From 5c6314c45c7d53fb923df1dfc330e885037e69c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Sun, 18 Mar 2018 23:21:29 +0100
Subject: [PATCH] new: Add email object generator
---
examples/add_email_object.py | 31 ++++++++++++++++++++++++
pymisp/tools/emailobject.py | 47 ++++++++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+)
create mode 100755 examples/add_email_object.py
create mode 100644 pymisp/tools/emailobject.py
diff --git a/examples/add_email_object.py b/examples/add_email_object.py
new file mode 100755
index 0000000..1ff1c87
--- /dev/null
+++ b/examples/add_email_object.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from pymisp.tools import EMailObject
+import traceback
+from keys import misp_url, misp_key, misp_verifycert
+import glob
+import argparse
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Extract indicators out of binaries and add MISP objects to a MISP instance.')
+ parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
+ parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
+ args = parser.parse_args()
+
+ pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)
+
+ for f in glob.glob(args.path):
+ try:
+ eo = EMailObject(f)
+ except Exception as e:
+ traceback.print_exc()
+ continue
+
+ if eo:
+ template_id = pymisp.get_object_template_id(eo.template_uuid)
+ response = pymisp.add_object(args.event, template_id, eo)
+ for ref in eo.ObjectReference:
+ r = pymisp.add_object_reference(ref)
diff --git a/pymisp/tools/emailobject.py b/pymisp/tools/emailobject.py
new file mode 100644
index 0000000..a2e2001
--- /dev/null
+++ b/pymisp/tools/emailobject.py
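Review bot: In `examples/add_email_object.py` the results of `pymisp.add_object(...)` and `pymisp.add_object_reference(ref)` are assigned to `response` and `r` but never inspected, so if the client reports a failure in its return value rather than raising (not visible here), a rejected upload passes silently and the analyst assumes the e-mail's indicators reached the event. Print or check both results, and skip the reference loop when the object itself was not created. The `argparse` description still reads "Extract indicators out of binaries"; for this script it should be something like `description='Extract indicators out of e-mail files and add MISP objects to a MISP instance.'`. `except Exception as e:` also binds `e` without using it.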
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from ..exceptions import InvalidMISPObject
+from .abstractgenerator import AbstractMISPObjectGenerator
+from io import BytesIO
+import logging
+from email import message_from_bytes
+
+logger = logging.getLogger('pymisp')
+
+
+class EMailObject(AbstractMISPObjectGenerator):
+
+ def __init__(self, filepath=None, pseudofile=None, standalone=True, **kwargs):
+ if filepath:
+ with open(filepath, 'rb') as f:
+ pseudofile = BytesIO(f.read())
+ elif pseudofile and isinstance(pseudofile, BytesIO):
+ pseudofile = pseudofile
+ else:
+ raise InvalidMISPObject('File buffer (BytesIO) or a path is required.')
+ # PY3 way:
+ # super().__init__('file')
+ super(EMailObject, self).__init__('email', standalone=standalone, **kwargs)
+ self.__email = message_from_bytes(pseudofile.getvalue())
+ self.generate_attributes()
+
+ def generate_attributes(self):
+ if 'Reply-To' in self.__email:
+ self.add_attribute('reply-to', value=self.__email['Reply-To'])
+ if 'Message-ID' in self.__email:
+ self.add_attribute('message-id', value=self.__email['Message-ID'])
+ if 'To' in self.__email:
+ for to in self.__email['To'].split(','):
+ self.add_attribute('to', value=to.strip())
+ if 'Cc' in self.__email:
+ for cc in self.__email['Cc'].split(','):
+ self.add_attribute('cc', value=cc.strip())
+ if 'Subject' in self.__email:
+ self.add_attribute('subject', value=self.__email['Subject'])
+ if 'From' in self.__email:
+ for e_from in self.__email['From'].split(','):
+ self.add_attribute('from', value=e_from.strip())
+ if 'Return-Path' in self.__email:
+ self.add_attribute('return-path', value=self.__email['Return-Path'])
+ # TODO: self.add_attribute('attachment', value=)
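Review bot: Splitting the `To`, `Cc` and `From` headers on `,` in `generate_attributes` mis-parses address lists taken from untrusted mail samples: a quoted display name such as `"Doe, John" <jd@example.com>` (constructed example) becomes two bogus attributes, and `self.__email['To']` yields only one value when the header is repeated. Since these values end up as indicators in the event, parse them with `getaddresses` from `email.utils` over `get_all(...)`; whether the relation should hold the bare address or the name/address pair depends on the object template, which is not visible here. Separately, RFC 2047 encoded words in `Subject` are stored undecoded under the default policy of `message_from_bytes`, and in `__init__` the `elif` branch's `pseudofile = pseudofile` is a no-op.

```python
    def generate_attributes(self):
        # … unchanged: reply-to, message-id, subject, return-path …
        for header, relation in (('To', 'to'), ('Cc', 'cc'), ('From', 'from')):
            # get_all() picks up repeated headers; getaddresses() honours quoted display names.
            for _name, address in getaddresses(self.__email.get_all(header, [])):
                if address:
                    self.add_attribute(relation, value=address)
```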