From 44ba247057a91131716c9b45c130778f7b302998 Mon Sep 17 00:00:00 2001
From: Sebastian Waldbauer
Date: Mon, 2 Nov 2020 15:41:07 +0100
Subject: [PATCH] Added BOTS
Signed-off-by: Sebastian Waldbauer
---
 example_config/intelmq/etc/BOTS | 1241 +++++++++++++++++++++++++++++++
 1 file changed, 1241 insertions(+)
 create mode 100644 example_config/intelmq/etc/BOTS
diff --git a/example_config/intelmq/etc/BOTS b/example_config/intelmq/etc/BOTS
new file mode 100644
index 0000000..0018e0c
--- /dev/null
+++ b/example_config/intelmq/etc/BOTS
@@ -0,0 +1,1241 @@ +{ + "Collector": { + "AMQP": { + "description": "Collect data from an AMQP Server and fetch either intelmq or any other messages. Requires the pika python library.", + "module": "intelmq.bots.collectors.amqp.collector_amqp", + "parameters": { + "connection_attempts": 3, + "connection_heartbeat": 3600, + "connection_host": "127.0.0.1", + "connection_port": 5672, + "connection_vhost": "", + "expect_intelmq_message": false, + "name": "My Queue", + "password": "", + "provider": "AMQP Collector", + "queue_name": "", + "use_ssl": false, + "username": "" + } + }, + "API": { + "description": "Collect data by exposing a HTTP API interface.", + "module": "intelmq.bots.collectors.api.collector_api", + "parameters": { + "name": "API", + "port": 5000, + "provider": "APICollector" + } + }, + "File": { + "description": "Fetch data from the file system.", + "module": "intelmq.bots.collectors.file.collector_file", + "parameters": { + "chunk_replicate_header": true, + "chunk_size": null, + "delete_file": false, + "name": "__FEED__", + "path": "/tmp/", + "postfix": ".csv", + "provider": "__PROVIDER__", + "rate_limit": 300 + } + }, + "Mail Attachment Fetcher": { + "description": "Monitor IMAP mailboxes and retrieve mail attachments.", + "module": "intelmq.bots.collectors.mail.collector_mail_attach", + "parameters": { + "attach_regex": "csv.zip", + "extract_files": true, + "folder": "INBOX", + "mail_host": "", + "mail_password": "", + "mail_ssl": true, + "mail_user": "", + "name": "__FEED__", + "provider": "__PROVIDER__", + "rate_limit": 60, + "subject_regex": "" + } + }, + "Mail URL Fetcher": { + "description": "Monitor IMAP mailboxes and fetch files from URLs contained in mail bodies.", + "module": "intelmq.bots.collectors.mail.collector_mail_url", + "parameters": { + "chunk_replicate_header": true, + "chunk_size": null, + "folder": "INBOX", + "http_password": null, + "http_username": null, + "mail_host": "", + "mail_password": "", + "mail_ssl": true, + 
"mail_user": "", + "name": "__FEED__", + "provider": "__PROVIDER__", + "rate_limit": 60, + "ssl_client_certificate": null, + "subject_regex": "", + "url_regex": "http://" + } + }, + "Mail Body Fetcher": { + "description": "Monitor IMAP mailboxes and fetch mail bodies.", + "module": "intelmq.bots.collectors.mail.collector_mail_body", + "parameters": { + "content_types": true, + "folder": "INBOX", + "mail_host": "", + "mail_password": "", + "mail_ssl": true, + "mail_user": "", + "name": "__FEED__", + "provider": "__PROVIDER__", + "rate_limit": 60, + "subject_regex": "" + } + }, + "URL Fetcher": { + "description": "Fetch reports from an URL.", + "module": "intelmq.bots.collectors.http.collector_http", + "parameters": { + "extract_files": false, + "http_password": null, + "http_url": "", + "http_url_formatting": false, + "http_username": null, + "name": "__FEED__", + "provider": "__PROVIDER__", + "rate_limit": 3600, + "ssl_client_certificate": null, + "verify_gpg_signatures": false, + "gpg_signature_suffix": ".asc", + "gpg_keyring": null + } + }, + "URL Stream Fetcher": { + "description": "Open a streaming connection to the URL and process data per line.", + "module": "intelmq.bots.collectors.http.collector_http_stream", + "parameters": { + "http_password": null, + "http_url": "", + "http_username": null, + "name": "__FEED__", + "provider": "__PROVIDER__", + "rate_limit": 3600, + "ssl_client_certificate": null, + "strip_lines": true + } + }, + "MISP Generic": { + "description": "Collect events from a MISP server.", + "module": "intelmq.bots.collectors.misp.collector", + "parameters": { + "misp_key": "", + "misp_tag_processed": "", + "misp_tag_to_process": "", + "misp_url": "", + "name": "__FEED__", + "provider": "__PROVIDER__", + "rate_limit": 3600 + } + }, + "Request Tracker": { + "description": "Fetches attachments and URLs from an Request Tracker ticketing server.", + "module": "intelmq.bots.collectors.rt.collector_rt", + "parameters": { + "attachment_regex": 
