Merge pull request #2621 from monoidic/develop

sebix · web-flow · commit 479114d4d53d · 2025-07-08T09:31:45.000+02:00
ENH: add tor mapping and ipv6-icmp protocol to cymru parser
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,7 @@ Please refer to the [NEWS](NEWS.md) for a list of changes which have an affect o
 #### Collectors
 
 #### Parsers
+- `intelmq.bots.parsers.cymru.parser_cap_program`: Add mapping for TOR and ipv6-icmp protocol (PR#2621 by Mikk Margus Möll).
 
 #### Experts
 - `intelmq.bots.experts.asn_lookup.expert`: Print URLs to stdout only in verbose mode (PR#2591 by Sebastian Wagner).
diff --git a/intelmq/bots/parsers/cymru/parser_cap_program.py b/intelmq/bots/parsers/cymru/parser_cap_program.py
@@ -36,13 +36,16 @@
     'conficker': {'classification.type': 'infected-system',
                   'classification.identifier': 'conficker',
                   'malware.name': 'conficker'},
+    'tor': {'classification.type': 'tor',
+            'classification.identifier': 'tor'},
 }
 PROTOCOL_MAPPING = {  # TODO: use `getent protocols <number>`, maybe in harmonization
     '1': 'icmp',
     '6': 'tcp',
     '11': 'nvp-ii',
     '17': 'udp',
     '47': 'gre',
+    '58': 'ipv6-icmp',
     '59': 'ipv6-nonxt',
 }
 BOGUS_HOSTNAME_PORT = re.compile('hostname: ([^:]+)port: ([0-9]+)')
diff --git a/intelmq/tests/bots/parsers/cymru/certname_20190327.txt b/intelmq/tests/bots/parsers/cymru/certname_20190327.txt
@@ -36,3 +36,4 @@ proxy|172.16.0.21|64496|2020-12-14 08:28:01|httpconnect-51915; additional_asns:
 bruteforce|172.16.0.21|64496|2021-03-09 00:11:21|destination_port_numbers: 22;port: 16794;protocol: 6;|Example AS Name, AT
 bot|172.16.0.21|64496|2019-03-22 18:18:52|family: Conficker;hostname: 172.16.0.21|Example AS Name, AT
 bot|172.16.0.21|64496|2019-03-22 20:18:52|family: Conficker;hostname: 21-0-16-172.example.tld|Example AS Name, AT
+tor|172.16.0.21|64496|2025-07-06 00:15:03|port: 36004;|Example AS Name, AT
diff --git a/intelmq/tests/bots/parsers/cymru/test_cap_program_new.py b/intelmq/tests/bots/parsers/cymru/test_cap_program_new.py
@@ -244,11 +244,17 @@
      'source.fqdn': '21-0-16-172.example.tld',
      'source.geolocation.cc': 'AT',
      },
+     {
+     'time.source': '2025-07-06T00:15:03+00:00',
+      'classification.type': 'tor',
+      'classification.identifier': 'tor',
+      'source.port': 36004,
+     },
 ]
 
 # The number of events a single line in the raw data produces
 NUM_EVENTS = (1, 1, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-              1, 1, 10, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)
+              1, 1, 10, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)
 RAWS = []
 for i, line in enumerate(RAW_LINES[3:]):
     for count in range(NUM_EVENTS[i]):
