certtools / intelmq

IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol.
https://docs.intelmq.org/latest/
GNU Affero General Public License v3.0

Add new DataPlane.org VNC RFB feed #941

Open jtkristoff opened 7 years ago

jtkristoff commented 7 years ago

There is a new DataPlane.org feed you may wish to add to your collection of existing DataPlane.org feeds. I had intended to fork and send a pull request with the required changes, but this project requires a fair number of changes to just add one new feed file to the collection. I suspect you may have this automated already so I stopped trying to do it all by hand. The feed in question can be fetched from here:

aaronkaplan commented 7 years ago

Thanks John!

I think we will be able to use the generic csv parser + http collector for this.

On 05 Apr 2017, at 10:47, John Kristoff notifications@github.com wrote:

> There is a new DataPlane.org feed you may wish to add to your collection of existing DataPlane.org feeds. I had intended to fork and send a pull request with the required changes, but this project requires a fair number of changes to just add one new feed file to the collection. I suspect you may have this automated already so I stopped trying to do it all by hand. The feed in question can be fetched from here:
>
> • DataPlane.org VNC RFB feed

jtkristoff commented 7 years ago

You may wish to incorporate three additional new DNS-based feeds along with the original VNC feed request:

ghost commented 7 years ago

See also #384.

Removed the milestone: if someone needs it, please document it, no ETA needed.

> but this project requires a fair number of changes to just add one new feed file to the collection.

What changes do you need? The feed seems easily parseable with our generic csv parser, along with an http collector. So it's just a matter of configuration, which can/should be documented in docs/Feeds.md.

jtkristoff commented 7 years ago

> What changes do you need?

When I look at #808 it looks like a lot of changes and work for a merge. I don't know your project well enough, so I'll let someone else more familiar with intelmq submit a pull request for all that is required. I just wanted to bring to your attention some new feeds if you wanted them.

navtej commented 7 years ago

It is possible to use the generic csv parser to handle dataplane feeds. You can use something similar to

    "default_url_protocol": "http://",
    "skip_header": false,
    "delimiter": "|",
    "columns": "source.asn|__IGNORE__,source.as_name|__IGNORE__,source.ip,time.source,extra.tags"
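To show what the `columns` mapping above actually does to a DataPlane-style line, here is a small stand-alone Python parser written for this thread. It is an added example, not code from IntelMQ or from the comment above: it reimplements, as I understand the generic csv parser's column syntax, the rule that `a|b` means "assign to `a` if the value validates, otherwise fall through to `b`", with `__IGNORE__` dropping the value. The feed lines are constructed (RFC 5737 addresses, private-use ASNs) and only mimic the `ASN | ASname | saddr | utc | category` layout; the validation rules are a minimal stand-in for IntelMQ's harmonization checks, not the real ones.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample in the DataPlane.org layout; the values are made up for this
# example and are not taken from the real feed.
SAMPLE_FEED = """\
# constructed sample, comment lines start with '#'
# ASN | ASname | saddr | utc | category
64496   |  EXAMPLE-AS-ONE  |  192.0.2.10    |  2017-04-05 10:47:00  |  vncrfb
NA      |  NA              |  198.51.100.7  |  2017-04-05 11:02:13  |  vncrfb
64497   |  EXAMPLE-AS-TWO  |  not-an-ip     |  2017-04-05 11:05:00  |  vncrfb
"""

# The column spec and delimiter from the configuration fragment in the thread.
COLUMNS = "source.asn|__IGNORE__,source.as_name|__IGNORE__,source.ip,time.source,extra.tags"
DELIMITER = "|"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def _valid(key, value):
    """Minimal per-field validation standing in for IntelMQ's harmonization (assumption)."""
    if key == "__IGNORE__":
        return True  # the fallback always accepts, so the value is simply dropped
    if key == "source.asn":
        return value.isdigit() and int(value) > 0
    if key == "source.ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if key == "time.source":
        try:
            datetime.strptime(value, TIME_FORMAT)
            return True
        except ValueError:
            return False
    return bool(value)  # free-text fields (source.as_name, extra.tags) accept anything non-empty


def _convert(key, value):
    """Normalise the accepted value the way the event field expects it."""
    if key == "source.asn":
        return int(value)
    if key == "time.source":
        return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc).isoformat()
    return value


def parse_line(line, columns=COLUMNS, delimiter=DELIMITER):
    """Map one delimited feed line onto IntelMQ-style field names.

    Returns None for blank and comment lines; raises ValueError when a value
    fits none of the alternatives for its column or the column count is off.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    values = [v.strip() for v in line.split(delimiter)]
    specs = columns.split(",")
    if len(values) != len(specs):
        raise ValueError(f"expected {len(specs)} columns, got {len(values)}: {line!r}")
    event = {}
    for spec, value in zip(specs, values):
        for key in spec.split("|"):  # try alternatives left to right
            if _valid(key, value):
                if key != "__IGNORE__":
                    event[key] = _convert(key, value)
                break
        else:
            raise ValueError(f"value {value!r} fits none of {spec!r}")
    return event


def parse_feed(text):
    """Parse a whole feed; returns (events, rejected_reasons)."""
    events, rejected = [], []
    for line in text.splitlines():
        try:
            event = parse_line(line)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if event is not None:
            events.append(event)
    return events, rejected


if __name__ == "__main__":
    evs, bad = parse_feed(SAMPLE_FEED)
    for ev in evs:
        print(ev)
    for reason in bad:
        print("rejected:", reason)
```

Two things worth noticing when running this: the `NA` ASN is silently dropped because `source.asn|__IGNORE__` falls through to the ignore branch, but the `NA` AS name survives as a literal string, since a free-text field has no validation to fail; and the line with an unparseable address is rejected outright, because `source.ip` has no fallback. Whether you want a non-address in that column to drop the whole line or only the field is exactly the kind of decision the `columns` string encodes.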