"\\.csv\\.zip$", + "extract_attachment": true, + "extract_download": true, + "http_password": null, + "http_username": null, + "name": "__FEED__", + "password": "password", + "provider": "__PROVIDER__", + "rate_limit": 3600, + "search_not_older_than": null, + "search_owner": "nobody", + "search_queue": "Incident Reports", + "search_requestor": null, + "search_status": "new", + "search_subject_like": "Report", + "set_status": "open", + "ssl_client_certificate": null, + "take_ticket": true, + "uri": "http://localhost/rt/REST/1.0", + "url_regex": "https://dl.shadowserver.org/[a-zA-Z0-9?_-]*", + "user": "intelmq" + } + }, + "Rsync": { + "description": "Collect data with rsync from any resource rsync supports.", + "module": "intelmq.bots.collectors.rsync.collector_rsync", + "parameters": { + "file": "", + "name": "RsyncCollector", + "rate_limit": 1000, + "rsync_path": "" + } + }, + "TCP": { + "description": "Receive events by opening a TCP port (ex: from TCP Output of another IntelMQ instance).", + "module": "intelmq.bots.collectors.tcp.collector", + "parameters": { + "ip": "", + "name": "__FEED__", + "port": "", + "provider": "__PROVIDER__" + } + }, + "XMPP": { + "description": "Connect to an XMPP Server and a room, in order to receive reports from it. TLS is used by default. Bot can either pass on the body or the whole event.", + "module": "intelmq.bots.collectors.xmpp.collector", + "parameters": { + "ca_certs": "/etc/ssl/certs/ca-certificates.crt", + "name": "__FEED__", + "pass_full_xml": false, + "provider": "__PROVIDER__", + "strip_message": true, + "use_muc": false, + "xmpp_password": "", + "xmpp_room": null, + "xmpp_room_nick": null, + "xmpp_room_password": null, + "xmpp_server": "", + "xmpp_user": "", + "xmpp_userlist": null, + "xmpp_whitelist_mode": false + } + }, + "AlienVault OTX": { + "description": "Collect reports from the AlienVault OTX Collector API. 
Report varies according to subscriptions.", + "module": "intelmq.bots.collectors.alienvault_otx.collector", + "parameters": { + "api_key": "", + "interval": 24, + "modified_pulses_only": false, + "name": "OTX", + "provider": "AlienVault", + "rate_limit": 3600 + } + }, + "Blueliv Crimeserver": { + "description": "Collect reports from the Blueliv Crimeserver API.", + "module": "intelmq.bots.collectors.blueliv.collector_crimeserver", + "parameters": { + "api_key": "", + "api_url": "https://freeapi.blueliv.com", + "name": "Crimeserver", + "provider": "Blueliv", + "rate_limit": 3600 + } + }, + "CertStream": { + "description": "Collect information from CertStream certificate transparency logs.", + "module": "intelmq.bots.collectors.calidog.collector_certstream", + "parameters": { + "name": "CertStream", + "provider": "Calidog" + } + }, + "ESET ETI TAXII": { + "description": "Collect data from ESET's TAXII API", + "module": "intelmq.bots.collectors.eset.collector", + "parameters": { + "username": "", + "password": "", + "endpoint": "eti.eset.com", + "time_delta": 3600, + "rate_limit": 3600, + "collection": "" + } + }, + "Github API": { + "description": "Collect files from a GitHub repository via the API. 
Optionally with GitHub credentials.", + "module": "intelmq.bots.collectors.github_api.collector_github_contents_api", + "parameters": { + "basic_auth_password": "__PASSWORD__", + "basic_auth_username": "__USERNAME__", + "name": "__FEED__", + "provider": "__PROVIDER__", + "regex": ".*.json", + "repository": "StrangerealIntel/DailyIOC" + } + }, + "McAfee openDXL": { + "description": "Listen to McAfee openDXL fabric.", + "module": "intelmq.bots.collectors.opendxl.collector", + "parameters": { + "dxl_config_file": "", + "dxl_topic": "/mcafee/event/atd/file/report", + "name": "" + } + }, + "Microsoft Azure": { + "description": "Fetch data blobs from a Microsoft Azure container.", + "module": "intelmq.bots.collectors.microsoft.collector_azure", + "parameters": { + "connection_string": "", + "container_name": "", + "name": "Azure", + "provider": "Microsoft", + "rate_limit": 3600, + "redis_cache_db": "5", + "redis_cache_host": "127.0.0.1", + "redis_cache_password": null, + "redis_cache_port": 6379, + "redis_cache_ttl": 864000 + } + }, + "Microsoft Interflow": { + "description": "Fetch data from the Microsoft Interflow API.", + "module": "intelmq.bots.collectors.microsoft.collector_interflow", + "parameters": { + "api_key": "", + "file_match": null, + "http_timeout_sec": 300, + "name": "Interflow", + "not_older_than": "2 days", + "provider": "Microsoft", + "rate_limit": 3600, + "redis_cache_db": "5", + "redis_cache_host": "127.0.0.1", + "redis_cache_password": null, + "redis_cache_port": 6379, + "redis_cache_ttl": 604800 + } + }, + "Shodan Stream": { + "description": "Collect the Shodan stream from the Shodan API.", + "module": "intelmq.bots.collectors.shodan.collector_stream", + "parameters": { + "api_key": "", + "countries": [], + "name": "__FEED__", + "provider": "Shodan" + } + }, + "STOMP": { + "description": "Collect data from a STOMP Interface.", + "module": "intelmq.bots.collectors.stomp.collector", + "parameters": { + "exchange": "", + "name": "Stomp", + "port": 
