Merge branch 'develop' into develop

Author: Rafiot

.travis.yml

@@ -1,4 +1,4 @@
-sudo: required
+os: linux
 dist: xenial
 language: python
 env:
@@ -9,7 +9,7 @@ python:
   - 3.6
   - 3.7
   - 3.8
-matrix:
+jobs:
   include:
   - python: 3.5
     env: mode=debian
@@ -25,12 +25,12 @@ before_install:
   - if [[ -v requirements ]]; then sudo systemctl start elasticsearch; fi
 install:
   - set -e
-  - if [[ -v requirements ]]; then sudo apt-get install polipo lighttpd; fi
   - if [[ $mode == debian ]]; then sudo apt-get install dpkg-dev dh-python python-setuptools python3-setuptools python3-all debhelper quilt fakeroot dh-systemd safe-rm; pip3 install requests; pip3 install redis; pip3 install dnspython; pip3 install psutil; pip3 install python-dateutil; pip3 install termstyle; pip3 install pytz; pip3 install typing; fi
   - if [[ $requirements == true ]]; then for file in intelmq/bots/*/*/REQUIREMENTS.txt; do pip install -r $file; done; fi
   - if [[ -v requirements ]]; then pip install Cerberus!=1.3 codecov pyyaml requests_mock; fi
   - if [[ $mode == codestyle ]]; then pip install pycodestyle; fi
   - if [[ -v requirements ]]; then sudo sed -i '/^Defaults\tsecure_path.*$/ d' /etc/sudoers; fi
+  - if [[ $TRAVIS_PYTHON_VERSION < '3.6' ]]; then rm intelmq/bin/intelmq_gen_docs.py intelmq/tests/bin/test_gen_docs.py; fi  # file requires Python 3.6
   - if [[ -v requirements ]]; then sudo pip install .; fi
   - if [[ -v requirements ]]; then sudo intelmqsetup --skip-ownership; fi
 before_script:
@@ -49,17 +49,16 @@ before_script:
   - if [[ $mode == debian ]]; then tar -xzf ../intelmq_$version.orig.tar.gz; fi
   - if [[ $mode == debian ]]; then tar -xzf ../intelmq_$debversion.debian.tar.gz; fi
   - if [[ $mode == debian ]]; then popd; fi
-  - if [[ -v requirements ]]; then sudo cp intelmq/tests/assets/* /var/www/html/ && sudo touch /var/www/html/$(date +%Y).txt; fi
   - if [[ -v requirements ]]; then gpg --import intelmq/tests/assets/key-public.pgp; fi
   - if [[ $requirements == true ]]; then sudo bash -c 'echo "[rabbitmq_management]." > /etc/rabbitmq/enabled_plugins' && sudo systemctl restart rabbitmq-server; fi
 script:
-  - if [[ $requirements == true ]]; then TZ=utc INTELMQ_TEST_DATABASES=1 INTELMQ_TEST_LOCAL_WEB=1 INTELMQ_TEST_EXOTIC=1 nosetests --with-coverage --cover-package=intelmq --cover-branches; find contrib/ -name "test*.py" -exec nosetests {} \+; elif [[ $requirements == false ]]; then INTELMQ_TEST_LOCAL_WEB=1 nosetests --with-coverage --cover-package=intelmq --cover-branches; fi
+  - if [[ $requirements == true ]]; then TZ=utc INTELMQ_TEST_DATABASES=1 INTELMQ_TEST_EXOTIC=1 nosetests --with-coverage --cover-package=intelmq --cover-branches; find contrib/ -name "test*.py" -exec nosetests {} \+; elif [[ $requirements == false ]]; then nosetests --with-coverage --cover-package=intelmq --cover-branches; fi
   - if [[ $mode == codestyle ]]; then pycodestyle intelmq/{bots,lib,bin}; fi
   - if [[ $mode == debian ]]; then pushd ../build; fi
   - if [[ $mode == debian ]]; then DEB_BUILD_OPTIONS='nocheck' dpkg-buildpackage -us -uc -d; fi
   - if [[ $mode == debian ]]; then popd; fi
 services:
-  - redis-server
+  - redis
   - postgresql
   - mongodb
   - rabbitmq

CHANGELOG.md

@@ -19,19 +19,25 @@ CHANGELOG
   - `create_request_session_from_bot`: Changed bot argument to optional, uses defaults.conf as fallback, renamed to `create_request_session`. Name `create_request_session_from_bot` will be removed in version 3.0.0.
 
