lib, bots, doc: STOMP/*n6*-related fixes/enhancements, also ad security

SSL-related changes -- regarding `intelmq.lib.mixins.StompMixin` and, therefore, also the *STOMP collector* bot (`StompCollectorBot` defined in `intelmq.bots.collectors.stomp.collector`) and the *STOMP output* bot (`StompOutputBot` defined in `intelmq.bots.outputs.stomp.output`) -- have been made:

* *Security*-focused: fixed certain security problems which were caused by the fact that certain versions of the `stomp.py` library we need to be compatible with use the `ssl` module's tools in such ways that suffer from certain *security weaknesses*. In particular, `stomp.py` in versions `< 4.1.12` uses a deprecated helper: `ssl.wrap_socket()`; and, on the other hand, `stomp.py >=8.0, <8.1` mistakenly creates an `SSLContext` instance with the `check_hostname` flag unset; in both cases, an important negative effect is that the hostname of the STOMP server is *not* checked during the TLS handshake (making all STOMP communication vulnerable to certain kinds of attacks...). Also, there are weaknesses (caused either by `stomp.py` or by older, yet still supported by IntelMQ, Python versions) of using too old versions of the TLS protocol (namely: 1.0 and 1.1 -- today considered insecure).

* *Admin convenience*-focused: from now on, for each of the STOMP bots, you can set the `ssl_ca_certificate` config param to an empty string -- dictating that the SSL tools employed by the `stomp.py`'s machinery will attempt to load the system's default CA certificates. Thanks to that, administrators of the given IntelMQ instance can be relieved of the fuss with manual updates of the CA certificate(s) file -- *if* the certificate of the STOMP server can be verified using some of the publicly available CA certificates which are part of nearly all mainstream operating system distributions (this will be the case with the server certificate of the new variant of the *n6* Stream API, that is, the variant with STOMP-login-and-passcode-based authentication).

An important part of the implementation of the aforementioned changes is a non-public class, `intelmq.lib.mixins.stomp._StompPyDedicatedSSLProxy` -- which implements a kind of transparent proxy object that wraps the `ssl` attribute of the `stomp.transport` module (originally set to the `ssl` module object), replacing some of the `ssl` module's tools with their patched variants (note that the `ssl` module itself and all its members are left untouched).

The parts of the IntelMQ's documentation related to those STOMP bots + integration with *n6* (including the CERT.PL's "N6 Stomp Stream" feed description) have been appropriately updated and slightly improved; also, the changelog has been updated.
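The proxy-object approach described in the commit message, as an added example written for this page; it is not IntelMQ's own code (the project's `_StompPyDedicatedSSLProxy` is non-public and its source is not shown here). The example builds a small transparent proxy over the `ssl` module that forces hostname verification, `CERT_REQUIRED` and TLS 1.2 or newer, installs it as the `ssl` attribute of a stand-in for `stomp.transport` (a constructed `types.SimpleNamespace`, so the example runs without stomp.py installed), and audits a context shaped the way the message describes for the affected stomp.py versions. The names `HardenedSSLProxy`, `audit_context`, `install_proxy`, `context_like_affected_stomp_py` and the `ca_certificate` argument are assumptions of this example; an empty `ca_certificate` falls back to the system CA store, mirroring the empty `ssl_ca_certificate` setting the message introduces.

```python
import ssl
import types


def audit_context(ctx):
    """Return a list of TLS-client weaknesses found on an SSLContext.

    Checks the three properties the commit message is concerned with:
    hostname verification, certificate verification and the minimum
    protocol version.
    """
    findings = []
    if not ctx.check_hostname:
        findings.append("check_hostname is off: the server name is never "
                        "matched against its certificate")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is not pinned: TLS 1.0/1.1 may be "
                        "negotiated")
    return findings


def context_like_affected_stomp_py():
    """Constructed approximation (not stomp.py's code) of the weak shape the
    commit message attributes to stomp.py >=8.0,<8.1: a context whose
    check_hostname flag is left unset (set False explicitly here, because
    PROTOCOL_TLS_CLIENT defaults it to True) and whose minimum TLS version
    is not pinned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


class HardenedSSLProxy:
    """Transparent proxy over the `ssl` module (assumed design, modelled on
    the commit message's description of the proxy object, not its source).

    Every attribute not overridden here is forwarded untouched to the real
    module, so `ssl` itself is never modified; only the context-building
    entry points a client library calls are replaced.
    """

    def __init__(self, ca_certificate="", wrapped=ssl):
        self._wrapped = wrapped
        # Empty string -> system default CA store (mirrors the empty
        # `ssl_ca_certificate` setting described in the commit message).
        self._ca_certificate = ca_certificate

    def __getattr__(self, name):
        return getattr(self._wrapped, name)

    def _build_context(self):
        ctx = self._wrapped.SSLContext(self._wrapped.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = self._wrapped.TLSVersion.TLSv1_2
        ctx.check_hostname = True
        ctx.verify_mode = self._wrapped.CERT_REQUIRED
        if self._ca_certificate:
            ctx.load_verify_locations(cafile=self._ca_certificate)
        else:
            ctx.load_default_certs(self._wrapped.Purpose.SERVER_AUTH)
        return ctx

    def create_default_context(self, *args, **kwargs):
        # Whatever the caller asked for, hand back a hardened context.
        return self._build_context()

    def wrap_socket(self, sock, *args, server_hostname=None, **kwargs):
        # Refuse to wrap without a server name: without it there is nothing
        # to match the certificate's subject against.
        if not server_hostname:
            raise ValueError("server_hostname is required for hostname "
                             "verification")
        return self._build_context().wrap_socket(
            sock, server_hostname=server_hostname)


def install_proxy(transport_module, ca_certificate=""):
    """Replace `transport_module.ssl` with the proxy and return the proxy."""
    proxy = HardenedSSLProxy(ca_certificate, wrapped=transport_module.ssl)
    transport_module.ssl = proxy
    return proxy


def fake_transport_module():
    """Constructed stand-in for `stomp.transport`: its `ssl` attribute is
    initially the real `ssl` module, as the commit message describes."""
    return types.SimpleNamespace(ssl=ssl)


if __name__ == "__main__":
    print("affected-style context:",
          audit_context(context_like_affected_stomp_py()))
    transport = fake_transport_module()
    install_proxy(transport)
    print("proxied context:",
          audit_context(transport.ssl.create_default_context()))
```

Run as a script it prints the findings for the weak context and an empty list for the proxied one. The audit function is also usable on its own against whatever context a library hands you, which is the check a practitioner wants before trusting a third-party TLS wrapper.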
Showing 6 changed files with 406 additions and 20 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -1153,14 +1153,36 @@ providers: | |
Note that 'rate_limit' does not apply to this bot, as it is waiting for messages | ||
on a stream. | ||
additional_information: Contact CERT.pl to get access to the feed. | ||
Note that the configuration parameter values suggested here are | ||
proper to the new *n6* Stream API variant (with authentication | ||
based on 'username' and 'password'); for this variant, typically | ||
you can leave the 'ssl_ca_certificate' parameter's value empty - | ||
then the system's default CA certificates will be used; however, | ||
if that does not work, you need to set 'ssl_ca_certificate' to | ||
the path to a file containing CA certificates eligible to verify | ||
"*.cert.pl" server certificates (to be found among the publicly | ||
available CA certs distributed with modern web browsers/OSes). | ||
Also, note that the 'server' parameter's value (for the *new API | ||
variant*) suggested here, "n6stream-new.cert.pl", is a temporary | ||
domain; ultimately, it will be changed back to "stream.cert.pl". | ||
When it comes to the *old API variant* (turned off in November | ||
2023!), you need to have the 'server' parameter set to the name | ||
"n6stream.cert.pl", 'auth_by_ssl_client_certificate' set to | ||
true, 'ssl_ca_certificate' set to the path to a file containing | ||
the *n6*'s legacy self-signed CA certificate (which is stored in | ||
file "intelmq/bots/collectors/stomp/ca.pem"), and the parameters | ||
'ssl_client_certificate' and 'ssl_client_certificate_key' set to | ||
the paths to your-*n6*-client-specific certificate and key files | ||
(note that the 'username' and 'password' parameters are then | ||
irrelevant and can be omitted). | ||
bots: | ||
collector: | ||
module: intelmq.bots.collectors.stomp.collector | ||
parameters: | ||
exchange: "{insert your STOMP *destination* to subscribe to, as given by CERT.pl, e.g. /exchange/my.example.org/*.*.*.*}" | ||
server: n6stream.cert.pl | ||
server: "n6stream-new.cert.pl" | ||
port: 61614 | ||
ssl_ca_certificate: "{insert path to CA file for CERT.pl's n6}" | ||
ssl_ca_certificate: "" | ||
auth_by_ssl_client_certificate: false | ||
username: "{insert your *n6* login, e.g. [email protected]}" | ||
password: "{insert your *n6* API key}" | ||
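Review bot: the `additional_information` text in this hunk says the temporary server name "n6stream-new.cert.pl" will "ultimately ... be changed back to "stream.cert.pl"", but the value this same hunk removes is `server: n6stream.cert.pl`, so one of the two names is wrong (or "changed back" should read "changed"). Also, the fallback instruction for a failing default-CA lookup ("set 'ssl_ca_certificate' to the path to a file containing CA certificates eligible to verify "*.cert.pl" server certificates") would help administrators more if it named the distribution's CA bundle as the intended file and said explicitly that the legacy self-signed `intelmq/bots/collectors/stomp/ca.pem` mentioned a few lines later must not be used for the new variant, since a private CA cannot verify a publicly issued server certificate; with `ssl_ca_certificate: ""` now the suggested value, pointing that parameter at the old CA file is the most likely misconfiguration.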
@@ -1169,7 +1191,7 @@ providers: | |
parser: | ||
module: intelmq.bots.parsers.n6.parser_n6stomp | ||
parameters: | ||
revision: 2023-09-23 | ||
revision: 2023-10-08 | ||
documentation: https://n6.readthedocs.io/usage/streamapi/ | ||
public: false | ||
AlienVault: | ||
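Review bot: `revision` is bumped to 2023-10-08, but the `additional_information` text added in the previous hunk describes the old API variant as "turned off in November 2023!", i.e. in the past tense for a date after this revision; either phrase it as a planned shutdown ("to be turned off in November 2023") or bump `revision` again once the shutdown has happened, so the feed metadata and its prose agree.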