By default all of the bots are started when you start the whole botnet, however there is a possibility to
disable a bot. This means that the bot will not start every time you start the botnet, but you can start
and stop the bot if you specify the bot explicitly. To disable a bot, add the following to your
runtime.conf
: "enabled": false
. Be aware that this is not a normal parameter (like the others
described in this file). It is set outside of the parameters
object in runtime.conf
. Check the
User-Guide for an example.
Feed parameters: Common configuration options for all collectors
feed
: Name for the feed.code
: Code for the feed.provider
: Name of the provider of the feed.rate_limit
: time interval (in seconds) between messages processing.
HTTP parameters: Common URL fetching parameters used in multiple collectors
http_username
: username for basic authentication.http_password
: password for basic authentication.http_proxy
: proxy to use for httphttps_proxy
: proxy to use for httpshttp_user_agent
: user agent to use for the request.http_verify_cert
: path to trusted CA bundle or directory,false
to ignore verifying SSL certificates, ortrue
(default) to verify SSL certificatesssl_client_certificate
: SSL client certificate to use.http_header
: HTTP request headershttp_timeout
: Seconds for read and connect timeout. Can be one float (applies for both timeouts) or a tuple of two floats. Default: 60 seconds. See also https://requests.readthedocs.io/en/master/user/advanced/#timeouts
name:
intelmq.bots.collectors.http.collector_httplookup:
yespublic:
yescache (redis db):
nonedescription:
collect report messages from remote hosts using http protocol
- Feed parameters (see above)
- HTTP parameters (see above)
http_url
: location of information resource (e.g. https://feodotracker.abuse.ch/blocklist/?download=domainblocklist)
name:
intelmq.bots.collectors.http.collector_http_streamlookup:
yespublic:
yescache (redis db):
nonedescription:
Opens a streaming connection to the URL and sends the received lines.
- Feed parameters (see above)
- HTTP parameters (see above)
http_url
: location of HTTP streaming resourcestrip_lines
: boolean, if single lines should be stripped (removing whitespace from the beginning and the end of the line)
If the stream is interrupted, the connection will be aborted using the timeout parameter. Then, an error will be thrown and rate_limit applies if not null.
name:
intelmq.bots.collectors.mail.collector_mail_urllookup:
yespublic:
yescache (redis db):
nonedescription:
collect messages from mailboxes, extract URLs from that messages and download the report messages from the URLs.
- Feed parameters (see above)
- HTTP parameters (see above)
mail_host
: FQDN or IP of mail servermail_user
: user account of the email accountmail_password
: password associated with the user accountmail_ssl
: whether the mail account uses SSL (default:true
)folder
: folder in which to look for mails (default:INBOX
)subject_regex
: regular expression to look for a subjecturl_regex
: regular expression of the feed URL to search for in the mail body
name:
intelmq.bots.collectors.mail.collector_mail_attachlookup:
yespublic:
yescache (redis db):
nonedescription:
collect messages from mailboxes, download the report messages from the attachments.
- Feed parameters (see above)
mail_host
: FQDN or IP of mail servermail_user
: user account of the email accountmail_password
: password associated with the user accountmail_ssl
: whether the mail account uses SSL (default:true
)folder
: folder in which to look for mails (default:INBOX
)subject_regex
: regular expression to look for a subjectattach_regex
: regular expression of the name of the attachmentattach_unzip
: whether to unzip the attachment (default:true
)
name:
intelmq.bots.collectors.file.collector_filelookup:
yespublic:
yescache (redis db):
nonedescription:
collect messages from a file.
- Feed parameters (see above)
path
: path to filepostfix
: FIXMEdelete_file
: whether to delete the file after reading (default:false
)
name:
intelmq.bots.collectors.misp.collectorlookup:
yespublic:
yescache (redis db):
nonedescription:
collect messages from a MISP server.
- Feed parameters (see above)
misp_url
: url of MISP server (with trailing '/')misp_key
: MISP Authkeymisp_verify
: (default:true
)misp_tag_to_process
: MISP tag for events to be processedmisp_tag_processed
: MISP tag for processed events
name:
intelmq.bots.collectors.rt.collector_rtlookup:
yespublic:
yescache (redis db):
nonedescription:
Request Tracker Collector fetches attachments from an RTIR instance and optionally decrypts them with gnupg.
