kodebrain closed this 2 months ago
@elsif2 Could you please have a look at this? I have also received a similar report through private channels (I haven't had time to dig into it yet).
The bot downloads the latest reports by checking the past two days for availability and downloads only those that have not been fetched previously.
You can specify the types of reports to download using the types option.
Thanks @elsif2
I've been attempting to configure the bot to selectively download subsets of scan reports, instead of pulling all the reports for type scan, which can contain 1M plus events. Can it be filtered to download a specific set of reports, for example scan_ssl, scan6_ssl, scan_rdpeudp, scan_http, scan6_http, etc.?
The specific report types I've defined in the configuration don't seem to be filtering as expected.
Could you offer any advice on how to effectively target these report types in the bot's settings?
What parameters do you have configured for the collector?
Example:
    parameters:
      types: [scan_ssl, scan6_ssl, scan_rdpeudp, scan_http]
Yes, that's how I defined them, but when I did it that way it did not download any data, so I had to put only scan in the types field, which isn't ideal as it downloads an overwhelming volume of reports.
The following config only downloads the blocklist and scan_rdpeudp types on my system:
    parameters:
      types: [blocklist, scan_rdpeudp]
What version of IntelMQ are you running?
    intelmqctl --version
    3.3.0
    ShadowServerAPI-Collector:
      bot_id: ShadowServerAPI-Collector
      enabled: true
      group: Collector
      module: intelmq.bots.collectors.shadowserver.collector_reports_api
      name: ShadowServerAPI
      parameters:
        api_key: "$API_KEY_received_from_the_shadowserver_foundation"
        bottype: Collector
        destination_queues:
          _default: [Shadowserver-Parser-queue]
        http_header: {}
        provider: Shadowserver
        rate_limit: 86400
        reports: null
        secret: "$SECRET_received_from_the_shadowserver_foundation"
        types: blocklist
      run_mode: continuous
Even when types was set to blocklist, it still downloaded all scan reports. I will do some testing over the next few days and see if anything changes. As for the reports field, I'm not sure what values should go in there or whether it can be left as null.
The types parameter must be a list:
    parameters:
      types: [blocklist]
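To make the two points from this thread concrete (a bare scalar such as `types: blocklist` loads as a string rather than a one-element list, and the bot looks back over the past two days and skips reports already fetched), here is an added example in Python. It is not IntelMQ's or the Shadowserver collector's own code. The function names `types_problem` and `select_reports`, the `(report_id, report_type, report_date)` tuple shape for the listing, and the reading of "past two days" as today plus yesterday are all assumptions made for this example, and the sample report entries are constructed, not real Shadowserver data.

```python
"""Added example, not IntelMQ's or the Shadowserver collector's own code.

Checks a parsed `parameters:` block the way an operator would before
starting the collector, then applies the selection rule described in the
thread (requested types only, past two days, nothing fetched before).
"""
from datetime import date, timedelta


def types_problem(parameters):
    """Return a description of what is wrong with parameters['types'], or None if usable."""
    types = parameters.get("types")
    if types is None:
        return "parameters.types is missing"
    if isinstance(types, str):
        # This is exactly what `types: blocklist` becomes after YAML parsing.
        return f"parameters.types is the string {types!r}; write it as a list: [{types}]"
    if not isinstance(types, list) or not all(isinstance(t, str) for t in types):
        return "parameters.types must be a list of strings"
    if not types:
        return "parameters.types is an empty list"
    return None


def select_reports(available, types, already_fetched, today, lookback_days=2):
    """Select the report ids to download.

    `available` is a list of (report_id, report_type, report_date) tuples.
    That tuple shape is an assumption made for this example, not the
    Shadowserver reports API's schema. The window is read as today and the
    previous `lookback_days - 1` days (also an assumption).
    """
    window = {today - timedelta(days=i) for i in range(lookback_days)}
    wanted = set(types)
    return [
        report_id
        for report_id, report_type, report_date in available
        if report_type in wanted
        and report_date in window
        and report_id not in already_fetched
    ]


# Constructed sample inputs (not real Shadowserver data).
STRING_FORM = {"types": "blocklist"}                  # YAML: types: blocklist
LIST_FORM = {"types": ["blocklist", "scan_rdpeudp"]}  # YAML: types: [blocklist, scan_rdpeudp]

TODAY = date(2024, 2, 29)
AVAILABLE = [
    ("r1", "blocklist", date(2024, 2, 29)),
    ("r2", "scan_rdpeudp", date(2024, 2, 28)),
    ("r3", "scan_ssl", date(2024, 2, 29)),    # not a requested type
    ("r4", "blocklist", date(2024, 2, 26)),   # outside the two-day window
    ("r5", "blocklist", date(2024, 2, 28)),   # already fetched earlier
]
ALREADY_FETCHED = {"r5"}


def demo():
    """Validate both config forms and return the ids the list form would fetch."""
    assert types_problem(STRING_FORM) is not None
    assert types_problem(LIST_FORM) is None
    return select_reports(AVAILABLE, LIST_FORM["types"], ALREADY_FETCHED, TODAY)


if __name__ == "__main__":
    print("problem with string form:", types_problem(STRING_FORM))
    print("reports to fetch:", demo())
```

Running the check against the string form reports the misconfiguration before any API call is made; with the list form the constructed listing yields only the two reports that are of a requested type, dated within the window, and not yet fetched.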
Hi,
By default, the bot seems to download a set of reports covering a four-day span (e.g., from "2024-02-26" to "2024-02-29"). However, I have specific requirements regarding the types of reports and the dates for which I need the data.
Could you please guide me on how to customise the bot's configuration to download only specific types of reports for a specific date, or based on the current date? For example, if I am interested in fetching only the 'sinkhole', 'http_scan', 'compromised-website' and 'honeypot_ddos' reports for the current date.
Thank you