IntelMQ-dev

intelmq-dev@lists.cert.at

1 participants
246 discussions

IntelMQ 3.5.0 release with new data fields
by Sebix 01 Nov '25

01 Nov '25

Dear IntelMQ community The new IntelMQ release 3.5.0 brings support for a few new data fields that many of you have requested: * severity * product.full_name, product.name, product.vendor, product.version, product.vulnerabilities (IEP009: IntelMQ Data Format: Describe product and mark vulnerabilities https://github.com/certtools/ieps/tree/main/009) * constituency (IEP008: IntelMQ Data Format: Constituency field https://github.com/certtools/ieps/tree/main/008) If you use a database to store events, update the schema of theevents table with the SQL statements shown below. If you use deb- or rpm-packages, you have two new packages available: intelmq-contrib and intelmq-autostart. The first contains stufffrom the repositories' contrib/ folder: some eventdb scripts, an example extension package, the feeds config generator, malware name mapping scripts, and systemd scripts.The autostart package contains systemd units to start IntelMQ at boot time and then run it periodically. The full list of changes is very long, belowyou can read the full list of changes. Thanks to all who contributed to this version, whether through user feedback or code. This version contains code contributions from Edvard Rejthar, Kamil Mańkowski, Karl-Johan Karlsson, Lukas Heindl, Mikk Margus Möll, Nakul Rajpal, Sebastian Wagner, Timde Boer. The 3.5.0 version is available at GitHub, PyPI andin the package repositories: https://github.com/certtools/intelmq/releases/tag/3.5.0 https://pypi.org/project/intelmq/ https://docs.intelmq.org/latest/admin/installation/linux-packages/ The complete change log: ## Requirements Python `>=3.9` is now required, which is available on all platforms supported by IntelMQ. ## Data Format To save new fields from IntelMQ Data Format in existing PostgreSQL instances, the following schema update is necessary: ```sql CREATE TYPE severity_enum AS ENUM ( 'critical', 'high', 'medium', 'low', 'info', 'undefined' ); ALTER TABLE events ADD "product.full_name" text; ALTER TABLE events ADD "product.name" text; ALTER TABLE events ADD "product.vendor" text; ALTER TABLE events ADD "product.version" text; ALTER TABLE events ADD "product.vulnerabilities" text; ALTER TABLE events ADD severity varchar(10); ALTER TABLE events ADD "constituency" text; UPDATE events SET severity = (extra ->> 'severity')::severity_enum; ``` Optionally remove the severity field from the extra fields in existing entries: ```sql UPDATE events SET extra = extra - 'severity'; ``` To switch to the more efficient data type `jsonb` instead of `json`, use the following SQL statement. Data is preserved. JSONB also has more query and data manipulation features than plain JSON. ```sql ALTER TABLE events ALTER COLUMN "extra" SET DATA TYPE jsonb; ``` ## Configuration - New parameter `stop_retry_limit` (PR#2598 by Lukas Heindl). ## Core - Drop support for Python 3.8 (fixes #2616, PR#2617 by Sebastian Wagner). - `intelmq.lib.splitreports`: Handle bot parameter `chunk_size` values empty string, due to missing parameter typing checks (PR#2604 by Sebastian Wagner). - `intelmq.lib.mixins.sql` Add Support for MySQL (PR#2625 by Karl-Johan Karlsson). - New parameter `stop_retry_limit` to gracefully handle stopping bots which take longer to shutdown(PR#2598 by Lukas Heindl, fixes #2595). - `intelmq.lib.datatypes`: Remove unneeded