db": 2, "destination_pipeline_db": 2,
"destination_pipeline_host": "redis", "destination_pipeline_host": "127.0.0.1",
"destination_pipeline_password": null, "destination_pipeline_password": null,
"destination_pipeline_port": 6379, "destination_pipeline_port": 6379,
"error_dump_message": true, "error_dump_message": true,
@@ -30,12 +30,12 @@
"rate_limit": 0, "rate_limit": 0,
"source_pipeline_broker": "redis", "source_pipeline_broker": "redis",
"source_pipeline_db": 2, "source_pipeline_db": 2,
"source_pipeline_host": "redis", "source_pipeline_host": "127.0.0.1",
"source_pipeline_password": null, "source_pipeline_password": null,
"source_pipeline_port": 6379, "source_pipeline_port": 6379,
"ssl_ca_certificate": null, "ssl_ca_certificate": null,
"statistics_database": 3, "statistics_database": 3,
"statistics_host": "redis", "statistics_host": "127.0.0.1",
"statistics_password": null, "statistics_password": null,
"statistics_port": 6379 "statistics_port": 6379
} }

42
example_config/intelmq/etc/feeds.yaml
View File

@@ -1219,24 +1219,6 @@ providers:
revision: 2018-01-20 revision: 2018-01-20
documentation: http://clean-mx.de/ documentation: http://clean-mx.de/
public: no public: no
Malware Domain List:
Blacklist:
description: No description provided by feed provider.
additional_information:
bots:
collector:
module: intelmq.bots.collectors.http.collector_http
parameters:
http_url: http://www.malwaredomainlist.com/updatescsv.php
rate_limit: 3600
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.malwaredomainlist.parser
parameters:
revision: 2018-01-20
documentation: http://www.malwaredomainlist.com/
public: yes
AnubisNetworks: AnubisNetworks:
Cyberfeed Stream: Cyberfeed Stream:
description: Fetches and parsers the Cyberfeed data stream. description: Fetches and parsers the Cyberfeed data stream.
@@ -1444,7 +1426,7 @@ providers:
revision: 2018-01-20 revision: 2018-01-20
documentation: http://vxvault.net/ViriList.php documentation: http://vxvault.net/ViriList.php
public: yes public: yes
ShadowServer: Shadowserver:
Via IMAP: Via IMAP:
description: Shadowserver sends out a variety of reports (see https://www.shadowserver.org/wiki/pmwiki.php/Services/Reports). description: Shadowserver sends out a variety of reports (see https://www.shadowserver.org/wiki/pmwiki.php/Services/Reports).
additional_information: The configuration retrieves the data from a e-mails via IMAP from the attachments. additional_information: The configuration retrieves the data from a e-mails via IMAP from the attachments.
@@ -1872,3 +1854,25 @@ providers:
revision: 2020-06-30 revision: 2020-06-30
documentation: https://www.eset.com/int/business/services/threat-intelligence/ documentation: https://www.eset.com/int/business/services/threat-intelligence/
public: no public: no
Shodan:
Country Stream:
description: Collects the Shodan stream for one or multiple countries from the Shodan API.
additional_information: A Shodan account with streaming permissions is needed.
bots:
collector:
module: intelmq.bots.collectors.shodan.collector_stream
parameters:
api_key: <API key>
countries: <comma-separated list of country codes>
error_retry_delay: 0
name: __FEED__
provider: __PROVIDER__
parser:
module: intelmq.bots.parsers.shodan.parser
parameters:
ignore_errors: false
error_retry_delay: 0
minimal_mode: false
revision: 2021-03-22
documentation: https://developer.shodan.io/api/stream
public: no

11
example_config/intelmq/etc/pipeline.conf
View File

@@ -48,17 +48,6 @@
"malc0de-parser-queue" "malc0de-parser-queue"
] ]
}, },
"malware-domain-list-collector": {
"destination-queues": [
"malware-domain-list-parser-queue"
]
},
"malware-domain-list-parser": {
"destination-queues": [
"deduplicator-expert-queue"
],
"source-queue": "malware-domain-list-parser-queue"
},
"spamhaus-drop-collector": { "spamhaus-drop-collector": {
"destination-queues": [ "destination-queues": [
"spamhaus-drop-parser-queue" "spamhaus-drop-parser-queue"

27
example_config/intelmq/etc/runtime.conf
View File

@@ -143,33 +143,6 @@
}, },
"run_mode": "continuous" "run_mode": "continuous"
}, },
"malware-domain-list-collector": {
"bot_id": "malware-domain-list-collector",
"description": "Malware Domain List Collector is the bot responsible to get the report from source of information.",
"enabled": true,
"group": "Collector",
"groupname": "collectors",
"module": "intelmq.bots.collectors.http.collector_http",
"name": "Malware Domain List",
"parameters": {
"http_url": "http://www.malwaredomainlist.com/updatescsv.php",
"name": "Malware Domain List",
"provider": "Malware Domain List",
"rate_limit": 3600
},
"run_mode": "continuous"
},
"malware-domain-list-parser": {
"bot_id": "malware-domain-list-parser",
"description": "Malware Domain List Parser is the bot responsible to parse the report and sanitize the information.",
"enabled": true,
"group": "Parser",
"groupname": "parsers",
"module": "intelmq.bots.parsers.malwaredomainlist.parser",
"name": "Malware Domain List",
"parameters": {},
"run_mode": "continuous"
},
"spamhaus-drop-collector": { "spamhaus-drop-collector": {
"bot_id": "spamhaus-drop-collector", "bot_id": "spamhaus-drop-collector",
"description": "", "description": "",