IntelMQ¶

neither store nor cache

apt install python3-pip python3-dnspython python3-psutil python3-redis python3-requests python3-termstyle python3-tz python3-dateutil
apt install redis-server

apt install bash-completion jq
apt install python3-sleekxmpp python3-pymongo python3-psycopg2

yum install epel-release
yum install python36 python36-devel python36-requests
yum install gcc gcc-c++
yum install redis

dnf install epel-release
dnf install python3-dateutil python3-dns python3-pip python3-psutil python3-pytz python3-redis python3-requests redis

dnf install bash-completion jq
dnf install python3-psycopg2 python3-pymongo

zypper install python3-dateutil python3-dnspython python3-psutil python3-pytz python3-redis python3-requests python3-python-termstyle
zypper install redis

zypper in bash-completion jq
zypper in python3-psycopg2 python3-pymongo python3-sleekxmpp

sudo -i

pip3 install intelmq

useradd -d /opt/intelmq -U -s /bin/bash intelmq
sudo intelmqsetup

git clone https://github.com/certat/intelmq-docker.git --recursive

sudo docker-compose pull

cd intelmq-docker

sudo docker-compose up

sudo docker pull redis:latest

sudo docker pull certat/intelmq-full:latest

sudo docker pull certat/intelmq-nginx:latest

sudo docker network create intelmq-internal

sudo docker run -v ~/intelmq/example_config/redis/redis.conf:/redis.conf \
                --network intelmq-internal \
                --name redis \
                redis:latest

sudo docker run --network intelmq-internal \
                --name nginx \
                certat/intelmq-nginx:latest

sudo docker run -e INTELMQ_IS_DOCKER="true" \
                -e INTELMQ_PIPELINE_DRIVER="redis" \
                -e INTELMQ_PIPELINE_HOST=redis_host \
                -e INTELMQ_REDIS_CACHE_HOST=redis_host \
                -v ~/intelmq/example_config/intelmq/etc/:/opt/intelmq/etc/ \
                -v ~/intelmq/example_config/intelmq-api:/opt/intelmq-api/config \
                -v /var/log/intelmq:/opt/intelmq/var/log \
                -v ~/intelmq/lib:/opt/intelmq/var/lib \
                --network intelmq-internal \
                --name intelmq \
                certat/intelmq-full:1.0

sudo cp -R /opt/intelmq /opt/intelmq-backup

intelmqctl check
intelmqctl list queues -q

docker pull certat/intelmq-full:latest

docker pull certat/intelmq-nginx:latest

docker-compose pull

docker inspect --format '{{ index .Config.Labels "org.opencontainers.image.version" }}' intelmq-full:latest

docker-compose down

docker ps | grep certat

docker stop CONTAINER_ID

pip install -U --no-deps intelmq
sudo intelmqsetup

pip install .
sudo intelmqsetup

intelmqctl upgrade-config
intelmqctl check

intelmqctl start

systemctl enable redis.service
systemctl start redis.service

apt install supervisor python-pip
pip install supervisor_twiddler

[rpcinterface:twiddler]
supervisor.rpcinterface_factory=supervisor_twiddler.rpcinterface:make_twiddler_rpcinterface

[group:intelmq]

"process_manager": "supervisor",

{
    "example-bot": {
        "source-queue": <source queue data>,
        "destination-queues": <destination queue data>
    }
}

"source-queue": "example-bot-queue"

"deduplicator-expert": {
    "source-queue": "deduplicator-expert-queue",
    "destination-queues": [
        "taxonomy-expert-queue"
    ]
}

"cymru-whois-expert": {
    "source-queue": "cymru-whois-expert-queue",
    "destination-queues": [
        "file-output-queue",
        "misp-output-queue"
    ]
}

"destination-queues": ["taxonomy-expert-queue"]
"destination-queues": {"_default": ["taxonomy-expert-queue"]}

"destination-queues": {
    "_default": "<first destination pipeline name>",
    "_on_error": "<optional destination pipeline name in case of errors>",
    "other-path": [
        "<second destination pipeline name>",
        "<third destination pipeline name>",
        ...
        ],
    ...
    }

{
    "<bot ID>": {
        "group": "<bot type (Collector, Parser, Expert, Output)>",
        "name": "<human-readable bot name>",
        "module": "<bot code (python module)>",
        "description": "<generic description of the bot>",
        "parameters": {
            "<parameter 1>": "<value 1>",
            "<parameter 2>": "<value 2>",
            "<parameter 3>": "<value 3>"
        }
    }
}

{
    "malware-domain-list-collector": {
        "group": "Collector",
        "name": "Malware Domain List",
        "module": "intelmq.bots.collectors.http.collector_http",
        "description": "Malware Domain List Collector is the bot responsible to get the report from source of information.",
        "parameters": {
            "http_url": "http://www.malwaredomainlist.com/updatescsv.php",
            "feed": "Malware Domain List",
            "rate_limit": 3600
        }
    }
}

{
    "malware-domain-list-collector": {
        "group": "Collector",
        "name": "Malware Domain List",
        "module": "intelmq.bots.collectors.http.collector_http",
        "description": "Malware Domain List Collector is the bot responsible to get the report from source of information.",
        "enabled": false,
        "parameters": {
            "http_url": "http://www.malwaredomainlist.com/updatescsv.php",
            "feed": "Malware Domain List",
            "rate_limit": 3600
        }
    }
}

{
    "<message type>": {
        "<field 1>": {
            "description": "<field 1 description>",
            "type": "<field value type>"
        },
        "<field 2>": {
            "description": "<field 2 description>",
            "type": "<field value type>"
        }
    },
}

{
    "event": {
        "destination.asn": {
            "description": "The autonomous system number from which originated the connection.",
            "type": "Integer"
        },
        "destination.geolocation.cc": {
            "description": "Country-Code according to ISO3166-1 alpha-2 for the destination IP.",
            "regex": "^[a-zA-Z0-9]{2}$",
            "type": "String"
        },
    },
}

