intelmq.bots.parsers.dataplane package

Submodules

intelmq.bots.parsers.dataplane.parser module

IntelMQ Dataplane Parser

intelmq.bots.parsers.dataplane.parser.BOT

alias of intelmq.bots.parsers.dataplane.parser.DataplaneParserBot

class intelmq.bots.parsers.dataplane.parser.DataplaneParserBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: bool = None)

Bases: intelmq.lib.bot.ParserBot

Parse the Dataplane feeds

CATEGORY = {
    'sipinvitation': {
        'classification.type': 'brute-force',
        'protocol.application': 'sip',
        'event_description.text': 'Address has been seen initiating a SIP INVITE operation to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SIP client cataloging or conducting various forms of telephony abuse.'
    },
    'sipquery': {
        'classification.type': 'brute-force',
        'protocol.application': 'sip',
        'event_description.text': 'Address has been seen initiating a SIP OPTIONS query to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SIP server cataloging or conducting various forms of telephony abuse.'
    },
    'sipregistration': {
        'classification.type': 'brute-force',
        'protocol.application': 'sip',
        'event_description.text': 'Address has been seen initiating a SIP REGISTER operation to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SIP client cataloging or conducting various forms of telephony abuse.'
    },
    'sshclient': {
        'classification.type': 'scanner',
        'protocol.application': 'ssh',
        'event_description.text': 'Address has been seen initiating an SSH connection to a remote host. The source report lists hosts that are suspicious of more than just port scanning. The host may be SSH server cataloging or conducting authentication attack attempts.'
    },
    'sshpwauth': {
        'classification.type': 'brute-force',
        'protocol.application': 'ssh',
        'event_description.text': 'Address has been seen attempting to remotely login to a host using SSH password authentication. The source report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.'
    }
}

FILE_FORMAT = [
    ('source.asn', <lambda>),
    ('source.as_name', <lambda>),
    ('source.ip', <lambda>),
    ('time.source', <lambda>)
]

Each FILE_FORMAT entry pairs an IntelMQ event field with a lambda that converts the corresponding feed column, in this order: ASN, AS name, IP address, time seen.
parse_line(line, report)
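Added example, not IntelMQ's own code: a stand-alone parser that applies the CATEGORY mapping and the FILE_FORMAT field order documented above to feed lines. It assumes Dataplane's pipe-separated layout (ASN | AS name | IP | last seen | category) with the category as a fifth column and UTC timestamps; the feed lines are constructed, and event_description.text is omitted from the mapping for brevity.

```python
import ipaddress
from datetime import datetime, timezone

# Subset of the page's CATEGORY table (event_description.text left out for brevity).
CATEGORY = {
    'sipinvitation': {'classification.type': 'brute-force', 'protocol.application': 'sip'},
    'sipquery': {'classification.type': 'brute-force', 'protocol.application': 'sip'},
    'sipregistration': {'classification.type': 'brute-force', 'protocol.application': 'sip'},
    'sshclient': {'classification.type': 'scanner', 'protocol.application': 'ssh'},
    'sshpwauth': {'classification.type': 'brute-force', 'protocol.application': 'ssh'},
}

# Constructed sample in the assumed Dataplane layout; not real feed data.
SAMPLE_FEED = """# comment lines and blank lines are skipped
64496  |  EXAMPLE-AS, ZZ   |  192.0.2.10    |  2021-03-04 05:06:07  |  sshpwauth

64497  |  EXAMPLE2-AS, ZZ  |  198.51.100.7  |  2021-03-04 05:07:08  |  sipquery
"""


def parse_line(line):
    """Return an event dict for one feed line, or None for comment/blank lines.

    Assumed column order: ASN | AS name | IP | last seen (UTC) | category.
    Malformed lines and unknown categories raise ValueError rather than
    producing a half-filled event.
    """
    if not line.strip() or line.lstrip().startswith('#'):
        return None
    parts = [p.strip() for p in line.split('|')]
    if len(parts) != 5:
        raise ValueError(f'expected 5 columns, got {len(parts)}: {line!r}')
    asn, as_name, ip, seen, category = parts
    if category not in CATEGORY:
        raise ValueError(f'unknown Dataplane category {category!r}')
    # ip_address() rejects anything that is not an address, so a corrupt
    # column cannot end up as a bogus indicator in the event.
    addr = ipaddress.ip_address(ip)
    # Dataplane timestamps carry no zone; mark them UTC explicitly.
    seen_utc = datetime.strptime(seen, '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)
    event = {
        'source.asn': int(asn),
        'source.as_name': as_name,
        'source.ip': str(addr),
        'time.source': seen_utc.isoformat(),
    }
    event.update(CATEGORY[category])
    return event


def parse_feed(text):
    """Parse a whole feed file, dropping comment and blank lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]
```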

Module contents