intelmq.bots.parsers.dataplane package

Submodules

intelmq.bots.parsers.dataplane.parser module

IntelMQ Dataplane Parser

intelmq.bots.parsers.dataplane.parser.BOT
    alias of intelmq.bots.parsers.dataplane.parser.DataplaneParserBot

class intelmq.bots.parsers.dataplane.parser.DataplaneParserBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: bool = None)
    Bases: intelmq.lib.bot.ParserBot

    Parse the Dataplane feeds.

    CATEGORY
        Maps a Dataplane feed category name to the event fields set for every line of that category. Only these five names are known to the parser; each entry fixes the classification type, the application protocol and a description text.

        CATEGORY = {
            'sipinvitation': {
                'classification.type': 'brute-force',
                'protocol.application': 'sip',
                'event_description.text': 'Address has been seen initiating a SIP INVITE operation to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SIP client cataloging or conducting various forms of telephony abuse.'},
            'sipquery': {
                'classification.type': 'brute-force',
                'protocol.application': 'sip',
                'event_description.text': 'Address has been seen initiating a SIP OPTIONS query to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SIP server cataloging or conducting various forms of telephony abuse.'},
            'sipregistration': {
                'classification.type': 'brute-force',
                'protocol.application': 'sip',
                'event_description.text': 'Address has been seen initiating a SIP REGISTER operation to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SIP client cataloging or conducting various forms of telephony abuse.'},
            'sshclient': {
                'classification.type': 'scanner',
                'protocol.application': 'ssh',
                'event_description.text': 'Address has been seen initiating an SSH connection to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SSH server cataloging or conducting authentication attack attempts.'},
            'sshpwauth': {
                'classification.type': 'brute-force',
                'protocol.application': 'ssh',
                'event_description.text': 'Address has been seen attempting to remotely login to a host using SSH password authentication. The source report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.'},
        }

    FILE_FORMAT
        Ordered list of (event field, converter) pairs, one per feed column in the order the columns appear; each converter is a lambda applied to the raw column text before it is added to the event.

        FILE_FORMAT = [
            ('source.asn', <function DataplaneParserBot.<lambda>>),
            ('source.as_name', <function DataplaneParserBot.<lambda>>),
            ('source.ip', <function DataplaneParserBot.<lambda>>),
            ('time.source', <function DataplaneParserBot.<lambda>>),
        ]

    parse_line(line, report)
        Parse one line of the report and yield the resulting event(s).
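The reference above lists the CATEGORY table and the FILE_FORMAT column order but not how a feed line is turned into an event. The following is an added, stand-alone example (not the bot's own code; it does not import intelmq) showing how a parser built on those two tables would process a feed, with the checks a practitioner wants on untrusted threat-intelligence input: comment and blank lines are skipped, the column count is enforced, the ASN and IP address are validated rather than copied through, the timestamp is normalised to an explicit UTC ISO 8601 string, and a line whose category is not in CATEGORY is rejected instead of silently producing an unclassified event. It assumes the pipe-delimited layout published by dataplane.org, `ASN | ASname | ipaddr | lastseen | category`, with the category as the trailing fifth column and timestamps in UTC; the names `parse_feed`, `CONVERTERS` and the helper functions are this example's own, and the feed lines are constructed, not real feed data. The description texts of the CATEGORY table are omitted here for brevity.

```python
import ipaddress
from datetime import datetime, timezone

# Classification applied per Dataplane category (mirrors the bot's CATEGORY
# table; the event_description.text strings are left out for brevity).
CATEGORY = {
    "sipinvitation":   {"classification.type": "brute-force", "protocol.application": "sip"},
    "sipquery":        {"classification.type": "brute-force", "protocol.application": "sip"},
    "sipregistration": {"classification.type": "brute-force", "protocol.application": "sip"},
    "sshclient":       {"classification.type": "scanner",     "protocol.application": "ssh"},
    "sshpwauth":       {"classification.type": "brute-force", "protocol.application": "ssh"},
}

# Event field per feed column, in column order (mirrors the bot's FILE_FORMAT).
# Assumed feed layout:  ASN | ASname | ipaddr | lastseen | category
FILE_FORMAT = ("source.asn", "source.as_name", "source.ip", "time.source")


def _parse_asn(value):
    # Must be a valid 32-bit AS number, not arbitrary text from the feed.
    asn = int(value.strip())
    if not 0 < asn < 2 ** 32:
        raise ValueError("ASN out of range: %r" % value)
    return asn


def _parse_ip(value):
    # ipaddress rejects hostnames, CIDR ranges and anything that is not one address.
    return str(ipaddress.ip_address(value.strip()))


def _parse_time(value):
    # Assumption: Dataplane timestamps are UTC without a zone marker; make the zone explicit.
    ts = datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts.isoformat()


# Converters in the same order as FILE_FORMAT (stand-ins for the bot's lambdas).
CONVERTERS = (_parse_asn, lambda v: v.strip(), _parse_ip, _parse_time)


def parse_line(line):
    """Return an event dict for one feed line, or None for comment/blank lines.

    Raises ValueError for malformed lines or unknown categories so that a
    corrupted or tampered feed cannot silently turn into bogus events.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    columns = line.split("|")
    expected = len(FILE_FORMAT) + 1  # data columns plus the trailing category
    if len(columns) != expected:
        raise ValueError("expected %d columns, got %d: %r" % (expected, len(columns), line))
    category = columns[-1].strip()
    if category not in CATEGORY:
        raise ValueError("unknown Dataplane category %r" % category)
    event = dict(CATEGORY[category])
    for field, convert, raw in zip(FILE_FORMAT, CONVERTERS, columns):
        event[field] = convert(raw)
    event["raw"] = line  # keep the original line for auditing
    return event


def parse_feed(text):
    """Parse a whole feed; return (events, rejected) where rejected holds
    (line number, reason) for every line that failed validation."""
    events, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            event = parse_line(line)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if event is not None:
            events.append(event)
    return events, rejected


# Constructed sample in the assumed Dataplane layout; not real feed data.
SAMPLE_FEED = """\
# constructed sample feed (header lines start with '#')
# ASN | ASname | ipaddr | lastseen | category
64496 | EXAMPLE-AS  | 192.0.2.10   | 2023-05-01 12:34:56 | sshpwauth
64497 | EXAMPLE-AS2 | 2001:db8::1  | 2023-05-01 13:00:00 | sipquery
64498 | BAD-AS      | not-an-ip    | 2023-05-01 13:00:00 | sshclient
64499 | UNKNOWN-AS  | 198.51.100.7 | 2023-05-01 13:00:00 | telnet
"""

if __name__ == "__main__":
    good, bad = parse_feed(SAMPLE_FEED)
    for ev in good:
        print(ev["source.ip"], ev["classification.type"], ev["protocol.application"])
    for lineno, reason in bad:
        print("rejected line %d: %s" % (lineno, reason))
```

Rejecting rather than skipping bad lines matters operationally: a feed that suddenly changes layout or starts emitting a category you do not map should surface as errors in the bot's logs, not as a quiet drop in event volume.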