intelmq.bots.experts.threshold package

Submodules

intelmq.bots.experts.threshold.expert module

Threshold value expert bot

SPDX-FileCopyrightText: 2020 Linköping University <https://liu.se/> SPDX-License-Identifier: AGPL-3.0-or-later

Given a stream of messages, this bot will let through only the single one that makes the count of similar messages go above a threshold value.

This bot is not multiprocessing safe. Do not run more than one instance on the same Redis cache database.

param redis_cache_host

string

param redis_cache_port

int

param redis_cache_db

int

param redis_cache_password

string. default: {None}

param filter_type

string [“whitelist”, “blacklist”], when determining whether two messages are similar, consider either only the named fields, or all but the named fields (time.observation is always ignored).

param bypass

boolean default: False

param filter_keys

list of strings, keys to exclude or include when determining whether messages are similar. time.observation is always ignored.

param threshold

int, number of messages after which one is sent on. As long as the count is above the threshold, no new messages will be sent.

param timeout

int, number of seconds to keep counts of similar messages. After this many seconds have elapsed, the count is deleted and “threshold” number of new messages will result in a new message being sent.

param add_keys

optional, array of strings to strings, keys to add to forwarded messages. Regardless of this setting, the field “extra.count” will be set to the number of messages seen (which will be the threshold value).

intelmq.bots.experts.threshold.expert.BOT

alias of intelmq.bots.experts.threshold.expert.ThresholdExpertBot

class intelmq.bots.experts.threshold.expert.ThresholdExpertBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: Optional[bool] = None)

Bases: intelmq.lib.bot.Bot, intelmq.lib.mixins.cache.CacheMixin

Check if the number of similar messages during a specified time interval exceeds a set value

add_keys: dict = {'comment': 'Threshold reached'}
bypass = False
filter_keys: Iterable = ['raw', 'time.observation']
filter_type: str = 'blacklist'
init()
process()
redis_cache_db: int = 11
redis_cache_host: str = '127.0.0.1'
redis_cache_password: Optional[str] = None
redis_cache_port: int = 6379
threshold: int = 100
timeout: int = 3600

Module contents