 ### Development
+- `intelmq.bin.intelmq_gen_docs`: Add bot name to the `Feeds.md` documentation (PR#1617 by Birger Schacht).
 
 ### Harmonization
 
 ### Bots
 #### Collectors
 - `intelmq.bots.collectors.eset.collector`: Added (PR#1554 by Mikk Margus Möll).
-- `intelmq.bots.collectors.http.collector_http`: Added PGP signature check functionality (PR#1602 by sinus-x).
+- `intelmq.bots.collectors.http.collector_http`:
+  - Added PGP signature check functionality (PR#1602 by sinus-x).
+  - If status code is not 2xx, the request's and response's headers and body are logged in debug logging level (#1615).
 
 #### Parsers
 - `intelmq.bots.parsers.eset.parser`: Added (PR#1554 by Mikk Margus Möll).
   - Ignore invalid "NXDOMAIN" IP addresses (PR#1573 by Mikk Margus Möll).
 - `intelmq.bots.parsers.hphosts`: Removed, feed is unavailable (#1559).
-- `intelmq.bots.parsers.cznic.parser_haas`: Added (PR#1560 by Filip Pokorný and Edvard Rejthar)
+- `intelmq.bots.parsers.cznic.parser_haas`: Added (PR#1560 by Filip Pokorný and Edvard Rejthar).
+- `intelmq.bots.parsers.cznic.parser_proki`: Added (PR#1599 by sinus-x).
+- `intelmq.bots.parsers.key_value.parser`: Added (PR#1607 by Karl-Johan Karlsson).
+- `intelmq.bots.parsers.generic.parser_csv`: Added new parameter `compose_fields`.
 
 #### Experts
 - `intelmq.bots.experts.rfc1918.expert`:
@@ -56,6 +62,7 @@ CHANGELOG
   - Added `--update-database` option. (PR#1524 by Filip Pokorný)
   - Added `api_token` parameter. (PR#1524 by Filip Pokorný)
   - The script `update-rfiprisk-data` is now deprecated and will be removed in version 3.0.
+- Added `intelmq.bots.experts.threshold` (PR#1608 by Karl-Johan Karlsson).
 
 #### Outputs
 
@@ -64,6 +71,8 @@ CHANGELOG
   - Add ESET URL and Domain feeds
   - Remove unavailable *HPHosts Hosts file* feed (#1559).
   - Added CZ.NIC HaaS feed (PR#1560 by Filip Pokorný and Edvard Rejthar).
+  - Added CZ.NIC Proki feed (PR#1599 by sinus-x).
+  - Added CERT-BUND CB-Report Malware infections feed (PR#1598 by sinus-x).
 - Bots:
   - Enhanced documentation of RFC1918 Expert.
   - Updated documentation for Maxmind GeoIP, ASN Lookup, TOR Nodes and Recorded Future experts to reflect new `--update-database` option.  (PR#1524 by Filip Pokorný)
@@ -74,6 +83,15 @@ CHANGELOG
 
 ### Tests
 - Added tests for `intelmq.lib.exceptions.PipelineError`.
+- `intelmq.tests.bots.collectors.http_collector.test_collector`: Use requests_mock to mock all requests and do not require a local webserver.
+- `intelmq.tests.bots.outputs.restapi.test_output`:
+  - Use requests_mock to mock all requests and do not require a local webserver.
+  - Add a test for checking the response status code.
+- `intelmq.tests.bots.collectors.mail.test_collector_url`: Use requests_mock to mock all requests and do not require a local webserver.
+- `intelmq.tests.bots.experts.ripe.test_expert`: Use requests_mock to mock all requests and do not require a local webserver.
+- The test flag (environment variable) `INTELMQ_TEST_EXOTIC` is no longer used.
+- Travis:
+  - Remove installation of local web-server (not necessary anymore) and HTTP proxy (no tests anymore).
 
 ### Tools
 - `intelmqdump`:
@@ -113,6 +131,9 @@ CHANGELOG
 - `intelmq/bots/parsers/danger_rulez/parser`: correctly skip malformed rows by defining variables before referencing (PR#1601 by Tomas Bellus).
 
