IntelMQ Contacts is a contact database for IntelMQ with related expert bots
Project description
Two expert bots to lookup contact information in a database and apply notification rules
Part of the intelmq-cb-mailgen solution.
An overview of the setup can be gained from the IntelMQ Mailgen Docs.
Contact DB
Automatic versus manual contacts
Two types of contacts are supported. Both are modeled with a set of tables that differ in the table name and in some columns.
'Automatic' for externally maintained infos
The tables ending with _automatic
shall hold contact
information that are maintained externally to the system.
They are designed so they can be updated or reimported
in a straight forward way. Several import sources are possible.
Therefore they have columns for import_source
and import_time
in order to later decide which information to use. And there are
no fields for additional information as those informatiom may potentially
get lost or be incorrect if the contents of the database changes
during an update or re-import.
The example for an external import source is contact data from RIPE, please see README-ripe-import.md.
'Manual' to hold special cases
If the automatic contacts contain mistakes or a special case is needed, the "manual" tables (that have no additional name suffix) can be used. The information in the manual tables is to be considered the primary source and maintained within this contact database.
Those special information shall be entered by regular users of the system and should not interfere with the original external data. To keep the system robust and consistent, there are no direct links to the automatic tables.
To add special information to an already existing contact in the automatic tables, all relevant tables entries of this specific automatic contact have to be copied into the manual tables. The manual contact tables lack columns about import source, but have comment and annotations possibilities.
The comments are free-text fields that can be used to record additional information that cannot not be expressed with the existing structured fields. This allows for rare entries or to see what additional info people would like to see in the database in future version of the database schema.
The annotations can be used as general "tags" to steer behaviour of the system that can be configured on the level of administration rights, but selected on the user level. The "simple" tags are designed to best be used to denote a group of properties for sending behaviour that can be combined. It is recommended to keep the numer of tags low. The tags have to be tuned after gaining experience in production use and they will be easy to use if good tags are chosen over time.
The inhibition
-annotations expose a generic way to prevent
sending out information based on field contents of the intelmq event
to users. Which is important if no administrator is available on short notice
or the behaviour is an exception that does not indicate a change in the general
behaviour groups. The inhibition
-annotations are powerful
at the expense of being harder to use.
How to update external sources?
The manual entries have additional information to the automatic ones, but also contain copied parts of the automatic entries.
If an automatic import source is updated, the additional and copied information may be out of date and in need of change.
Example 1: the manual entry corrects a contact email address. With the next update, the email address in the RIPE database is updated to the correct one. Ideally the manual entry is deleted as it is not needed anymore. (Though it does not harm if is kept for a while.)
Example 2: again the manual entry corrects a contact email address. Now a network not is not served anymore by the same organisation coming with the RIPE database update. In this case the CIDR has to be removed from the manuel entry, because otherwise notifications will be send that should not go to the organisation anymore.
As there is no algorithmic way to know which info is better after an update and thus which kind of changes have to be made, a human has to involved.
At time of writing, this has to be done by an administrator, e.g once a week or every two weeks for each import source, like:
- Check diffs if you would import for necessary changes.
- Stop the lookup expert-bot.
- Do the manual changes (e.g. with fody).
- Completly replace the automatic tables of this source with the new version.
- Restart the lookup bot.
For RIPE there is a script that will show the difference between old and new automatic entries and which manual entries are affected by theses changes (see link to the RIPE documentation above).
Database Setup
Requires the python module psycopg2 (which is already installed if you also use the postgresql-output bot).
Requires at least Postgresql v>=9.5 (compare to intelmq-fody-backend).
The following commands assume that PostgreSQL is running and listening on the default port. They create a database called "contactdb" which matches the default configuration of the bot.
su - postgres
createdb --encoding=UTF8 --template=template0 contactdb
psql -f /usr/share/doc/intelmq-certbund-contact/sql/initdb.sql contactdb
A database user with the right to select the data in the Contact DB must be created. This is the account, which will be used in the bot's configuration for accessing the database.
createuser intelmq --pwprompt
psql -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO intelmq;" contactdb
Adding default email tags
The names, values and default values for tags directly associated with an email address have to be saved in the database. (Maybe future version of fody-backend and fody will allow editing them, but as of 2021-02-25 they don't.)
The following example adds two tag names with a few values:
INSERT INTO tag_name (tag_name, tag_name_order) VALUES ('Format', 1);
-- -> id 1
INSERT INTO tag_name (tag_name, tag_name_order) VALUES ('Constituency', 2);
-- -> id 2
COPY tag (tag_name_id, tag_value, tag_description, is_default) FROM STDIN
WITH CSV;
1,CSV_inline,CSV inline,true
1,CSV_attachment,CSV attachment,false
2,network_operators,Network Operators,true
2,government,Government,false
2,CNI,Critical National Infrastructure,false
2,CNI_energy,CNI Energy,false
\.
