
IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol.

Results 294 intelmq issues

For the Sandbox-URL feed you can get more data for the event by querying their API: https://www.shadowserver.org/wiki/pmwiki.php/Services/Sandbox-URL

feature
component: bots

currently the generic db lookup can only check for equality (`=`), but e.g. postgres supports other comparators too, e.g. the contains or equals operator `

feature
component: bots

In DEBUG they do not log very much what they are doing (connecting, searching, iterating etc).

feature
component: bots
good first issue

The maxmind geoip download script should verify if the downloaded file is valid. See https://lists.cert.at/pipermail/intelmq-dev/2017-July/000215.html and previous

```python
python3 -c "import maxminddb; maxminddb.open_database('GeoLite2-City.mmdb')"
```

feature
component: contrib
good first issue

Current situation: If one or two of `classification.type` and `classification.taxonomy` are missing, it adds the other or both. If both exist, the bot does nothing. But there are for sure...

feature
component: bots
needs: discussion

Currently it is not possible to check both for non-existence and a value with just one rule, e.g.:

```json
"if": { "classification.identifier": "^(|botnet)$" }
```

Events with a non-existent `classification.identifier`...

feature
component: bots

Instead of printing 'is_valid returned False.' if the validation failed, we could print an error message produced by the harmonization class itself. This would be much more helpful.

feature
usability
component: core
good first issue

See the thread _Destination host in malware feeds_ on intelmq-dev: https://lists.cert.at/pipermail/intelmq-dev/2017-April/000182.html https://lists.cert.at/pipermail/intelmq-dev/2017-June/000203.html

feature
component: core

0.0.0.0 itself is a non-routable meta-address ([Wikipedia](https://en.wikipedia.org/wiki/0.0.0.0)), so it shouldn't be valid. For the other addresses it's more complicated, [RFC 5735](https://tools.ietf.org/html/rfc5735):

> 0.0.0.0/8 - Addresses in this block refer to...

feature
data-format
component: core
good first issue

We currently have two config files which do overlap each other. In the future

* the number of rules will increase (e.g. with a more complete malware name-family mapping) and...

feature
component: bots
good first issue