61614, + "provider": "N6", + "server": "n6stream.cert.pl", + "ssl_ca_certificate": "", + "ssl_client_certificate": "", + "ssl_client_certificate_key": "" + } + }, + "Twitter": { + "description": "Collect tweets from given target timelines.", + "module": "intelmq.bots.collectors.twitter.collector_twitter", + "parameters": { + "access_token_key": "", + "access_token_secret": "", + "consumer_key": "", + "consumer_secret": "", + "default_scheme": "http", + "exclude_replies": "false", + "follow_urls": "", + "include_rts": "true", + "name": "__FEED__", + "provider": "Twitter", + "target_timelines": "", + "timelimit": "", + "tweet_count": "" + } + } + }, + "Parser": { + "Abuse.ch Domain": { + "description": "Parse Abuse.ch domain feeds.", + "module": "intelmq.bots.parsers.abusech.parser_domain", + "parameters": {} + }, + "Abuse.ch IP": { + "description": "Parse Abuse.ch IP address feeds.", + "module": "intelmq.bots.parsers.abusech.parser_ip", + "parameters": {} + }, + "AlienVault": { + "description": "Parse data from the AlienVault API.", + "module": "intelmq.bots.parsers.alienvault.parser", + "parameters": {} + }, + "AlienVault OTX": { + "description": "Parse data from the AlienVault OTX API.", + "module": "intelmq.bots.parsers.alienvault.parser_otx", + "parameters": {} + }, + "AnubisNetworks Cyberfeed Stream": { + "description": "Parse single JSON-events from AnubisNetworks Cyberfeed stream.", + "module": "intelmq.bots.parsers.anubisnetworks.parser", + "parameters": { + "use_malware_familiy_as_classification_identifier": true + } + }, + "Autoshun": { + "description": "Parse the Autoshun feed.", + "module": "intelmq.bots.parsers.autoshun.parser", + "parameters": {} + }, + "Bambenek": { + "description": "Parse the Bambenek feeds.", + "module": "intelmq.bots.parsers.bambenek.parser", + "parameters": {} + }, + "Blocklist.de": { + "description": "Parse the Blocklist.DE feeds.", + "module": "intelmq.bots.parsers.blocklistde.parser", + "parameters": {} + }, + "Blueliv 
Crimeserver": { + "description": "Parse data from the Blueliv Crimeserver API.", + "module": "intelmq.bots.parsers.blueliv.parser_crimeserver", + "parameters": {} + }, + "CERT-EU CSV": { + "description": "Parse CSV data of the CERT-EU feed.", + "module": "intelmq.bots.parsers.cert_eu.parser_csv", + "parameters": {} + }, + "CI Army": { + "description": "Parse the CI Army feed.", + "module": "intelmq.bots.parsers.ci_army.parser", + "parameters": {} + }, + "CertStream": { + "description": "Parse the CertStream feed.", + "module": "intelmq.bots.parsers.calidog.parser_certstream", + "parameters": {} + }, + "CleanMX": { + "description": "Parse the CleanMX feeds.", + "module": "intelmq.bots.parsers.cleanmx.parser", + "parameters": {} + }, + "Cymru CAP Program": { + "description": "Parse the Cymru CAP Program feed.", + "module": "intelmq.bots.parsers.cymru.parser_cap_program", + "parameters": {} + }, + "Cymru Full Bogons": { + "description": "Parse the Cymru Full Bogons feed.", + "module": "intelmq.bots.parsers.cymru.parser_full_bogons", + "parameters": {} + }, + "CZ.NIC HaaS": { + "description": "CZ.NIC HaaS Parser is the bot responsible to parse the report and sanitize the information.", + "module": "intelmq.bots.parsers.cznic.parser_haas", + "parameters": {} + }, + "DShield AS": { + "description": "Parse the DShield AS.", + "module": "intelmq.bots.parsers.dshield.parser_asn", + "parameters": {} + }, + "DShield Block": { + "description": "Parse the DShield Block feed.", + "module": "intelmq.bots.parsers.dshield.parser_block", + "parameters": {} + }, + "DShield Suspicious Domains": { + "description": "Parse the DShield Suspicious Domains feed.", + "module": "intelmq.bots.parsers.dshield.parser_domain", + "parameters": {} + }, + "Danger Rulez": { + "description": "Parse the Danger Rulez feed.", + "module": "intelmq.bots.parsers.danger_rulez.parser", + "parameters": {} + }, + "Dataplane": { + "description": "Parse the Dataplane feeds.", + "module": 
"intelmq.bots.parsers.dataplane.parser", + "parameters": {} + }, + "DynDNS ponmocup Domains": { + "description": "Parse the DynDNS ponmocup feed.", + "module": "intelmq.bots.parsers.dyn.parser", + "parameters": {} + }, + "ESET": { + "description": "Parse data collected from ESET's TAXII API", + "module": "intelmq.bots.parsers.eset.parser", + "parameters": {} + }, + "Fraunhofer DGA": { + "description": "Parse the Fraunhofer DGA feed.", + "module": "intelmq.bots.parsers.fraunhofer.parser_dga", + "parameters": {} + }, + "Generic CSV": { + "description": "Parse generic CSV data. Ignoring lines starting with character #. URLs without protocol can be prefixed with a default value.", + "module": "intelmq.bots.parsers.generic.parser_csv", + "parameters": { + "column_regex_search": {}, + "columns": [ + "", + "source.fqdn" + ], + "default_url_protocol": "http://", + "delimiter": ",", + "filter_text": null, + "filter_type": null, + "skip_header": true, + "time_format": null, + "type": "c2server", + "type_translation": null + } + }, + "Github": { + "description": "Parse known GitHub feeds.", + "module": "intelmq.bots.parsers.github_feed.parser", + "parameters": {} + }, + "HTML Table": { + "description": "Parse HTML table data.", + "module": "intelmq.bots.parsers.html_table.parser", + "parameters": { + "attribute_name": "", + "attribute_value": "", + "columns": [ + "", + "source.fqdn" + ], + "default_url_protocol": "http://", + "ignore_values": [ + "", + "" + ], + "skip_table_head": true, + "split_column": "", + "split_index": 0, + "split_separator": "", + "table_index": 0, + "time_format": null, + "type": "c2server" + } + }, + "Have I been Pwned Enterprise Callback": { + "description": "Parse reports of the 'Have I Been Pwned' Callback for Enterprise Subscribers.", + "module": "intelmq.bots.parsers.hibp.parser_callback", + "parameters": {} + }, + "JSON": { + "description": "Parse IntelMQ-JSON data.", + "module": "intelmq.bots.parsers.json.parser", + "parameters": { + 
"splitlines": false + } + }, + "MISP": { + "description": "Parse MISP events.", + "module": "intelmq.bots.parsers.misp.parser", + "parameters": {} + }, + "Malc0de": { + "description": "Parse the Malc0de IP feed in either IP Blacklist, Windows Format or Bind format.", + "module": "intelmq.bots.parsers.malc0de.parser", + "parameters": {} + }, + "Malware Domain List": { + "description": "Parse the Malware Domain List feed.", + "module": "intelmq.bots.parsers.malwaredomainlist.parser", + "parameters": {} + }, + "Malware Domains": { + "description": "Parse the Malware Domains feed.", + "module": "intelmq.bots.parsers.malwaredomains.parser", + "parameters": {} + }, + "MalwarePatrol Dans Guardian": { + "description": "Parse the MalwarePatrol Dans Guardian feed.", + "module": "intelmq.bots.parsers.malwarepatrol.parser_dansguardian", + "parameters": {} + }, + "Malwareurl": { + "description": "Parse the MalwareURL feed.", + "module": "intelmq.bots.parsers.malwareurl.parser", + "parameters": {} + }, + "McAfee Advanced Threat Defense": { + "description": "Parse IoCs from McAfee Advanced Threat Defense reports (hash, IP, URL).", + "module": "intelmq.bots.parsers.mcafee.parser_atd", + "parameters": { + "verdict_severity": "4" + } + }, + "Microsoft BingMURLs": { + "description": "Parse JSON data from Microsoft's Bing Malicious URLs list.", + "module": "intelmq.bots.parsers.microsoft.parser_bingmurls", + "parameters": {} + }, + "Microsoft CTIP": { + "description": "Parse JSON data from Microsoft's CTIP program.", + "module": "intelmq.bots.parsers.microsoft.parser_ctip", + "parameters": {} + }, + "N6Stomp": { + "description": "Parse CERT.pl's n6 feed.", + "module": "intelmq.bots.parsers.n6.parser_n6stomp", + "parameters": {} + }, + "Netlab 360": { + "description": "Parse the Netlab 360 DGA, Hajime, Magnitude and Mirai feeds.", + "module": "intelmq.bots.parsers.netlab_360.parser", + "parameters": {} + }, + "OpenPhish": { + "description": "Parse the OpenPhish feed.", + "module": 
"intelmq.bots.parsers.openphish.parser", + "parameters": {} + }, + "OpenPhish Commercial": { + "description": "Parse the OpenPhish feed.", + "module": "intelmq.bots.parsers.openphish.parser_commercial", + "parameters": {} + }, + "PhishTank": { + "description": "Parse the PhishTank feed.", + "module": "intelmq.bots.parsers.phishtank.parser", + "parameters": {} + }, + "ShadowServer": { + "description": "Parse all ShadowServer feeds.", + "module": "intelmq.bots.parsers.shadowserver.parser", + "parameters": { + "feedname": "", + "overwrite": true + } + }, + "Shodan": { + "description": "Parse Shodan data collected via the Shodan API.", + "module": "intelmq.bots.parsers.shodan.parser", + "parameters": { + "ignore_errors": true, + "minimal_mode": false + } + }, + "Spamhaus CERT": { + "description": "Parse the Spamhaus CERT feed.", + "module": "intelmq.bots.parsers.spamhaus.parser_cert", + "parameters": {} + }, + "Spamhaus Drop": { + "description": "Parse the Spamhaus DROP, EDROP, DROPv6, and ASN-DROP feeds.", + "module": "intelmq.bots.parsers.spamhaus.parser_drop", + "parameters": {} + }, + "Sucuri Malware": { + "description": "Parse the Sucuri Malware Hidden Iframes and Conditional redirections feeds.", + "module": "intelmq.bots.parsers.sucuri.parser", + "parameters": {} + }, + "Surbl": { + "description": "Parse the Surbl feed.", + "module": "intelmq.bots.parsers.surbl.parser", + "parameters": {} + }, + "Taichung": { + "description": "Parse the Taichung feed.", + "module": "intelmq.bots.parsers.taichung.parser", + "parameters": {} + }, + "Threatminer": { + "description": "Parse the Threatminer feed.", + "module": "intelmq.bots.parsers.threatminer.parser", + "parameters": {} + }, + "Turris Greylist": { + "description": "Parse the Turris Greylist feed.", + "module": "intelmq.bots.parsers.turris.parser", + "parameters": {} + }, + "Twitter": { + "description": "Parse tweets and extract IoC data. 
