new: Add email object generator

2018-03-18 23:21:29 +01:00 · 2018-03-18 23:21:29 +01:00 · 5c6314c45c
parent fdd9833cd0
commit 5c6314c45c
2 changed files with 78 additions and 0 deletions
--- a/examples/add_email_object.py
+++ b/examples/add_email_object.py
@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from pymisp.tools import EMailObject
+import traceback
+from keys import misp_url, misp_key, misp_verifycert
+import glob
+import argparse
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Extract indicators out of binaries and add MISP objects to a MISP instance.')
+    parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
+    parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
+    args = parser.parse_args()
+
+    pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)
+
+    for f in glob.glob(args.path):
+        try:
+            eo = EMailObject(f)
+        except Exception as e:
+            traceback.print_exc()
+            continue
+
+        if eo:
+            template_id = pymisp.get_object_template_id(eo.template_uuid)
+            response = pymisp.add_object(args.event, template_id, eo)
+            for ref in eo.ObjectReference:
+                r = pymisp.add_object_reference(ref)
--- a/pymisp/tools/emailobject.py
+++ b/pymisp/tools/emailobject.py
@ -0,0 +1,47 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from ..exceptions import InvalidMISPObject
+from .abstractgenerator import AbstractMISPObjectGenerator
+from io import BytesIO
+import logging
+from email import message_from_bytes
+
+logger = logging.getLogger('pymisp')
+
+
+class EMailObject(AbstractMISPObjectGenerator):
+
+    def __init__(self, filepath=None, pseudofile=None, standalone=True, **kwargs):
+        if filepath:
+            with open(filepath, 'rb') as f:
+                pseudofile = BytesIO(f.read())
+        elif pseudofile and isinstance(pseudofile, BytesIO):
+            pseudofile = pseudofile
+        else:
+            raise InvalidMISPObject('File buffer (BytesIO) or a path is required.')
+        # PY3 way:
+        # super().__init__('file')
+        super(EMailObject, self).__init__('email', standalone=standalone, **kwargs)
+        self.__email = message_from_bytes(pseudofile.getvalue())
+        self.generate_attributes()
+
+    def generate_attributes(self):
+        if 'Reply-To' in self.__email:
+            self.add_attribute('reply-to', value=self.__email['Reply-To'])
+        if 'Message-ID' in self.__email:
+            self.add_attribute('message-id', value=self.__email['Message-ID'])
+        if 'To' in self.__email:
+            for to in self.__email['To'].split(','):
+                self.add_attribute('to', value=to.strip())
+        if 'Cc' in self.__email:
+            for cc in self.__email['Cc'].split(','):
+                self.add_attribute('cc', value=cc.strip())
+        if 'Subject' in self.__email:
+            self.add_attribute('subject', value=self.__email['Subject'])
+        if 'From' in self.__email:
+            for e_from in self.__email['From'].split(','):
+                self.add_attribute('from', value=e_from.strip())
+        if 'Return-Path' in self.__email:
+            self.add_attribute('return-path', value=self.__email['Return-Path'])
+        # TODO: self.add_attribute('attachment', value=)