BUG: cymru cap parser: add support for 2 protocols

Sebastian Wagner · Sebastian Wagner · commit cae9f499d63f · 2020-11-18T11:38:01.000+01:00
47 (GRE) and 59 (IPv6-NoNxt)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@ CHANGELOG
 #### Collectors
 
 #### Parsers
+- `intelmq.bots.parsers.cymru.parser_cap_program`: Add support for protocols 47 (GRE) and 59 (IPv6-NoNxt).
 
 #### Experts
 
diff --git a/intelmq/bots/parsers/cymru/parser_cap_program.py b/intelmq/bots/parsers/cymru/parser_cap_program.py
@@ -35,11 +35,13 @@
 }
 MAPPING_COMMENT = {'bruteforce': ('classification.identifier', 'protocol.application'),
                    'phishing': ('source.url', )}
-PROTOCOL_MAPPING = {  # TODO: use getent in harmonization
+PROTOCOL_MAPPING = {  # TODO: use `getent protocols <number>`, maybe in harmonization
     '1': 'icmp',
     '6': 'tcp',
     '11': 'nvp-ii',
     '17': 'udp',
+    '47': 'gre',
+    '59': 'ipv6-nonxt',
 }
 BOGUS_HOSTNAME_PORT = re.compile('hostname: ([^:]+)port: ([0-9]+)')
 DESTINATION_PORT_NUMBERS_TOTAL = re.compile(r' \(total_count:\d+\)$')
diff --git a/intelmq/tests/bots/parsers/cymru/certname_20190327.txt b/intelmq/tests/bots/parsers/cymru/certname_20190327.txt
@@ -30,3 +30,5 @@ phishing|172.16.0.21|64496|2019-10-23 12:46:18||Example AS Name, AT
 darknet|172.16.0.21|64496|2020-01-10 09:17:17|destination_port_numbers: 0;protocol: 11;|Example AS Name, AT
 conficker|172.16.0.21|64496|2020-05-08 09:13:34|srcport: 1997; destaddr: 172.16.0.22;|Example AS Name, AT
 scanner|172.16.0.21|64496|2020-07-09 03:40:15|username: pm;|Example AS Name, AT
+darknet|172.16.0.21|64496|2020-10-08 02:21:26|protocol: 47;|Example AS Name, AT
+darknet|172.16.0.21|64496|2020-10-15 09:22:10|protocol: 59;|Example AS Name, AT
diff --git a/intelmq/tests/bots/parsers/cymru/test_cap_program_new.py b/intelmq/tests/bots/parsers/cymru/test_cap_program_new.py
@@ -203,11 +203,21 @@
            'time.source': '2020-07-09T03:40:15+00:00',
            'source.account': 'pm',
            },
+          {'classification.type': 'scanner',
+           'classification.identifier': 'darknet',
+           'time.source': '2020-10-08T02:21:26+00:00',
+           'protocol.transport': 'gre',
+           },
+          {'classification.type': 'scanner',
+           'classification.identifier': 'darknet',
+           'time.source': '2020-10-15T09:22:10+00:00',
+           'protocol.transport': 'ipv6-nonxt',
+           },
           ]
 
 # The number of events a single line in the raw data produces
-NUM_EVENTS = [1, 1, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-              1, 1, 10, 1, 1, 1, 1, 1]
+NUM_EVENTS = (1, 1, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+              1, 1, 10, 1, 1, 1, 1, 1, 1, 1)
 RAWS = []
 for i, line in enumerate(RAW_LINES[3:]):
     for count in range(NUM_EVENTS[i]):