Currently only URLs are supported, a whitelist of safe domains can be provided.", + "module": "intelmq.bots.parsers.twitter.parser", + "parameters": { + "classification_type": "blacklist", + "domain_whitelist": "t.co", + "substitutions": ".net;[.]net" + } + }, + "VXVault": { + "description": "Parse the VXVault feed.", + "module": "intelmq.bots.parsers.vxvault.parser", + "parameters": {} + }, + "Web Inspektor": { + "description": "Parse the Web Inspektor.", + "module": "intelmq.bots.parsers.webinspektor.parser", + "parameters": {} + }, + "ZoneH": { + "description": "Parse the ZoneH CSV feed.", + "module": "intelmq.bots.parsers.zoneh.parser", + "parameters": {} + } + }, + "Expert": { + "ASN Lookup": { + "description": "Add ASN and netmask information from a local BGP dump.", + "module": "intelmq.bots.experts.asn_lookup.expert", + "parameters": { + "database": "/opt/intelmq/var/lib/bots/asn_lookup/ipasn.dat" + } + }, + "Abusix": { + "description": "Add abuse contact information from the Abusix online service for source and destination IP address.", + "module": "intelmq.bots.experts.abusix.expert", + "parameters": { + "redis_cache_db": "5", + "redis_cache_host": "127.0.0.1", + "redis_cache_password": null, + "redis_cache_port": "6379", + "redis_cache_ttl": "86400" + } + }, + "CSV Converter": { + "description": "Convert data to CSV.", + "module": "intelmq.bots.experts.csv_converter.expert", + "parameters": { + "delimiter": ",", + "fieldnames": "time.source,classification.type,source.ip" + } + }, + "Cymru Whois": { + "description": "Add ASN, netmask, AS name, country, registry and allocation time from the Cymru Whois DNS service.", + "module": "intelmq.bots.experts.cymru_whois.expert", + "parameters": { + "overwrite": false, + "redis_cache_db": "5", + "redis_cache_host": "127.0.0.1", + "redis_cache_password": null, + "redis_cache_port": "6379", + "redis_cache_ttl": "86400" + } + }, + "DO-Portal": { + "description": "Retrieve abuse contact information for the source IP 
address from a do-portal instance.", + "module": "intelmq.bots.experts.do_portal.expert", + "parameters": { + "mode": "append", + "portal_api_key": "", + "portal_url": "" + } + }, + "Deduplicator": { + "description": "Detection and drop exact duplicate messages. Message hashes are cached in the Redis datbase.", + "module": "intelmq.bots.experts.deduplicator.expert", + "parameters": { + "filter_keys": "raw,time.observation", + "filter_type": "blacklist", + "redis_cache_db": "6", + "redis_cache_host": "127.0.0.1", + "redis_cache_password": null, + "redis_cache_port": "6379", + "redis_cache_ttl": "86400" + } + }, + "Domain Suffix": { + "description": "Extract the domain suffix from a domain and save it in the the domain_suffix field. Requires a local file with valid domain suffixes.", + "module": "intelmq.bots.experts.domain_suffix.expert", + "parameters": { + "field": "fqdn", + "suffix_file": "" + } + }, + "Field Reducer": { + "description": "Remove fields from events.", + "module": "intelmq.bots.experts.field_reducer.expert", + "parameters": { + "keys": "", + "type": "" + } + }, + "Filter": { + "description": "Filter events, supports named paths for splitting the message flow.", + "module": "intelmq.bots.experts.filter.expert", + "parameters": { + "filter_action": "", + "filter_key": "", + "filter_regex": "", + "filter_value": "" + } + }, + "Format Field": { + "description": "Perform string method operations on column values.", + "module": "intelmq.bots.experts.format_field.expert", + "parameters": { + "new_value": "", + "old_value": "", + "replace_column": "", + "replace_count": 1, + "split_column": "", + "split_separator": ",", + "strip_chars": " ", + "strip_columns": "malware.name" + } + }, + "Generic DB Lookup": { + "description": "Fetche data from a database.", + "module": "intelmq.bots.experts.generic_db_lookup.expert", + "parameters": { + "database": "intelmq", + "engine": "", + "host": "localhost", + "match_fields": { + "source.asn": "asn" + }, + 
"overwrite": false, + "password": "", + "port": "5432", + "replace_fields": { + "contact": "source.abuse_contact", + "note": "comment" + }, + "sslmode": "require", + "table": "contacts", + "user": "intelmq" + } + }, + "Geohash": { + "description": "Compute the geohash from longitude/latitude information, save it to extra.