Dict39 alias (PR#2639 by Nakul Rajpal, fixes #2635) - `intelmq.lib.mixins.http`: Only set HTTP header 'Authorization' if username or password are set and are not both empty stringas they are by default in the Manager (fixes #2590, PR#2634 by Sebastian Wagner). - `intelmq.lib.message.Message.from_dict`: Do not modify the dict parameter by adding the `__type` field and raise an error when type is not determinable (PR#2545 by Sebastian Wagner). - `intelmq.lib.mixins.cache.CacheMixin` was extended to support temporarystoring messages in a cache queue (PR#2509 by Kamil Mankowski). ## Data Format - Implementing [IEP009](https://github.com/certtools/ieps/tree/main/009) introducingfields to identify products and vulnerabilities: `product.full_name`, `product.name`, `product.vendor`, `product.version`, `product.vulnerabilities`. To store in existing PostgreSQL instances, a schema update is necessary, see firstsection. - added `severity` field to help with triaging received events (PR#2575 by Kamil Mańkowski). To allow saving the field in PostgreSQLdatabase in existing installations, the schema update shown in the first section is necessary. - Implementing [IEP008](https://github.com/certtools/ieps/tree/main/008) introducingthe `constituency` field for easier identification in multi-constituency setups. (PR#2573 by Kamil Mańkowski). To use in current PostgreSQL installations, a schema update is necessary, see firstsection. ## Bots ## Collectors - `intelmq.bots.collectors.mail.collector_mail_attach`: Decrypt GPG attachments (PR#2623 by Edvard Rejthar). - `intelmq.bots.collectors.mail.collector_mail_attach`: Allow empty attachments (PR#2647 by Edvard Rejthar). - `intelmq.bots.collectors.shodan.collector_alert`: Added a new collector to query the Shodan Alert API (PR#2618 by Sebastian Wagner and Malawi CERT). - Remove `intelmq.bots.collectors.blueliv` as it uses an unmaintained library, does not work any moreandbreaks other CI tests (fixes #2593, PR#2632 by Sebastian Wagner). ## Parsers - `intelmq.bots.parsers.cymru.parser_cap_program`: Add mapping for TOR and ipv6-icmpprotocol (PR#2621 by Mikk Margus Möll). - Remove `intelmq.bots.parsers.blueliv` as it is obsolete with the removed collector (PR#2632 by Sebastian Wagner). - `intelmq.bots.parser.json.parser`: - Support data containing lists of JSON Events (PR#2545 by Tim de Boer). - Add default `classification.type` with value `undetermined` if input data has nowclassification itself (PR#2545 by Sebastian Wagner). ## Experts - `intelmq.bots.experts.asn_lookup.expert`: - Print URLs to stdout only in verbose mode (PR#2591 by Sebastian Wagner). - Check for database file existence and writability (fixes #2566). - Use database path matching to installation type (PR#2606 by Sebastian Wagner). - `intelmq.bots.experts.fake.expert`: - Use database path matching to installation type (PR#2606 by Sebastian Wagner). - Add new mode `random_single_value` (PR#2601 by Sebastian Wagner). - `intelmq.bots.experts.sieve.expert`: Test for textX dependency in self-check (PR#2605 by Sebastian Wagner). - `intelmq.bots.experts.trusted_introducer_lookup.expert`: Change to new TI database URL (fixes #2620, PR#2633 by Sebastian Wagner). ## Outputs - `intelmq.bots.outputs.smtp_batch.output`: - Add newparameter `additional_grouping_keys` for an enhanced email batching feature. - Add newparameter `templating` for additional template variables. - Add new parameter `allowed_fieldnames` for csvfield