 #### Experts
+- `intelmq.bots.experts.cymru_whois`:
+  - Fix cache key calculation which previously led to duplicate keys and therefore wrong results in rare cases. The cache key calculation is intentionally not backwards-compatible (#1592, PR#1606).
+  - The bot now caches and logs (as level INFO) empty responses from Cymru (PR#1606).
 
 #### Outputs
 - `intelmq.bots.outputs.rt`: Added Request Tracker output bot (PR#1589 by Marius Urkis).

NEWS.md

@@ -39,6 +39,11 @@ See the changelog for a full list of changes.
 2.2.2 Bugfix release (unreleased)
 ---------------------------------
 
+### Bots
+#### Cymru Whois Lookup
+The cache key calculation has been fixed. It previously led to duplicate keys for different IP addresses and therefore wrong results in rare cases. The cache key calculation is intentionally not backwards-compatible. Therefore, this bot may take longer processing events than usual after applying this update.
+More details can be found in [issue #1592](https://github.com/certtools/intelmq/issues/1592).
+
 ### Requirements
 
 ### Tools

contrib/eventdb/apply_mapping_eventdb.py

@@ -55,9 +55,9 @@ def eventdb_apply(malware_name_column, malware_family_column, host, port,
 
     cur.execute('SELECT DISTINCT "classification.identifier", "malware.name" FROM {table} '
                 'WHERE "classification.taxonomy" = \'malicious code\' {where}'
-            ''.format(table=table, where=where))
+                ''.format(table=table, where=where))
     if dry_run:
-        execute = lambda x, y: print(cur.mogrify(x, y).decode())
+        execute = lambda x, y: print(cur.mogrify(x, y).decode())  # noqa: E731
     else:
         execute = cur.execute
     for (identifier, malware_name) in cur.fetchall():
@@ -76,7 +76,7 @@ def eventdb_apply(malware_name_column, malware_family_column, host, port,
                         'AND "classification.identifier" IS DISTINCT FROM %s AND '
                         '"classification.taxonomy" = \'malicious code\' {where}'
                         ''.format(table=table, where=where),
-                        (rule[1],  malware_name, rule[1]))
+                        (rule[1], malware_name, rule[1]))
                 break
         else:
             print('missing mapping for', repr(malware_name))

contrib/malware_name_mapping/download_mapping.py

@@ -19,9 +19,9 @@
 URL_MALPEDIA = 'https://raw.githubusercontent.com/certtools/malware_name_mapping/master/malpedia.csv'
 URL_MISP = 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/threat-actor.json'
 
-REGEX_FROM_HUMAN = re.compile(r"((?P<res1>[a-z])(?=[A-Z])|"  #  "fooBar"
-                               r"(?P<res2>.)(\\ )(?=[^\]])|"  #  "foo bar" but not "foo[-_ ]?bar"
-                               r"(?P<res3>[^\[-])\\-(?=[^-]))")  #  "foo-bar" but not "foo[-_ ]?bar"
+REGEX_FROM_HUMAN = re.compile(r"((?P<res1>[a-z])(?=[A-Z])|"  # "fooBar"
+                              r"(?P<res2>.)(\\ )(?=[^\]])|"  # "foo bar" but not "foo[-_ ]?bar"
+                              r"(?P<res3>[^\[-])\\-(?=[^-]))")  # "foo-bar" but not "foo[-_ ]?bar"
 IDENTIFIER_FROM_HUMAN = re.compile(r"[^a-z0-9]+")
 
 
@@ -75,7 +75,7 @@ def generate_regex_from_human(*values):
     return "^(%s)$" % "|".join(newvalues)
 
 
-def download(url: str=URL, add_default=False, params=None, include_malpedia=False,
+def download(url: str = URL, add_default=False, params=None, include_malpedia=False,
              include_misp=False, mwnmp_ignore_adware=False):
     download = requests.get(url)
     download.raise_for_status()
@@ -96,7 +96,7 @@ def download(url: str=URL, add_default=False, params=None, include_malpedia=Fals
             names = [actor["value"]] + actor.get("meta", {}).get("synonyms", [])
             identifier = ("%s-generic"
                           "" % IDENTIFIER_FROM_HUMAN.sub("-",
-                                                        actor["value"].lower()))
+                                                         actor["value"].lower()))
             rule_name = "misp-threat-actors-%s" % identifier
 
             rules.append(generate_rule(generate_regex_from_human(*names),

contrib/malware_name_mapping/test_download_mapping.py

@@ -69,7 +69,7 @@ def test_download_add_default_constant(self):
                            'then': {'classification.identifier': 'constant'}}]
                          )
 