(source|destination).", + "module": "intelmq.bots.experts.geohash.expert", + "parameters": { + "overwrite": false, + "precision": 7 + } + }, + "Gethostbyname": { + "description": "Resolve the IP address for the FQDN.", + "module": "intelmq.bots.experts.gethostbyname.expert", + "parameters": { + "fallback_to_url": true, + "gaierrors_to_ignore": null + } + }, + "IDEA Converter": { + "description": "Convert events into the IDEA format.", + "module": "intelmq.bots.experts.idea.expert", + "parameters": { + "test_mode": false + } + }, + "MISP": { + "description": "Looking up the IP address in MISP instance and retrieve attribute and event UUIDs.", + "module": "intelmq.bots.experts.misp.expert", + "parameters": { + "misp_key": "", + "misp_url": "" + } + }, + "MaxMind GeoIP": { + "description": "Add geolocation information from a local MaxMind database to events (country, city, longitude, latitude).", + "module": "intelmq.bots.experts.maxmind_geoip.expert", + "parameters": { + "database": "/opt/intelmq/var/lib/bots/maxmind_geoip/GeoLite2-City.mmdb", + "overwrite": false, + "use_registered": false, + "license_key": "" + } + }, + "McAfee Active Response Lookup": { + "description": "Query connections to IP addresses to the given destination within the local environment using McAfee Active Response queries.", + "module": "intelmq.bots.experts.mcafee.expert_mar", + "parameters": { + "dxl_config_file": "", + "lookup_type": "" + } + }, + "Modify": { + "description": "Perform arbitrary changes to event's fields based on regular-expression-based rules on different values. 
See docs/Bots.md for some examples.", + "module": "intelmq.bots.experts.modify.expert", + "parameters": { + "case_sensitive": true, + "configuration_path": "/opt/intelmq/var/lib/bots/modify/modify.conf", + "maximum_matches": null, + "overwrite": false + } + }, + "National CERT by CERT.at": { + "description": "Add country and abuse contact information from the CERT.at national CERT Contact Database. Set filter to true if you want to filter out events for Austria. Set overwrite_cc to true if you want to overwrite an existing country code value.", + "module": "intelmq.bots.experts.national_cert_contact_certat.expert", + "parameters": { + "filter": false, + "http_verify_cert": true, + "overwrite_cc": false + } + }, + "RFC 1918": { + "description": "Removes fields or discard events if an IP address or domain is invalid as defined in standards like RFC 1918 (invalid, local, reserved, documentation). IP address, FQDN and URL fields are supported.", + "module": "intelmq.bots.experts.rfc1918.expert", + "parameters": { + "fields": "destination.ip,source.ip,source.url", + "policy": "del,drop,drop" + } + }, + "RIPE": { + "description": "Fetch abuse contact and/or geolocation information for the source and/or destination IP addresses and/or ASNs of the events.", + "module": "intelmq.bots.experts.ripe.expert", + "parameters": { + "mode": "append", + "query_ripe_db_asn": true, + "query_ripe_db_ip": true, + "query_ripe_stat_asn": true, + "query_ripe_stat_geolocation": true, + "query_ripe_stat_ip": true, + "redis_cache_db": "10", + "redis_cache_host": "127.0.0.1", + "redis_cache_password": null, + "redis_cache_port": "6379", + "redis_cache_ttl": "86400" + } + }, + "RecordedFuture IPRisk": { + "description": "Adds the Risk Score from RecordedFuture IPRisk associated with source.ip or destination.ip with a local database.", + "module": "intelmq.bots.experts.recordedfuture_iprisk.expert", + "parameters": { + "database": "/opt/intelmq/var/lib/bots/recordedfuture_iprisk/rfiprisk.dat", + 
"overwrite": false, + "api_token": "" + } + }, + "Reverse DNS": { + "description": "Get the correspondent domain name for source and destination IP address.", + "module": "intelmq.bots.experts.reverse_dns.expert", + "parameters": { + "cache_ttl_invalid_response": "60", + "overwrite": false, + "redis_cache_db": "7", + "redis_cache_host": "127.0.0.1", + "redis_cache_password": null, + "redis_cache_port": "6379", + "redis_cache_ttl": "86400" + } + }, + "Sieve": { + "description": "Filter and modify events based on a sieve-based language.", + "module": "intelmq.bots.experts.sieve.expert", + "parameters": { + "file": "/opt/intelmq/var/lib/bots/sieve/filter.sieve" + } + }, + "Taxonomy": { + "description": "Apply the eCSIRT Taxonomy to all events.", + "module": "intelmq.bots.experts.taxonomy.expert", + "parameters": {} + }, + "Tor Nodes": { + "description": "Check if the IP address is a Tor Exit Node based on a local database of TOR nodes.", + "module": "intelmq.bots.experts.tor_nodes.expert", + "parameters": { + "database": "/opt/intelmq/var/lib/bots/tor_nodes/tor_nodes.dat", + "overwrite": false + } + }, + "Wait": { + "description": "Wait for a some time or until a queue size is lower than a given numer.", + "module": "intelmq.bots.experts.wait.expert", + "parameters": { + "queue_db": 2, + "queue_host": "localhost", + "queue_name": null, + "queue_polling_interval": 0.05, + "queue_port": 6379, + "queue_size": 0, + "sleep_time": null + } + }, + "url2fqdn": { + "description": "Parse the FQDN from the URL.", + "module": "intelmq.bots.experts.url2fqdn.expert", + "parameters": { + "overwrite": false + } + } + }, + "Output": { + "AMQP Topic": { + "description": "Send events to an AMQP topic exchange. 