"blocklistde-apache-collector": {
    "name": "Generic URL Fetcher",
    "group": "Collector",
    "module": "intelmq.bots.collectors.http.collector_http",
    "description": "All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks.",
    "enabled": false,
    "run_mode": "scheduled",
    "parameters": {
        "feed": "Blocklist.de Apache",
        "provider": "Blocklist.de",
        "http_url": "https://lists.blocklist.de/lists/apache.txt",
        "ssl_client_certificate": null
    },
}

0 0 * * * intelmqctl start blocklistde-apache-collector

"blocklistde-apache-parser": {
    "name": "Blocklist.de Parser",
    "group": "Parser",
    "module": "intelmq.bots.parsers.blocklistde.parser",
    "description": "Blocklist.DE Parser is the bot responsible to parse the report and sanitize the information.",
    "enabled": false,
    "run_mode": "continuous",
    "parameters": {
    },
}

intelmqctl start blocklistde-apache-parser

redis-cli FLUSHDB
redis-cli FLUSHALL

intelmqdump -h
usage:
    intelmqdump [botid]
    intelmqdump [-h|--help]

intelmqdump can inspect dumped messages, show, delete or reinject them into
the pipeline. It's an interactive tool, directly start it to get a list of
available dumps or call it with a known bot id as parameter.

positional arguments:
  botid       botid to inspect dumps of

optional arguments:
  -h, --help  show this help message and exit
  --truncate TRUNCATE, -t TRUNCATE
                        Truncate raw-data with more characters than given. 0 for no truncating. Default: 1000.

Interactive actions after a file has been selected:
- r, Recover by IDs
  > r id{,id} [queue name]
  > r 3,4,6
  > r 3,7,90 modify-expert-queue
  The messages identified by a consecutive numbering will be stored in the
  original queue or the given one and removed from the file.
- a, Recover all
  > a [queue name]
  > a
  > a modify-expert-queue
  All messages in the opened file will be recovered to the stored or given
  queue and removed from the file.
- e, Delete entries by IDs
  > e id{,id}
  > e 3,5
  The entries will be deleted from the dump file.
- d, Delete file
  > d
  Delete the opened file as a whole.
- s, Show by IDs
  > s id{,id}
  > s 0,4,5
  Show the selected IP in a readable format. It's still a raw format from
  repr, but with newlines for message and traceback.
- v, Edit by ID
  > v id
  > v 0
  > v 1,2
  Opens an editor (by calling `sensible-editor`) on the message. The modified message is then saved in the dump.
- q, Quit
  > q

$ intelmqdump
 id: name (bot id)                    content
  0: alienvault-otx-parser            1 dumps
  1: cymru-whois-expert               8 dumps
  2: deduplicator-expert              2 dumps
  3: dragon-research-group-ssh-parser 2 dumps
  4: file-output2                     1 dumps
  5: fraunhofer-dga-parser            1 dumps
  6: spamhaus-cert-parser             4 dumps
  7: test-bot                         2 dumps
Which dump file to process (id or name)? 3
Processing dragon-research-group-ssh-parser: 2 dumps
  0: 2015-09-03T13:13:22.159014 InvalidValue: invalid value u'NA' (<type 'unicode'>) for key u'source.asn'
  1: 2015-09-01T14:40:20.973743 InvalidValue: invalid value u'NA' (<type 'unicode'>) for key u'source.asn'
recover (a)ll, delete (e)ntries, (d)elete file, (q)uit, (s)how by ids, (r)ecover by ids? d
Deleted file /opt/intelmq/var/log/dragon-research-group-ssh-parser.dump

tail -f /opt/intelmq/var/log/*.log
tail -f /var/log/intelmq/*.log

pip3 uninstall intelmq
rm -r /opt/intelmq

{
    "bot-id": {
        "parameters": {
            runtime parameters...
        },
        initialization parameters...
    }
}

{
    "abusech-feodo-domains-collector": {
        "parameters": {
            "provider": "Abuse.ch",
            "name": "Abuse.ch Feodo Domains",
            "http_url": "http://example.org/feodo-domains.txt"
        },
        "name": "Generic URL Fetcher",
        "group": "Collector",
        "module": "intelmq.bots.collectors.http.collector_http",
        "description": "collect report messages from remote hosts using http protocol",
        "enabled": true,
        "run_mode": "scheduled"
    }
}

pip3 install -r intelmq/bots/collectors/xmpp/REQUIREMENTS.txt

pip3 install -r intelmq/bots/collectors/alienvault_otx/REQUIREMENTS.txt

pip3 install -r intelmq/bots/collectors/blueliv/REQUIREMENTS.txt

pip3 install -r intelmq/bots/collectors/eset/REQUIREMENTS.txt

pip3 install -r intelmq/bots/collectors/stomp/REQUIREMENTS.txt

curl -X POST http://localhost:5000/intelmq/push -H 'Content-Type: application/json' --data '{"source.ip": "127.0.0.101", "classification.type": "backdoor"}'

"columns": [
     "",
     "source.fqdn",
     "extra.http_host_header",
     "__IGNORE__"
],

"columns": ",source.fqdn,extra.http_host_header,"

"columns": "source.url|source.fqdn|source.ip"

# Host,Path
example.com,/foo/
example.net,/bar/

{"source.url": "http://{0}{1}"}

http://example.com/foo/
http://example.net/bar/

{
    "columns": [ "source.ip", "source.url", "extra.tags"],
    "data_type": "{\"extra.tags\":\"json\"}"
}

{
     "filter_text": "ipset add ",
     "filter_type": "whitelist",
     "columns": [ "__IGNORE__", "__IGNORE__", "__IGNORE__", "source.ip"]
}

{"malware_download": "malware-distribution"}

"columns": [
     "",
     "source.fqdn",
     "extra.http_host_header",
     "__IGNORE__"
],

"columns": ",source.fqdn,extra.http_host_header,"

"columns": "source.url|source.fqdn|source.ip"

"ignore_values": [
     "",
     "unknown",
     "Not listed",
 ],

"ignore_values": ",unknown,Not listed,"

"columns": [
     "source.url",
     "malware.name",
     "extra.SBL",
],
"ignore_values": [
     "",
     "unknown",
     "Not listed",
],

"attribute_name": "class",
"attribute_value": "details"

