Squelcher
The configuration defines a TTL based on matching fields. The bot looks up in the event table whether an event has already been sent to the customer within the time frame defined by the TTL, matching on the IP, the classification type and the classification identifier. If such an event is found, notify is set to false, otherwise to true. Only events with the notify flag set to true are considered for the lookups.
Edge cases: If no ASN is present, we ignore the event and set the flag to false. If no IP is present but an FQDN is, we always set the flag to true. If extra._origin equals "dnsmalware", the flag is always set to false.
Information:
name: squelcher
lookup: postgres
public: yes
cache (redis db): -
description: Sets the notify field to true or false depending on past notifications
Configuration Parameters:
autocommit: use transactions per statement (true) or per connection (false)
configuration_path: path to the squelcher configuration file, e.g. "/opt/intelmq/etc/squelcher.conf"
database: postgres database
host: postgres host
password: postgres password
port: postgres port (usually 5432)
sslmode: e.g. "require"
table: postgres table
user: postgres user
Configuration syntax
The file must be valid JSON and must contain a list of lists, each of which contains two dictionaries. The first dictionary is compared to the event and thus uses the same field names as an event. The second dictionary has only one field, "ttl", with the TTL as value.
[
    [
        {
            "source.asn": 0,
            "source.network": "192.0.2.0/24",
            "source.ip": "192.0.2.1",
            "classification.type": "vulnerable service"
        }, {
            "ttl": 3600
        }
    ]
]
The first dictionary must be a sub-set of the event: all given fields must exist in the event with the given values. The source.network field is checked separately against the IP in the event (the rule matches if source.ip lies in the given network block). The same applies to the additional source.iprange field, which holds a list of two items, the start and the end IP address.
More examples can be found in intelmq/etc/squelcher.conf.
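The matching rules and the notify decision described above, re-implemented as an added, self-contained example (this is not the IntelMQ squelcher bot's own code). The PostgreSQL events table is replaced by an in-memory list, the configuration and events are constructed for the example, and the behaviour for an event that no rule matches (notify stays true) is an assumption, since the text does not specify it:

```python
"""Added example: the squelcher rules above, re-implemented for illustration.

This is not IntelMQ's squelcher bot. The PostgreSQL events table is replaced
by an in-memory list (SENT_EVENTS) so the logic can run offline; all sample
data below is constructed for this example.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed configuration in the documented layout: a list of
# [match-dict, {"ttl": ...}] pairs.
SQUELCHER_CONFIG = [
    [{"source.asn": 64496, "source.network": "192.0.2.0/24",
      "classification.type": "vulnerable service"}, {"ttl": 3600}],
    [{"source.iprange": ["198.51.100.10", "198.51.100.20"]}, {"ttl": 86400}],
]


def rule_matches(rule, event):
    """True if every field of `rule` is satisfied by `event`.

    source.network and source.iprange are checked against the event's
    source.ip; any other field must be present with an equal value.
    """
    ip = ipaddress.ip_address(event["source.ip"]) if "source.ip" in event else None
    for key, value in rule.items():
        if key == "source.network":
            if ip is None or ip not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "source.iprange":
            start, end = (ipaddress.ip_address(b) for b in value)
            if ip is None or not start <= ip <= end:
                return False
        elif event.get(key) != value:
            return False
    return True


def lookup_ttl(event, config=SQUELCHER_CONFIG):
    """Return the TTL of the first rule matching `event`, else None."""
    for match, ttl in config:
        if rule_matches(match, event):
            return ttl["ttl"]
    return None


def should_notify(event, sent_events, now, config=SQUELCHER_CONFIG):
    """Compute the notify flag as described in the text.

    `sent_events` stands in for the events table: dicts with the event
    fields plus "time.source" (aware datetime) and "notify" (bool).
    """
    if event.get("extra._origin") == "dnsmalware":
        return False                      # edge case: always squelched
    if "source.asn" not in event:
        return False                      # edge case: no ASN -> ignored
    if "source.ip" not in event and "source.fqdn" in event:
        return True                       # edge case: FQDN only -> notify
    ttl = lookup_ttl(event, config)
    if ttl is None:
        return True   # assumption: an event that no rule matches is notified
    window_start = now - timedelta(seconds=ttl)
    for past in sent_events:
        if not past.get("notify"):
            continue                      # only notified events count
        if past["time.source"] < window_start:
            continue                      # outside the TTL window
        if all(past.get(k) == event.get(k) for k in
               ("source.ip", "classification.type", "classification.identifier")):
            return False                  # already sent within the TTL
    return True


# Constructed sample data.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENT = {"source.asn": 64496, "source.ip": "192.0.2.1",
         "classification.type": "vulnerable service",
         "classification.identifier": "open-telnet"}
SENT_EVENTS = [
    dict(EVENT, notify=True, **{"time.source": NOW - timedelta(minutes=30)}),
]


def demo():
    """Run the documented cases and return their outcomes."""
    return {
        "ttl_network": lookup_ttl(EVENT),
        "ttl_iprange": lookup_ttl({"source.ip": "198.51.100.15"}),
        "ttl_none": lookup_ttl({"source.ip": "198.51.100.21"}),
        "recent_duplicate": should_notify(EVENT, SENT_EVENTS, NOW),
        "expired": should_notify(EVENT, SENT_EVENTS, NOW + timedelta(hours=2)),
        "dnsmalware": should_notify(dict(EVENT, **{"extra._origin": "dnsmalware"}), [], NOW),
        "fqdn_only": should_notify({"source.asn": 1, "source.fqdn": "example.net"}, [], NOW),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Run the module directly to see each case; the first rule is matched through the network block, the second through the IP range, and the same event is squelched only while a notified copy lies inside the TTL window.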
Database index
For good performance of the lookups on source.ip and time.source, create this index:
create index idx_squelch on events("source.ip", "time.source");