Requires the pika python library.", + "module": "intelmq.bots.outputs.amqptopic.output", + "parameters": { + "connection_attempts": 3, + "connection_heartbeat": 3600, + "connection_host": "127.0.0.1", + "connection_port": 5672, + "connection_vhost": "", + "content_type": "application/json", + "delivery_mode": 2, + "exchange_durable": true, + "exchange_name": "", + "exchange_type": "topic", + "keep_raw_field": false, + "message_hierarchical_output": false, + "message_jsondict_as_string": false, + "message_with_type": false, + "password": "", + "require_confirmation": true, + "routing_key": "", + "single_key": false, + "use_ssl": false, + "username": "" + } + }, + "Blackhole": { + "description": "Discard messages.", + "module": "intelmq.bots.outputs.blackhole.output", + "parameters": {} + }, + "Elasticsearch": { + "description": "Send events to an Elasticsearch database server.", + "module": "intelmq.bots.outputs.elasticsearch.output", + "parameters": { + "elastic_host": "127.0.0.1", + "elastic_index": "intelmq", + "elastic_port": 9200, + "flatten_fields": "extra", + "http_password": null, + "http_username": null, + "http_verify_cert": false, + "replacement_char": null, + "rotate_index": "never", + "ssl_ca_certificate": null, + "ssl_show_warnings": true, + "use_ssl": false + } + }, + "File": { + "description": "Write events to a file.", + "module": "intelmq.bots.outputs.file.output", + "parameters": { + "encoding_errors_mode": "strict", + "file": "/opt/intelmq/var/lib/bots/file-output/events.txt", + "format_filename": false, + "hierarchical_output": false, + "keep_raw_field": false, + "message_jsondict_as_string": false, + "message_with_type": false, + "single_key": false + } + }, + "Files": { + "description": "Write events lockfree into separate files.", + "module": "intelmq.bots.outputs.files.output", + "parameters": { + "dir": "/opt/intelmq/var/lib/bots/files-output/incoming", + "hierarchical_output": false, + "keep_raw_field": false, + 
"message_jsondict_as_string": false, + "message_with_type": false, + "single_key": false, + "suffix": ".json", + "tmp": "/opt/intelmq/var/lib/bots/files-output/tmp" + } + }, + "MISP API": { + "description": "Insert events into a MISP instance.", + "module": "intelmq.bots.outputs.misp.output_api", + "parameters": { + "add_feed_name_as_tag": true, + "add_feed_provider_as_tag": true, + "misp_additional_correlation_fields": [], + "misp_additional_tags": [], + "misp_key": "", + "misp_publish": false, + "misp_tag_for_bot": "", + "misp_to_ids_fields": [], + "misp_url": "", + "significant_fields": "" + } + }, + "MISP Feed": { + "description": "Generate an output in the MISP Feed format.", + "module": "intelmq.bots.outputs.misp.output_feed", + "parameters": { + "interval_event": "1 hour", + "misp_org_name": "", + "misp_org_uuid": "", + "output_dir": "/opt/intelmq/var/lib/bots/mispfeed-output" + } + }, + "McAfee ESM": { + "description": "Write events to the McAfee Enterprise Security Manager (ESM).", + "module": "intelmq.bots.outputs.mcafee.output_esm_ip", + "parameters": { + "esm_ip": "1.2.3.4", + "esm_password": "", + "esm_user": "NGCP", + "esm_watchlist": "", + "field": "source.ip" + } + }, + "MongoDB": { + "description": "Send events to a MongoDB database.", + "module": "intelmq.bots.outputs.mongodb.output", + "parameters": { + "collection": "", + "database": "", + "db_pass": null, + "db_user": null, + "hierarchical_output": true, + "host": "localhost", + "port": "27017", + "replacement_char": "_" + } + }, + "REST API": { + "description": "Send events to a REST API listener through HTTP POST.", + "module": "intelmq.bots.outputs.restapi.output", + "parameters": { + "auth_token": "", + "auth_token_name": "", + "auth_type": "", + "hierarchical_output": false, + "host": "", + "ssl_client_certificate": null, + "use_json": true + } + }, + "Redis": { + "description": "Send events to a Redis database.", + "module": "intelmq.bots.outputs.redis.output", + "parameters": { + 
"hierarchical_output": false,
+ "redis_db": 2,