- Feed parameters (see above)
- HTTP parameters (see above)
uri
: url of the REST interface of the RTuser
: RT usernamepassword
: RT passwordsearch_owner
: owner of the ticket to search for (default:nobody
)search_queue
: queue of the ticket to search for (default:Incident Reports
)search_status
: status of the ticket to search for (default:new
)search_subject_like
: part of the subject of the ticket to search for (default:Report
)set_status
: status to set the ticket to after processing (default:open
)take_ticket
: whether to take the ticket (default:true
)url_regex
: regular expression of an URL to search for in the ticketattachment_regex
: regular expression of an attachment in the ticketunzip_attachment
: whether to unzip a found attachment
name:
intelmq.bots.collectors.xmpp.collectorlookup:
yespublic:
yescache (redis db):
nonedescription:
This bot can connect to an XMPP Server and one room, in order to receive reports from it. TLS is used by default. rate_limit is ineffective here. Bot can either pass the body or the whole event.
- Feed parameters (see above)
xmpp_server
: FIXMExmpp_user
: FIXMExmpp_password
: FIXMExmpp_room
: FIXMExmpp_room_nick
: FIXMExmpp_room_passsword
: FIXMEca_certs
: FIXME (default:/etc/ssl/certs/ca-certificates.crt
)strip_message
: FIXME (default:true
)pass_full_xml
: FIXME (default:false
)
name:
intelmq.bots.collectors.alienvault_otx.collectorlookup:
yespublic:
yescache (redis db):
nonedescription:
collect report messages from Alien Vault OTX API
- Feed parameters (see above)
api_key
: location of information resource (e.g. FIXME)
name:
lookup:
public:
cache (redis db):
description:
<parameter>
: <text>
name:
abusixlookup:
dnspublic:
yescache (redis db):
5description:
FIXMEnotes
: https://abusix.com/contactdb.html
FIXME
name:
ASN lookuplookup:
local databasepublic:
yescache (redis db):
nonedescription:
IP to ASN
FIXME
name:
certat-contactlookup:
httpspublic:
yescache (redis db):
nonedescription:
https://contacts.cert.at offers an IP address to national CERT contact (and cc) mapping. See https://contacts.cert.at for more info.
filter
: (true/false) act as a a filter for AT.overwrite_cc
: set to true if you want to overwrite any potentially existing cc fields in the event.
name:
cymru-whoislookup:
cymru dnspublic:
yescache (redis db):
5description:
IP to geolocation, ASN, BGP prefix
FIXME
name:
deduplicatorlookup:
redis cachepublic:
yescache (redis db):
6description:
message deduplicator
Please check this README file.
name:
filterlookup:
nonepublic:
yescache (redis db):
nonedescription:
filter messages (drop or pass messages) FIXME
FIXME
name:
maxmind-geoiplookup:
local databasepublic:
yescache (redis db):
nonedescription:
IP to geolocation
FIXME
name:
reverse-dnslookup:
dnspublic:
yescache (redis db):
8description:
IP to domain
FIXME
name:
ripencc-abuse-contactlookup:
https apipublic:
yescache (redis db):
9description:
IP to abuse contact
FIXME
name:
taxonomylookup:
local configpublic:
yescache (redis db):
nonedescription:
use eCSIRT taxonomy to classify events (classification type to classification taxonomy)
FIXME
name:
tor-nodeslookup:
local databasepublic:
yescache (redis db):
nonedescription:
check if IP is tor node
FIXME
name:
modifylookup:
local configpublic:
yescache (redis db):
nonedescription:
modify expert bot allows you to change arbitrary field values of events just using a configuration file
The modify expert bot allows you to change arbitrary field values of events just using a configuration file. Thus it is possible to adapt certain values or adding new ones only by changing JSON-files without touching the code of many other bots.