"split_column": "source.fqdn",
"split_separator": " ",
"split_index": 1,

"keys": {
    "srcip": "source.ip",
    "dstip": "destination.ip"
}

key="long value" key2="other value"

srcip=192.0.2.1 srcmac="00:00:5e:00:17:17"

pip3 install querycontacts

pip3 install pyasn

intelmq.bots.experts.asn_lookup.expert --update-database

com
at
gv.at

*.example.com

!www.example.com

"parameters": {
    "redis_cache_db": 6,
    "redis_cache_host": "127.0.0.1",
    "redis_cache_password": null,
    "redis_cache_port": 6379,
    "redis_cache_ttl": 86400,
    "filter_type": "whitelist",
    "filter_keys": "source.ip,destination.ip",
}

"parameters": {
    "redis_cache_db": 6,
    "redis_cache_host": "127.0.0.1",
    "redis_cache_password": null,
    "redis_cache_port": 6379,
    "redis_cache_ttl": 86400,
    "filter_type": "blacklist",
    "filter_keys": "source.ip,destination.ip",
}

redis-cli -n 6
flushdb

"columns": [
     "malware.name",
     "extra.tags"
],

intelmq.bots.experts.maxmind_geoip.expert --update-database

[
    {
        "rulename": "Standard Protocols http",
        "if": {
            "source.port": "^(80|443)$"
        },
        "then": {
            "protocol.application": "http"
        }
    },
    {
        "rulename": "Spamhaus Cert conficker",
        "if": {
            "malware.name": "^conficker(ab)?$"
        },
        "then": {
            "classification.identifier": "conficker"
        }
    },
    {
        "rulename": "bitdefender",
        "if": {
            "malware.name": "bitdefender-(.*)$"
        },
        "then": {
            "malware.name": "{matches[malware.name][1]}"
        }
    },
    {
        "rulename": "urlzone",
        "if": {
            "malware.name": "^urlzone2?$"
        },
        "then": {
            "classification.identifier": "urlzone"
        }
    },
    {
        "rulename": "default",
        "if": {
            "feed.name": "^Spamhaus Cert$"
        },
        "then": {
            "classification.identifier": "{msg[malware.name]}"
        }
    }
]

intelmq.bots.experts.recordedfuture_iprisk.expert --update-database

pip3 install -r intelmq/bots/experts/sieve/REQUIREMENTS.txt

if :exists source.fqdn {
  keep  // aborts processing of subsequent rules and forwards the event.
}

if :notexists source.abuse_contact || source.abuse_contact =~ '.*@example.com' {
  drop  // aborts processing of subsequent rules and drops the event.
}

if source.ip << '192.0.0.0/24' {
    add! comment = 'bogon' // sets the field comment to this value and overwrites existing values
    path 'other-path' // the message is sent to the given path
}

if classification.type == ['phishing', 'malware'] && source.fqdn =~ '.*\.(ch|li)$' {
  add! comment = 'domainabuse'
  keep
} elif classification.type == 'scanner' {
  add! comment = 'ignore'
  drop
} else {
  remove comment
}

if EXPRESSION {
    ACTIONS
} elif EXPRESSION {
    ACTIONS
} else {
    ACTIONS
}

$ intelmq.bots.experts.sieve.validator
usage: intelmq.bots.experts.sieve.validator [-h] sievefile

Validates the syntax of sievebot files.

positional arguments:
  sievefile   Sieve file

optional arguments:
  -h, --help  show this help message and exit

"search_parameters": {
    "source.ip": "ip"
}

"result_fields": {
    "username": "source.account"
}

index="dhcp" ipv4address="$ip$" | ... | fields _time username ether

"add_keys": {
    "classification.type": "spam",
    "comment": "Started more than 10 SMTP connections"
}

intelmq.bots.experts.tor_nodes.expert --update-database

'never' --> intelmq
'daily' --> intelmq-2018-02-02
'weekly' --> intelmq-2018-42
'monthly' --> intelmq-2018-02
'yearly' --> intelmq-2018

> curl -XGET 'http://localhost:9200/intelmq/events/_search?pretty=True'

pip3 install pymongo>=2.7.1

createuser --no-superuser --no-createrole --no-createdb --encrypted --pwprompt intelmq

createdb --encoding='utf-8' --owner=intelmq intelmq-events

psql -h localhost intelmq-events intelmq </tmp/initdb.sql

sqlite3 your-db.db
sqlite> .read /tmp/initdb.sql

{"raw": "MjAxNi8wNC8yNV8xMTozOSxzY2hpenppbm8ub21hcmF0aG9uLmNvbS9na0NDSnVUSE0vRFBlQ1pFay9XdFZOSERLbC1tWFllRk5Iai8sODUuMjUuMTYwLjExNCxzdGF0aWMtaXAtODUtMjUtMTYwLTExNC5pbmFkZHIuaXAtcG9vbC5jb20uLEFuZ2xlciBFSywtLDg5NzI=", "source": {"asn": 8972, "ip": "85.25.160.114", "url": "http://schizzino.omarathon.com/gkCCJuTHM/DPeCZEk/WtVNHDKl-mXYeFNHj/", "reverse_dns": "static-ip-85-25-160-114.inaddr.ip-pool.com"}, "classification": {"type": "malware"}, "event_description": {"text": "Angler EK"}, "feed": {"url": "http://www.malwaredomainlist.com/updatescsv.php", "name": "Malware Domain List", "accuracy": 100.0}, "time": {"observation": "2016-04-29T10:59:34+00:00", "source": "2016-04-25T11:39:00+00:00"}}

Apr 29 11:01:29 header example {"raw": "MjAxNi8wNC8yNV8xMTozOSxzY2hpenppbm8ub21hcmF0aG9uLmNvbS9na0NDSnVUSE0vRFBlQ1pFay9XdFZOSERLbC1tWFllRk5Iai8sODUuMjUuMTYwLjExNCxzdGF0aWMtaXAtODUtMjUtMTYwLTExNC5pbmFkZHIuaXAtcG9vbC5jb20uLEFuZ2xlciBFSywtLDg5NzI=", "source": {"asn": 8972, "ip": "85.25.160.114", "url": "http://schizzino.omarathon.com/gkCCJuTHM/DPeCZEk/WtVNHDKl-mXYeFNHj/", "reverse_dns": "static-ip-85-25-160-114.inaddr.ip-pool.com"}, "classification": {"type": "malware"}, "event_description": {"text": "Angler EK"}, "feed": {"url": "http://www.malwaredomainlist.com/updatescsv.php", "name": "Malware Domain List", "accuracy": 100.0}, "time": {"observation": "2016-04-29T10:59:34+00:00", "source": "2016-04-25T11:39:00+00:00"}}