+ "redis_password": "",
+ "redis_queue": "external-redis-queue",
+ "redis_server_ip": "127.0.0.1",
+ "redis_server_port": 6379,
+ "redis_timeout": 50000,
+ "with_type": true
+ }
+ },
+ "Request Tracker": {
+ "description": "Request Tracker ticket creation bot. Create linked Investigation queue ticket if needed, according to the RTIR flow",
+ "module": "intelmq.bots.outputs.rt.output",
+ "parameters": {
+ "rt_uri": "http://localhost/REST/1.0",
+ "verify_cert": true,
+ "rt_user": "apiuser",
+ "rt_password": "",
+ "queue": "Incidents",
+ "description_attr": "event_description.text",
+ "CF_mapping": {
+ "event_description.text": "Description",
+ "source.ip": "IP",
+ "classification.type": "Incident Type",
+ "classification.taxonomy": "Classification",
+ "extra.incident.severity": "Incident Severity",
+ "extra.incident.importance": "Importance",
+ "extra.organization.name": "Customer"
+ },
+ "create_investigation": false,
+ "investigation_fields": "time.source,time.observation,source.ip,source.port,source.fqdn,source.url,classification.taxonomy,classification.type,classification.identifier,event_description.url,event_description.text,malware.name,protocol.application,protocol.transport",
+ "final_status": "resolved"
+ }
+ },
+ "SMTP": {
+ "description": "Send single events as CSV attachment in dynamically formatted e-mails via SMTP.",
+ "module": "intelmq.bots.outputs.smtp.output",
+ "parameters": {
+ "fieldnames": "classification.taxonomy,classification.type,classification.identifier,source.ip,source.asn,source.port",
+ "mail_from": "cert@localhost",
+ "mail_to": "{ev[source.abuse_contact]}",
+ "smtp_host": "localhost",
+ "smtp_password": null,
+ "smtp_port": null,
+ "smtp_username": null,
+ "ssl": false,
+ "starttls": true,
+ "subject": "Incident in your AS {ev[source.asn]}",
+ "text": "Dear network owner,\\n\\nWe have been informed that the following device might have security problems.\\n\\nYour localhost CERT"
+ }
+ },
+ "SQL": {
+ "description": "Send events to a PostgreSQL or SQLite database.",
+ "module": "intelmq.bots.outputs.sql.output",
+ "parameters": {
+ "autocommit": true,
+ "database": "intelmq-events",
+ "engine": "",
+ "host": "localhost",
+ "jsondict_as_string": true,
+ "password": "",
+ "port": "5432",
+ "sslmode": "require",
+ "table": "events",
+ "user": "intelmq"
+ }
+ },
+ "Stomp": {
+ "description": "Send events to a STMOP server.",
+ "module": "intelmq.bots.outputs.stomp.output",
+ "parameters": {
+ "exchange": "/exchange/_push",
+ "heartbeat": 60000,
+ "keep_raw_field": false,
+ "message_hierarchical_output": false,
+ "message_jsondict_as_string": false,
+ "message_with_type": false,
+ "port": 61614,
+ "server": "127.0.0.1",
+ "single_key": false,
+ "ssl_ca_certificate": "",
+ "ssl_client_certificate": "",
+ "ssl_client_certificate_key": ""
+ }
+ },
+ "TCP": {
+ "description": "Send events to a TCP server as Splunk, ElasticSearch or another IntelMQ etc.",
+ "module": "intelmq.bots.outputs.tcp.output",
+ "parameters": {
+ "counterpart_is_intelmq": true,
+ "hierarchical_output": false,
+ "ip": "",
+ "port": "",
+ "separator": ""
+ }
+ },
+ "Touch": {
+ "description": "Touch a file for every event received.",
+ "module": "intelmq.bots.outputs.touch.output",
+ "parameters": {
+ "path": ""
+ }
+ },
+ "UDP": {
+ "description": "Send events to a UDP server, e.g. a syslog daemon.",
+ "module": "intelmq.bots.outputs.udp.output",
+ "parameters": {
+ "field_delimiter": "|",
+ "format": " read README.md",
+ "header": "
",
+ "keep_raw_field": false,
+ "udp_host": "localhost",
+ "udp_port": ""
+ }
+ },
+ "XMPP": {
+ "description": "Send events to an XMPP server.",
+ "module": "intelmq.bots.outputs.xmpp.output",
+ "parameters": {
+ "ca_certs": "/etc/ssl/certs/ca-certificates.crt",
+ "hierarchical_output": false,
+ "use_muc": false,
+ "xmpp_password": "",
+ "xmpp_room": null,
+ "xmpp_room_nick": null,
+ "xmpp_room_password": null,
+ "xmpp_server": "",
+ "xmpp_to_server": "",
+ "xmpp_to_user": "",
+ "xmpp_user": ""
+ }
+ }
+ }
+}