specification. - Add new parameter `fieldnames_translation` for naming csvheaders (PR#2610 by Lukas Heindl, fixes #2586). - `intelmq.bots.outputs.sql.output`: Add Support for MySQL (PR#2625 by Karl-Johan Karlsson). ## Documentation - Fix and refresh links to mailing lists (PR#2609 by Kamil Mańkowski) - `Aggregate Bot`: Add illustration graphics (PR#2612 by Sebastian Wagner). ## Packaging - Replace `/opt/intelmq` example paths in bots with variable `VAR_STATE_PATH` for correct paths in LSB-path setups likewith packages (PR#2587 by Sebastian Wagner). - New deb-package `intelmq-contrib` with all `contrib/` scripts and documentation (PR#2614 by Sebastian Wagner). - New deb-package `intelmq-autostart` containing systemd services and timers to start all enabled IntelMQ bots at boot and periodically (PR#2638 by Sebastian Wagner). ## Tests - `intelmq.tests.lib.test_pipeline.TestAmqp.test_acknowledge`: Skip on all Python versions when running on CI (PR#2602 by Sebastian Wagner). - `.github/workflows/codespell.yml`, `debian-package.yml`, `regexploit.yml`: Upgrade to `ubuntu-latest` runners (PR#2602 by Sebastian Wagner). - `intelmq.test.test_conf`: With changed behaviourin ruamel.yaml on line wrapping since version 0.18.13, only test the parsabiltyof `runtime.yaml` (PR#2619 by Sebastian Wagner). - `intelmq.test.BotTestCase.test_static_bot_check_method`: Remove debugging stub raising for all non-empty checks (PR#2622 by Sebastian Wagner). ## Tools - `intelmq.bin.intelmq_psql_initdb`: Use `JSONB` type by default, Postgres supports it since version 9 (PR#2597 by Sebastian Wagner). - `intelmq.bin.rewrite_config_files`: Removed obsolete JSON configuration file rewriter (PR#2613 by Sebastian Wagner). - `intelmq/lib/bot_debugger.py`: Fix overwriting the runtime logging level by command line parameter (PR#2603 by Sebastian Wagner, fixes #2563). - `intelmq.bin.intelmqctl`: Fix bot log level filtering (PR#2607 by Sebastian Wagner, fixes #2596). ## Contrib - Bash Completion: Adapt to YAML-style runtime configuration (PR#2642 by Sebastian Wagner, fixes #2094). - Remove `prettyprint` script, use `jq` instead (PR#2551 by Sebastian Wagner). ## Known issues Thisis shortlist of the most important known issues. The fulllist can be retrievedfrom [GitHub](https://github.com/certtools/intelmq/labels/bug?page=2&q=is%3Aopen+…. - stomp.py 8.2.0+ breaks the version check in stomp bots (#2600). - Traceback when calling intelmqdump without write access to the log file (#2529). - pyyaml PendingDeprecationWarning: you should no longer specify 'unsafe' -> test failure (#2489). - `intelmq.parsers.html_table` may not process invalid URLs in patched Python version due to changes in `urllib` (#2382). - Breaking changes in 'rt' 3.0 library (#2367). - Type error with SQL output bot's `prepare_values` returning list instead of tuple(#2255). - `intelmq_psql_initdb` does not work for SQLite (#2202). - intelmqsetup: should install a default state file (#2175). - Misp Expert - Crash if misp event already exist(#2170). - Spamhaus CERT parser uses wrongfield (#2165). - Custom headers ignored in HTTPCollectorBot (#2150). - intelmqctl log: parsing syslog does not work (#2097). - Bots started with IntelMQ-API/Manager stop when the webserveris restarted (#952). - Corrupt dump files when interrupted during writing (#870). -- Institute for Common Good Technology gemeinnütziger Kulturverein - nonprofit cultural society https://commongoodtechnology.org/ ZVR 1510673578