Apr 29 11:17:47 localhost IntelMQ-event|source.ip: 85.25.160.114|time.source:2016-04-25T11:39:00+00:00|feed.url:http://www.malwaredomainlist.com/updatescsv.php|time.observation:2016-04-29T11:17:44+00:00|source.reverse_dns:static-ip-85-25-160-114.inaddr.ip-pool.com|feed.name:Malware Domain List|event_description.text:Angler EK|source.url:http://schizzino.omarathon.com/gkCCJuTHM/DPeCZEk/WtVNHDKl-mXYeFNHj/|source.asn:8972|classification.type:malware|feed.accuracy:100.0

pip3 install -r intelmq/bots/collectors/xmpp/REQUIREMENTS.txt

> intelmqctl start file-output
Starting file-output...
file-output is running.

> intelmqctl start file-output
file-output is running.

> intelmqctl stop file-output
Stopping file-output...
file-output is stopped.

> intelmqctl stop file-output
file-output was NOT RUNNING.

> intelmqctl stop file-output
file-output is still running

> intelmqctl status file-output
file-output is stopped.
> intelmqctl start file-output
Starting file-output...
file-output is running.
> intelmqctl status file-output
file-output is running.

> intelmqctl restart file-output
Stopping file-output...
file-output is stopped.
Starting file-output...
file-output is running.

> intelmqctl reload file-output
Reloading file-output ...
file-output is running.

> intelmqctl reload file-output
file-output was NOT RUNNING.

> intelmqctl run file-output
file-output: RestAPIOutputBot initialized with id file-output and version 3.5.2 as process 12345.
file-output: Bot is starting.
file-output: Loading source pipeline and queue 'file-output-queue'.
file-output: Connected to source queue.
file-output: No destination queues to load.
file-output: Bot initialization completed.
file-output: Waiting for incoming message.

> intelmqctl run file-output --help

> intelmqctl run file-output
Main instance of the bot is running in the background. You may want to launch: intelmqctl stop file-output

> intelmqctl run file-output console
*** Using console ipdb. Please use 'self' to access to the bot instance properties. ***
ipdb> self. ...

> intelmqctl run file-output console pudb

> intelmqctl run file-output message get
file-output: Waiting for a message to get...
{
    "classification.type": "c&c",
    "feed.url": "https://example.com",
    "raw": "1233",
    "source.ip": "1.2.3.4",
    "time.observation": "2017-05-17T22:00:33+00:00",
    "time.source": "2017-05-17T22:00:32+00:00"
}

> intelmqctl run file-output message send '{"time.observation": "2017-05-17T22:00:33+00:00", "time.source": "2017-05-17T22:00:32+00:00"}'
file-output: Bot has no destination queues.

> intelmqctl run file-output process
file-output: Bot is starting.
file-output: Bot initialization completed.
file-output: Processing...
file-output: Waiting for incoming message.
file-output: Received message {'raw': '1234'}.

> intelmqctl run file-output process -d
file-output:  * Dryrun only, no message will be really sent through.
...
file-output: DRYRUN: Message would be acknowledged now!

> intelmqctl run file-output process -m '{"source.ip":"1.2.3.4"}'
file-output:  * Message from cli will be used when processing.
...

> intelmqctl status file-output
file-output is stopped.
> intelmqctl disable file-output
> intelmqctl status file-output
file-output is disabled.

> intelmqctl status file-output
file-output is disabled.
> intelmqctl enable file-output
> intelmqctl status file-output
file-output is stopped.

> intelmqctl start
Starting abusech-domain-parser...
abusech-domain-parser is running.
Starting abusech-feodo-domains-collector...
abusech-feodo-domains-collector is running.
Starting deduplicator-expert...
deduplicator-expert is running.
file-output is disabled.
Botnet is running.

> intelmqctl stop
Stopping Botnet...
Stopping abusech-domain-parser...
abusech-domain-parser is stopped.
Stopping abusech-feodo-domains-collector...
abusech-feodo-domains-collector is stopped.
Stopping deduplicator-expert...
deduplicator-expert is stopped.
Stopping file-output...
file-output is stopped.
Botnet is stopped.

> intelmqctl status
abusech-domain-parser is running.
abusech-feodo-domains-collector is running.
deduplicator-expert is running.
file-output is disabled.

> intelmqctl status
abusech-domain-parser is running.
abusech-feodo-domains-collector is running.
deduplicator-expert is running.
file-output is running.

> intelmqctl status
abusech-domain-parser is stopped.
abusech-feodo-domains-collector is stopped.
deduplicator-expert is stopped.
file-output is disabled.

> intelmqctl status
file-output is stopped.
malware-domain-list-collector is stopped.
malware-domain-list-parser is stopped.
> intelmqctl disable file-output
> intelmqctl status
file-output is disabled.
malware-domain-list-collector is stopped.
malware-domain-list-parser is stopped.
> intelmqctl enable file-output
> intelmqctl status
file-output is stopped.
malware-domain-list-collector is stopped.
malware-domain-list-parser is stopped.