The configuration is called modify.conf
and looks like this:
[
{
"rulename": "Standard Protocols http",
"if": {
"source.port": "^(80|443)$"
},
"then": {
"protocol.application": "http"
}
},
{
"rule": "Spamhaus Cert conficker",
"if": {
"malware.name": "^conficker(ab)?$"
},
"then": {
"classification.identifier": "conficker"
}
},
{
"rule": "bitdefender",
"if": {
"malware.name": "bitdefender-(.*)$"
},
"then": {
"malware.name": "{matches[malware.name][1]}"
}
},
{
"rule": "urlzone",
"if": {
"malware.name": "^urlzone2?$"
},
"then": {
"classification.identifier": "urlzone"
}
},
{
"rule": "default",
"if": {
"feed.name": "^Spamhaus Cert$"
},
"then": {
"classification.identifier": "{msg[malware.name]}"
}
}
]
In our example above we have five groups labeled Standard Protocols http
,
Spamhaus Cert conficker
, bitdefender
, urlzone
and default
.
All sections will be considered, in the given order (from top to bottom).
Each rule consists of conditions and actions. Conditions and actions are dictionaries holding the field names of events and regex-expressions to match values (selection) or set values (action). All matching rules will be applied in the given order. The actions are only performed if all selections apply.
If the value for a condition is an empty string, the bot checks if the field does not exist. This is useful to apply default values for empty fields.
You can set the value of the field to a string literal or number.
In addition you can use the standard Python string format syntax
to access the values from the processed event as msg
and the match groups
of the conditions as matches
, see the bitdefender example above.
Note that matches
will also contain the match groups
from the default conditions if there were any.
We have an event with feed.name = Spamhaus Cert
and malware.name = confickerab
. The expert loops over all sections in the file and eventually enters section Spamhaus Cert
. First, the default condition is checked, it matches! Ok, going on. Otherwise the expert would have selected a different section that has not yet been considered. Now, go through the rules, until we hit the rule conficker
. We combine the conditions of this rule with the default conditions, and both rules match! So we can apply the action: classification.identifier
is set to conficker
, the trivial name.
Assume we have an event with feed.name = Spamhaus Cert
and malware.name = feodo
. The default condition matches, but no others. So the default action is applied. The value for classification.identifier
will be set to feodo
by {msg[malware.name]}
.
If the rule is a string, a regex-search is performed, also for numeric values (str()
is called on them). If the rule is numeric for numeric values, a simple comparison is done. If other types are mixed, a warning will be thrown.
name:
filelookup:
nopublic:
yescache (redis db):
nonedescription:
output messages (reports or events) to file
file
: file path of output file
name:
mongodblookup:
nopublic:
yescache (redis db):
nonedescription:
MongoDB is the bot responsible to send events to a MongoDB database
collection
: MongoDB collectiondatabase
: MongoDB databasehost
: MongoDB host (FQDN or IP)port
: MongoDB porthierarchical_output
: Boolean (default true) as mongodb does not allow saving keys with dots, we split the dictionay in sub-dictionaries.
pip3 install pymongo>=2.7.1
name:
postgresqllookup:
nopublic:
yescache (redis db):
nonedescription:
PostgreSQL is the bot responsible to send events to a PostgreSQL Databasenotes
: When activating autocommit, transactions are not used: http://initd.org/psycopg/docs/connection.html#connection.autocommit
The parameters marked with 'PostgreSQL' will be sent to libpq via psycopg2. Check the [libpq parameter documentation] (https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS) for the versions you are using.
autocommit
: psycopg's autocommit mode, optional, default Trueconnect_timeout
: PostgreSQL connect_timeout, optional, default 5 secondsdatabase
: PostgreSQL databasehost
: PostgreSQL hostport
: PostgreSQL portuser
: PostgreSQL userpassword
: PostgreSQL passwordsslmode
: PostgreSQL sslmodetable
: name of the database table into which events are to be inserted
See REQUIREMENTS.txt from your installation.
See outputs/postgresql/README.md from your installation.
name:
restapilookup:
nopublic:
yescache (redis db):
nonedescription:
REST API is the bot responsible to send events to a REST API listener through POST
auth_token
: the user name / http header keyauth_token_name
: the password / http header valueauth_type
: one of:"http_basic_auth"
,"http_header"
hierarchical_output
: booleanhost
: destination URLuse_json
: boolean
name:
tcplookup:
nopublic:
yescache (redis db):
nonedescription:
TCP is the bot responsible to send events to a tcp port (Splunk, ElasticSearch, etc..)
ip
: IP of destination serverhierarchical_output
: true for a nested JSON, false for a flat JSON.port
: port of destination serverseparator
: separator of messages