1 0

Viriback is offline?
by Mika Silander 01 Nov '25

01 Nov '25

Hi, The Viriback C2 tracker feed seems to be offline (https://tracker.viriback.com/) for the moment. Anyone knows if it is gone permanently? Br, Mika The information in this email may be confidential and is intended solely for the use of the individual or entity to whom it is intended. If you are not the intended recipient of this message, please delete the message and notify the sender immediately. For information on how we process personal data and our contact information, please see CSC's website: Privacy<https://csc.fi/en/privacy> T?m?n s?hk?postin tiedot voivat olla luottamuksellisia ja ne on tarkoitettu yksinomaan sen henkil?n tai yhteis?n k?ytt??n, jolle ne on osoitettu. Jos et ole viestiss? tarkoitettu vastaanottaja, tuhoa viesti ja ilmoita asiasta v?litt?m?sti viestin l?hett?j?lle. Tietoja henkil?tietojen ja yhteystietojen k?sittelyst? l?yd?t CSC:n verkkosivuilta: Tietosuoja<https://csc.fi/tietosuoja>

2 3

Proposed mapping for notifications of high severity events
by elsif 06 Oct '25

06 Oct '25

Hello, Below is the proposed mapping for a new report that we are developing to send advance notice of high severity events before the nightly report run. | Field | Description | ----- | ----------- | timestamp | Timestamp when the IP was seen in UTC+0 | type | Event type | protocol | Packet type of the connection traffic (UDP/TCP) | ip | IP of the device | port | port of the IP connection | asn | ASN of the device | geo | Country of the device | region | Region of the device | city | City of the device | hostname | Reverse DNS of the device IP | hostname_source | Source of the hostname | naics | North American Industry Classification System Code | sector | Sector to which the IP in question belongs; e.g. Communications, Commercial | device_vendor | Source device vendor | device_type | Source device type | device_model | Source device model | severity | Severity level | dst_ip | Destination IP | dst_port | Destination port of the IP connection | dst_asn | ASN of the destination IP | dst_geo | Country of the destination IP | dst_region | Region of the destination IP | dst_city | City of the destination IP | dst_hostname | Reverse DNS of the destination IP | dst_naics | North American Industry Classification System Code | dst_sector | Sector to which the IP in question belongs; e.g. Communications, Commercial | domain_name | Domain name referenced in the request | public_source | Source of the event data | infection | Description of the malware/infection | family | Malware family or campaign associated with the event | tag | Event attributes | application | Application name associated with the event | version | Software version associated with the event | event_id | Unique identifier assigned to the event | ssl_cipher | SSL cipher | detail | Additional details about the event Regards, Jason -- { "constant_fields" : { "classification.taxonomy" : "other", "classification.type" : "other" }, "feed_name" : "Alert", "file_name" : "alert", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "extra.", "type", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "src_isp_name", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "extra.", "src_county", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "domain_name", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "ssl_cipher", "validate_to_none" ], [ "extra.", "detail", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }

1 0

Proposed mapping for Badsecrets (IPv4 and IPv6)
by elsif 09 Sep '25

09 Sep '25

Hello, Below is the proposed mapping for a new report as documented at https://www.shadowserver.org/what-we-do/network-reporting/badsecrets-report/. Please let me know if you have any changes before September 13th. Regards, Jason { "constant_fields" : { "classification.identifier" : "badsecret", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "http" }, "feed_name" : "IPv6-Badsecrets", "file_name" : "scan6_badsecrets", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "badsecret_location", "validate_to_none" ], [ "extra.", "badsecret_module", "validate_to_none" ], [ "extra.", "badsecret_type", "validate_to_none" ], [ "extra.", "badsecret_product", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "request_path", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/badsecrets-report/" } { "constant_fields" : { "classification.identifier" : "badsecret", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "http" }, "feed_name" : "Badsecrets", "file_name" : "scan_badsecrets", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "badsecret_location", "validate_to_none" ], [ "extra.", "badsecret_module", "validate_to_none" ], [ "extra.", "badsecret_type", "validate_to_none" ], [ "extra.", "badsecret_product", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "request_path", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/badsecrets-report/" }

4 7

Proposed mapping for Accessible GPRS Tunneling Protocol (GTP)
by elsif 09 Sep '25

09 Sep '25

Hello, Below is the proposed mapping for a new report as documented at https://www.shadowserver.org/what-we-do/network-reporting/accessible-gprs-t…. Please let me know if you have any changes before August 26th. Regards, Jason { "constant_fields" : { "classification.identifier" : "accessible-gtp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Accessible-GPRS-Tunneling-Protocol-GTP", "file_name" : "scan_gtp", "optional_fields" : [ [ "extra.", "teid", "convert_int" ], [ "extra.", "sequence", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "message_type", "validate_to_none" ], [ "extra.", "message_type_text", "validate_to_none" ], [ "extra.", "message_length", "convert_int" ], [ "extra.", "recovery", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "raw_response", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-gprs-t…" }