> intelmqctl list queues
abusech-domain-parser-queue - 0
abusech-domain-parser-queue-internal - 0
deduplicator-expert-queue - 0
deduplicator-expert-queue-internal - 0
file-output-queue - 234
file-output-queue-internal - 0

> intelmqctl list queues -q
file-output-queue - 234

> intelmqctl list queues --sum
42

redis-cli -n 2
keys * # lists all existing non-empty queues
llen [queue-name] # shows the length of the queue [queue-name]
lindex [queue-name] [index] # show the [index]'s message of the queue [queue-name]
del [queue-name] # remove the queue [queue-name]

"intelmqctl_check_orphaned_queues_ignore": ["Taichung-Parser"],

intelmq.lib.exceptions.PipelineError: pipeline failed - ConnectionError('Error 13 connecting to unix socket: /var/run/redis/redis.sock. Permission denied.',)

unixsocketperm 770

usermod -aG redis intelmq

intelmq.lib.exceptions.InvalidValue: invalid value '2017-03-06T07:36:29' () for key 'time.source'

UPDATE events SET raw = NULL WHERE "time.source" < '2018-07-01';

hug -m intelmq_api.serve

INTELMQ_API_CONFIG=/etc/intelmq/api-config.json hug -m intelmq_api.serve

{
    "intelmq_ctl_cmd": ["sudo", "-u", "intelmq", "intelmqctl"],
    "allowed_path": "/opt/intelmq/var/lib/bots/",
    "session_store": "/etc/intelmq/api-session.sqlite",
    "session_duration": 86400,
    "allow_origins": ["*"]
}

intelmq-api-adduser --user <username> --password <password>

setenforce 0

intelmq_manager.runctl.IntelMQCtlError: <ERROR_MESSAGE>

Alias /intelmq-manager /usr/share/intelmq_manager/html/

<Directory /usr/share/intelmq_manager/html>
    <IfModule mod_headers.c>
    Header set Content-Security-Policy "script-src 'self'"
    Header set X-Content-Security-Policy "script-src 'self'"
    </IfModule>
</Directory>

Content-Security-Policy: script-src 'self'
X-Content-Security-Policy: script-src 'self'

bot-id: logstash-output
redis_server_ip: 10.10.10.10
redis_server_port: 6379
redis_db: 4
redis_queue: logstash-queue

input {
  redis {
    host => "10.10.10.10"
    port => 6379
    db => 4
    data_type => "list"
    key => "logstash-queue"
  }
}

filter {
  mutate {
    lowercase => ["source.geolocation.city", "classification.identifier"]
    remove_field => ["__type", "@version"]
  }
  date {
    match => ["time.observation", "ISO8601"]
  }
}

output {
  elasticsearch {
    hosts => ["http://10.10.10.11:9200", "http://10.10.10.12:9200"]
    index => "intelmq-%{+YYYY.MM}"
  }
}

sudo -s

git clone https://github.com/<your username>/intelmq.git /opt/dev_intelmq
cd /opt/dev_intelmq

pip3 install -e .

useradd -d /opt/intelmq -U -s /bin/bash intelmq

intelmqsetup

su - intelmq

intelmqctl start spamhaus-drop-collector

tail -f /opt/intelmq/var/log/spamhaus-drop-collector.log

sudo -s

cd /opt/dev_intelmq
## necessary for pip metadata update and new executables:
pip3 install -e .
## only necessary if it's not a link yet
cp -fs /opt/dev_intelmq/intelmq/bots/BOTS /opt/intelmq/etc/BOTS

find /opt/intelmq/ -type d -exec chmod 0770 {} \+
find /opt/intelmq/ -type f -exec chmod 0660 {} \+
chown -R intelmq.intelmq /opt/intelmq
## if you use the intelmq manager (adapt the webservers' group if needed):
chown intelmq.www-data /opt/intelmq/etc/*.conf

su - intelmq

intelmqctl start <bot_id>

pip3 install Cerberus PyYAML

cd /opt/dev_intelmq
sudo -u intelmq python3 -m unittest {discover|filename}  # or
sudo -u intelmq nosetests3 [filename]  # alternatively nosetests or nosetests-3.8 depending on your installation, or
sudo -u intelmq python3 setup.py test  # uses a build environment (no external dependencies)

INTELMQ_TEST_DATABASES=1 INTELMQ_TEST_EXOTIC=1 nosetests3

intelmq/
  lib/
    bot.py
    cache.py
    message.py
    pipeline.py
    utils.py
  bots/
    collector/
      <bot name>/
            collector.py
    parser/
      <bot name>/
            parser.py
    expert/
      <bot name>/
            expert.py
    output/
      <bot name>/
            output.py
    BOTS
  /conf
    pipeline.conf
    runtime.conf
    defaults.conf

/intelmq/bots/parser/abusech/parser_domain.py
/intelmq/bots/parser/abusech/parser_ip.py
/intelmq/bots/parser/abusech/parser_ransomware.py

/intelmq/bots/parser/abusech/parser_malicious_url.py

intelmq/bots/parser/taichung/parser.py
intelmq/bots/parser/cymru/parser_full_bogons.py
intelmq/bots/parser/abusech/parser_ransomware.py

> git remote add upstream https://github.com/certtools/intelmq.git

> git checkout develop
> git pull upstream develop
> git push origin develop

> git checkout develop
> git checkout -b bugfix
# your work
> git commit

> git checkout maintenance
> git checkout -b new-feature
# your work
> git commit

> git checkout develop
> git pull upstream develop
> git push origin develop

> git checkout bugfix
> git rebase develop

> git checkout bugfix
> git merge develop

$ sudo -i intelmq
$ intelmqctl run file-output  # if configured
$ intelmq.bots.outputs.file.output file-output

"""Parse data from example.com, be a nice ExampleParserBot.

Document possible necessary configurations.
"""
import sys

# imports for additional libraries and intelmq
from intelmq.lib.bot import Bot

class ExampleParserBot(Bot):
    def process(self):
        report = self.receive_message()

        event = self.new_event(report)  # copies feed.name, time.observation
        ... # implement the logic here
        event.add('source.ip', '127.0.0.1')
        event.add('extra', {"os.name": "Linux"})

        self.send_message(event)
        self.acknowledge_message()

