----------
Configuration
* The deduplicator expert requires a new parameter `filter_type`; the previous default was `blacklist`. The key `ignore_keys` has been renamed to `filter_keys`.
* The tor_nodes expert has a new parameter `overwrite`, which defaults to `false`.
* The configuration format of the modify expert has been changed to a list-based syntax.
Old format:
```json
{
    "Blocklist.de": {
        "__default": [{
            "feed.name": "^BlockList\\.de$",
            "classification.identifier": ""
        }, {
        }]
    },
    ...
}
```
New format:
```json
[
    {
        "rulename": "Blocklist.de __default",
        "if": {
            "classification.identifier": "",
            "feed.name": "^BlockList\\.de$"
        },
        "then": {}
    },
    ...
]
```
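The mapping between the two formats shown above can be applied mechanically. The following converter is an added example, not code shipped with the project; the function name `convert_modify_config` and the second sample group ("Example Feed") are assumptions made for illustration.

```python
import json


def convert_modify_config(old):
    """Convert a dict-based modify configuration to the list-based syntax.

    Old: {group: {rule: [condition, action]}}
    New: [{"rulename": "group rule", "if": condition, "then": action}]
    """
    if isinstance(old, list):
        return old  # already list-based, nothing to do
    if not isinstance(old, dict):
        raise ValueError("top level must be a JSON object or array")
    rules = []
    # json.loads keeps key order, so rules come out in file order.
    for group_name, group in old.items():
        if not isinstance(group, dict):
            raise ValueError(f"group {group_name!r} is not an object")
        for rule_name, rule in group.items():
            # Each old rule is a two-element list: [condition, action].
            if (not isinstance(rule, list) or len(rule) != 2
                    or not all(isinstance(part, dict) for part in rule)):
                raise ValueError(
                    f"rule {group_name!r}/{rule_name!r} must be [condition, action]")
            condition, action = rule
            rules.append({"rulename": f"{group_name} {rule_name}",
                          "if": condition,
                          "then": action})
    return rules


# Constructed sample: the first group is the one from the text above,
# the second group is made up for this example.
OLD_SAMPLE = json.loads(r'''
{
    "Blocklist.de": {
        "__default": [{"feed.name": "^BlockList\\.de$",
                       "classification.identifier": ""}, {}]
    },
    "Example Feed": {
        "set-identifier": [{"feed.name": "^Example$"},
                           {"classification.identifier": "example"}]
    }
}
''')

if __name__ == "__main__":
    print(json.dumps(convert_modify_config(OLD_SAMPLE), indent=4))
```

Malformed rules raise `ValueError` instead of being dropped silently, so a partially converted file is never written.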
Libraries
The built-in Alienvault OTX API library has been removed; install the library from GitHub instead. See the [README.md](intelmq/bots/collectors/alienvault_otx/README.md) for details.
Postgres databases
Use the following statement carefully to upgrade your database.
Take care that no data will be lost, the statement may not be complete!
Also note that size constraints have changed!
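```sql
-- Add the new column
ALTER TABLE events
   ADD COLUMN "feed.documentation" text;

-- Open-LDAP: move the hostname from destination to source where source is empty
UPDATE events
   SET "source.local_hostname"="destination.local_hostname",
       "destination.local_hostname"=DEFAULT
   WHERE "feed.name"='Open-LDAP' AND "source.local_hostname" IS NULL;

-- Cyberfeed: keep only the first 37 characters of the URL, dropping the key value
UPDATE events
   SET "feed.url" = substring("feed.url" from 1 for 37)
   WHERE SUBSTRING("feed.url" from 1 for 38) = 'https://prod.cyberfeed.net/stream?key=';

-- Malware Patrol: remove the receipt parameter from the URL
UPDATE events
   SET "feed.url" = regexp_replace("feed.url", 'receipt=([^&])*', '')
   WHERE substring("feed.url" from 1 for 43) = 'https://lists.malwarepatrol.net/cgi/getfile';

-- Phishtank: keep only the first 36 characters of the URL
-- Note: the literal below is 32 characters long while the comparison takes
-- 37 characters; check both lengths against your stored URLs.
UPDATE events
   SET "feed.url" = substring("feed.url" from 1 for 36)
   WHERE SUBSTRING("feed.url" from 1 for 37) = 'https://data.phishtank.com/data/';

-- Normalize the taxonomy to lower case
UPDATE events
   SET "classification.taxonomy" = lower("classification.taxonomy")
   WHERE "classification.taxonomy" IS NOT NULL;
```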