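Deduplicator-Expert-CISA:
  # Drops events whose hash was already seen within redis_cache_ttl seconds
  # (CISA KEV branch of the pipeline; fed by GenericCsv-Parser-2).
  bot_id: Deduplicator-Expert-CISA
  description: >-
    Detection and drop exact duplicate messages. Message hashes are cached
    in the Redis database
  enabled: true
  group: Expert
  groupname: experts
  module: intelmq.bots.experts.deduplicator.expert
  name: Deduplicator
  parameters:
    bypass: false
    destination_queues:
      _default: [Filter-Expert-timebased-queue]
    # Exclude the per-fetch fields from the hash, as the sibling
    # deduplicator-expert does. The previous empty blacklist let
    # time.observation (set anew on every collector run) into the hash, so
    # no event from a later fetch of the same feed ever matched the cache.
    filter_keys: raw,time.observation
    filter_type: blacklist
    redis_cache_db: 6
    # NOTE(review): the pipeline broker lives on host `redis` (see global)
    # while this cache points at localhost -- confirm a Redis is reachable
    # on 127.0.0.1 inside the bot container.
    redis_cache_host: '127.0.0.1'
    redis_cache_password: ''
    redis_cache_port: 6379
    redis_cache_ttl: 86400  # 24 h
    run_mode: continuous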
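Filter-Expert-timebased:
  # Time-window filter sitting between the CISA deduplicator and the
  # Telegram output.
  bot_id: Filter-Expert-timebased
  description: Filter events, supports named paths for splitting the message flow
  enabled: true
  group: Expert
  # groupname was missing here while every other bot entry carries it;
  # added for consistency with the rest of the file.
  groupname: experts
  module: intelmq.bots.experts.filter.expert
  name: Filter
  parameters:
    destination_queues:
      _default: [Telegram-Output-queue]
    filter_action: ''
    filter_key: time.source
    filter_regex: ''
    filter_value: ''
    # Only the relative lower bound is set; filter_value/filter_regex are
    # empty, so the window on time.source is the sole criterion.
    # NOTE(review): presumably this keeps events from the last 15 days and
    # drops older ones -- verify against the filter expert's semantics.
    not_after: ''
    not_before: 15 days
    run_mode: continuous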
GenericCsv-Parser:
  # Skeleton CSV parser: columns are empty and destination_queues is {},
  # so anything queued here (NoOp-Collector points at it) is parsed into
  # nothing and goes nowhere.
  bot_id: GenericCsv-Parser
  description: >-
    Parse generic CSV data. Ignoring lines starting with character #.
    URLs without protocol can be prefixed with a default value.
  enabled: true
  group: Parser
  groupname: parsers
  module: intelmq.bots.parsers.generic.parser_csv
  name: GenericCsv
  parameters:
    column_regex_search: ''
    columns: ''
    columns_required: ''
    compose_fields: {}
    data_type: ''
    default_url_protocol: 'http://'
    delimiter: ','
    destination_queues: {}
    filter_text: ''
    filter_type: ''
    skip_header: false
    time_format: ''
    type: ''
    type_translation: {}
    run_mode: continuous
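GenericCsv-Parser-2:
  # Parses the CISA Known Exploited Vulnerabilities CSV fetched by
  # HTTP-Collector.
  bot_id: GenericCsv-Parser-2
  description: >-
    Parse generic CSV data. Ignoring lines starting with character #.
    URLs without protocol can be prefixed with a default value.
  enabled: true
  group: Parser
  groupname: parsers
  module: intelmq.bots.parsers.generic.parser_csv
  name: GenericCsv
  parameters:
    column_regex_search: ''
    # Column order must match the KEV CSV header; the header row itself is
    # skipped below.
    columns: extra.cveID,extra.vendorProject,extra.product,extra.vulnerabilityName,time.source,extra.shortDescription,extra.requiredAction,extra.dueDate,extra.notes
    compose_fields: {}
    data_type: ''
    default_url_protocol: 'http://'
    delimiter: ','
    # Route only through the deduplicator. Previously the parser also sent
    # every event straight to Filter-Expert-timebased-queue, which is the
    # deduplicator's own destination: each event reached the filter (and so
    # Telegram) at least once regardless of the cache, and new events twice.
    destination_queues:
      _default: [Deduplicator-Expert-CISA-queue]
    filter_text: ''
    filter_type: ''
    skip_header: true
    time_format: ''
    type: ''
    type_translation: {}
    run_mode: continuous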
HTTP-Collector:
  # Fetches the CISA KEV catalog once an hour and hands it to
  # GenericCsv-Parser-2.
  bot_id: HTTP-Collector
  description: Fetch reports from an URL
  enabled: true
  group: Collector
  groupname: collectors
  module: intelmq.bots.collectors.http.collector_http
  name: HTTP
  parameters:
    code: ''
    destination_queues:
      _default: [GenericCsv-Parser-2-queue]
    documentation: ''
    extract_files: false
    gpg_keyring: ''
    http_header: {}
    http_password: ''
    http_url: 'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
    http_url_formatting: false
    http_username: ''
    provider: ''
    rate_limit: 3600  # seconds between fetches
    # No signature is published for this feed, so PGP verification stays off;
    # integrity rests on TLS (certificate verification is not overridden here).
    signature_url: ''
    signature_url_formatting: false
    # NOTE(review): ssl_client_cert duplicates ssl_client_certificate and does
    # not look like a known collector parameter -- confirm it is read at all.
    ssl_client_cert: ''
    ssl_client_certificate: ''
    verify_pgp_signatures: false
    run_mode: continuous
NoOp-Collector:
  # Example/placeholder collector (description: "this bot does nothing
  # useful"). The module is not a stock IntelMQ collector, so the image
  # must ship it for this bot to start.
  bot_id: NoOp-Collector
  description: Este bot no hace nada util
  enabled: true
  group: Collector
  groupname: collectors
  module: intelmq.bots.collectors.otherexample.collector
  name: NoOp
  parameters:
    # cantidad/paso are parameters of the custom module; their meaning is
    # not visible from this file.
    cantidad: 5
    code: ''
    destination_queues:
      _default: [GenericCsv-Parser-queue]
    documentation: ''
    paso: step
    provider: ''
    rate_limit: 3600
    run_mode: continuous
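Telegram-Output:
  # Posts one message per event to a Telegram chat.
  bot_id: Telegram-Output
  # The previous description ("Send events to a REST API listener through
  # HTTP POST") belonged to the REST API output bot, not this module.
  description: Send events as messages to a Telegram chat
  enabled: true
  group: Output
  groupname: outputs
  module: intelmq.bots.outputs.telegram.output
  name: Telegram
  parameters:
    chat_id: 145090811
    destination_queues: {}
    # Looks like a str.format template over the event (ev[...] fields) --
    # confirm against the bot's documentation.
    message: 'Nuevo CVE siendo explotado: {ev[extra.cveID]}:{ev[extra.vulnerabilityName]}. Agregado {ev[time.source]}. Detalles: Producto{ev[extra.product]} '
    # A live bot token was committed here. Any token that has been in VCS
    # must be treated as exposed: revoke and reissue it, then inject the new
    # value at deploy time (secret store / templating) instead of storing it
    # in this file.
    token: '<TELEGRAM_BOT_TOKEN_PLACEHOLDER>'
    run_mode: continuous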
cymru-whois-expert:
  # Last enrichment step of the classic feed chain; results go to the file
  # output.
  bot_id: cymru-whois-expert
  description: >-
    Cymru Whois (IP to ASN) is the bot responsible to add network information
    to the events (BGP, ASN, AS Name, Country, etc..).
  enabled: true
  group: Expert
  groupname: experts
  module: intelmq.bots.experts.cymru_whois.expert
  name: Cymru Whois
  parameters:
    destination_queues:
      _default: [file-output-einar-queue]
    overwrite: true  # replaces network fields already present on the event
    redis_cache_db: 5
    redis_cache_host: '127.0.0.1'
    redis_cache_password: null
    redis_cache_port: 6379
    redis_cache_ttl: 86400
    run_mode: continuous
deduplicator-expert:
  # Shared deduplicator for the feodo/malc0de/spamhaus parsers.
  bot_id: deduplicator-expert
  description: >-
    Deduplicator is the bot responsible for detection and removal of duplicate
    messages. Messages get cached for <redis_cache_ttl> seconds. If found in the cache,
    it is assumed to be a duplicate.
  enabled: true
  group: Expert
  groupname: experts
  module: intelmq.bots.experts.deduplicator.expert
  name: Deduplicator
  parameters:
    destination_queues:
      _default: [taxonomy-expert-queue]
    # raw and time.observation differ between fetches of the same feed and
    # are therefore left out of the hash.
    filter_keys: raw,time.observation
    filter_type: blacklist
    redis_cache_db: 6
    redis_cache_host: '127.0.0.1'
    redis_cache_port: 6379
    redis_cache_ttl: 86400
    run_mode: continuous
feodo-tracker-browse-collector:
  # Daily fetch of the Feodo Tracker browse page (HTML, parsed by the
  # html_table parser).
  bot_id: feodo-tracker-browse-collector
  description: >-
    Generic URL Fetcher is the bot responsible to get the report from an
    URL.
  enabled: true
  group: Collector
  groupname: collectors
  module: intelmq.bots.collectors.http.collector_http
  name: URL Fetcher
  parameters:
    destination_queues:
      _default: [feodo-tracker-browse-parser-queue]
    extract_files: false
    http_password: null
    http_url: 'https://feodotracker.abuse.ch/browse'
    http_url_formatting: false
    http_username: null
    name: Feodo Tracker Browse  # feed name attached to the report
    provider: Abuse.ch
    rate_limit: 86400  # 24 h
    ssl_client_certificate: null
    run_mode: continuous
feodo-tracker-browse-parser:
  # Extracts the first table of the Feodo Tracker browse page into events.
  bot_id: feodo-tracker-browse-parser
  description: >-
    HTML Table Parser is a bot configurable to parse different html table
    data.
  enabled: true
  group: Parser
  groupname: parsers
  module: intelmq.bots.parsers.html_table.parser
  name: HTML Table
  parameters:
    attribute_name: ''
    attribute_value: ''
    # One IntelMQ field per table column; "status" is not a harmonization
    # field -- presumably it is discarded or mapped by the parser, verify.
    columns: time.source,source.ip,malware.name,status,source.as_name,source.geolocation.cc
    default_url_protocol: 'http://'
    destination_queues:
      _default: [deduplicator-expert-queue]
    ignore_values: ',,,,,'
    skip_table_head: true
    split_column: ''
    split_index: 0
    split_separator: ''
    table_index: 0
    time_format: null
    type: c2-server
    run_mode: continuous
file-output-einar:
  # Sink of the classic feed chain: events are appended to a flat file.
  bot_id: file-output-einar
  description: File is the bot responsible to send events to a file.
  enabled: true
  group: Output
  groupname: outputs
  module: intelmq.bots.outputs.file.output
  name: File
  parameters:
    destination_queues: {}
    file: /opt/intelmq/var/lib/bots/file-output/events.txt
    hierarchical_output: false
    single_key: ''
    run_mode: continuous
gethostbyname-1-expert:
  # One of two identical resolvers that url2fqdn-expert load-balances
  # between.
  bot_id: gethostbyname-1-expert
  description: fqdn2ip is the bot responsible to parsing the ip from the fqdn.
  enabled: true
  group: Expert
  groupname: experts
  module: intelmq.bots.experts.gethostbyname.expert
  name: Gethostbyname
  parameters:
    destination_queues:
      _default: [cymru-whois-expert-queue]
    run_mode: continuous
gethostbyname-2-expert:
  # Second resolver instance; configuration mirrors gethostbyname-1-expert.
  bot_id: gethostbyname-2-expert
  description: fqdn2ip is the bot responsible to parsing the ip from the fqdn.
  enabled: true
  group: Expert
  groupname: experts
  module: intelmq.bots.experts.gethostbyname.expert
  name: Gethostbyname
  parameters:
    destination_queues:
      _default: [cymru-whois-expert-queue]
    run_mode: continuous
# Settings inherited by every bot; block style instead of the one-line flow
# mapping so single keys diff cleanly.
global:
  destination_pipeline_broker: redis
  destination_pipeline_host: redis
  process_manager: intelmq
  source_pipeline_broker: redis
  source_pipeline_host: redis
  ssl_ca_certificate: null
  statistics_database: 3
  # NOTE(review): pipeline traffic goes to host `redis` but statistics (and
  # the bots' own caches) target localhost -- confirm both are reachable
  # from inside the container.
  statistics_host: '127.0.0.1'
  statistics_password: null
  statistics_port: 6379
malc0de-parser:
  # Parses the Malc0de blocklist fetched by malc0de-windows-format-collector.
  bot_id: malc0de-parser
  description: >-
    Malc0de Parser is the bot responsible to parse the IP Blacklist and
    either Windows Format or Bind Format reports and sanitize the information.
  enabled: true
  group: Parser
  groupname: parsers
  module: intelmq.bots.parsers.malc0de.parser
  name: Malc0de
  parameters:
    destination_queues:
      _default: [deduplicator-expert-queue]
    run_mode: continuous
malc0de-windows-format-collector:
  # Fetches the Malc0de BOOT (Windows format) blocklist every three hours.
  bot_id: malc0de-windows-format-collector
  description: ''
  enabled: true
  group: Collector
  groupname: collectors
  module: intelmq.bots.collectors.http.collector_http
  name: Malc0de Windows Format
  parameters:
    destination_queues:
      _default: [malc0de-parser-queue]
    http_password: null
    # NOTE(review): check that this feed is still served; a dead source
    # only shows up as collector errors in the logs.
    http_url: 'https://malc0de.com/bl/BOOT'
    http_username: null
    name: Windows Format
    provider: Malc0de
    rate_limit: 10800  # 3 h
    ssl_client_certificate: null
    run_mode: continuous
spamhaus-drop-collector:
  # Hourly fetch of the Spamhaus DROP list.
  bot_id: spamhaus-drop-collector
  description: ''
  enabled: true
  group: Collector
  groupname: collectors
  module: intelmq.bots.collectors.http.collector_http
  name: Spamhaus Drop
  parameters:
    destination_queues:
      _default: [spamhaus-drop-parser-queue]
    http_password: null
    http_url: 'https://www.spamhaus.org/drop/drop.txt'
    http_username: null
    name: Drop
    provider: Spamhaus
    rate_limit: 3600  # 1 h
    ssl_client_certificate: null
    run_mode: continuous
spamhaus-drop-parser:
  # Turns DROP entries into events; shares the deduplicator with the other
  # blocklist parsers.
  bot_id: spamhaus-drop-parser
  description: >-
    Spamhaus Drop Parser is the bot responsible to parse the DROP, EDROP,
    DROPv6, and ASN-DROP reports and sanitize the information.
  enabled: true
  group: Parser
  groupname: parsers
  module: intelmq.bots.parsers.spamhaus.parser_drop
  name: Spamhaus Drop
  parameters:
    destination_queues:
      _default: [deduplicator-expert-queue]
    run_mode: continuous
taxonomy-expert:
  # Adds the eCSIRT taxonomy fields before the URL/DNS enrichment steps.
  bot_id: taxonomy-expert
  description: >-
    Taxonomy is the bot responsible to apply the eCSIRT Taxonomy to all
    events.
  enabled: true
  group: Expert
  groupname: experts
  module: intelmq.bots.experts.taxonomy.expert
  name: Taxonomy
  parameters:
    destination_queues:
      _default: [url2fqdn-expert-queue]
    run_mode: continuous
url2fqdn-expert:
  # Derives the FQDN from the URL, then spreads events over the two
  # gethostbyname instances.
  bot_id: url2fqdn-expert
  description: url2fqdn is the bot responsible to parsing the fqdn from the url.
  enabled: true
  group: Expert
  groupname: experts
  module: intelmq.bots.experts.url2fqdn.expert
  name: URL2FQDN
  parameters:
    destination_queues:
      _default: [gethostbyname-1-expert-queue, gethostbyname-2-expert-queue]
    # With load_balance each event goes to ONE of the listed queues rather
    # than being copied to both.
    load_balance: true
    overwrite: false  # keep an existing source.fqdn rather than replace it
    run_mode: continuous