BOT = ExampleParserBot

<timestamp> - <bot id> - <log level> - <log message>

pip3 install -r docs/requirements.txt

cd docs
make html

pip3 install --pre intelmq

### Configuration

### Core

### Development

### Harmonization

### Bots
#### Collectors

#### Parsers

#### Experts

#### Outputs

### Documentation

### Packaging

### Tests

### Tools

### Contrib

### Known issues

### Requirements

### Tools

### Harmonization

### Configuration

### Libraries

### Postgres databases

feed name	file name
Accessible-ADB	scan_adb
Accessible-AFP	scan_afp
Accessible-ARD	scan_ard
Accessible-Cisco-Smart-Install	cisco_smart_install
Accessible-CoAP	scan_coap
Accessible-CWMP	scan_cwmp
Accessible-MS-RDPEUDP	scan_msrdpeudp
Accessible-FTP	scan_ftp
Accessible-Hadoop	scan_hadoop
Accessible-HTTP	scan_http
Accessible-Radmin	scan_radmin
Accessible-RDP	scan_rdp
Accessible-Rsync	scan_rsync
Accessible-SMB	scan_smb
Accessible-Telnet	scan_telnet
Accessible-Ubiquiti-Discovery-Service	scan_ubiquiti
Accessible-VNC	scan_vnc
Blacklisted-IP (deprecated)	blacklist
Blocklist	blocklist
Compromised-Website	compromised_website
DNS-Open-Resolvers	scan_dns
Honeypot-Amplification-DDoS-Events	event4_honeypot_ddos_amp
Honeypot-Brute-Force-Events	event4_honeypot_brute_force
Honeypot-Darknet	event4_honeypot_darknet
HTTP-Scanners	hp_http_scan
ICS-Scanners	hp_ics_scan
IP-Spoofer-Events	event4_ip_spoofer
NTP-Monitor	scan_ntpmonitor
NTP-Version	scan_ntp
Open-Chargen	scan_chargen
Open-DB2-Discovery-Service	scan_db2
Open-Elasticsearch	scan_elasticsearch
Open-IPMI	scan_ipmi
Open-IPP	scan_ipp
Open-LDAP	scan_ldap
Open-LDAP-TCP	scan_ldap_tcp
Open-mDNS	scan_mdns
Open-Memcached	scan_memcached
Open-MongoDB	scan_mongodb
Open-MQTT	scan_mqtt
Open-MSSQL	scan_mssql
Open-NATPMP	scan_nat_pmp
Open-NetBIOS-Nameservice	scan_netbios
Open-Netis	netis_router
Open-Portmapper	scan_portmapper
Open-QOTD	scan_qotd
Open-Redis	scan_redis
Open-SNMP	scan_snmp
Open-SSDP	scan_ssdp
Open-TFTP	scan_tftp
Open-XDMCP	scan_xdmcp
Outdated-DNSSEC-Key	outdated_dnssec_key
Outdated-DNSSEC-Key-IPv6	outdated_dnssec_key_v6
Sandbox-URL	cwsandbox_url
Sinkhole-DNS	sinkhole_dns
Sinkhole-Events	event4_sinkhole/event6_sinkhole
Sinkhole-HTTP-Events	event4_sinkhole_http/event6_sinkhole_http
Sinkhole-Events-HTTP-Referer	event4_sinkhole_http_referer/event6_sinkhole_http_referer
Spam-URL	spam_url
SSL-FREAK-Vulnerable-Servers	scan_ssl_freak
SSL-POODLE-Vulnerable-Servers	scan_ssl_poodle
Vulnerable-Exchange-Server *	scan_exchange
Vulnerable-ISAKMP	scan_isakmp
Vulnerable-HTTP	scan_http

feed name	successor feed name	file name
Amplification-DDoS-Victim	Honeypot-Amplification-DDoS-Events	`ddos_amplification`
CAIDA-IP-Spoofer	IP-Spoofer-Events	`caida_ip_spoofer`
Darknet	Honeypot-Darknet	`darknet`
Drone	Sinkhole-Events	`botnet_drone`
Drone-Brute-Force	Honeypot-Brute-Force-Events, Sinkhole-HTTP-Events	`drone_brute_force`
Microsoft-Sinkhole	Sinkhole-HTTP-Events	`microsoft_sinkhole`
Sinkhole-HTTP-Drone	Sinkhole-HTTP-Events	`sinkhole_http_drone`
IPv6-Sinkhole-HTTP-Drone	Sinkhole-HTTP-Events	`sinkhole6_http`

action	match	_default	action_other	filter_match	filter_no_match
keep	✓	✓	✗	✓	✗
keep	✗	✗	✓	✗	✓
drop	✓	✗	✓	✓	✗
drop	✗	✓	✗	✗	✓

