Is it possible to set a field in the properties file?

[Kick Megatron]

HI, I use the below field to store the infection type, which I also use with reporting (statistics). 

parser.item.additionalItem.infection

The infection type however is not always available in the line to parse (like shadowserver-cc-ip.properties).

Is it possible to set such a field with a static value, like

*.item.additionalItem.infection == ‘Botnet-CC'

Thanks,

Kick

[Tor Johnson]

> Is it possible to set such a field with a static value

Yes, with a field "rewriter" you can. It can replace an
empty string with a static string, e.g. 'Botnet-CC'.

The syntax for rewriters are the following [1]:

<attribute name>:<from>--><replace with>

For example, this will rewrite "http" to "hxxp" [2]:

# Rewrite malicious links (http --> hxxp and https --> hxxps)
export.rewriters.0=url:(?i)(h)tt(ps{0,1}://.+)-->$1xx$2

In your case the expression will be the following:

export.rewriters.0=additionalItem_infection:^$-->Botnet-CC

Disclaimer: I have not tested it but it should work -- as developers say :)

This property can be handy if you need to trim whitespaces:

# Remove leading and trailing whitespaces from parsed value.
parser.trimValue=true

[1] https://github.com/cert-se/megatron-java/blob/master/conf/dev/megatron-globals.properties
[2] https://github.com/cert-se/megatron-java/blob/master/conf/job-type/brobot.properties

/Tor