mail_to_misp/mail_to_misp_config.py-example

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
import os

misp_url = 'YOUR_MISP_URL'
misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section
misp_verifycert = True
m2m_key = 'YOUSETYOURKEYHERE'
m2m_auto_distribution = '3' # 3 = All communities
m2m_attachment_keyword = 'attachment:benign'

debug = False
nameservers = ['149.13.33.69']
email_subject_prefix = b'M2M - '
attach_original_mail = True

# Paths (should be automatic)
bindir = os.path.dirname(os.path.realpath(__file__))
cfgdir = os.path.dirname(os.path.realpath(__file__))
scriptname = 'mail_to_misp.py'
binpath = os.path.join(bindir, scriptname)

# for the SPAM trap
smtp_addr = "127.0.0.1"
smtp_port = 25

excludelist = ('google.com', 'microsoft.com')
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
internallist = ('internal.system.local')
noidsflaglist = (   'myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net', 
                    'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com', 
                    'dropbox.com'
                )

# Stop parsing when this term is found
stopword = 'Whois & IP Information'

# Ignore lines in body of message containing:
ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender IP: .*\n?",
                    ".*Reply-To: .*\n?", ".*Registrar WHOIS Server: .*\n?", ".*Registrar: .*\n?",
                    ".*Domain Status: .*\n?", ".*Registrant Email: .*\n?", ".*IP Location: .*\n?",
                    ".*X-Get-Message-Sender-Via: .*\n?", ".*X-Authenticated-Sender: .*\n")

# Ignore (don't add) attributes that are on server side warning list
enforcewarninglist=True

# Add a sighting for each value
sighting=True
sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER"

# Remove "[tags]", "Re: ", "Fwd: " from subject
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")

# TLP tag setup
# Tuples contain different variations of spelling
tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ],
            'tlp:green': [ 'tlp:green', 'tlp: green', 'tlp green' ],
            'tlp:white': [ 'tlp:white', 'tlp: white', 'tlp white' ]
          }
tlptag_default = sorted(tlptags.keys())[0]

malwaretags = { 'locky':    [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ],
                'jaff':     [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"' ],
                'dridex':   [ 'misp-galaxy:tool="dridex"' ],
                'netwire':  [ 'Netwire RAT' ],
                'Pony':     [ 'misp-galaxy:tool="Hancitor"' ],
                'ursnif':   [ 'misp-galaxy:tool="Snifula"' ],
                'NanoCore': [ 'misp-galaxy:tool="NanoCoreRAT"' ],
                'trickbot': [ 'misp-galaxy:tool="Trick Bot"' ]
              }

# Tags to be set depending on the presence of other tags
dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]
                }

# Known identifiers for forwarded messages 
forward_identifiers = { '-------- Forwarded Message --------', 'Begin forwarded message:' }

# Tags to add when hashes are found (e.g. to do automatic expansion)
hash_only_tags = { 'TODO:VT-ENRICHMENT' }

# If an attribute is on any MISP server side `warning list`, skip the creation of the attribute
skip_item_on_warninglist = True
fixes 2017-06-01 17:00:32 +02:00			`#!/usr/bin/env python3`
debug print removed 2017-05-30 12:21:40 +02:00			`# -- coding: utf-8 --`
added forgotten imports 2017-06-01 16:19:58 +02:00			`import sys`
			`import os`
initial commit 2017-04-27 13:58:49 +02:00
			`misp_url = 'YOUR_MISP_URL'`
			`misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section`
			`misp_verifycert = True`
Feature request #14 - auto publish when key is given 2018-04-03 11:09:54 +02:00			`m2m_key = 'YOUSETYOURKEYHERE'`
			`m2m_auto_distribution = '3' # 3 = All communities`
added feature #14 (2): configurable attachment upload 2018-04-03 11:46:04 +02:00			`m2m_attachment_keyword = 'attachment:benign'`
initial commit 2017-04-27 13:58:49 +02:00
set debug to False by default 2017-05-23 15:19:31 +02:00			`debug = False`
initial commit 2017-04-27 13:58:49 +02:00			`nameservers = ['149.13.33.69']`
logging via syslog 2017-05-30 11:24:30 +02:00			`email_subject_prefix = b'M2M - '`
optionally add original mail to MISP 2017-05-31 15:45:53 +02:00			`attach_original_mail = True`
initial commit 2017-04-27 13:58:49 +02:00
introduction of fake-smtp 2017-06-01 15:07:51 +02:00			`# Paths (should be automatic)`
			`bindir = os.path.dirname(os.path.realpath(__file__))`
			`cfgdir = os.path.dirname(os.path.realpath(__file__))`
			`scriptname = 'mail_to_misp.py'`
			`binpath = os.path.join(bindir, scriptname)`