-    maxDiff=None
+    maxDiff = None
 
 
 class TestParser(unittest.TestCase):

contrib/systemd/systemd.py

@@ -1,5 +1,6 @@
 #!/usr/bin/python3
 # -*- coding: utf-8 -*-
+# flake8: noqa
 import collections
 import grp
 import json

docs/Bots.md

@@ -36,6 +36,7 @@
   - [Cymru CAP Program](#cymru-cap-program)
   - [Cymru Full Bogons](#cymru-full-bogons)
   - [HTML Table Parser](#html-table-parser)
+  - [Key-Value Parser](#key-value-parser)
   - [Twitter](#twitter)
   - [Shadowserver](#shadowserver)
   - [Shodan](#shodan)
@@ -74,6 +75,7 @@
   - [RipeNCC Abuse Contact](#ripencc-abuse-contact)
   - [Sieve](#sieve)
   - [Taxonomy](#taxonomy)
+  - [Threshold](#threshold)
   - [Tor Nodes](#tor-nodes)
   - [Url2FQDN](#url2fqdn)
   - [Wait](#wait)
@@ -267,6 +269,12 @@ Zipped files are automatically extracted if detected.
 
 For extracted files, every extracted file is sent in its own report. Every report has a field named `extra.file_name` with the file name in the archive the content was extracted from.
 
+#### HTTP Response status code checks
+
+If the HTTP response' status code is not 2xx, this is treated as error.
+
+In Debug logging level, the request's and response's headers and body are logged for further inspection.
+
 * * *
 
 ### Generic URL Stream Fetcher
@@ -979,6 +987,8 @@ Events with the Malware "TestSinkholingLoss" are ignored, as they are for the fe
 
 * `use_malware_familiy_as_classification_identifier`: default: `true`. Use the `malw.family` field as `classification.type`. If `false`, check if the same as `malw.variant`. If it is the same, it is ignored. Otherwise saved as `extra.malware.family`.
 
+* * *
+
 ### Generic CSV Parser
 
 Lines starting with `'#'` will be ignored. Headers won't be interpreted.
@@ -1011,6 +1021,22 @@ Lines starting with `'#'` will be ignored. Headers won't be interpreted.
         - parse a value and ignore if it fails  `"columns": "source.url|__IGNORE__"`
 
  * `"column_regex_search"`: Optional. A dictionary mapping field names (as given per the columns parameter) to regular expression. The field is evaluated using `re.search`. Eg. to get the ASN out of `AS1234` use: `{"source.asn": "[0-9]*"}`. Make sure to properly escape any backslashes in your regular expression (See also [#1579](https://github.com/certtools/intelmq/issues/1579).
+ * `"compose_fields"`: Optional, dictionary. Create fields from columns, e.g. with data like this:
+   ```csv
+   # Host,Path
+   example.com,/foo/
+   example.net,/bar/
+   ```
+   using this compose_fields parameter:
+   ```json
+   {"source.url": "http://{0}{1}"}
+   ```
+   You get:
+   ```
+   http://example.com/foo/
+   http://example.net/bar/
+   ```
+   in the respective `source.url` fields. The value in the dictionary mapping is formatted whereas the columns are available with their index.
  * `"default_url_protocol"`: For URLs you can give a default protocol which will be pretended to the data.
  * `"delimiter"`: separation character of the CSV, e.g. `","`
  * `"skip_header"`: Boolean, skip the first line of the file, optional. Lines starting with `#` will be skipped additionally, make sure you do not skip more lines than needed!
@@ -1225,6 +1251,45 @@ Parses breaches and pastes and creates one event per e-mail address. The e-mail
 
