intelmq.bots.parsers.dataplane package

Submodules

intelmq.bots.parsers.dataplane.parser module

IntelMQ Dataplane Parser

intelmq.bots.parsers.dataplane.parser.BOT

alias of intelmq.bots.parsers.dataplane.parser.DataplaneParserBot

class intelmq.bots.parsers.dataplane.parser.DataplaneParserBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: Optional[bool] = None)

Bases: intelmq.lib.bot.ParserBot

Parse the Dataplane feeds

CATEGORY = {
    'sipinvitation': {
        'classification.type': 'brute-force',
        'event_description.text': 'Address has been seen initiating a SIP INVITE operation to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SIP client cataloging or conducting various forms of telephony abuse.',
        'protocol.application': 'sip'},
    'sipquery': {
        'classification.type': 'brute-force',
        'event_description.text': 'Address has been seen initiating a SIP OPTIONS query to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SIP server cataloging or conducting various forms of telephony abuse.',
        'protocol.application': 'sip'},
    'sipregistration': {
        'classification.type': 'brute-force',
        'event_description.text': 'Address has been seen initiating a SIP REGISTER operation to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SIP client cataloging or conducting various forms of telephony abuse.',
        'protocol.application': 'sip'},
    'sshclient': {
        'classification.type': 'scanner',
        'event_description.text': 'Address has been seen initiating an SSH connection to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SSH server cataloging or conducting authentication attack attempts.',
        'protocol.application': 'ssh'},
    'sshpwauth': {
        'classification.type': 'brute-force',
        'event_description.text': 'Address has been seen attempting to remotely login to a host using SSH password authentication. The source report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.',
        'protocol.application': 'ssh'},
}

FILE_FORMAT = [
    ('source.asn', <function DataplaneParserBot.<lambda>>),
    ('source.as_name', <function DataplaneParserBot.<lambda>>),
    ('source.ip', <function DataplaneParserBot.<lambda>>),
    ('time.source', <function DataplaneParserBot.<lambda>>),
]
parse_line(line, report)

A generator which can yield one or more messages contained in line.

The report carries the full message, so metadata (such as feed name and fetch time) is available while parsing. Override this method for your own feed format.
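The following is an added, stand-alone illustration of what this parser does with one feed line; it is not IntelMQ's own code. It assumes Dataplane's pipe-separated column layout (ASN | ASname | ipaddr | lastseen | category), keeps only classification.type and protocol.application from the CATEGORY table above, and uses constructed sample lines.

```python
from datetime import datetime, timezone
from typing import Optional

# Subset of the page's CATEGORY table (event_description.text omitted).
CATEGORY = {
    'sipinvitation':   {'classification.type': 'brute-force', 'protocol.application': 'sip'},
    'sipquery':        {'classification.type': 'brute-force', 'protocol.application': 'sip'},
    'sipregistration': {'classification.type': 'brute-force', 'protocol.application': 'sip'},
    'sshclient':       {'classification.type': 'scanner',     'protocol.application': 'ssh'},
    'sshpwauth':       {'classification.type': 'brute-force', 'protocol.application': 'ssh'},
}

# Field order taken from FILE_FORMAT on the page. The pipe-separated
# "ASN | ASname | ipaddr | lastseen | category" layout is an assumption here.
FIELDS = ['source.asn', 'source.as_name', 'source.ip', 'time.source']


def parse_dataplane_line(line: str) -> Optional[dict]:
    """Return an IntelMQ-style event dict for one feed line, None for blank
    or comment lines, and raise ValueError on malformed input."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    columns = [c.strip() for c in line.split('|')]
    if len(columns) != len(FIELDS) + 1:
        raise ValueError(f'expected {len(FIELDS) + 1} columns, got {len(columns)}')
    *values, category = columns
    if category not in CATEGORY:
        raise ValueError(f'unknown Dataplane category: {category!r}')
    event = dict(zip(FIELDS, values))
    event['source.asn'] = int(event['source.asn'])
    # The feed timestamp carries no zone; treat it as UTC so downstream
    # bots receive an unambiguous ISO-8601 value.
    ts = datetime.strptime(event['time.source'], '%Y-%m-%d %H:%M:%S')
    event['time.source'] = ts.replace(tzinfo=timezone.utc).isoformat()
    event.update(CATEGORY[category])
    return event


# Constructed sample feed, not real Dataplane data.
SAMPLE = """# ASN | ASname | ipaddr | lastseen | category
64496 | EXAMPLE-AS | 192.0.2.10 | 2023-05-01 12:34:56 | sshpwauth
64497 | EXAMPLE-AS2 | 198.51.100.7 | 2023-05-01 13:00:00 | sipquery
"""


def parse_feed(text: str) -> list:
    """Parse every line of a feed, skipping blanks and comments."""
    return [e for e in (parse_dataplane_line(l) for l in text.splitlines()) if e]
```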

Module contents