Taxonomy	Type	Description
abusive content	spam	Or ‘Unsolicited Bulk Email’, this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content.
abusive-content	harmful-speech	Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.
abusive-content	violence	Child pornography, glorification of violence, etc.
availability	ddos	Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.
availability	dos	Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down.
availability	outage	Outage caused e.g. by air condition failure or natural disaster.
availability	sabotage	Physical sabotage, e.g cutting wires or malicious arson.
fraud	copyright	Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).
fraud	masquerade	Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.
fraud	phishing	Masquerading as another entity in order to persuade the user to reveal private credentials.
fraud	unauthorized-use-of-resources	Using resources for unauthorized purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.
information content security	Unauthorised-information-acces	Unauthorized access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.
information content security	Unauthorised-information-modification	Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data.
information content security	data-loss	Loss of data, e.g. caused by harddisk failure or physical theft.
information content security	dropzone	This IOC refers to place where the compromised machines store the stolen user data. Not in ENISA eCSIRT-II taxonomy.
information content security	leak	IOCs relating to leaked credentials or personal data. Not in ENISA eCSIRT-II taxonomy.
information-gathering	scanner	Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, …), port scanning.
information-gathering	sniffing	Observing and recording of network traffic (wiretapping).
information-gathering	social-engineering	Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.
intrusion attempts	brute-force	Multiple login attempts (Guessing / cracking of passwords, brute force).
intrusion attempts	exploit	An attack using an unknown exploit.
intrusion attempts	ids-alert	IOCs based on a sensor network. This is a generic IOC denomination, should it be difficult to reliably denote the exact type of activity involved for example due to an anecdotal nature of the rule that triggered the alert.
intrusions	application-compromise	Compromise of an application by exploiting (un)known software vulnerabilities, e.g. SQL injection.
intrusions	backdoor	This refers to hosts, which have been compromised and backdoored with a remote administration software or Trojan in the traditional sense. Not in ENISA eCSIRT-II taxonomy.
intrusions	burglary	Physical intrusion, e.g. into corporate building or data center.
intrusions	compromised	This IOC refers to compromised system. Not in ENISA eCSIRT-II taxonomy.
intrusions	defacement	This IOC refers to hacktivism related activity. Not in ENISA eCSIRT-II taxonomy.
intrusions	privileged-account-compromise	Compromise of a system where the attacker gained administrative privileges.
intrusions	unauthorized-command	The possibly infected device sent unauthorized commands to a remote device with malicious intent. Not in ENISA eCSIRT-II taxonomy.
intrusions	unauthorized-login	A possibly infected device logged in to a remote device without authorization. Not in ENISA eCSIRT-II taxonomy.
intrusions	unprivileged-account-compromise	Compromise of a system using an unprivileged (user/service) account.
malicious code	c2server	This is a command and control server in charge of a given number of botnet drones.
malicious code	dga domain	DGA Domains are seen various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. Not in ENISA eCSIRT-II taxonomy.
malicious code	infected-system	This is a compromised machine, which has been observed to make a connection to a command and control server.
malicious code	malware	A URL is the most common resource with reference to malware binary distribution. Not in ENISA eCSIRT-II taxonomy.
malicious code	malware-configuration	This is a resource which updates botnet drones with a new configuration.
malicious code	malware-distribution	URI used for malware distribution, e.g. a download URL included in fake invoice malware spam.
malicious code	ransomware	This IOC refers to a specific type of compromised machine, where the computer has been hijacked for ransom by the criminals. Not in ENISA eCSIRT-II taxonomy and deprecated, use ‘infected system instead’.
other	blacklist	Some sources provide blacklists, which clearly refer to abusive behavior, such as spamming, but fail to denote the exact reason why a given identity has been blacklisted. The reason may be that the justification is anecdotal or missing entirely. This type should only be used if the typing fits the definition of a blacklist, but an event specific denomination is not possible for one reason or another.
other	other	All incidents which don’t fit in one of the given categories should be put into this class.
other	proxy	This refers to the use of proxies from inside your network. Not in ENISA eCSIRT-II taxonomy.
other	tor	This IOC refers to incidents related to TOR network infrastructure. Not in ENISA eCSIRT-II taxonomy.
other	unknown	Unknown classification. Not in ENISA eCSIRT-II taxonomy.
test	test	Meant for testing.
vulnerable	ddos-amplifier	Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.
vulnerable	information-disclosure	Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.
vulnerable	potentially-unwanted-accessible	Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.
vulnerable	vulnerable client	This attribute refers to a badly configured or vulnerable clients, which may be vulnerable and can be compromised by a third party. For example, not-up-to-date clients or client which are misconfigured, such as clients querying public domains for WPAD configurations. In addition, to specify the vulnerability and its potential abuse, one should use the classification.identifier, description and other attributes for that purpose respectively. Not in ENISA eCSIRT-II taxonomy.
vulnerable	vulnerable service	This attribute refers to a badly configured or vulnerable network service, which may be abused by a third party. For example, these services relate to open proxies, open dns resolvers, network time servers (NTP) or character generation services (chargen), simple network management services (SNMP). In addition, to specify the network service and its potential abuse, one should use the protocol, destination port and description attributes for that purpose respectively. Not in ENISA eCSIRT-II taxonomy.
vulnerable	vulnerable-system	A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, etc.
vulnerable	weak-crypto	Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.

Type	Source	Destination	Local	Possible identifiers
backdoor	backdoored device
blacklist	blacklisted device
brute-force	attacker	target
c2server	(sinkholed) c&c server			zeus, palevo, feodo
compromised	server
ddos	attacker	target
defacement	defaced website
dga domain	infected device
dropzone	server hosting stolen data
exploit	hosting server
ids-alert	triggering device
infected system	infected device	contacted c2c server
malware	infected device		internal at source	zeus, palevo, feodo
malware configuration	infected device
other
phishing	phishing website
proxy	server allowing policy and security bypass
ransomware	infected device
scanner	scanning device	scanned device		http,modbus,wordpress
spam	infected device	targeted server	internal at source
test
unknown
vulnerable service	vulnerable device			heartbleed, openresolver, snmp
vulnerable client	vulnerable device			wpad

Category	Key	Terminology
Feed	feed	Should
Classification	classification.type	Should
Classification	classification.taxonomy	Should
Time	time.source	Should
Time	time.observation	Should
Identity	source.ip	Should*
Identity	source.fqdn	Should*
Identity	source.url	Should*
Identity	source.account	Should*