3 2

Proposed mapping for Accessible ISAKMP (IPv4 and IPv6)
by elsif 05 Sep '25

05 Sep '25

Hello, Below is the proposed mapping for a new report as documented at https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp…. Please let me know if you have any changes before September 11th. Regards, Jason { "constant_fields" : { "classification.identifier" : "accessible-ike", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "ipsec" }, "feed_name" : "Accessible-ISAKMP", "file_name" : "population_isakmp", "optional_fields" : [ [ "extra.", "spi_size", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "initiator_spi", "validate_to_none" ], [ "extra.", "responder_spi", "validate_to_none" ], [ "extra.", "next_payload", "validate_to_none" ], [ "extra.", "exchange_type", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "message_id", "validate_to_none" ], [ "extra.", "next_payload2", "validate_to_none" ], [ "extra.", "domain_of_interpretation", "validate_to_none" ], [ "extra.", "protocol_id", "validate_to_none" ], [ "extra.", "notify_message_type", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp…" } { "constant_fields" : { "classification.identifier" : "accessible-ike", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "ipsec" }, "feed_name" : "IPv6-Accessible-ISAKMP", "file_name" : "population6_isakmp", "optional_fields" : [ [ "extra.", "spi_size", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "initiator_spi", "validate_to_none" ], [ "extra.", "responder_spi", "validate_to_none" ], [ "extra.", "next_payload", "validate_to_none" ], [ "extra.", "exchange_type", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "message_id", "validate_to_none" ], [ "extra.", "next_payload2", "validate_to_none" ], [ "extra.", "domain_of_interpretation", "validate_to_none" ], [ "extra.", "protocol_id", "validate_to_none" ], [ "extra.", "notify_message_type", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp…" }

2 2

Proposed mapping for Accessible NTRIP
by elsif 27 Aug '25

27 Aug '25

Hello, Below is the proposed mapping for a new report as documented at https://www.shadowserver.org/what-we-do/network-reporting/accessible-ntrip-…. Please let me know if you have any changes before September 2nd. Regards, Jason { "constant_fields" : { "classification.identifier" : "accessible-ntrip", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "ntrip" }, "feed_name" : "Accessible-NTRIP", "file_name" : "population_ntrip", "optional_fields" : [ [ "extra.", "authentication", "convert_bool" ], [ "extra.", "fee", "convert_bool" ], [ "extra.", "bit_rate", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "ntrip", "validate_to_none" ], [ "extra.", "ntrip_code", "validate_to_none" ], [ "extra.", "ntrip_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "ntrip_version", "validate_to_none" ], [ "extra.", "ntrip_date", "validate_to_none" ], [ "extra.", "ntrip_type", "validate_to_none" ], [ "extra.", "mount_point", "validate_to_none" ], [ "extra.", "identifier", "validate_to_none" ], [ "extra.", "format", "validate_to_none" ], [ "extra.", "format_details", "validate_to_none" ], [ "extra.", "carrier", "validate_to_none" ], [ "extra.", "nav_system", "validate_to_none" ], [ "extra.", "network", "validate_to_none" ], [ "extra.", "ntrip_country", "validate_to_none" ], [ "extra.", "ntrip_latitude", "validate_to_none" ], [ "extra.", "ntrip_longitude", "validate_to_none" ], [ "extra.", "nmea", "validate_to_none" ], [ "extra.", "solution", "validate_to_none" ], [ "extra.", "generator", "validate_to_none" ], [ "extra.", "compression", "validate_to_none" ], [ "extra.", "misc", "validate_to_none" ], [ "extra.", "header_base64", "validate_to_none" ], [ "extra.", "body_base64", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ntrip-…" }

