From ffdb9002c030166140a5463724d8c01a9d4db5f0 Mon Sep 17 00:00:00 2001
From: Sebastian Waldbauer
Date: Fri, 29 Jan 2021 10:03:07 +0100
Subject: [PATCH] Fixed to latest config changes

Signed-off-by: Sebastian Waldbauer
---
 example_config/intelmq/etc/defaults.conf | 4 +-
 example_config/intelmq/etc/feeds.yaml | 253 ++++++++++++++++--
 example_config/intelmq/etc/harmonization.conf | 8 +-
 example_config/intelmq/etc/pipeline.conf | 42 +--
 example_config/intelmq/etc/runtime.conf | 12 +-
 5 files changed, 263 insertions(+), 56 deletions(-)

diff --git a/example_config/intelmq/etc/defaults.conf b/example_config/intelmq/etc/defaults.conf
index 59e4b04..090150e 100644
--- a/example_config/intelmq/etc/defaults.conf
+++ b/example_config/intelmq/etc/defaults.conf
@@ -22,6 +22,8 @@
 "log_processed_messages_seconds": 900,
 "logging_handler": "file",
 "logging_level": "INFO",
+ "logging_max_copies": null,
+ "logging_max_size": 0,
 "logging_path": "/opt/intelmq/var/log/",
 "logging_syslog": "/dev/log",
 "process_manager": "intelmq",
@@ -36,4 +38,4 @@
 "statistics_host": "redis",
 "statistics_password": null,
 "statistics_port": 6379
-}
\ No newline at end of file
+}
diff --git a/example_config/intelmq/etc/feeds.yaml b/example_config/intelmq/etc/feeds.yaml
index f5c5db9..8ca7e89 100644
--- a/example_config/intelmq/etc/feeds.yaml
+++ b/example_config/intelmq/etc/feeds.yaml
@@ -287,7 +287,7 @@ providers:
 http_url: https://urlhaus.abuse.ch/feeds/tld//, https://urlhaus.abuse.ch/feeds/country//, or https://urlhaus.abuse.ch/feeds/asn//
- rate_limit: 129600
+ rate_limit: 86400
 name: __FEED__
 provider: __PROVIDER__
 parser:
@@ -296,7 +296,7 @@ providers:
 skip_header: false
 default_url_protocol: http://
 type_translation: '{"malware_download": "malware-distribution"}'
- delimeter: ","
+ delimiter: ","
 columns:
 - time.source
 - source.url
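Review bot: `"logging_max_size": 0` and `"logging_max_copies": null` are added to defaults.conf without anything in the file stating what zero and null mean — whether 0 disables size-based rotation or means unlimited cannot be read from the config alone, and JSON leaves no room for a comment next to the keys. The meaning belongs in the project's documentation of the `logging_*` defaults, ideally in the same change that introduces the keys, so an operator copying this example knows what they are opting into.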
@@ -406,7 +406,7 @@ providers: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt - rate_limit: 129600 + rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: @@ -429,7 +429,7 @@ providers: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt - rate_limit: 129600 + rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: @@ -542,11 +542,11 @@ providers: public: yes Turris: Greylist: - description: The data are processed and clasified every week and behaviour of + description: The data are processed and classified every week and behaviour of IP addresses that accessed a larger number of Turris routers is evaluated. The result is a list of addresses that have tried to obtain information about - services on the router or tried to gain access to them. We publish this so - called "greylist" that also contains a list of tags for each address which + services on the router or tried to gain access to them. The list also + contains a list of tags for each address which indicate what behaviour of the address was observed. additional_information: bots: 
@@ -561,7 +561,72 @@ providers: module: intelmq.bots.parsers.turris.parser parameters: revision: 2018-01-20 - documentation: https://project.turris.cz/greylist-data/legend.txt + documentation: https://project.turris.cz/en/greylist + public: yes + Greylist with PGP signature verification: + description: | + The data are processed and classified every week and behaviour of + IP addresses that accessed a larger number of Turris routers is evaluated. + The result is a list of addresses that have tried to obtain information about + services on the router or tried to gain access to them. The list also + contains a list of tags for each address which + indicate what behaviour of the address was observed. + + The Turris Greylist feed provides PGP signatures for the provided files. + You will need to import the public PGP key from the linked documentation + page, currently available at + https://pgp.mit.edu/pks/lookup?op=vindex&search=0x10876666 + or from below. + See the URL Fetcher Collector documentation for more information on + PGP signature verification. 
+ + PGP Public key: + ``` + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: SKS 1.1.6 + Comment: Hostname: pgp.mit.edu + + mQINBFRl7D8BEADaRFoDa/+r27Gtqrdn8sZL4aSYTU4Q3gDr3TfigK8H26Un/Y79a/DUL1o0 + o8SRae3uwVcjJDHZ6KDnxThbqF7URfpuCcCYxOs8p/eu3dSueqEGTODHWF4ChIh2japJDc4t + 3FQHbIh2e3GHotVqJGhvxMmWqBFoZ/mlWvhjs99FFBZ87qbUNk7l1UAGEXeWeECgz9nGox40 + 3YpCgEsnJJsKC53y5LD/wBf4z+z0GsLg2GMRejmPRgrkSE/d9VjF/+niifAj2ZVFoINSVjjI + 8wQFc8qLiExdzwLdgc+ggdzk5scY3ugI5IBt1zflxMIOG4BxKj/5IWsnhKMG2NLVGUYOODoG + pKhcY0gCHypw1bmkp2m+BDVyg4KM2fFPgQ554DAX3xdukMCzzZyBxR3UdT4dN7xRVhpph3Y2 + Amh1E/dpde9uwKFk1oRHkRZ3UT1XtpbXtFNY0wCiGXPt6KznJAJcomYFkeLHjJo3nMK0hISV + GSNetVLfNWlTkeo93E1innbSaDEN70H4jPivjdVjSrLtIGfr2IudUJI84dGmvMxssWuM2qdg + FSzoTHw9UE9KT3SltKPS+F7u9x3h1J492YaVDncATRjPZUBDhbvo6Pcezhup7XTnI3gbRQc2 + oEUDb933nwuobHm3VsUcf9686v6j8TYehsbjk+zdA4BoS/IdCwARAQABtC5UdXJyaXMgR3Jl + eWxpc3QgR2VuZXJhdG9yIDxncmV5bGlzdEB0dXJyaXMuY3o+iQI4BBMBAgAiBQJUZew/AhsD + BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDAQrU3EIdmZoH4D/9Jo6j9RZxCAPTaQ9WZ + WOdb1Eqd/206bObEX+xJAago+8vuy+waatHYBM9/+yxh0SIg2g5whd6J7A++7ePpt5XzX6hq + bzdG8qGtsCRu+CpDJ40UwHep79Ck6O/A9KbZcZW1z/DhbYT3z/ZVWALy4RtgmyC67Vr+j/C7 + KNQ529bs3kP9AzvEIeBC4wdKl8dUSuZIPFbgf565zRNKLtHVgVhiuDPcxKmBEl4/PLYF30a9 + 5Tgp8/PNa2qp1DV/EZjcsxvSRIZB3InGBvdKdSzvs4N/wLnKWedj1GGm7tJhSkJa4MLBSOIx + yamhTS/3A5Cd1qoDhLkp7DGVXSdgEtpoZDC0jR7nTS6pXojcgQaF7SfJ3cjZaLI5rjsx0YLk + G4PzonQKCAAQG1G9haCDniD8NrrkZ3eFiafoKEECRFETIG0BJHjPdSWcK9jtNCupBYb7JCiz + Q0hwLh2wrw/wCutQezD8XfsBFFIQC18TsJAVgdHLZnGYkd5dIbV/1scOcm52w6EGIeMBBYlB + J2+JNukH5sJDA6zAXNl2I1H1eZsP4+FSNIfB6LdovHVPAjn7qXCw3+IonnQK8+g8YJkbbhKJ + sPejfg+ndpe5u0zX+GvQCFBFu03muANA0Y/OOeGIQwU93d/akN0P1SRfq+bDXnkRIJQOD6XV + 0ZPKVXlNOjy/z2iN2A== + =wjkM + -----END PGP PUBLIC KEY BLOCK----- + ``` + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://www.turris.cz/greylist-data/greylist-latest.csv + name: Greylist + provider: __PROVIDER__ + 
rate_limit: 43200
+ signature_url: https://www.turris.cz/greylist-data/greylist-latest.csv.asc
+ verify_pgp_signatures: false
+ parser:
+ module: intelmq.bots.parsers.turris.parser
+ parameters:
+ revision: 2018-01-20
+ documentation: https://project.turris.cz/en/greylist
 public: yes
 Malc0de:
 Bind Format:
@@ -1008,6 +1073,50 @@ providers:
 revision: 2018-01-20
 documentation: http://www.blocklist.de/en/export.html
 public: yes
+ CERT-Bund:
+ CB-Report Malware infections via IMAP:
+ description: CERT-Bund sends reports for the malware-infected hosts.
+ additional_information: Traffic from malware related hosts contacting
+ command-and-control servers is caught and sent to national CERT teams.
+ There are two e-mail feeds with identical CSV structure -- one reports on
+ general malware infections, the other on the Avalanche botnet.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.mail.collector_mail_attach
+ parameters:
+ mail_host: __HOST__
+ mail_password: __PASSWORD__
+ mail_ssl: true
+ mail_user: __USERNAME__
+ attach_regex: events.csv
+ extract_files: false
+ rate_limit: 86400
+ subject_regex: ^\\[CB-Report#.* Malware infections (\\(Avalanche\\) )?in country
+ folder: INBOX
+ name: __FEED__
+ provider: __PROVIDER__
+ parser:
+ module: intelmq.bots.parsers.generic.parser_csv
+ parameters:
+ skip_header: true
+ default_url_protocol: http://
+ time_format: from_format|%Y-%m-%d %H:%M:%S
+ delimiter: ","
+ columns:
+ - source.asn
+ - source.ip
+ - time.source
+ - classification.type
+ - malware.name
+ - source.port
+ - destination.ip
+ - destination.port
+ - destination.fqdn
+ - protocol.transport
+ type: infected-system
+ revision: 2020-08-20
+ documentation:
+ public: no
 CERT.PL:
 N6 Stomp Stream:
 description: N6 Collector - CERT.pl's N6 Collector - N6 feed via STOMP interface.
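Review bot: The new "Greylist with PGP signature verification" entry ships with `verify_pgp_signatures: false`, so the example that is named after verification does not verify the `signature_url` it configures; if the reason is that the key must be imported first, the description should say so, otherwise the entry should set `verify_pgp_signatures: true`. The description also sends readers to a keyserver lookup by 32-bit short key ID (`search=0x10876666`), and short IDs are not unique; quoting the key's full fingerprint next to the inline key block lets an operator confirm that what they imported matches the block. The Turris entry's collector block begins outside this hunk.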
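Review bot: `subject_regex` on the new CERT-Bund collector is a plain YAML scalar, where a backslash is literal, so the pattern presumably reaches the bot as `^\\[CB-Report#.*…` — `\\[` is an escaped backslash followed by an unclosed `[` character class, which will not compile unless this file is post-processed into a JSON-escaped form before use; if the bot receives it as written, one backslash per escape is what the regex engine needs: `subject_regex: ^\[CB-Report#.* Malware infections (\(Avalanche\) )?in country`. `attach_regex: events.csv` leaves the dot unescaped and is cheap to tighten to `events\.csv`. `documentation:` is left empty while `public: no`; one sentence pointing to where the report CSV format is described would help the operator who has to match the ten listed columns.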
@@ -1081,7 +1190,7 @@ providers: http_url: http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&domain= http_timeout_sec: 120 http_user_agent: "{{ your user agent }}" - rate_limit: 129600 + rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: @@ -1101,7 +1210,7 @@ providers: http_url: http://support.clean-mx.de/clean-mx/xmlphishing?response=alive&domain= http_timeout_sec: 120 http_user_agent: "{{ your user agent }}" - rate_limit: 129600 + rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: @@ -1205,10 +1314,12 @@ providers: revision: 2018-01-20 documentation: https://osint.bambenekconsulting.com/feeds/ public: yes - DynDNS: - Infected Domains: - description: DynDNS ponmocup. List of ponmocup malware redirection domains and - infected web-servers. See also http://security-research.dyndns.org/pub/botnet-links.html + cAPTure: + Ponmocup Domains CIF Format: + description: List of ponmocup malware redirection domains and infected web-servers from cAPTure. + See also http://security-research.dyndns.org/pub/botnet-links.htm + and http://c-apt-ure.blogspot.com/search/label/ponmocup + The data in the CIF format is not equal to the Shadowserver CSV format. Reasons are unknown. additional_information: bots: collector: @@ -1216,7 +1327,7 @@ providers: parameters: http_url: http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-CIF-latest.txt rate_limit: 10800 - name: __FEED__ + name: Infected Domains provider: __PROVIDER__ parser: module: intelmq.bots.parsers.dyn.parser 
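Review bot: The rewritten cAPTure description changes the botnet-links reference from `.html` on the removed line to `.htm` on the added line, which reads as a truncation rather than an intentional URL change; the same `.htm` is repeated in the "Ponmocup Domains Shadowserver Format" entry added in the following hunk, whose description also contains the doubled word `CIF format format`. The second hunk here replaces `name: __FEED__` with `name: Infected Domains`, and the Shadowserver-format entry uses the same literal name, so events from the two formats would carry an identical feed.name; if that is intended it deserves a sentence in the description, otherwise the `__FEED__` convention used everywhere else in the file keeps them distinguishable. Both entries' parser blocks continue outside these hunks.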
@@ -1224,6 +1335,40 @@ providers: revision: 2018-01-20 documentation: http://security-research.dyndns.org/pub/malware-feeds/ public: yes + Ponmocup Domains Shadowserver Format: + description: List of ponmocup malware redirection domains and infected web-servers from cAPTure. + See also http://security-research.dyndns.org/pub/botnet-links.htm + and http://c-apt-ure.blogspot.com/search/label/ponmocup + The data in the Shadowserver CSV is not equal to the CIF format format. Reasons are unknown. + additional_information: + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: http://security-research.dyndns.org/pub/malware-feeds/ponmocup-infected-domains-shadowserver.csv + rate_limit: 10800 + name: Infected Domains + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.generic.parser_csv + parameters: + columns: + - time.source + - source.ip + - source.fqdn + - source.urlpath + - source.port + - protocol.application + - extra.tag + - extra.redirect_target + - extra.category + compose_fields: {"source.url": "http://{0}{1}"} + skip_header: true + delimiter: "," + type: malware-distribution + revision: 2020-07-08 + documentation: http://security-research.dyndns.org/pub/malware-feeds/ + public: yes DShield: Suspicious Domains: description: There are many suspicious domains on the internet. In an effort @@ -1236,7 +1381,7 @@ providers: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.dshield.org/feeds/suspiciousdomains_High.txt - rate_limit: 129600 + rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: @@ -1255,7 +1400,7 @@ providers: module: intelmq.bots.collectors.http.collector_http parameters: http_url: https://www.dshield.org/block.txt - rate_limit: 129600 + rate_limit: 86400 name: __FEED__ provider: __PROVIDER__ parser: 
@@ -1272,7 +1417,7 @@ providers:
 module: intelmq.bots.collectors.http.collector_http
 parameters:
 http_url: https://dshield.org/asdetailsascii.html?as={{ AS Number }}
- rate_limit: 129600
+ rate_limit: 86400
 name: __FEED__
 provider: __PROVIDER__
 parser:
@@ -1356,6 +1501,28 @@ providers:
 revision: 2018-01-20
 documentation: https://www.shadowserver.org/what-we-do/network-reporting/
 public: no
+ Via API:
+ description: Shadowserver sends out a variety of reports to subscribers, see documentation.
+ additional_information: This configuration fetches user-configurable reports from the Shadowserver Reports API. For a list of reports, have a look at the Shadowserver collector and parser documentation.
+ bots:
+ collector:
+ module: intelmq.bots.collectors.shadowserver.collector_reports_api
+ parameters:
+ country:
+ api_key:
+ secret:
+ types:
+ rate_limit: 86400
+ redis_cache_db: 12
+ redis_cache_host: 127.0.0.1
+ redis_cache_port: 6379
+ redis_cache_ttl: 864000
+ parser:
+ module: intelmq.bots.parsers.shadowserver.parser_json
+ parameters:
+ revision: 2020-01-08
+ documentation: https://www.shadowserver.org/what-we-do/network-reporting/api-documentation/
+ public: no
 Fraunhofer:
 DGA Archive:
 description: Fraunhofer DGA collector fetches data from Fraunhofer's domain
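Review bot: `api_key:` and `secret:` in the new Shadowserver "Via API" collector are left empty instead of following the placeholder convention the rest of this patch uses (`__PASSWORD__`, `__APIKEY__`, `{{your connection string}}`), so a generator that substitutes placeholders will not flag them and an operator may not notice the feed is unauthenticated until the first fetch fails. `api_key: __APIKEY__` and `secret: __SECRET__` (constructed placeholders in the file's own style) would keep the entry consistent. `country:` and `types:` are empty as well, so the effective report selection cannot be read from the file; a short note on accepted values in `additional_information` would help.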
@@ -1417,7 +1584,7 @@ providers: documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange public: no CTIP via Interflow: - description: Collects CTIP (Sinkhole data) files from the Interflow API.The feed is available via Microsoft’s Government Security Program (GSP). + description: Collects the CTIP Infected feed (Sinkhole data for your country) files from the Interflow API.The feed is available via Microsoft’s Government Security Program (GSP). additional_information: Depending on the file sizes you may need to increase the parameter 'http_timeout_sec' of the collector. As many IPs occur very often in the data, you may want to use a deduplicator specifically for the feed. bots: collector: @@ -1436,8 +1603,8 @@ providers: revision: 2018-03-06 documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange public: no - CTIP via Azure: - description: Collects CTIP (Sinkhole data) files from a shared Azure Storage. The feed is available via Microsoft’s Government Security Program (GSP). + CTIP Infected via Azure: + description: Collects the CTIP (Sinkhole data) from a shared Azure Storage. The feed is available via Microsoft’s Government Security Program (GSP). additional_information: The cache is needed for memorizing which files have already been processed, the TTL should be higher than the oldest file available in the storage (currently the last three days are available). The connection string contains endpoint as well as authentication information. bots: collector: 
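Review bot: The rewritten "CTIP via Interflow" description still reads `Interflow API.The feed` with no space after the period, so the typo survives the rewording. `Interflow API. The feed` is the intended text.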
@@ -1458,6 +1625,28 @@ providers: revision: 2020-05-29 documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange public: no + CTIP C2 via Azure: + description: Collects the CTIP C2 feed from a shared Azure Storage. The feed is available via Microsoft’s Government Security Program (GSP). + additional_information: The cache is needed for memorizing which files have already been processed, the TTL should be higher than the oldest file available in the storage (currently the last three days are available). The connection string contains endpoint as well as authentication information. + bots: + collector: + module: intelmq.bots.collectors.microsoft.collector_azure + parameters: + connection_string: "{{your connection string}}" + container_name: "ctip-c2" + name: __FEED__ + provider: __PROVIDER__ + rate_limit: 3600 + redis_cache_db: 5 + redis_cache_host: 127.0.0.1 + redis_cache_port: 6379 + redis_cache_ttl: 864000 + parser: + module: intelmq.bots.parsers.microsoft.parser_ctip + parameters: + revision: 2020-05-29 + documentation: https://docs.microsoft.com/en-us/security/gsp/informationsharingandexchange + public: no Threatminer: Recent domains: description: Latest malicious domains. @@ -1595,7 +1784,7 @@ providers: DailyIOC: description: Daily IOC from tweets and articles additional_information: | - collector's `extra_fields` parameter may be any of fields from the github [content API response](https://developer.github.com/v3/repos/contents/) + collector's `extra_fields` parameter may be any of fields from the github `content API response `_ bots: collector: module: intelmq.bots.collectors.github_api.collector_github_contents_api 
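Review bot: The rewritten DailyIOC `additional_information` line drops the link target: the removed line linked `https://developer.github.com/v3/repos/contents/`, while the added reStructuredText form ends in the words `content API response` followed by a bare `_`, with no `<URL>` between them, so it renders as a dangling reference. Putting the original URL back in angle brackets before the closing backtick restores the link. The same loss occurs in harmonization.conf's classification.taxonomy description later in this patch, where the ENISA taxonomies URL is dropped in the same way.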
@@ -1612,7 +1801,7 @@ providers: public: yes CZ.NIC: HaaS: - description: SSH attackers against HaaS (Honeypot as a Sevice) provided by CZ.NIC, z.s.p.o. The dump is published once a day. + description: SSH attackers against HaaS (Honeypot as a Service) provided by CZ.NIC, z.s.p.o. The dump is published once a day. bots: collector: module: intelmq.bots.collectors.http.collector_http @@ -1628,6 +1817,24 @@ providers: revision: 2020-07-22 documentation: https://haas.nic.cz/ public: yes + Proki: + description: Aggregation of various sources on malicious IP addresses (malware spreaders or C&C servers). + bots: + collector: + module: intelmq.bots.collectors.http.collector_http + parameters: + http_url: https://proki.csirt.cz/api/1/__APIKEY__/data/day/{time[%Y/%m/%d]} + http_url_formatting: + days: -1 + rate_limit: 86400 + name: __FEED__ + provider: __PROVIDER__ + parser: + module: intelmq.bots.parsers.cznic.parser_proki + parameters: + revision: 2020-08-17 + documentation: https://csirt.cz/en/proki/ + public: no ESET: ETI Domains: description: Domain data from ESET's TAXII API. diff --git a/example_config/intelmq/etc/harmonization.conf b/example_config/intelmq/etc/harmonization.conf index a173a29..f4d637d 100644 --- a/example_config/intelmq/etc/harmonization.conf +++ b/example_config/intelmq/etc/harmonization.conf 
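Review bot: The new Proki collector's `http_url` embeds the API key in the URL path (`/api/1/__APIKEY__/data/…`), so once the placeholder is filled the secret becomes part of every request URL and may end up in collector log lines or HTTP access logs, depending on the logging level. That is the provider's API shape rather than a choice made here, but `additional_information` should say it, so that operators keep the filled feeds.yaml out of version control and review what the collector logs at DEBUG. `documentation:` points at the Proki page, but nothing in the entry states the response format `parser_proki` expects.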
@@ -1,16 +1,16 @@ { "event": { "classification.identifier": { - "description": "The lowercase identifier defines the actual software or service (e.g. 'heartbleed' or 'ntp_version') or standardized malware name (e.g. 'zeus'). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.", + "description": "The lowercase identifier defines the actual software or service (e.g. ``heartbleed`` or ``ntp_version``) or standardized malware name (e.g. ``zeus``). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.", "type": "String" }, "classification.taxonomy": { - "description": "We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to a an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. For more information about check [ENISA taxonomies](http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies).", + "description": "We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to a an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. 
For more information about check `ENISA taxonomies `_.", "length": 100, "type": "LowercaseString" }, "classification.type": { - "description": "The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid \u201ctype explosion\u201d, which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.", + "description": "The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid *type explosion*, which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.", "type": "ClassificationType" }, "comment": { @@ -356,7 +356,7 @@ "type": "DateTime" }, "time.source": { - "description": "The time of occurence of the event as reported the feed (source).", + "description": "The time of occurrence of the event as reported the feed (source).", "type": "DateTime" }, "tlp": { 
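Review bot: The new classification.taxonomy description loses the ENISA link: the removed line carried `http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies`, while the added reStructuredText form ends in `ENISA taxonomies` followed by a bare `_` with no `<URL>` target, so the reference is dangling. Re-adding the URL in angle brackets before the closing backtick restores it. These description fields are JSON strings, presumably read by IntelMQ's harmonization loader as well as by the docs build, so whichever markup form is chosen must stay a valid JSON string as the sibling ``..`` and `*..*` edits in this hunk do.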
diff --git a/example_config/intelmq/etc/pipeline.conf b/example_config/intelmq/etc/pipeline.conf
index 17982d6..1571db7 100644
--- a/example_config/intelmq/etc/pipeline.conf
+++ b/example_config/intelmq/etc/pipeline.conf
@@ -1,15 +1,15 @@
 {
 "cymru-whois-expert": {
- "source-queue": "cymru-whois-expert-queue",
 "destination-queues": [
 "file-output-queue"
- ]
+ ],
+ "source-queue": "cymru-whois-expert-queue"
 },
 "deduplicator-expert": {
- "source-queue": "deduplicator-expert-queue",
 "destination-queues": [
 "taxonomy-expert-queue"
- ]
+ ],
+ "source-queue": "deduplicator-expert-queue"
 },
 "feodo-tracker-browse-collector": {
 "destination-queues": [
@@ -17,31 +17,31 @@
 ]
 },
 "feodo-tracker-browse-parser": {
- "source-queue": "feodo-tracker-browse-parser-queue",
 "destination-queues": [
 "deduplicator-expert-queue"
- ]
+ ],
+ "source-queue": "feodo-tracker-browse-parser-queue"
 },
 "file-output": {
 "source-queue": "file-output-queue"
 },
 "gethostbyname-1-expert": {
- "source-queue": "gethostbyname-1-expert-queue",
 "destination-queues": [
 "cymru-whois-expert-queue"
- ]
+ ],
+ "source-queue": "gethostbyname-1-expert-queue"
 },
 "gethostbyname-2-expert": {
- "source-queue": "gethostbyname-2-expert-queue",
 "destination-queues": [
 "cymru-whois-expert-queue"
- ]
+ ],
+ "source-queue": "gethostbyname-2-expert-queue"
 },
 "malc0de-parser": {
- "source-queue": "malc0de-parser-queue",
 "destination-queues": [
 "deduplicator-expert-queue"
- ]
+ ],
+ "source-queue": "malc0de-parser-queue"
 },
 "malc0de-windows-format-collector": {
 "destination-queues": [
@@ -54,10 +54,10 @@
 ]
 },
 "malware-domain-list-parser": {
- "source-queue": "malware-domain-list-parser-queue",
 "destination-queues": [
 "deduplicator-expert-queue"
- ]
+ ],
+ "source-queue": "malware-domain-list-parser-queue"
 },
 "spamhaus-drop-collector": {
 "destination-queues": [
@@ -65,22 +65,22 @@
 ]
 },
 "spamhaus-drop-parser": {
- "source-queue": "spamhaus-drop-parser-queue",
 "destination-queues": [
 "deduplicator-expert-queue"
- ]
+ ],
+ "source-queue": "spamhaus-drop-parser-queue"
 },
 "taxonomy-expert": {
- "source-queue": "taxonomy-expert-queue",
 "destination-queues": [
 "url2fqdn-expert-queue"
- ]
+ ],
+ "source-queue": "taxonomy-expert-queue"
 },
 "url2fqdn-expert": {
- "source-queue": "url2fqdn-expert-queue",
 "destination-queues": [
 "gethostbyname-1-expert-queue",
 "gethostbyname-2-expert-queue"
- ]
+ ],
+ "source-queue": "url2fqdn-expert-queue"
 }
-}
\ No newline at end of file
+}
diff --git a/example_config/intelmq/etc/runtime.conf b/example_config/intelmq/etc/runtime.conf
index 1c0ba94..13bde6a 100644
--- a/example_config/intelmq/etc/runtime.conf
+++ b/example_config/intelmq/etc/runtime.conf
@@ -10,6 +10,7 @@
 "parameters": {
 "overwrite": true,
 "redis_cache_db": 5,
+ "redis_cache_host": "127.0.0.1",
 "redis_cache_password": null,
 "redis_cache_port": 6379,
 "redis_cache_ttl": 86400
@@ -28,6 +29,7 @@
 "filter_keys": "raw,time.observation",
 "filter_type": "blacklist",
 "redis_cache_db": 6,
+ "redis_cache_host": "127.0.0.1",
 "redis_cache_port": 6379,
 "redis_cache_ttl": 86400
 },
@@ -50,9 +52,7 @@
 "rate_limit": 86400,
 "ssl_client_certificate": null
 },
- "run_mode": "continuous",
- "groupname": "collectors",
- "bot_id": "feodo-tracker-browse-collector"
+ "run_mode": "continuous"
 },
 "feodo-tracker-browse-parser": {
 "description": "HTML Table Parser is a bot configurable to parse different html table data.",
@@ -74,9 +74,7 @@
 "time_format": null,
 "type": "c2server"
 },
- "run_mode": "continuous",
- "groupname": "parsers",
- "bot_id": "feodo-tracker-browse-parser"
+ "run_mode": "continuous"
 },
 "file-output": {
 "bot_id": "file-output",
@@ -227,4 +225,4 @@
 },
 "run_mode": "continuous"
 }
-}
\ No newline at end of file
+}
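Review bot: The runtime.conf hunks at old lines 50 and 74 remove `groupname` and `bot_id` from the feodo-tracker collector and parser, yet the `file-output` bot visible in the trailing context of the second hunk still carries `"bot_id": "file-output"`, so the example now mixes both forms within one file. If the loader now derives these from the enclosing key, the remaining `bot_id`/`groupname` entries should be dropped in the same change for consistency; if it does not, the two edited bots have just lost required fields — which of the two applies cannot be told from this patch. The `redis_cache_host` additions agree with the `127.0.0.1` value the new feeds.yaml entries use.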