intelmq.bots.experts.idea package

Submodules

intelmq.bots.experts.idea.expert module

IDEA classification: https://idea.cesnet.cz/en/classifications

intelmq.bots.experts.idea.expert.BOT

alias of IdeaExpertBot

class intelmq.bots.experts.idea.expert.IdeaExpertBot(*args, **kwargs)

Bases: ExpertBot

Convert events into the IDEA format

TYPE_TO_CATEGORY = {'application-compromise': 'Intrusion.AppCompromise', 'blacklist': 'Other', 'brute-force': 'Attempt.Login', 'burglary': 'Intrusion', 'c2-server': 'Intrusion.Botnet', 'copyright': 'Fraud.Copyright', 'data-leak': 'Information', 'data-loss': 'Information', 'ddos': 'Availability.DDoS', 'ddos-amplifier': 'Intrusion.Botnet', 'dga-domain': 'Anomaly.Behaviour', 'dos': 'Availability.DoS', 'exploit': 'Attempt.Exploit', 'harmful-speech': 'Abusive.Harassment', 'ids-alert': 'Attempt.Exploit', 'infected-system': 'Malware', 'information-disclosure': 'Information.UnauthorizedAccess', 'malware': 'Malware', 'malware-configuration': 'Malware', 'malware-distribution': 'Malware', 'masquerade': 'Fraud.Scam', 'misconfiguration': 'Availability.Outage', 'other': 'Other', 'outage': 'Availability.Outage', 'phishing': 'Fraud.Phishing', 'potentially-unwanted-accessible': 'Vulnerable.Open', 'privileged-account-compromise': 'Intrusion.AdminCompromise', 'proxy': 'Vulnerable.Config', 'sabotage': 'Availability.Sabotage', 'scanner': 'Recon.Scanning', 'sniffing': 'Recon.Sniffing', 'social-engineering': 'Recon.SocialEngineering', 'spam': 'Abusive.Spam', 'system-compromise': 'Intrusion.AdminCompromise', 'test': 'Test', 'tor': 'Other', 'unauthorised-information-access': 'Information.UnauthorizedAccess', 'unauthorised-information-modification': 'Information.UnauthorizedModification', 'unauthorized-use-of-resources': 'Fraud.UnauthorizedUsage', 'undetermined': 'Other', 'unprivileged-account-compromise': 'Intrusion.UserCompromise', 'violence': 'Abusive.Violence', 'vulnerable-system': 'Vulnerable.Config', 'weak-crypto': 'Vulnerable.Config'}
TYPE_TO_SOURCE_TYPE = {'c2-server': 'CC', 'dga-domain': 'DGA', 'malware-configuration': 'MalwareConf', 'malware-distribution': 'Malware', 'phishing': 'Phishing', 'proxy': 'Proxy', 'tor': 'Tor'}
get_value(src, value)
init()
process()
process_dict(src, description)
process_list(src, description)
test_mode: bool = False
intelmq.bots.experts.idea.expert.addr4(s)
intelmq.bots.experts.idea.expert.addr6(s)
intelmq.bots.experts.idea.expert.quot(s)

Module contents