From c41ae045d90c979400d529fe64879e23e48a7675 Mon Sep 17 00:00:00 2001
From: Sebastian Waldbauer
Date: Mon, 2 Nov 2020 15:40:31 +0100
Subject: [PATCH] Added intelmq to example_config
Signed-off-by: Sebastian Waldbauer
---
 example_config/intelmq/etc/defaults.conf | 39 +
 example_config/intelmq/etc/feeds.yaml | 1667 +++++++++++++++++
 example_config/intelmq/etc/harmonization.conf | 410 ++++
 example_config/intelmq/etc/pipeline.conf | 86 +
 example_config/intelmq/etc/runtime.conf | 226 +++
 5 files changed, 2428 insertions(+)
 create mode 100644 example_config/intelmq/etc/defaults.conf
 create mode 100644 example_config/intelmq/etc/feeds.yaml
 create mode 100644 example_config/intelmq/etc/harmonization.conf
 create mode 100644 example_config/intelmq/etc/pipeline.conf
 create mode 100644 example_config/intelmq/etc/runtime.conf
diff --git a/example_config/intelmq/etc/defaults.conf b/example_config/intelmq/etc/defaults.conf
new file mode 100644
index 0000000..4cb5dc0
--- /dev/null
+++ b/example_config/intelmq/etc/defaults.conf
@@ -0,0 +1,39 @@
+{
+ "accuracy": 100,
+ "destination_pipeline_broker": "redis",
+ "destination_pipeline_db": 2,
+ "destination_pipeline_host": "127.0.0.1",
+ "destination_pipeline_password": null,
+ "destination_pipeline_port": 6379,
+ "error_dump_message": true,
+ "error_log_exception": true,
+ "error_log_message": false,
+ "error_max_retries": 3,
+ "error_procedure": "pass",
+ "error_retry_delay": 15,
+ "http_proxy": null,
+ "http_timeout_max_tries": 3,
+ "http_timeout_sec": 30,
+ "http_user_agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
+ "http_verify_cert": true,
+ "https_proxy": null,
+ "load_balance": false,
+ "log_processed_messages_count": 500,
+ "log_processed_messages_seconds": 900,
+ "logging_handler": "file",
+ "logging_level": "INFO",
+ "logging_path": "/opt/intelmq/var/log/",
+ "logging_syslog": "/dev/log",
+ "process_manager": "intelmq",
+ "rate_limit": 0,
+ "source_pipeline_broker": "redis",
+ "source_pipeline_db": 2,
+ "source_pipeline_host": "127.0.0.1",
+ "source_pipeline_password": null,
+ "source_pipeline_port": 6379,
+ "ssl_ca_certificate": null,
+ "statistics_database": 3,
+ "statistics_host": "127.0.0.1",
+ "statistics_password": null,
+ "statistics_port": 6379
+}
diff --git a/example_config/intelmq/etc/feeds.yaml b/example_config/intelmq/etc/feeds.yaml
new file mode 100644
index 0000000..f5c5db9
--- /dev/null
+++ b/example_config/intelmq/etc/feeds.yaml
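Review bot: The three broker credentials in defaults.conf (`destination_pipeline_password`, `source_pipeline_password`, `statistics_password`) are `null`, so the example runs against an unauthenticated Redis; that is only acceptable while the broker stays on the loopback address given in `destination_pipeline_host`/`source_pipeline_host`/`statistics_host`, and because strict JSON allows no comment the constraint should be recorded in the example directory's README rather than left implicit. `error_dump_message: true` persists full failed messages to disk (presumably under `logging_path`, `/opt/intelmq/var/log/`), and those dumps can carry whole feed records, so the README should also state that the directory must be readable only by the service user; `error_log_message: false` already keeps the message body out of the log stream itself. The desktop-browser `http_user_agent` looks like the upstream default; if it is kept on purpose, a one-line note saying so would stop the next reader from replacing it with an identifying agent and silently breaking feeds that serve browsers differently.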
@@ -0,0 +1,1667 @@ +--- +providers: + ViriBack: + Unsafe sites: + description: Latest detected unsafe sites. + additional_information: You need to install the lxml library in order to parse this feed. + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://tracker.viriback.com/ + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.html_table.parser + parameters: + columns: ["malware.name", "source.url", "source.ip", "time.source"] + type: malware + time_format: from_format_midnight|%d-%m-%Y + html_parser: lxml + revision: 2018-06-27 + documentation: https://viriback.com/ + public: yes + WebInspektor: + Unsafe sites: + description: Latest detected unsafe sites. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://app.webinspector.com/public/recent_detections/ + rate_limit: 60 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.webinspektor.parser + parameters: + revision: 2018-03-09 + documentation: + public: yes + Sucuri: + Hidden IFrames: + description: Latest hidden iframes identified on compromised web sites. + additional_information: Please note that the parser only extracts the hidden iframes and the conditional redirects, not the encoded javascript. + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://labs.sucuri.net/?malware + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.sucuri.parser + parameters: + revision: 2018-01-28 + documentation: http://labs.sucuri.net/?malware + public: yes + Surbl: + Malicious Domains: + description: Detected malicious domains. Note that you have to opened up Sponsored Datafeed Service (SDS) access to the SURBL data via rsync for your IP address. 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.rsync.collector_rsync + parameters: + file: wild.surbl.org.rbldnsd + rsync_path: blacksync.prolocation.net::surbl-wild/ + parser: + module: intelmq.bots.parsers.surbl.parser + parameters: + revision: 2018-09-04 + documentation: + public: no + MalwarePatrol: + DansGuardian: + description: Malware block list with URLs + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://lists.malwarepatrol.net/cgi/getfile?receipt={{ your API key }}&product=8&list=dansguardian + rate_limit: 180000 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.malwarepatrol.parser_dansguardian + parameters: + revision: 2018-01-20 + documentation: https://www.malwarepatrol.net/non-commercial/ + public: no + Malware Domains: + Malicious: + description: Malware Prevention through Domain Blocking (Black Hole DNS Sinkhole) + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://mirror1.malwaredomains.com/files/domains.txt + rate_limit: 172800 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.malwaredomains.parser + parameters: + revision: 2018-01-20 + documentation: http://www.malwaredomains.com/ + public: yes + ZoneH: + Defacements: + description: all the information contained in Zone-H's cybercrime archive were + either collected online from public sources or directly notified anonymously + to us. 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.mail.collector_mail_attach + parameters: + mail_host: __HOST__ + mail_password: __PASSWORD__ + mail_ssl: true + mail_user: __USERNAME__ + sent_from: datazh@zone-h.org + folder: INBOX + subject_regex: Report + extract_files: false + attach_regex: csv + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.zoneh.parser + parameters: + revision: 2018-01-20 + documentation: https://zone-h.org/ + public: no + OpenPhish: + Public feed: + description: OpenPhish is a fully automated self-contained platform for phishing + intelligence. It identifies phishing sites and performs intelligence analysis + in real time without human intervention and without using any external resources, + such as blacklists. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.openphish.com/feed.txt + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.openphish.parser + parameters: + revision: 2018-01-20 + documentation: https://www.openphish.com/ + public: yes + Premium Feed: + description: OpenPhish is a fully automated self-contained platform for phishing + intelligence. It identifies phishing sites and performs intelligence analysis + in real time without human intervention and without using any external resources, + such as blacklists. + additional_information: Discounts available for Government and National CERTs a well as for Nonprofit and Not-for-Profit organizations. 
+ bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://openphish.com/prvt-intell/ + http_password: "{{ your password}}" + http_username: "{{ your username}}" + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.openphish.parser_commercial + parameters: + revision: 2018-02-06 + documentation: https://www.openphish.com/phishing_feeds.html + public: no + Netlab 360: + Mirai Scanner: + description: 'This feed provides IP addresses which actively scan for vulnerable + IoT devices and install Mirai Botnet.' + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://data.netlab.360.com/feeds/mirai-scanner/scanner.list + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.netlab_360.parser + parameters: + revision: 2018-01-20 + documentation: http://data.netlab.360.com/mirai-scanner/ + public: yes + Magnitude EK: + description: 'This feed lists FQDN and possibly the URL used by Magnitude Exploit + Kit. Information also includes the IP address used for the domain and last + time seen.' + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://data.netlab.360.com/feeds/ek/magnitude.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.netlab_360.parser + parameters: + revision: 2018-01-20 + documentation: http://data.netlab.360.com/ek + public: yes + DGA: + description: 'This feed lists DGA family, Domain, Start and end of valid time(UTC) + of a number of DGA families.' 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://data.netlab.360.com/feeds/dga/dga.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.netlab_360.parser + parameters: + revision: 2018-01-20 + documentation: http://data.netlab.360.com/dga + public: yes + Hajime Scanner: + description: 'This feed lists IP address for know Hajime bots network. These IPs data are obtained by joining the DHT network and interacting with the Hajime node' + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://data.netlab.360.com/feeds/hajime-scanner/bot.list + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.netlab_360.parser + parameters: + revision: 2019-08-01 + documentation: https://data.netlab.360.com/hajime/ + public: yes + Abuse.ch: + Feodo Tracker IPs: + description: 'List of botnet Command&Control servers (C&Cs) tracked by Feodo Tracker, + associated with Dridex and Emotet (aka Heodo).' + additional_information: https://feodotracker.abuse.ch/ + The data in the column Last Online is used for `time.source` if available, with 00:00 as time. Otherwise first seen is used as `time.source`. + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://feodotracker.abuse.ch/downloads/ipblocklist.csv + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.abusech.parser_ip + parameters: + revision: 2019-03-25 + documentation: https://feodotracker.abuse.ch/ + public: yes + URLhaus: + description: URLhaus is a project from abuse.ch with the goal of sharing malicious + URLs that are being used for malware distribution. 
URLhaus offers a country, ASN + (AS number) and Top Level Domain (TLD) feed for network operators / Internet Service + Providers (ISPs), Computer Emergency Response Teams (CERTs) and domain registries. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://urlhaus.abuse.ch/feeds/tld//, + https://urlhaus.abuse.ch/feeds/country//, or + https://urlhaus.abuse.ch/feeds/asn// + rate_limit: 129600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.generic.parser_csv + parameters: + skip_header: false + default_url_protocol: http:// + type_translation: '{"malware_download": "malware-distribution"}' + delimeter: "," + columns: + - time.source + - source.url + - status + - classification.type|__IGNORE__ + - source.fqdn|__IGNORE__ + - source.ip + - source.asn + - source.geolocation.cc + revision: 2020-07-07 + documentation: https://urlhaus.abuse.ch/feeds/ + public: yes + Feodo Tracker Browse: + description: '' + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://feodotracker.abuse.ch/browse + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.html_table.parser + parameters: + columns: "time.source,source.ip,malware.name,status,extra.SBL,source.as_name,source.geolocation.cc" + ignore_values: ",,,,Not listed,," + skip_table_head: True + type: c2server + revision: 2019-03-19 + documentation: https://feodotracker.abuse.ch/browse + public: yes + Blueliv: + CrimeServer: + description: Blueliv Crimeserver Collector is the bot responsible to get the + report through the API. + additional_information: + The service uses a different API for free users and paying subscribers. In 'CrimeServer' + feed the difference lies in the data points present in the feed. 
The non-free API + available from Blueliv contains, for this specific feed, following extra fields not + present in the free API; + "_id" - Internal unique ID + "subType" - Subtype of the Crime Server + "countryName" - Country name where the Crime Server is located, in English + "city" - City where the Crime Server is located + "domain" - Domain of the Crime Server + "host" - Host of the Crime Server + "createdAt" - Date when the Crime Server was added to Blueliv CrimeServer database + "asnCidr" - Range of IPs that belong to an ISP (registered via Autonomous System Number (ASN)) + "asnId" - Identifier of an ISP registered via ASN + "asnDesc" Description of the ISP registered via ASN + bots: + collector: + module: intelmq.bots.collectors.blueliv.collector_crimeserver + parameters: + rate_limit: 3600 + api_key: __APIKEY__ + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.blueliv.parser_crimeserver + parameters: + revision: 2018-01-20 + documentation: https://www.blueliv.com/ + public: no + Team Cymru: + CAP: + description: Team Cymru provides daily lists of compromised or abused devices + for the ASNs and/or netblocks with a CSIRT's jurisdiction. This includes such + information as bot infected hosts, command and control systems, open resolvers, + malware urls, phishing urls, and brute force attacks + additional_information: | + "Two feeds types are offered: + * The new https://www.cymru.com/$certname/$certname_{time[%Y%m%d]}.txt + * and the old https://www.cymru.com/$certname/infected_{time[%Y%m%d]}.txt + Both formats are supported by the parser and the new one is recommended. + As of 2019-09-12 the old format will be retired soon." 
+ bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_password: "{{your password}}" + http_url_formatting: true + http_url: https://www.cymru.com/$certname/$certname_{time[%Y%m%d]}.txt + http_username: "{{your login}}" + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.cymru.parser_cap_program + parameters: + revision: 2018-01-20 + documentation: https://www.team-cymru.com/CSIRT-AP.html https://www.cymru.com/$certname/report_info.txt + public: no + Full Bogons IPv4: + description: Fullbogons are a larger set which also includes IP space that has + been allocated to an RIR, but not assigned by that RIR to an actual ISP or + other end-user. IANA maintains a convenient IPv4 summary page listing allocated + and reserved netblocks, and each RIR maintains a list of all prefixes that + they have assigned to end-users. Our bogon reference pages include additional + links and resources to assist those who wish to properly filter bogon prefixes + within their networks. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt + rate_limit: 129600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.cymru.parser_full_bogons + parameters: + revision: 2018-01-20 + documentation: https://www.team-cymru.com/bogon-reference-http.html + public: yes + Full Bogons IPv6: + description: Fullbogons are a larger set which also includes IP space that has + been allocated to an RIR, but not assigned by that RIR to an actual ISP or + other end-user. IANA maintains a convenient IPv4 summary page listing allocated + and reserved netblocks, and each RIR maintains a list of all prefixes that + they have assigned to end-users. 
Our bogon reference pages include additional + links and resources to assist those who wish to properly filter bogon prefixes + within their networks. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt + rate_limit: 129600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.cymru.parser_full_bogons + parameters: + revision: 2018-01-20 + documentation: https://www.team-cymru.com/bogon-reference-http.html + public: yes + Taichung: + Netflow Recent: + description: "Abnormal flows detected: Attacking (DoS, Brute-Force, Scanners) and malicious hosts (C&C servers, hosting malware)" + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.tc.edu.tw/net/netflow/lkout/recent/ + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.taichung.parser + revision: 2018-01-20 + documentation: https://www.tc.edu.tw/net/netflow/lkout/recent/ + public: yes + Dataplane: + SSH Client Connection: + description: Entries below consist of fields with identifying characteristics + of a source IP address that has been seen initiating an SSH connection to + a remote host. This report lists hosts that are suspicious of more than just + port scanning. The hosts may be SSH server cataloging or conducting authentication + attack attempts. Report is updated hourly. 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://dataplane.org/sshclient.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.dataplane.parser + parameters: + revision: 2018-01-20 + documentation: http://dataplane.org/ + public: yes + SSH Password Authentication: + description: Entries below consist of fields with identifying characteristics + of a source IP address that has been seen attempting to remotely login to + a host using SSH password authentication. The report lists hosts that are + highly suspicious and are likely conducting malicious SSH password authentication + attacks. Report is updated hourly. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://dataplane.org/sshpwauth.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.dataplane.parser + parameters: + revision: 2018-01-20 + documentation: http://dataplane.org/ + public: yes + SIP Query: + description: Entries consist of fields with identifying characteristics of a + source IP address that has been seen initiating a SIP OPTIONS query to a remote + host. This report lists hosts that are suspicious of more than just port scanning. + The hosts may be SIP server cataloging or conducting various forms of telephony + abuse. Report is updated hourly. 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://dataplane.org/sipquery.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.dataplane.parser + parameters: + revision: 2018-01-20 + documentation: http://dataplane.org/ + public: yes + SIP Registration: + description: Entries consist of fields with identifying characteristics of a + source IP address that has been seen initiating a SIP REGISTER operation to + a remote host. This report lists hosts that are suspicious of more than just + port scanning. The hosts may be SIP client cataloging or conducting various + forms of telephony abuse. Report is updated hourly. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://dataplane.org/sipregistration.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.dataplane.parser + parameters: + revision: 2018-01-20 + documentation: http://dataplane.org/ + public: yes + Turris: + Greylist: + description: The data are processed and clasified every week and behaviour of + IP addresses that accessed a larger number of Turris routers is evaluated. + The result is a list of addresses that have tried to obtain information about + services on the router or tried to gain access to them. We publish this so + called "greylist" that also contains a list of tags for each address which + indicate what behaviour of the address was observed. 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.turris.cz/greylist-data/greylist-latest.csv + rate_limit: 43200 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.turris.parser + parameters: + revision: 2018-01-20 + documentation: https://project.turris.cz/greylist-data/legend.txt + public: yes + Malc0de: + Bind Format: + description: This feed includes FQDN's of malicious hosts, the file format is + in Bind file format. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://malc0de.com/bl/ZONES + rate_limit: 10800 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.malc0de.parser + parameters: + revision: 2018-01-20 + documentation: http://malc0de.com/dashboard/ + public: yes + Windows Format: + description: This feed includes FQDN's of malicious hosts, the file format is + in Windows Hosts file format. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://malc0de.com/bl/BOOT + rate_limit: 10800 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.malc0de.parser + parameters: + revision: 2018-01-20 + documentation: http://malc0de.com/dashboard/ + public: yes + IP Blacklist: + description: This feed includes IP Addresses of malicious hosts. 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://malc0de.com/bl/IP_Blacklist.txt + rate_limit: 10800 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.malc0de.parser + parameters: + revision: 2018-01-20 + documentation: http://malc0de.com/dashboard/ + public: yes + University of Toulouse: + Blacklist: + description: Various blacklist feeds + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://dsi.ut-capitole.fr/blacklists/download/{collection name}.tar.gz + extract_files: 'true' + rate_limit: 43200 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.generic.parser_csv + parameters: + type: "{depends on a collection}" + delimiter: 'false' + columns: "{depends on a collection}" + revision: 2018-01-20 + documentation: https://dsi.ut-capitole.fr/blacklists/ + public: yes + Autoshun: + Shunlist: + description: You need to register in order to use the list. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.autoshun.org/download/?api_key=__APIKEY__&format=html + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.autoshun.parser + parameters: + revision: 2018-01-20 + documentation: https://www.autoshun.org/ + public: no + Danger Rulez: + Bruteforce Blocker: + description: Its main purpose is to block SSH bruteforce attacks via firewall. 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://danger.rulez.sk/projects/bruteforceblocker/blist.php + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.danger_rulez.parser + parameters: + revision: 2018-01-20 + documentation: http://danger.rulez.sk/index.php/bruteforceblocker/ + public: yes + Spamhaus: + Drop: + description: The DROP list will not include any IP address space under the control + of any legitimate network - even if being used by "the spammers from hell". + DROP will only include netblocks allocated directly by an established Regional + Internet Registry (RIR) or National Internet Registry (NIR) such as ARIN, + RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.spamhaus.org/drop/drop.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.spamhaus.parser_drop + parameters: + revision: 2018-01-20 + documentation: https://www.spamhaus.org/drop/ + public: yes + ASN Drop: + description: ASN-DROP contains a list of Autonomous System Numbers controlled + by spammers or cyber criminals, as well as "hijacked" ASNs. ASN-DROP can be + used to filter BGP routes which are being used for malicious purposes. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.spamhaus.org/drop/asndrop.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.spamhaus.parser_drop + parameters: + revision: 2018-01-20 + documentation: https://www.spamhaus.org/drop/ + public: yes + Dropv6: + description: The DROPv6 list includes IPv6 ranges allocated to spammers or cyber + criminals. 
DROPv6 will only include IPv6 netblocks allocated directly by an + established Regional Internet Registry (RIR) or National Internet Registry + (NIR) such as ARIN, RIPE, AFRINIC, APNIC, LACNIC or KRNIC or direct RIR allocations. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.spamhaus.org/drop/dropv6.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.spamhaus.parser_drop + parameters: + revision: 2018-01-20 + documentation: https://www.spamhaus.org/drop/ + public: yes + CERT: + description: Spamhaus CERT Insight Portal. Access limited to CERTs and CSIRTs + with national or regional responsibility. + . + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: "{{ your CERT portal URL }}" + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.spamhaus.parser_cert + parameters: + revision: 2018-01-20 + documentation: https://www.spamhaus.org/news/article/705/spamhaus-launches-cert-insight-portal + public: no + EDrop: + description: EDROP is an extension of the DROP list that includes sub-allocated + netblocks controlled by spammers or cyber criminals. EDROP is meant to be + used in addition to the direct allocations on the DROP list. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.spamhaus.org/drop/edrop.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.spamhaus.parser_drop + parameters: + revision: 2018-01-20 + documentation: https://www.spamhaus.org/drop/ + public: yes + PhishTank: + Online: + description: PhishTank is a collaborative clearing house for data and information + about phishing on the Internet. 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://data.phishtank.com/data/{{ your API key }}/online-valid.csv + rate_limit: 28800 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.phishtank.parser + parameters: + revision: 2018-01-20 + documentation: https://www.phishtank.com/developer_info.php + public: no + CINSscore: + Army List: + description: 'The CINS Army list is a subset of the CINS Active Threat Intelligence + ruleset, and consists of IP addresses that meet one of two basic criteria: + 1) The IP''s recent Rogue Packet score factor is very poor, or 2) The IP has + tripped a designated number of ''trusted'' alerts across a given number of + our Sentinels deployed around the world.' + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://cinsscore.com/list/ci-badguys.txt + rate_limit: 3600 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.ci_army.parser + parameters: + revision: 2018-01-20 + documentation: https://cinsscore.com/#list + public: yes + Blocklist.de: + IRC Bots: + description: No description provided by feed provider. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://lists.blocklist.de/lists/ircbot.txt + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.blocklistde.parser + parameters: + revision: 2018-01-20 + documentation: http://www.blocklist.de/en/export.html + public: yes + Strong IPs: + description: Blocklist.DE Strong IPs Collector is the bot responsible to get + the report from source of information. All IPs which are older then 2 month + and have more then 5.000 attacks. 
+ additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://lists.blocklist.de/lists/strongips.txt + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.blocklistde.parser + parameters: + revision: 2018-01-20 + documentation: http://www.blocklist.de/en/export.html + public: yes + Mail: + description: Blocklist.DE Mail Collector is the bot responsible to get the report + from source of information. All IP addresses which have been reported within + the last 48 hours as having run attacks on the service Mail, Postfix. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://lists.blocklist.de/lists/mail.txt + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.blocklistde.parser + parameters: + revision: 2018-01-20 + documentation: http://www.blocklist.de/en/export.html + public: yes + Apache: + description: Blocklist.DE Apache Collector is the bot responsible to get the + report from source of information. All IP addresses which have been reported + within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, + RFI-Attacks. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://lists.blocklist.de/lists/apache.txt + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.blocklistde.parser + parameters: + revision: 2018-01-20 + documentation: http://www.blocklist.de/en/export.html + public: yes + FTP: + description: Blocklist.DE FTP Collector is the bot responsible to get the report + from source of information. All IP addresses which have been reported within + the last 48 hours for attacks on the Service FTP. 
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://lists.blocklist.de/lists/ftp.txt
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.blocklistde.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://www.blocklist.de/en/export.html
+ public: yes
+ SSH:
+ description: Blocklist.DE SSH Collector is the bot responsible to get the report
+ from source of information. All IP addresses which have been reported within
+ the last 48 hours as having run attacks on the service SSH.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://lists.blocklist.de/lists/ssh.txt
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.blocklistde.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://www.blocklist.de/en/export.html
+ public: yes
+ Brute-force Logins:
+ description: Blocklist.DE Brute-force Login Collector is the bot responsible
+ to get the report from source of information. All IPs which attacks Joomlas,
+ Wordpress and other Web-Logins with Brute-Force Logins.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://lists.blocklist.de/lists/bruteforcelogin.txt
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.blocklistde.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://www.blocklist.de/en/export.html
+ public: yes
+ Bots:
+ description: Blocklist.DE Bots Collector is the bot responsible to get the report
+ from source of information.
All IP addresses which have been reported within
+ the last 48 hours as having run attacks attacks on the RFI-Attacks, REG-Bots,
+ IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on a open Forum
+ or Wiki).
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://lists.blocklist.de/lists/bots.txt
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.blocklistde.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://www.blocklist.de/en/export.html
+ public: yes
+ IMAP:
+ description: Blocklist.DE IMAP Collector is the bot responsible to get the report
+ from source of information. All IP addresses which have been reported within
+ the last 48 hours for attacks on the service like IMAP, SASL, POP3, etc.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://lists.blocklist.de/lists/imap.txt
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.blocklistde.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://www.blocklist.de/en/export.html
+ public: yes
+ SIP:
+ description: Blocklist.DE SIP Collector is the bot responsible to get the report
+ from source of information. All IP addresses that tried to login in a SIP-,
+ VOIP- or Asterisk-Server and are included in the IPs-List from http://www.infiltrated.net/
+ (Twitter).
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://lists.blocklist.de/lists/sip.txt
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.blocklistde.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://www.blocklist.de/en/export.html
+ public: yes
+ CERT.PL:
+ N6 Stomp Stream:
+ description: N6 Collector - CERT.pl's N6 Collector - N6 feed via STOMP interface.
+ Note that rate_limit does not apply for this bot as it is waiting for messages
+ on a stream.
+ additional_information: Contact cert.pl to get access to the feed.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.stomp.collector
+ parameters:
+ exchange: "{insert your exchange point as given by CERT.pl}"
+ ssl_client_certificate_key: "{insert path to client cert key file for
+ CERT.pl's n6}"
+ ssl_ca_certificate: "{insert path to CA file for CERT.pl's n6}"
+ port: '61614'
+ ssl_client_certificate: "{insert path to client cert file for CERTpl's
+ n6}"
+ server: n6stream.cert.pl
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.n6.parser_n6stomp
+ parameters:
+ revision: 2018-01-20
+ documentation: https://n6.cert.pl/en/
+ public: no
+ AlienVault:
+ OTX:
+ description: AlienVault OTX Collector is the bot responsible to get the report
+ through the API. Report could vary according to subscriptions.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.alienvault_otx.collector
+ parameters:
+ api_key: "{{ your API key }}"
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.alienvault.parser_otx
+ parameters:
+ revision: 2018-01-20
+ documentation: https://otx.alienvault.com/
+ public: no
+ Reputation List:
+ description: List of malicious IPs.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://reputation.alienvault.com/reputation.data
+ rate_limit: 3600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.alienvault.parser
+ parameters:
+ revision: 2018-01-20
+ documentation:
+ public: yes
+ CleanMX:
+ Virus:
+ description: In order to download the CleanMX feed you need to use a custom
+ user agent and register that user agent.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&domain=
+ http_timeout_sec: 120
+ http_user_agent: "{{ your user agent }}"
+ rate_limit: 129600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.cleanmx.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://clean-mx.de/
+ public: no
+ Phishing:
+ description: In order to download the CleanMX feed you need to use a custom
+ user agent and register that user agent.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: http://support.clean-mx.de/clean-mx/xmlphishing?response=alive&domain=
+ http_timeout_sec: 120
+ http_user_agent: "{{ your user agent }}"
+ rate_limit: 129600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.cleanmx.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://clean-mx.de/
+ public: no
+ Malware Domain List:
+ Blacklist:
+ description: No description provided by feed provider.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: http://www.malwaredomainlist.com/updatescsv.php
+ rate_limit: 3600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.malwaredomainlist.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://www.malwaredomainlist.com/
+ public: yes
+ AnubisNetworks:
+ Cyberfeed Stream:
+ description: Fetches and parsers the Cyberfeed data stream.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http_stream
+ parameters:
+ http_url: https://prod.cyberfeed.net/stream?key={{ your API key }}
+ strip_lines: 'true'
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.anubisnetworks.parser
+ parameters:
+ use_malware_familiy_as_classification_identifier: true
+ revision: 2020-06-15
+ documentation: https://www.anubisnetworks.com/ https://www.bitsight.com/
+ public: no
+ Bambenek:
+ C2 Domains:
+ description: 'Master Feed of known, active and non-sinkholed C&Cs domain
+ names. Requires access credentials.'
+ additional_information: 'License: https://osint.bambenekconsulting.com/license.txt'
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://faf.bambenekconsulting.com/feeds/c2-dommasterlist.txt
+ http_username: __USERNAME__
+ http_password: __PASSWORD__
+ rate_limit: 3600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.bambenek.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: https://osint.bambenekconsulting.com/feeds/
+ public: no
+ C2 IPs:
+ description: 'Master Feed of known, active and non-sinkholed C&Cs IP addresses.
+ Requires access credentials.'
+ additional_information: 'License: https://osint.bambenekconsulting.com/license.txt'
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://faf.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
+ http_username: __USERNAME__
+ http_password: __PASSWORD__
+ rate_limit: 3600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.bambenek.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: https://osint.bambenekconsulting.com/feeds/
+ public: no
+ DGA Domains:
+ description: Domain feed of known DGA domains from -2 to +3 days
+ additional_information: 'License: https://osint.bambenekconsulting.com/license.txt'
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://faf.bambenekconsulting.com/feeds/dga-feed.txt
+ rate_limit: 3600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.bambenek.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: https://osint.bambenekconsulting.com/feeds/
+ public: yes
+ DynDNS:
+ Infected Domains:
+ description: DynDNS ponmocup. List of ponmocup malware redirection domains and
+ infected web-servers. See also http://security-research.dyndns.org/pub/botnet-links.html
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-CIF-latest.txt
+ rate_limit: 10800
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.dyn.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://security-research.dyndns.org/pub/malware-feeds/
+ public: yes
+ DShield:
+ Suspicious Domains:
+ description: There are many suspicious domains on the internet.
In an effort
+ to identify them, as well as false positives, we have assembled weighted lists
+ based on tracking and malware lists from different sources. ISC is collecting
+ and categorizing various lists associated with a certain level of sensitivity.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://www.dshield.org/feeds/suspiciousdomains_High.txt
+ rate_limit: 129600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.dshield.parser_domain
+ parameters:
+ revision: 2018-01-20
+ documentation: https://www.dshield.org/reports.html
+ public: yes
+ Block:
+ description: This list summarizes the top 20 attacking class C (/24) subnets
+ over the last three days. The number of 'attacks' indicates the number of
+ targets reporting scans from this subnet.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://www.dshield.org/block.txt
+ rate_limit: 129600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.dshield.parser_block
+ parameters:
+ revision: 2018-01-20
+ documentation: https://www.dshield.org/reports.html
+ public: yes
+ AS Details:
+ description: No description provided by feed provider.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://dshield.org/asdetailsascii.html?as={{ AS Number }}
+ rate_limit: 129600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.dshield.parser_asn
+ parameters:
+ revision: 2018-01-20
+ documentation: https://www.dshield.org/reports.html
+ public: yes
+ VXVault:
+ URLs:
+ description: This feed provides IP addresses hosting Malware.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: http://vxvault.net/URL_List.php
+ rate_limit: 3600
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.vxvault.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: http://vxvault.net/ViriList.php
+ public: yes
+ ShadowServer:
+ Via IMAP:
+ description: Shadowserver sends out a variety of reports (see https://www.shadowserver.org/wiki/pmwiki.php/Services/Reports).
+ additional_information: The configuration retrieves the data from a e-mails via IMAP from the attachments.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.mail.collector_mail_attach
+ parameters:
+ mail_host: __HOST__
+ mail_password: __PASSWORD__
+ mail_ssl: true
+ mail_user: __USERNAME__
+ attach_regex: csv.zip
+ extract_files: true
+ rate_limit: 86400
+ subject_regex: __REGEX__
+ folder: INBOX
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.shadowserver.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: https://www.shadowserver.org/what-we-do/network-reporting/
+ public: no
+ Via Request Tracker:
+ description: Shadowserver sends out a variety of reports (see https://www.shadowserver.org/wiki/pmwiki.php/Services/Reports).
+ additional_information: The configuration retrieves the data from a RT/RTIR ticketing instance via the attachment or an download.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.rt.collector_rt
+ parameters:
+ attachment_regex: \\.csv\\.zip$
+ extract_attachment: true
+ extract_download: false
+ http_password: "{{ your HTTP Authentication password or null }}"
+ http_username: "{{ your HTTP Authentication username or null }}"
+ password: __PASSWORD__
+ provider: __PROVIDER__
+ rate_limit: 3600
+ search_not_older_than: "{{ relative time or null }}"
+ search_owner: nobody
+ search_queue: Incident Reports
+ search_requestor: autoreports@shadowserver.org
+ search_status: new
+ search_subject_like: \[__COUNTRY__\] Shadowserver __COUNTRY__
+ set_status: open
+ take_ticket: true
+ uri: http://localhost/rt/REST/1.0
+ url_regex: https://dl.shadowserver.org/[a-zA-Z0-9?_-]*
+ user: __USERNAME__
+ parser:
+ module: intelmq.bots.parsers.shadowserver.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: https://www.shadowserver.org/what-we-do/network-reporting/
+ public: no
+ Fraunhofer:
+ DGA Archive:
+ description: Fraunhofer DGA collector fetches data from Fraunhofer's domain
+ generation archive.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://dgarchive.caad.fkie.fraunhofer.de/today
+ http_password: "{{ your password}}"
+ http_username: "{{ your username}}"
+ rate_limit: 10800
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.fraunhofer.parser_dga
+ parameters:
+ revision: 2018-01-20
+ documentation: https://dgarchive.caad.fkie.fraunhofer.de/welcome/
+ public: no
+ MalwareURL:
+ Latest malicious activity:
+ description: Latest malicious domains/IPs.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://www.malwareurl.com/
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.malwareurl.parser
+ parameters:
+ revision: 2018-02-05
+ documentation: https://www.malwareurl.com/
+ public: yes
+ Microsoft:
+ BingMURLs via Interflow:
+ description: Collects Malicious URLs detected by Bing from the Interflow API. The feed is available via Microsoft’s Government Security Program (GSP).
+ additional_information: Depending on the file sizes you may need to increase the parameter 'http_timeout_sec' of the collector.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.microsoft.collector_interflow
+ parameters:
+ api_key: "{{your API key}}"
+ file_match: "^bingmurls_"
+ not_older_than: "2 days"
+ rate_limit: 3600
+ http_timeout_sec: 300
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.microsoft.parser_bingmurls
+ parameters:
+ revision: 2018-05-29
+ documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange
+ public: no
+ CTIP via Interflow:
+ description: Collects CTIP (Sinkhole data) files from the Interflow API.The feed is available via Microsoft’s Government Security Program (GSP).
+ additional_information: Depending on the file sizes you may need to increase the parameter 'http_timeout_sec' of the collector. As many IPs occur very often in the data, you may want to use a deduplicator specifically for the feed.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.microsoft.collector_interflow
+ parameters:
+ api_key: "{{your API key}}"
+ file_match: "^ctip_"
+ not_older_than: "2 days"
+ rate_limit: 3600
+ http_timeout_sec: 300
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.microsoft.parser_ctip
+ parameters:
+ revision: 2018-03-06
+ documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange
+ public: no
+ CTIP via Azure:
+ description: Collects CTIP (Sinkhole data) files from a shared Azure Storage. The feed is available via Microsoft’s Government Security Program (GSP).
+ additional_information: The cache is needed for memorizing which files have already been processed, the TTL should be higher than the oldest file available in the storage (currently the last three days are available). The connection string contains endpoint as well as authentication information.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.microsoft.collector_azure
+ parameters:
+ connection_string: "{{your connection string}}"
+ container_name: "ctip-infected-summary"
+ name: __FEED__
+ provider: __PROVIDER__
+ rate_limit: 3600
+ redis_cache_db: 5
+ redis_cache_host: 127.0.0.1
+ redis_cache_port: 6379
+ redis_cache_ttl: 864000
+ parser:
+ module: intelmq.bots.parsers.microsoft.parser_ctip
+ parameters:
+ revision: 2020-05-29
+ documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange
+ public: no
+ Threatminer:
+ Recent domains:
+ description: Latest malicious domains.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://www.threatminer.org/
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.threatminer.parser
+ parameters:
+ revision: 2018-02-06
+ documentation: https://www.threatminer.org/
+ public: yes
+ Calidog:
+ CertStream:
+ description: HTTP Websocket Stream from certstream.calidog.io providing data from Certificate Transparency Logs.
+ additional_information: Be aware that this feed provides a lot of data and may overload your system quickly.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.calidog.collector_certstream
+ parameters:
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.calidog.parser_certstream
+ parameters:
+ revision: 2018-06-15
+ documentation: https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067
+ public: yes
+ McAfee Advanced Threat Defense:
+ Sandbox Reports:
+ description: Processes reports from McAfee's sandboxing solution via the openDXL API.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.opendxl.collector
+ parameters:
+ dxl_config_file: "{{location of dxl configuration file}}"
+ dxl_topic: "/mcafee/event/atd/file/report"
+ parser:
+ module: intelmq.bots.parsers.mcafee.parser_atd
+ parameters:
+ verdict_severity: 4
+ revision: 2018-07-05
+ documentation: https://www.mcafee.com/enterprise/en-us/products/advanced-threat-defense.html
+ public: no
+ CyberCrime Tracker:
+ Latest:
+ description: C2 servers
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://cybercrime-tracker.net/index.php
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.html_table.parser
+ parameters:
+ columns: ["time.source", "source.url", "source.ip", "malware.name", "__IGNORE__"]
+ skip_table_head: true
+ default_url_protocol: http://
+ type: c2server
+ revision: 2019-03-19
+ documentation: https://cybercrime-tracker.net/index.php
+ public: yes
+ PrecisionSec:
+ Agent Tesla:
+ description: Agent Tesla IoCs, URLs where the malware is hosted.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ http_url: https://precisionsec.com/threat-intelligence-feeds/agent-tesla/
+ rate_limit: 86400
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.html_table.parser
+ parameters:
+ columns: ["source.ip|source.url", "time.source"]
+ skip_table_head: true
+ default_url_protocol: http://
+ type: malware
+ revision: 2019-04-02
+ documentation: https://precisionsec.com/threat-intelligence-feeds/agent-tesla/
+ public: yes
+ Have I Been Pwned:
+ Enterprise Callback:
+ description: With the Enterprise Subscription of 'Have I Been Pwned' you are able to provide a callback URL and any new leak data is submitted to it. It is recommended to put a webserver with Authorization check, TLS etc.
in front of the API collector.
+ additional_information: |
+ "A minimal nginx configuration could look like:
+ ```
+ server {
+ listen 443 ssl http2;
+ server_name [your host name];
+ client_max_body_size 50M;
+
+ ssl_certificate [path to your key];
+ ssl_certificate_key [path to your certificate];
+
+ location /[your private url] {
+ if ($http_authorization != '[your private password]') {
+ return 403;
+ }
+ proxy_pass http://localhost:5001/intelmq/push;
+ proxy_read_timeout 30;
+ proxy_connect_timeout 30;
+ }
+ }
+ ```
+ "
+ bots:
+ collector:
+ module: intelmq.bots.collectors.api.collector_api
+ parameters:
+ port: 5001
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.hibp.parser_callback
+ parameters:
+ revision: 2019-09-11
+ documentation: https://haveibeenpwned.com/EnterpriseSubscriber/
+ public: no
+ Strangereal Intel:
+ DailyIOC:
+ description: Daily IOC from tweets and articles
+ additional_information: |
+ collector's `extra_fields` parameter may be any of fields from the github [content API response](https://developer.github.com/v3/repos/contents/)
+ bots:
+ collector:
+ module: intelmq.bots.collectors.github_api.collector_github_contents_api
+ parameters:
+ basic_auth_username: USERNAME
+ basic_auth_password: PASSWORD
+ repository: StrangerealIntel/DailyIOC
+ regex: .*.json
+ parser:
+ module: intelmq.bots.parsers.github_feed
+ parameters:
+ revision: 2019-12-05
+ documentation: https://github.com/StrangerealIntel/DailyIOC
+ public: yes
+ CZ.NIC:
+ HaaS:
+ description: SSH attackers against HaaS (Honeypot as a Sevice) provided by CZ.NIC, z.s.p.o. The dump is published once a day.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.http.collector_http
+ parameters:
+ extract_files: true
+ http_url: https://haas.nic.cz/stats/export/{time[%Y/%m/%Y-%m-%d]}.json.gz
+ http_url_formatting:
+ days: -1
+ rate_limit: 86400
+ parser:
+ module: intelmq.bots.parsers.cznic.parser_haas
+ parameters:
+ revision: 2020-07-22
+ documentation: https://haas.nic.cz/
+ public: yes
+ ESET:
+ ETI Domains:
+ description: Domain data from ESET's TAXII API.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.eset.collector
+ parameters:
+ username:
+ password:
+ endpoint: eti.eset.com
+ time_delta: 3600
+ collection: ei.domains v2 (json)
+ parser:
+ module: intelmq.bots.parsers.eset.parser
+ parameters:
+ revision: 2020-06-30
+ documentation: https://www.eset.com/int/business/services/threat-intelligence/
+ public: no
+ ETI URLs:
+ description: URL data from ESET's TAXII API.
+ additional_information:
+ bots:
+ collector:
+ module: intelmq.bots.collectors.eset.collector
+ parameters:
+ username:
+ password:
+ endpoint: eti.eset.com
+ time_delta: 3600
+ collection: ei.urls (json)
+ parser:
+ module: intelmq.bots.parsers.eset.parser
+ parameters:
+ revision: 2020-06-30
+ documentation: https://www.eset.com/int/business/services/threat-intelligence/
+ public: no
diff --git a/example_config/intelmq/etc/harmonization.conf b/example_config/intelmq/etc/harmonization.conf
new file mode 100644
index 0000000..a173a29
--- /dev/null
+++ b/example_config/intelmq/etc/harmonization.conf
@@ -0,0 +1,410 @@
+{
+ "event": {
+ "classification.identifier": {
+ "description": "The lowercase identifier defines the actual software or service (e.g. 'heartbleed' or 'ntp_version') or standardized malware name (e.g. 'zeus'). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.",
+ "type": "String"
+ },
+ "classification.taxonomy": {
+ "description": "We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to a an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. For more information about check [ENISA taxonomies](http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies).",
+ "length": 100,
+ "type": "LowercaseString"
+ },
+ "classification.type": {
+ "description": "The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid \u201ctype explosion\u201d, which in turn dilutes the business value of the dynamic typing.
In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.",
+ "type": "ClassificationType"
+ },
+ "comment": {
+ "description": "Free text commentary about the abuse event inserted by an analyst.",
+ "type": "String"
+ },
+ "destination.abuse_contact": {
+ "description": "Abuse contact for destination address. A comma separated list.",
+ "type": "LowercaseString"
+ },
+ "destination.account": {
+ "description": "An account name or email address, which has been identified to relate to the destination of an abuse event.",
+ "type": "String"
+ },
+ "destination.allocated": {
+ "description": "Allocation date corresponding to BGP prefix.",
+ "type": "DateTime"
+ },
+ "destination.as_name": {
+ "description": "The autonomous system name to which the connection headed.",
+ "type": "String"
+ },
+ "destination.asn": {
+ "description": "The autonomous system number to which the connection headed.",
+ "type": "ASN"
+ },
+ "destination.domain_suffix": {
+ "description": "The suffix of the domain from the public suffix list.",
+ "type": "FQDN"
+ },
+ "destination.fqdn": {
+ "description": "A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything.
A final point is stripped, string is converted to lower case characters.",
+ "regex": "^.*[^\\.]$",
+ "type": "FQDN"
+ },
+ "destination.geolocation.cc": {
+ "description": "Country-Code according to ISO3166-1 alpha-2 for the destination IP.",
+ "length": 2,
+ "regex": "^[a-zA-Z0-9]{2}$",
+ "type": "UppercaseString"
+ },
+ "destination.geolocation.city": {
+ "description": "Some geolocation services refer to city-level geolocation.",
+ "type": "String"
+ },
+ "destination.geolocation.country": {
+ "description": "The country name derived from the ISO3166 country code (assigned to cc field).",
+ "type": "String"
+ },
+ "destination.geolocation.latitude": {
+ "description": "Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.",
+ "type": "Float"
+ },
+ "destination.geolocation.longitude": {
+ "description": "Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.",
+ "type": "Float"
+ },
+ "destination.geolocation.region": {
+ "description": "Some geolocation services refer to region-level geolocation.",
+ "type": "String"
+ },
+ "destination.geolocation.state": {
+ "description": "Some geolocation services refer to state-level geolocation.",
+ "type": "String"
+ },
+ "destination.ip": {
+ "description": "The IP which is the target of the observed connections.",
+ "type": "IPAddress"
+ },
+ "destination.local_hostname": {
+ "description": "Some sources report a internal hostname within a NAT related to the name configured for a compromized system",
+ "type": "String"
+ },
+ "destination.local_ip": {
+ "description": "Some sources report a internal (NATed) IP address related a compromized system. N.B. RFC1918 IPs are OK here.",
+ "type": "IPAddress"
+ },
+ "destination.network": {
+ "description": "CIDR for an autonomous system. Also known as BGP prefix.
If multiple values are possible, select the most specific.",
+ "type": "IPNetwork"
+ },
+ "destination.port": {
+ "description": "The port to which the connection headed.",
+ "type": "Integer"
+ },
+ "destination.registry": {
+ "description": "The IP registry a given ip address is allocated by.",
+ "length": 7,
+ "type": "Registry"
+ },
+ "destination.reverse_dns": {
+ "description": "Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.",
+ "regex": "^.*[^\\.]$",
+ "type": "FQDN"
+ },
+ "destination.tor_node": {
+ "description": "If the destination IP was a known tor node.",
+ "type": "Boolean"
+ },
+ "destination.url": {
+ "description": "A URL denotes on IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.",
+ "type": "URL"
+ },
+ "destination.urlpath": {
+ "description": "The path portion of an HTTP or related network request.",
+ "type": "String"
+ },
+ "event_description.target": {
+ "description": "Some sources denominate the target (organization) of a an attack.",
+ "type": "String"
+ },
+ "event_description.text": {
+ "description": "A free-form textual description of an abuse event.",
+ "type": "String"
+ },
+ "event_description.url": {
+ "description": "A description URL is a link to a further description of the the abuse event in question.",
+ "type": "URL"
+ },
+ "event_hash": {
+ "description": "Computed event hash with specific keys and values that identify a unique event. At present, the hash should default to using the SHA1 function.
Please note that for an event hash to be able to match more than one event (deduplication) the receiver of an event should calculate it based on a minimal set of keys and values present in the event. Using for example the observation time in the calculation will most likely render the checksum useless for deduplication purposes.",
+ "length": 40,
+ "regex": "^[A-F0-9./]+$",
+ "type": "UppercaseString"
+ },
+ "extra": {
+ "description": "All anecdotal information, which cannot be parsed into the data harmonization elements. E.g. os.name, os.version, etc. **Note**: this is only intended for mapping any fields which can not map naturally into the data harmonization. It is not intended for extending the data harmonization with your own fields.",
+ "type": "JSONDict"
+ },
+ "feed.accuracy": {
+ "description": "A float between 0 and 100 that represents how accurate the data in the feed is",
+ "type": "Accuracy"
+ },
+ "feed.code": {
+ "description": "Code name for the feed, e.g. DFGS, HSDAG etc.",
+ "length": 100,
+ "type": "String"
+ },
+ "feed.documentation": {
+ "description": "A URL or hint where to find the documentation of this feed.",
+ "type": "String"
+ },
+ "feed.name": {
+ "description": "Name for the feed, usually found in collector bot configuration.",
+ "type": "String"
+ },
+ "feed.provider": {
+ "description": "Name for the provider of the feed, usually found in collector bot configuration.",
+ "type": "String"
+ },
+ "feed.url": {
+ "description": "The URL of a given abuse feed, where applicable",
+ "type": "URL"
+ },
+ "malware.hash.md5": {
+ "description": "A string depicting an MD5 checksum for a file, be it a malware sample for example.",
+ "length": 200,
+ "regex": "^[ -~]+$",
+ "type": "String"
+ },
+ "malware.hash.sha1": {
+ "description": "A string depicting a SHA1 checksum for a file, be it a malware sample for example.",
+ "length": 200,
+ "regex": "^[ -~]+$",
+ "type": "String"
+ },
+ "malware.hash.sha256": {
+ "description": "A string
depicting a SHA256 checksum for a file, be it a malware sample for example.",
+ "length": 200,
+ "regex": "^[ -~]+$",
+ "type": "String"
+ },
+ "malware.name": {
+ "description": "The malware name in lower case.",
+ "regex": "^[ -~]+$",
+ "type": "LowercaseString"
+ },
+ "malware.version": {
+ "description": "A version string for an identified artifact generation, e.g. a crime-ware kit.",
+ "regex": "^[ -~]+$",
+ "type": "String"
+ },
+ "misp.attribute_uuid": {
+ "description": "MISP - Malware Information Sharing Platform & Threat Sharing UUID of an attribute.",
+ "length": 36,
+ "regex": "^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}$",
+ "type": "LowercaseString"
+ },
+ "misp.event_uuid": {
+ "description": "MISP - Malware Information Sharing Platform & Threat Sharing UUID.",
+ "length": 36,
+ "regex": "^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[0-9a-z]{12}$",
+ "type": "LowercaseString"
+ },
+ "output": {
+ "description": "Event data converted into foreign format, intended to be exported by output plugin.",
+ "type": "JSON"
+ },
+ "protocol.application": {
+ "description": "e.g. vnc, ssh, sip, irc, http or smtp.",
+ "length": 100,
+ "regex": "^[ -~]+$",
+ "type": "LowercaseString"
+ },
+ "protocol.transport": {
+ "description": "e.g. 
tcp, udp, icmp.",
+ "iregex": "^(ip|icmp|igmp|ggp|ipencap|st2|tcp|cbt|egp|igp|bbn-rcc|nvp(-ii)?|pup|argus|emcon|xnet|chaos|udp|mux|dcn|hmp|prm|xns-idp|trunk-1|trunk-2|leaf-1|leaf-2|rdp|irtp|iso-tp4|netblt|mfe-nsp|merit-inp|sep|3pc|idpr|xtp|ddp|idpr-cmtp|tp\\+\\+|il|ipv6|sdrp|ipv6-route|ipv6-frag|idrp|rsvp|gre|mhrp|bna|esp|ah|i-nlsp|swipe|narp|mobile|tlsp|skip|ipv6-icmp|ipv6-nonxt|ipv6-opts|cftp|sat-expak|kryptolan|rvd|ippc|sat-mon|visa|ipcv|cpnx|cphb|wsn|pvp|br-sat-mon|sun-nd|wb-mon|wb-expak|iso-ip|vmtp|secure-vmtp|vines|ttp|nsfnet-igp|dgp|tcf|eigrp|ospf|sprite-rpc|larp|mtp|ax.25|ipip|micp|scc-sp|etherip|encap|gmtp|ifmp|pnni|pim|aris|scps|qnx|a/n|ipcomp|snp|compaq-peer|ipx-in-ip|vrrp|pgm|l2tp|ddx|iatp|st|srp|uti|smp|sm|ptp|isis|fire|crtp|crdup|sscopmce|iplt|sps|pipe|sctp|fc|divert)$",
+ "length": 11,
+ "type": "LowercaseString"
+ },
+ "raw": {
+ "description": "The original line of the event from encoded in base64.",
+ "type": "Base64"
+ },
+ "rtir_id": {
+ "description": "Request Tracker Incident Response ticket id.",
+ "type": "Integer"
+ },
+ "screenshot_url": {
+ "description": "Some source may report URLs related to a an image generated of a resource without any metadata. Or an URL pointing to resource, which has been rendered into a webshot, e.g. a PNG image and the relevant metadata related to its retrieval/generation.",
+ "type": "URL"
+ },
+ "source.abuse_contact": {
+ "description": "Abuse contact for source address. 
A comma separated list.",
+ "type": "LowercaseString"
+ },
+ "source.account": {
+ "description": "An account name or email address, which has been identified to relate to the source of an abuse event.",
+ "type": "String"
+ },
+ "source.allocated": {
+ "description": "Allocation date corresponding to BGP prefix.",
+ "type": "DateTime"
+ },
+ "source.as_name": {
+ "description": "The autonomous system name from which the connection originated.",
+ "type": "String"
+ },
+ "source.asn": {
+ "description": "The autonomous system number from which originated the connection.",
+ "type": "ASN"
+ },
+ "source.domain_suffix": {
+ "description": "The suffix of the domain from the public suffix list.",
+ "type": "FQDN"
+ },
+ "source.fqdn": {
+ "description": "A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.",
+ "regex": "^.*[^\\.]$",
+ "type": "FQDN"
+ },
+ "source.geolocation.cc": {
+ "description": "Country-Code according to ISO3166-1 alpha-2 for the source IP.",
+ "length": 2,
+ "regex": "^[a-zA-Z0-9]{2}$",
+ "type": "UppercaseString"
+ },
+ "source.geolocation.city": {
+ "description": "Some geolocation services refer to city-level geolocation.",
+ "type": "String"
+ },
+ "source.geolocation.country": {
+ "description": "The country name derived from the ISO3166 country code (assigned to cc field).",
+ "type": "String"
+ },
+ "source.geolocation.cymru_cc": {
+ "description": "The country code denoted for the ip by the Team Cymru asn to ip mapping service.",
+ "length": 2,
+ "regex": "^[a-zA-Z0-9]{2}$",
+ "type": "UppercaseString"
+ },
+ "source.geolocation.geoip_cc": {
+ "description": "MaxMind Country Code (ISO3166-1 alpha-2).",
+ "length": 2,
+ "regex": "^[a-zA-Z0-9]{2}$",
+ "type": "UppercaseString"
+ },
+ "source.geolocation.latitude": {
+ "description": "Latitude coordinates derived from a geolocation 
service, such as MaxMind geoip db.",
+ "type": "Float"
+ },
+ "source.geolocation.longitude": {
+ "description": "Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.",
+ "type": "Float"
+ },
+ "source.geolocation.region": {
+ "description": "Some geolocation services refer to region-level geolocation.",
+ "type": "String"
+ },
+ "source.geolocation.state": {
+ "description": "Some geolocation services refer to state-level geolocation.",
+ "type": "String"
+ },
+ "source.ip": {
+ "description": "The ip observed to initiate the connection",
+ "type": "IPAddress"
+ },
+ "source.local_hostname": {
+ "description": "Some sources report a internal hostname within a NAT related to the name configured for a compromised system",
+ "type": "String"
+ },
+ "source.local_ip": {
+ "description": "Some sources report a internal (NATed) IP address related a compromised system. N.B. RFC1918 IPs are OK here.",
+ "type": "IPAddress"
+ },
+ "source.network": {
+ "description": "CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.",
+ "type": "IPNetwork"
+ },
+ "source.port": {
+ "description": "The port from which the connection originated.",
+ "length": 5,
+ "type": "Integer"
+ },
+ "source.registry": {
+ "description": "The IP registry a given ip address is allocated by.",
+ "length": 7,
+ "type": "Registry"
+ },
+ "source.reverse_dns": {
+ "description": "Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. 
A final point is stripped, string is converted to lower case characters.",
+ "regex": "^.*[^\\.]$",
+ "type": "FQDN"
+ },
+ "source.tor_node": {
+ "description": "If the source IP was a known tor node.",
+ "type": "Boolean"
+ },
+ "source.url": {
+ "description": "A URL denotes an IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.",
+ "type": "URL"
+ },
+ "source.urlpath": {
+ "description": "The path portion of an HTTP or related network request.",
+ "type": "String"
+ },
+ "status": {
+ "description": "Status of the malicious resource (phishing, dropzone, etc), e.g. online, offline.",
+ "type": "String"
+ },
+ "time.observation": {
+ "description": "The time the collector of the local instance processed (observed) the event.",
+ "type": "DateTime"
+ },
+ "time.source": {
+ "description": "The time of occurence of the event as reported the feed (source).",
+ "type": "DateTime"
+ },
+ "tlp": {
+ "description": "Traffic Light Protocol level of the event.",
+ "type": "TLP"
+ }
+ },
+ "report": {
+ "extra": {
+ "description": "All anecdotal information of the report, which cannot be parsed into the data harmonization elements. E.g. subject of mails, etc. This is data is not automatically propagated to the events.",
+ "type": "JSONDict"
+ },
+ "feed.accuracy": {
+ "description": "A float between 0 and 100 that represents how accurate the data in the feed is",
+ "type": "Accuracy"
+ },
+ "feed.code": {
+ "description": "Code name for the feed, e.g. 
DFGS, HSDAG etc.",
+ "length": 100,
+ "type": "String"
+ },
+ "feed.documentation": {
+ "description": "A URL or hint where to find the documentation of this feed.",
+ "type": "String"
+ },
+ "feed.name": {
+ "description": "Name for the feed, usually found in collector bot configuration.",
+ "type": "String"
+ },
+ "feed.provider": {
+ "description": "Name for the provider of the feed, usually found in collector bot configuration.",
+ "type": "String"
+ },
+ "feed.url": {
+ "description": "The URL of a given abuse feed, where applicable",
+ "type": "URL"
+ },
+ "raw": {
+ "description": "The original raw and unparsed data encoded in base64.",
+ "type": "Base64"
+ },
+ "rtir_id": {
+ "description": "Request Tracker Incident Response ticket id.",
+ "type": "Integer"
+ },
+ "time.observation": {
+ "description": "The time the collector of the local instance processed (observed) the event.",
+ "type": "DateTime"
+ }
+ }
+}
diff --git a/example_config/intelmq/etc/pipeline.conf b/example_config/intelmq/etc/pipeline.conf
new file mode 100644
index 0000000..1571db7
--- /dev/null
+++ b/example_config/intelmq/etc/pipeline.conf
@@ -0,0 +1,86 @@
+{
+ "cymru-whois-expert": {
+ "destination-queues": [
+ "file-output-queue"
+ ],
+ "source-queue": "cymru-whois-expert-queue"
+ },
+ "deduplicator-expert": {
+ "destination-queues": [
+ "taxonomy-expert-queue"
+ ],
+ "source-queue": "deduplicator-expert-queue"
+ },
+ "feodo-tracker-browse-collector": {
+ "destination-queues": [
+ "feodo-tracker-browse-parser-queue"
+ ]
+ },
+ "feodo-tracker-browse-parser": {
+ "destination-queues": [
+ "deduplicator-expert-queue"
+ ],
+ "source-queue": "feodo-tracker-browse-parser-queue"
+ },
+ "file-output": {
+ "source-queue": "file-output-queue"
+ },
+ "gethostbyname-1-expert": {
+ "destination-queues": [
+ "cymru-whois-expert-queue"
+ ],
+ "source-queue": "gethostbyname-1-expert-queue"
+ },
+ "gethostbyname-2-expert": {
+ "destination-queues": [
+ "cymru-whois-expert-queue"
+ ],
+ "source-queue": "gethostbyname-2-expert-queue"
+ },
+ "malc0de-parser": {
+ "destination-queues": [
+ "deduplicator-expert-queue"
+ ],
+ "source-queue": "malc0de-parser-queue"
+ },
+ "malc0de-windows-format-collector": {
+ "destination-queues": [
+ "malc0de-parser-queue"
+ ]
+ },
+ "malware-domain-list-collector": {
+ "destination-queues": [
+ "malware-domain-list-parser-queue"
+ ]
+ },
+ "malware-domain-list-parser": {
+ "destination-queues": [
+ "deduplicator-expert-queue"
+ ],
+ "source-queue": "malware-domain-list-parser-queue"
+ },
+ "spamhaus-drop-collector": {
+ "destination-queues": [
+ "spamhaus-drop-parser-queue"
+ ]
+ },
+ "spamhaus-drop-parser": {
+ "destination-queues": [
+ "deduplicator-expert-queue"
+ ],
+ "source-queue": "spamhaus-drop-parser-queue"
+ },
+ "taxonomy-expert": {
+ "destination-queues": [
+ "url2fqdn-expert-queue"
+ ],
+ "source-queue": "taxonomy-expert-queue"
+ },
+ "url2fqdn-expert": {
+ "destination-queues": [
+ "gethostbyname-1-expert-queue",
+ "gethostbyname-2-expert-queue"
+ ],
+ "source-queue": "url2fqdn-expert-queue"
+ }
+}
diff --git a/example_config/intelmq/etc/runtime.conf b/example_config/intelmq/etc/runtime.conf
new file mode 100644
index 0000000..69a3955
--- /dev/null
+++ b/example_config/intelmq/etc/runtime.conf
@@ -0,0 +1,226 @@
+{
+ "cymru-whois-expert": {
+ "bot_id": "cymru-whois-expert",
+ "description": "Cymru Whois (IP to ASN) is the bot responsible to add network information to the events (BGP, ASN, AS Name, Country, etc..).",
+ "enabled": true,
+ "group": "Expert",
+ "groupname": "experts",
+ "module": "intelmq.bots.experts.cymru_whois.expert",
+ "name": "Cymru Whois",
+ "parameters": {
+ "overwrite": true,
+ "redis_cache_db": 5,
+ "redis_cache_password": null,
+ "redis_cache_port": 6379,
+ "redis_cache_ttl": 86400
+ },
+ "run_mode": "continuous"
+ },
+ "deduplicator-expert": {
+ "bot_id": "deduplicator-expert",
+ "description": "Deduplicator is the bot responsible for detection and removal of duplicate messages. Messages get cached for seconds. If found in the cache, it is assumed to be a duplicate.",
+ "enabled": true,
+ "group": "Expert",
+ "groupname": "experts",
+ "module": "intelmq.bots.experts.deduplicator.expert",
+ "name": "Deduplicator",
+ "parameters": {
+ "filter_keys": "raw,time.observation",
+ "filter_type": "blacklist",
+ "redis_cache_db": 6,
+ "redis_cache_port": 6379,
+ "redis_cache_ttl": 86400
+ },
+ "run_mode": "continuous"
+ },
+ "feodo-tracker-browse-collector": {
+ "description": "Generic URL Fetcher is the bot responsible to get the report from an URL.",
+ "enabled": true,
+ "group": "Collector",
+ "module": "intelmq.bots.collectors.http.collector_http",
+ "name": "URL Fetcher",
+ "parameters": {
+ "extract_files": false,
+ "http_password": null,
+ "http_url": "https://feodotracker.abuse.ch/browse",
+ "http_url_formatting": false,
+ "http_username": null,
+ "name": "Feodo Tracker Browse",
+ "provider": "Abuse.ch",
+ "rate_limit": 86400,
+ "ssl_client_certificate": null
+ },
+ "run_mode": "continuous"
+ },
+ "feodo-tracker-browse-parser": {
+ "description": "HTML Table Parser is a bot configurable to parse different html table data.",
+ "enabled": true,
+ "group": "Parser",
+ "module": "intelmq.bots.parsers.html_table.parser",
+ "name": "HTML 
Table",
+ "parameters": {
+ "attribute_name": "",
+ "attribute_value": "",
+ "columns": "time.source,source.ip,malware.name,status,extra.SBL,source.as_name,source.geolocation.cc",
+ "default_url_protocol": "http://",
+ "ignore_values": ",,,,Not listed,,",
+ "skip_table_head": true,
+ "split_column": "",
+ "split_index": 0,
+ "split_separator": "",
+ "table_index": 0,
+ "time_format": null,
+ "type": "c2server"
+ },
+ "run_mode": "continuous"
+ },
+ "file-output": {
+ "bot_id": "file-output",
+ "description": "File is the bot responsible to send events to a file.",
+ "enabled": true,
+ "group": "Output",
+ "groupname": "outputs",
+ "module": "intelmq.bots.outputs.file.output",
+ "name": "File",
+ "parameters": {
+ "file": "/opt/intelmq/var/lib/bots/file-output/events.txt",
+ "hierarchical_output": false,
+ "single_key": null
+ },
+ "run_mode": "continuous"
+ },
+ "gethostbyname-1-expert": {
+ "bot_id": "gethostbyname-1-expert",
+ "description": "fqdn2ip is the bot responsible to parsing the ip from the fqdn.",
+ "enabled": true,
+ "group": "Expert",
+ "groupname": "experts",
+ "module": "intelmq.bots.experts.gethostbyname.expert",
+ "name": "Gethostbyname",
+ "parameters": {},
+ "run_mode": "continuous"
+ },
+ "gethostbyname-2-expert": {
+ "bot_id": "gethostbyname-2-expert",
+ "description": "fqdn2ip is the bot responsible to parsing the ip from the fqdn.",
+ "enabled": true,
+ "group": "Expert",
+ "groupname": "experts",
+ "module": "intelmq.bots.experts.gethostbyname.expert",
+ "name": "Gethostbyname",
+ "parameters": {},
+ "run_mode": "continuous"
+ },
+ "malc0de-parser": {
+ "bot_id": "malc0de-parser",
+ "description": "Malc0de Parser is the bot responsible to parse the IP Blacklist and either Windows Format or Bind Format reports and sanitize the information.",
+ "enabled": true,
+ "group": "Parser",
+ "groupname": "parsers",
+ "module": "intelmq.bots.parsers.malc0de.parser",
+ "name": "Malc0de",
+ "parameters": {},
+ "run_mode": "continuous"
+ },
+ 
"malc0de-windows-format-collector": {
+ "bot_id": "malc0de-windows-format-collector",
+ "description": "",
+ "enabled": true,
+ "group": "Collector",
+ "groupname": "collectors",
+ "module": "intelmq.bots.collectors.http.collector_http",
+ "name": "Malc0de Windows Format",
+ "parameters": {
+ "http_password": null,
+ "http_url": "https://malc0de.com/bl/BOOT",
+ "http_username": null,
+ "name": "Windows Format",
+ "provider": "Malc0de",
+ "rate_limit": 10800,
+ "ssl_client_certificate": null
+ },
+ "run_mode": "continuous"
+ },
+ "malware-domain-list-collector": {
+ "bot_id": "malware-domain-list-collector",
+ "description": "Malware Domain List Collector is the bot responsible to get the report from source of information.",
+ "enabled": true,
+ "group": "Collector",
+ "groupname": "collectors",
+ "module": "intelmq.bots.collectors.http.collector_http",
+ "name": "Malware Domain List",
+ "parameters": {
+ "http_url": "http://www.malwaredomainlist.com/updatescsv.php",
+ "name": "Malware Domain List",
+ "provider": "Malware Domain List",
+ "rate_limit": 3600
+ },
+ "run_mode": "continuous"
+ },
+ "malware-domain-list-parser": {
+ "bot_id": "malware-domain-list-parser",
+ "description": "Malware Domain List Parser is the bot responsible to parse the report and sanitize the information.",
+ "enabled": true,
+ "group": "Parser",
+ "groupname": "parsers",
+ "module": "intelmq.bots.parsers.malwaredomainlist.parser",
+ "name": "Malware Domain List",
+ "parameters": {},
+ "run_mode": "continuous"
+ },
+ "spamhaus-drop-collector": {
+ "bot_id": "spamhaus-drop-collector",
+ "description": "",
+ "enabled": true,
+ "group": "Collector",
+ "groupname": "collectors",
+ "module": "intelmq.bots.collectors.http.collector_http",
+ "name": "Spamhaus Drop",
+ "parameters": {
+ "http_password": null,
+ "http_url": "https://www.spamhaus.org/drop/drop.txt",
+ "http_username": null,
+ "name": "Drop",
+ "provider": "Spamhaus",
+ "rate_limit": 3600,
+ "ssl_client_certificate": null
+ },
+ 
"run_mode": "continuous"
+ },
+ "spamhaus-drop-parser": {
+ "bot_id": "spamhaus-drop-parser",
+ "description": "Spamhaus Drop Parser is the bot responsible to parse the DROP, EDROP, DROPv6, and ASN-DROP reports and sanitize the information.",
+ "enabled": true,
+ "group": "Parser",
+ "groupname": "parsers",
+ "module": "intelmq.bots.parsers.spamhaus.parser_drop",
+ "name": "Spamhaus Drop",
+ "parameters": {},
+ "run_mode": "continuous"
+ },
+ "taxonomy-expert": {
+ "bot_id": "taxonomy-expert",
+ "description": "Taxonomy is the bot responsible to apply the eCSIRT Taxonomy to all events.",
+ "enabled": true,
+ "group": "Expert",
+ "groupname": "experts",
+ "module": "intelmq.bots.experts.taxonomy.expert",
+ "name": "Taxonomy",
+ "parameters": {},
+ "run_mode": "continuous"
+ },
+ "url2fqdn-expert": {
+ "bot_id": "url2fqdn-expert",
+ "description": "url2fqdn is the bot responsible to parsing the fqdn from the url.",
+ "enabled": true,
+ "group": "Expert",
+ "groupname": "experts",
+ "module": "intelmq.bots.experts.url2fqdn.expert",
+ "name": "URL2FQDN",
+ "parameters": {
+ "load_balance": true,
+ "overwrite": false
+ },
+ "run_mode": "continuous"
+ }
+}
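Review bot: The `malware-domain-list-collector` entry earlier in this hunk pulls its indicator feed over cleartext, `"http_url": "http://www.malwaredomainlist.com/updatescsv.php"`, so certificate verification cannot protect the download and anything on the path can alter the indicators that reach the deduplicator and `events.txt`; if the provider serves the feed over TLS, the example should use the `https://` form like the other three collectors, and if it does not, that trade-off deserves a line in the accompanying documentation. The same collector also omits the `http_password`, `http_username` and `ssl_client_certificate` keys that the other HTTP collectors spell out, which makes the example harder to copy from. The `feodo-tracker-browse-collector` and `feodo-tracker-browse-parser` entries lack the `bot_id` and `groupname` keys present on every other bot in the file, and the `malc0de-windows-format-collector` and `spamhaus-drop-collector` entries carry `"description": ""`; filling these in, e.g. `"description": "Generic URL Fetcher is the bot responsible to get the report from an URL."` as on the feodo collector, keeps the example self-describing.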