Shadowserver API bot about intelmq HOT 8 CLOSED

@elsif2 Could you please have a look at this? I have also got a similar report during private channels (I didn't have a time to dig into yet)

from intelmq.

The bot downloads the latest reports by checking the past two days for availability and downloads only those that have not been fetched previously.

You can specify the types of reports to download using the types option.

from intelmq.

Thanks @elsif2
I've been attempting to configure the bot to selectively download subsets of scan reports, instead of pulling all the reports for type scan that can contain 1M plus events. Can it be filtered to download a specific set of reports for example scan_ssl, scan6_ssl, scan_rdpeudp, scan_http, scan6_http etc...
The specific report types I've defined in the configuration don't seem to be filtering as expected.
Could you offer any advice on how to effectively target these report types in the bot's settings?

from intelmq.

What parameters do you have configured for the collector?

Example:

    parameters:
        types: [scan_ssl, scan6_ssl, scan_rdpeudp, scan_http]

from intelmq.

Yes, that's how I defined them but when i did that way, it did not download any data so I've to apply only scan in the types field which isn't ideal as it downloads an overwhelming volume of reports.

from intelmq.

The following config only downloads the blocklist and scan_rdpeudp types on my system:

 parameters:
   types: [blocklist,scan_rdpeudp]

What version of IntelMQ are you running?

from intelmq.

intelmqctl --version
3.3.0

ShadowServerAPI-Collector:
  bot_id: ShadowServerAPI-Collector
  enabled: true
  group: Collector
  module: intelmq.bots.collectors.shadowserver.collector_reports_api
  name: ShadowServerAPI
  parameters:
    api_key: "$API_KEY_received_from_the_shadowserver_foundation"
    bottype: Collector
    destination_queues:
      _default: [Shadowserver-Parser-queue]
    http_header: {}
    provider: Shadowserver
    rate_limit: 86400
    reports: null
    secret: $SECRET_received_from_the_shadowserver_foundation"
    types: blocklist
  run_mode: continuous

Even when the types was set to blocklist, it still downloaded all scan reports, I will do some testing over the next few days and see if any changes
The report field, not sure what values should go in there or it can be left as null

from intelmq.

The types parameter must be a list:

parameters:
      types: [blocklist]

from intelmq.