2 1

Shadowserver: proposed mapping change for blocklist.source
by elsif 18 Jul '25

18 Jul '25

Hello, I would like to propose a change to the mapping of the 'source' field in the blocklist report which is currently mapped to 'extra.source' in IntelMQ to 'extra.source_name'. This change is necessary to avoid conflicts with the elasticsearch mapping of the 'extra.source' field where it is commonly an object instead of a string. Reports details can be found here: https://www.shadowserver.org/what-we-do/network-reporting/blocklist-report/ Regards, Jason

2 2

Problem installing intelmq-manager 3.3.0-1 to Ubuntu 24 LTS
by Mika Silander 04 Apr '25

04 Apr '25

Hi, I'm trying to set up intelmq-manager to a fresh Ubuntu 24 LTS but I keep bumping into this: E: Failed to fetch http://some-mirror-host-name-here/pub/opensuse/repositories/home%3A/sebix%3… File has unexpected size (3960404 != 3960834). Mirror sync in progress? [IP: some-mirror-hosts-IP-here 80] Hashes of expected file: - SHA256:5269aabe03adb09d03df161294dd41fe1798f3e9b4fefbb88647e13672093cbe - SHA1:2c028c8bf346d0591747d00cad5501b6e18a7e79 [weak] - MD5Sum:fbcee8e105b081b5c5edf635f5c15626 [weak] - Filesize:3960834 [weak] It's quite seldom I've encountered a mismatch in file size checks so is the package somehow broken or have I missed something? Br, Mika The information in this email may be confidential and is intended solely for the use of the individual or entity to whom it is intended. If you are not the intended recipient of this message, please delete the message and notify the sender immediately. For information on how we process personal data and our contact information, please see CSC's website: Privacy<https://csc.fi/en/privacy> T?m?n s?hk?postin tiedot voivat olla luottamuksellisia ja ne on tarkoitettu yksinomaan sen henkil?n tai yhteis?n k?ytt??n, jolle ne on osoitettu. Jos et ole viestiss? tarkoitettu vastaanottaja, tuhoa viesti ja ilmoita asiasta v?litt?m?sti viestin l?hett?j?lle. Tietoja henkil?tietojen ja yhteystietojen k?sittelyst? l?yd?t CSC:n verkkosivuilta: Tietosuoja<https://csc.fi/tietosuoja>

1 0

A question on Shadowserver's Sinkhole HTTP Referer Events feed
by Mika Silander 02 Apr '25

02 Apr '25

Hi, We received one sinkhole http referer event that got flagged as not belonging to our constituency. At a closer look, it turned out that intelmq's destination.ip field (see event4_sinkhole_http_referer in https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/inte…<https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/inte…>) contains the IP the malware tried to access (?) and then the IP of the machine possibly infected by the malware ended up in extra.http_referer_ip. Everything fine and coherent with the feed's documentation, no complaints. To deduce to whom in our constituency an event belongs, we have a bot that first looks at the source.ip field and if this does not match, then we try the destination.ip field. This heuristic works fine with all feeds but in the above case it fails. Is there a chance the report field http_referer_ip gets mapped one day in intelmq.json to intelmq's source.ip field (like in the majority of other feeds) instead of extra.http_referer_ip? Just asking since I'd like to keep things simpler and avoid work-arounds. Br, Mika The information in this email may be confidential and is intended solely for the use of the individual or entity to whom it is intended. If you are not the intended recipient of this message, please delete the message and notify the sender immediately. For information on how we process personal data and our contact information, please see CSC's website: Privacy<https://csc.fi/en/privacy> T?m?n s?hk?postin tiedot voivat olla luottamuksellisia ja ne on tarkoitettu yksinomaan sen henkil?n tai yhteis?n k?ytt??n, jolle ne on osoitettu. Jos et ole viestiss? tarkoitettu vastaanottaja, tuhoa viesti ja ilmoita asiasta v?litt?m?sti viestin l?hett?j?lle. Tietoja henkil?tietojen ja yhteystietojen k?sittelyst? l?yd?t CSC:n verkkosivuilta: Tietosuoja<https://csc.fi/tietosuoja>

5 5

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

IntelMQ-dev