(Tags for emails have been added with release 0.9.4 in 2019-05.)
Schema Updates
When upgrading to new version take a look at UPDATE.mg.
Adding New Contacts
Contacts can be added to the database directly using SQL. Though most users are expected to use a frontend application like Fody.
When put into the tables for manual contacts, the entries
will take precedence over contacts which
were imported automatically, i.e. by ripe_import.py
.
Connect to the database:
su - postgres
psql contactdb
Add a contact:
-- 1. Prepare contact information
\set asn 3320
-- unique name of the organization:
\set org_name 'org1'
\set org_comment 'Example comment on organization.'
\set contact_email 'test@example.com'
\set contact_comment 'Test comment on contact.'
-- set the notification interval in seconds
-- an interval of -1 means no notifications will be generated
\set notification_interval 0
-- 2. Add new contact
BEGIN TRANSACTION;
INSERT INTO autonomous_system (number) VALUES (:asn);
WITH new_org AS (
INSERT INTO organisation (name,comment)
VALUES (:'org_name',:'org_comment')
RETURNING id
),
new_contact AS (
INSERT INTO contact (email,format_id,comment)
VALUES (:'contact_email', 2, :'contact_comment')
RETURNING id
),
new_ota AS (
INSERT INTO organisation_to_asn (organisation_id,asn_id,notification_interval)
VALUES (
(SELECT id from new_org), :asn, :notification_interval
)
)
INSERT INTO role (organisation_id,contact_id) VALUES (
(SELECT id from new_org),
(SELECT id from new_contact)
)
;
COMMIT TRANSACTION;
Example change tags
If we call the simple text annotations tags, how could we change a tag that has already be used?
Of course the notification rules may have to be changed (see mailgen documentation) and possibly the list of known tags that the fody-backend sends to fody.
For example the following sql command on database contactdb
change the tag whitelist-malware
to Whitelist:Malware
:
BEGIN;
UPDATE autonomous_system_annotation
SET annotation = '{"tag": "Whitelist:Malware"}'
WHERE annotation ->> 'tag' = 'whitelist-malware';
UPDATE organisation_annotation
SET annotation = '{"tag": "Whitelist:Malware"}'
WHERE annotation ->> 'tag' = 'whitelist-malware';
UPDATE network_annotation
SET annotation = '{"tag": "Whitelist:Malware"}'
WHERE annotation ->> 'tag' = 'whitelist-malware';
UPDATE fqdn_annotation
SET annotation = '{"tag": "Whitelist:Malware"}'
WHERE annotation ->> 'tag' = 'whitelist-malware';
COMMIT;
Suppress notification of contacts based upon certain criteria:
It ist possible to suppress the notification of contacts based upon certain criteria. Such can be: AS-number, IP addresses, FQDN, or Organisations.
To suppress notifications for such an Object, one has to create an annotation to such an Object.
Remember: It's up to the Rule Expert
to determine if such an annotation is
evaluated or not.
Generating a graphic which visualizes the schema of the ContactDB
You can use postgresql-autodoc
to do this. PG autodoc is available on both
debian and ubuntu via apt.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file intelmq_certbund_contact-0.9.8.tar.gz
.
File metadata
- Download URL: intelmq_certbund_contact-0.9.8.tar.gz
- Upload date:
- Size: 48.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/6.0.0 pkginfo/1.9.6 requests/2.28.2 requests-toolbelt/0.9.1 tqdm/4.64.1 CPython/3.8.16
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | a4800e4ab395f43e9cbf36e688b671883f3baca8410e8106ad0e8fef505e0b93 |
|
MD5 | b7a0913407cd3963534fbda56b523476 |
|
BLAKE2b-256 | ef2e1564eead66decb0c13f69deceb932ec28ecebcc6eb5da960d66fd60f5cda |
File details
Details for the file intelmq_certbund_contact-0.9.8-py3-none-any.whl
.
File metadata
- Download URL: intelmq_certbund_contact-0.9.8-py3-none-any.whl
- Upload date:
- Size: 54.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/6.0.0 pkginfo/1.9.6 requests/2.28.2 requests-toolbelt/0.9.1 tqdm/4.64.1 CPython/3.8.16
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 9f25f44a20648dc8315ee3e1b632a891e3f325fed9b6cb9b30e74d4ae40d3a2b |
|
MD5 | 448e9f54737cbf614122440c0e9bd1a1 |
|
BLAKE2b-256 | 9a7ecfd9766363e5bb514b9e92221fb8b358b1f8f46e6c29757190728e5f0fdf |