certtools / intelmq

IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol.
https://docs.intelmq.org/latest/
GNU Affero General Public License v3.0

Shadowserver API bot #2493

Closed kodebrain closed 2 months ago

kodebrain commented 2 months ago

Hi,

By default, the bot seems to download a set of reports covering a four-day span (e.g., from "2024-02-26" to "2024-02-29"). However, I have specific requirements regarding the types of reports and the dates for which I need the data.

Could you please guide me on how to customise the bot's configuration to download only specific types of reports for a specific date or based on the current date? For example, if I am interested in fetching only the 'sinkhole', 'http_scan', 'compromised-website', 'honeypot_ddos' reports for the current date.

Thank you

kamil-certat commented 2 months ago

@elsif2 Could you please have a look at this? I have also got a similar report through private channels (I didn't have time to dig into it yet).

elsif2 commented 2 months ago

The bot downloads the latest reports by checking the past two days for availability and downloads only those that have not been fetched previously.

You can specify the types of reports to download using the types option.

kodebrain commented 2 months ago

Thanks @elsif2. I've been attempting to configure the bot to selectively download subsets of scan reports, instead of pulling all the reports for type scan, which can contain 1M plus events. Can it be filtered to download a specific set of reports, for example scan_ssl, scan6_ssl, scan_rdpeudp, scan_http, scan6_http, etc.? The specific report types I've defined in the configuration don't seem to be filtering as expected. Could you offer any advice on how to effectively target these report types in the bot's settings?

elsif2 commented 2 months ago

What parameters do you have configured for the collector?

Example:

    parameters:
        types: [scan_ssl, scan6_ssl, scan_rdpeudp, scan_http]

kodebrain commented 2 months ago

Yes, that's how I defined them, but when I did it that way, it did not download any data, so I have to apply only scan in the types field, which isn't ideal as it downloads an overwhelming volume of reports.

elsif2 commented 2 months ago

The following config only downloads the blocklist and scan_rdpeudp types on my system:

    parameters:
        types: [blocklist, scan_rdpeudp]

What version of IntelMQ are you running?

kodebrain commented 2 months ago
    intelmqctl --version
    3.3.0

    ShadowServerAPI-Collector:
      bot_id: ShadowServerAPI-Collector
      enabled: true
      group: Collector
      module: intelmq.bots.collectors.shadowserver.collector_reports_api
      name: ShadowServerAPI
      parameters:
        api_key: "$API_KEY_received_from_the_shadowserver_foundation"
        bottype: Collector
        destination_queues:
          _default: [Shadowserver-Parser-queue]
        http_header: {}
        provider: Shadowserver
        rate_limit: 86400
        reports: null
        secret: "$SECRET_received_from_the_shadowserver_foundation"
        types: blocklist
      run_mode: continuous

Even when the types was set to blocklist, it still downloaded all scan reports. I will do some testing over the next few days and see if anything changes. The reports field: not sure what values should go in there or if it can be left as null.

elsif2 commented 2 months ago

The types parameter must be a list:

    parameters:
        types: [blocklist]
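As an added illustration of the selection logic described in this thread (two-day lookback, skipping already fetched reports, filtering by a list of types), and not IntelMQ's own collector code: the example below rejects the scalar form `types: blocklist` outright, and the report records, field names and the prefix matching rule (a family name such as `scan` covering every `scan_*` report) are assumptions, not the real Shadowserver API schema.

```python
from datetime import date, timedelta

# Constructed sample of a report listing (field names are an assumption,
# not the real Shadowserver API schema).
SAMPLE_REPORTS = [
    {"id": "r1", "type": "blocklist", "timestamp": "2024-02-28"},
    {"id": "r2", "type": "scan_rdpeudp", "timestamp": "2024-02-28"},
    {"id": "r3", "type": "scan_ssl", "timestamp": "2024-02-29"},
    {"id": "r4", "type": "scan6_http", "timestamp": "2024-02-29"},
    {"id": "r5", "type": "blocklist", "timestamp": "2024-02-29"},
    {"id": "r6", "type": "blocklist", "timestamp": "2024-02-20"},
]


def normalize_types(types):
    """Return the configured report types as a list of strings.

    A bare scalar such as ``types: blocklist`` is rejected outright rather
    than being silently treated as an iterable of characters.
    """
    if types is None:
        return []
    if isinstance(types, str):
        raise ValueError("'types' must be a YAML list, e.g. types: [blocklist]")
    return [str(t) for t in types]


def type_matches(report_type, wanted):
    """Assumed matching rule: an exact type name, or a family prefix such as
    'scan' that covers every 'scan_*' report."""
    return any(report_type == w or report_type.startswith(w + "_") for w in wanted)


def select_reports(reports, types, today, already_fetched, lookback_days=2):
    """Return ids of reports to download: wanted type, dated within the last
    ``lookback_days`` days (today inclusive), and not fetched before.
    An empty or None ``types`` selects every type in the window."""
    wanted = normalize_types(types)
    start = date.fromisoformat(today)
    window = {(start - timedelta(days=d)).isoformat() for d in range(lookback_days)}
    chosen = []
    for report in reports:
        if report["timestamp"] not in window or report["id"] in already_fetched:
            continue
        if wanted and not type_matches(report["type"], wanted):
            continue
        chosen.append(report["id"])
    return chosen
```

With `types` left as None the filter selects every report in the window, which is why an unset or mis-typed value can look like "it downloaded everything".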