 * * *
 
+### Key-Value Parser
+
+#### Information:
+* `name:` intelmq.bots.parsers.key_value.parser
+* `lookup:` no
+* `public:` no
+* `cache (redis db):` none
+* `description:` Parses text lines in key=value format, for example FortiGate firewall logs.
+
+#### Configuration Parameters:
+
+* `pair_separator`: String separating key=value pairs, default "` `" (space).
+* `kv_separator`: String separating key and value, default `=`.
+* `keys`: Array of string->string, names of keys to propagate mapped to IntelMQ event fields. Example:
+   ```json
+   "keys": {
+       "srcip": "source.ip",
+       "dstip": "destination.ip"
+   }
+   ```
+   The value mapped to `time.source` is parsed. If the value is numeric, it is interpreted. Otherwise, or if it fails, it is parsed fuzzy with dateutil.
+   If the value cannot be parsed, a warning is logged per line.
+* `strip_quotes`: Boolean, remove opening and closing quotes from values, default true.
+
+#### Parsing limitations
+
+The input must not have (quoted) occurrences of the separator in the values. For example, this is not parsable (with space as separator):
+
+```
+key="long value" key2="other value"
+```
+
+In firewall logs like FortiGate, this does not occur. These logs usually look like:
+```
+srcip=192.0.2.1 srcmac="00:00:5e:00:17:17"
+```
+
+* * *
+
 ### McAfee Advanced Threat Defense File
 
 #### Information:
@@ -2500,6 +2565,42 @@ For brevity, "type" means `classification.type` and "taxonomy" means `classifica
 
 * * *
 
+### Threshold
+
+#### Information:
+
+* **Cache parameters** (see in section [common parameters](#common-parameters))
+* `name`: threshold
+* `lookup`: redis cache
+* `public`: no
+* `cache (redis db)`: 11
+* `description`: Check if the number of similar messages during a specified time interval exceeds a set value.
+
+#### Configuration Parameters:
+
+* `filter_keys`: String, comma-separated list of field names to consider or ignore when determining which messages are similar.
+* `filter_type`: String, `whitelist` (consider only the fields in `filter_keys`) or `blacklist` (consider everything but the fields in `filter_keys`).
+* `timeout`: Integer, number of seconds before threshold counter is reset.
+* `threshold`: Integer, number of messages required before propagating one. In forwarded messages, the threshold is saved in the message as `extra.count`.
+* `add_keys`: Array of string->string, optional, fields and values to add (or update) to propagated messages. Example:
+   ```json
+   "add_keys": {
+       "classification.type": "spam",
+       "comment": "Started more than 10 SMTP connections"
+   }
+   ```
+
+#### Limitations
+
+This bot has certain limitations and is not a true threshold filter (yet). It works like this:
+1. Every incoming message is hashed according to the `filter_*` parameters.
+2. The hash is looked up in the cache and the count is incremented by 1, and the TTL of the key is (re-)set to the timeout.
+3. If the new count matches the threshold exactly, the message is forwarded. Otherwise it is dropped.
+
+Please note: Even if a message is sent, any further identical messages are dropped, if the time difference to the last message is less than the timeout! The counter is not reset if the threshold is reached.
+
+* * *
+
 ### Tor Nodes
 
 #### Information:

docs/Developers-Guide.md

@@ -195,14 +195,13 @@ There are a bunch of environment variables which switch on/off some tests:
 * `INTELMQ_TEST_DATABASES`: databases such as postgres, elasticsearch, mongodb are not tested by default, set to 1 to test those bots. These tests need preparation, e.g. running databases with users and certain passwords etc. Have a look at the `.travis.yml` in IntelMQ's repository for steps to set databases up.
 * `INTELMQ_SKIP_INTERNET`: tests requiring internet connection will be skipped if this is set to 1.
 * `INTELMQ_SKIP_REDIS`: redis-related tests are ran by default, set this to 1 to skip those.
-* `INTELMQ_TEST_LOCAL_WEB`: tests which connect to local web servers or proxies are active when set to 1. Running these tests assume a local webserverserving certain files and/or proxy. Example preparation steps can be found in `.travis.yml` again.
 * `INTELMQ_TEST_EXOTIC`: some bots and tests require libraries which may not be available, those are skipped by default. To run them, set this to 1.
 * `INTELMQ_TEST_REDIS_PASSWORD`: Set this value to the password for the local redis database if needed.
 
 For example, to run all tests you can use:
 
 ```bash
-INTELMQ_TEST_DATABASES=1 INTELMQ_TEST_LOCAL_WEB=1 INTELMQ_TEST_EXOTIC=1 nosetests3
+INTELMQ_TEST_DATABASES=1 INTELMQ_TEST_EXOTIC=1 nosetests3
 ```
 
 ### Configuration test files