Section	Name	Type	Description
Classification	classification.identifier	String	The lowercase identifier defines the actual software or service (e.g. `heartbleed` or `ntp_version`) or standardized malware name (e.g. `zeus`). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.
Classification	classification.taxonomy	LowercaseString	We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to a an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. For more information about check ENISA taxonomies.
Classification	classification.type	ClassificationType	The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid type explosion, which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.
	comment	String	Free text commentary about the abuse event inserted by an analyst.
Destination	destination.abuse_contact	LowercaseString	Abuse contact for destination address. A comma separated list.
Destination	destination.account	String	An account name or email address, which has been identified to relate to the destination of an abuse event.
Destination	destination.allocated	DateTime	Allocation date corresponding to BGP prefix.
Destination	destination.as_name	String	The autonomous system name to which the connection headed.
Destination	destination.asn	ASN	The autonomous system number to which the connection headed.
Destination	destination.domain_suffix	FQDN	The suffix of the domain from the public suffix list.
Destination	destination.fqdn	FQDN	A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.
Destination Geolocation	destination.geolocation.cc	UppercaseString	Country-Code according to ISO3166-1 alpha-2 for the destination IP.
Destination Geolocation	destination.geolocation.city	String	Some geolocation services refer to city-level geolocation.
Destination Geolocation	destination.geolocation.country	String	The country name derived from the ISO3166 country code (assigned to cc field).
Destination Geolocation	destination.geolocation.latitude	Float	Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.
Destination Geolocation	destination.geolocation.longitude	Float	Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.
Destination Geolocation	destination.geolocation.region	String	Some geolocation services refer to region-level geolocation.
Destination Geolocation	destination.geolocation.state	String	Some geolocation services refer to state-level geolocation.
Destination	destination.ip	IPAddress	The IP which is the target of the observed connections.
Destination	destination.local_hostname	String	Some sources report a internal hostname within a NAT related to the name configured for a compromized system
Destination	destination.local_ip	IPAddress	Some sources report a internal (NATed) IP address related a compromized system. N.B. RFC1918 IPs are OK here.
Destination	destination.network	IPNetwork	CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.
Destination	destination.port	Integer	The port to which the connection headed.
Destination	destination.registry	Registry	The IP registry a given ip address is allocated by.
Destination	destination.reverse_dns	FQDN	Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.
Destination	destination.tor_node	Boolean	If the destination IP was a known tor node.
Destination	destination.url	URL	A URL denotes on IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.
Destination	destination.urlpath	String	The path portion of an HTTP or related network request.
Event_Description	event_description.target	String	Some sources denominate the target (organization) of a an attack.
Event_Description	event_description.text	String	A free-form textual description of an abuse event.
Event_Description	event_description.url	URL	A description URL is a link to a further description of the the abuse event in question.
	event_hash	UppercaseString	Computed event hash with specific keys and values that identify a unique event. At present, the hash should default to using the SHA1 function. Please note that for an event hash to be able to match more than one event (deduplication) the receiver of an event should calculate it based on a minimal set of keys and values present in the event. Using for example the observation time in the calculation will most likely render the checksum useless for deduplication purposes.
	extra	JSONDict	All anecdotal information, which cannot be parsed into the data harmonization elements. E.g. os.name, os.version, etc. Note: this is only intended for mapping any fields which can not map naturally into the data harmonization. It is not intended for extending the data harmonization with your own fields.
Feed	feed.accuracy	Accuracy	A float between 0 and 100 that represents how accurate the data in the feed is
Feed	feed.code	String	Code name for the feed, e.g. DFGS, HSDAG etc.
Feed	feed.documentation	String	A URL or hint where to find the documentation of this feed.
Feed	feed.name	String	Name for the feed, usually found in collector bot configuration.
Feed	feed.provider	String	Name for the provider of the feed, usually found in collector bot configuration.
Feed	feed.url	URL	The URL of a given abuse feed, where applicable
Malware Hash	malware.hash.md5	String	A string depicting an MD5 checksum for a file, be it a malware sample for example.
Malware Hash	malware.hash.sha1	String	A string depicting a SHA1 checksum for a file, be it a malware sample for example.
Malware Hash	malware.hash.sha256	String	A string depicting a SHA256 checksum for a file, be it a malware sample for example.
Malware	malware.name	LowercaseString	The malware name in lower case.
Malware	malware.version	String	A version string for an identified artifact generation, e.g. a crime-ware kit.
Misp	misp.attribute_uuid	LowercaseString	MISP - Malware Information Sharing Platform & Threat Sharing UUID of an attribute.
Misp	misp.event_uuid	LowercaseString	MISP - Malware Information Sharing Platform & Threat Sharing UUID.
	output	JSON	Event data converted into foreign format, intended to be exported by output plugin.
Protocol	protocol.application	LowercaseString	e.g. vnc, ssh, sip, irc, http or smtp.
Protocol	protocol.transport	LowercaseString	e.g. tcp, udp, icmp.
	raw	Base64	The original line of the event from encoded in base64.
	rtir_id	Integer	Request Tracker Incident Response ticket id.
	screenshot_url	URL	Some source may report URLs related to a an image generated of a resource without any metadata. Or an URL pointing to resource, which has been rendered into a webshot, e.g. a PNG image and the relevant metadata related to its retrieval/generation.
Source	source.abuse_contact	LowercaseString	Abuse contact for source address. A comma separated list.
Source	source.account	String	An account name or email address, which has been identified to relate to the source of an abuse event.
Source	source.allocated	DateTime	Allocation date corresponding to BGP prefix.
Source	source.as_name	String	The autonomous system name from which the connection originated.
Source	source.asn	ASN	The autonomous system number from which originated the connection.
Source	source.domain_suffix	FQDN	The suffix of the domain from the public suffix list.
Source	source.fqdn	FQDN	A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.
Source Geolocation	source.geolocation.cc	UppercaseString	Country-Code according to ISO3166-1 alpha-2 for the source IP.
Source Geolocation	source.geolocation.city	String	Some geolocation services refer to city-level geolocation.
Source Geolocation	source.geolocation.country	String	The country name derived from the ISO3166 country code (assigned to cc field).
Source Geolocation	source.geolocation.cymru_cc	UppercaseString	The country code denoted for the ip by the Team Cymru asn to ip mapping service.
Source Geolocation	source.geolocation.geoip_cc	UppercaseString	MaxMind Country Code (ISO3166-1 alpha-2).
Source Geolocation	source.geolocation.latitude	Float	Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.
Source Geolocation	source.geolocation.longitude	Float	Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.
Source Geolocation	source.geolocation.region	String	Some geolocation services refer to region-level geolocation.
Source Geolocation	source.geolocation.state	String	Some geolocation services refer to state-level geolocation.
Source	source.ip	IPAddress	The ip observed to initiate the connection
Source	source.local_hostname	String	Some sources report a internal hostname within a NAT related to the name configured for a compromised system
Source	source.local_ip	IPAddress	Some sources report a internal (NATed) IP address related a compromised system. N.B. RFC1918 IPs are OK here.
Source	source.network	IPNetwork	CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.
Source	source.port	Integer	The port from which the connection originated.
Source	source.registry	Registry	The IP registry a given ip address is allocated by.
Source	source.reverse_dns	FQDN	Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.
Source	source.tor_node	Boolean	If the source IP was a known tor node.
Source	source.url	URL	A URL denotes an IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.
Source	source.urlpath	String	The path portion of an HTTP or related network request.
	status	String	Status of the malicious resource (phishing, dropzone, etc), e.g. online, offline.
Time	time.observation	DateTime	The time the collector of the local instance processed (observed) the event.
Time	time.source	DateTime	The time of occurrence of the event as reported the feed (source).
	tlp	TLP	Traffic Light Protocol level of the event.

IntelMQ¶

User guide¶

Introduction¶

About¶

Usage¶

IntelMQ Manager¶

Contribute¶