			`# for the SPAM trap`
			`smtp_addr = "127.0.0.1"`
			`smtp_port = 25`

refactored to be more reliable (e.g. charset detection) 2017-05-31 14:52:47 +02:00			`excludelist = ('google.com', 'microsoft.com')`
			`externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')`
			`internallist = ('internal.system.local')`
			`noidsflaglist = ( 'myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net',`
			`'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com',`
			`'dropbox.com'`
			`)`
updated config example 2017-05-17 09:54:24 +02:00
			`# Stop parsing when this term is found`
config example fixed 2017-06-30 08:35:50 +02:00			`stopword = 'Whois & IP Information'`
initial commit 2017-04-27 13:58:49 +02:00
made ignorelists even more configurable 2017-05-30 16:35:29 +02:00			`# Ignore lines in body of message containing:`
config example fixed 2017-06-30 08:35:50 +02:00			`ignorelist = (".From: .\n?", ".Sender: .\n?", ".Received: .\n?", ".Sender IP: .\n?",`
			`".Reply-To: .\n?", ".Registrar WHOIS Server: .\n?", ".Registrar: .\n?",`
			`".Domain Status: .\n?", ".Registrant Email: .\n?", ".IP Location: .\n?",`
			`".X-Get-Message-Sender-Via: .\n?", ".X-Authenticated-Sender: .\n")`
made ignorelists even more configurable 2017-05-30 16:35:29 +02:00
implemented option to skip creation of attributes on warning list 2017-12-20 14:26:30 +01:00			`# Ignore (don't add) attributes that are on server side warning list`
			`enforcewarninglist=True`

added support for sighting of values 2017-12-20 16:08:27 +01:00			`# Add a sighting for each value`
			`sighting=True`
fixed distribution, added sighting source 2017-12-21 11:55:23 +01:00			`sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER"`
added support for sighting of values 2017-12-20 16:08:27 +01:00
made ignorelists even more configurable 2017-05-30 16:35:29 +02:00			`# Remove "[tags]", "Re: ", "Fwd: " from subject`
refactored to be more reliable (e.g. charset detection) 2017-05-31 14:52:47 +02:00			`removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")`
made ignorelists even more configurable 2017-05-30 16:35:29 +02:00
initial commit 2017-04-27 13:58:49 +02:00			`# TLP tag setup`
			`# Tuples contain different variations of spelling`
fixed order 2017-05-29 17:15:52 +02:00			`tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ],`
more tlp fix-ups 2017-05-29 10:53:10 +02:00			`'tlp:green': [ 'tlp:green', 'tlp: green', 'tlp green' ],`
fixed order 2017-05-29 17:15:52 +02:00			`'tlp:white': [ 'tlp:white', 'tlp: white', 'tlp white' ]`
initial commit 2017-04-27 13:58:49 +02:00			`}`
fixed the tlp selection 2017-05-29 17:26:39 +02:00			`tlptag_default = sorted(tlptags.keys())[0]`
initial commit 2017-04-27 13:58:49 +02:00
			`malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ],`
config example fixed 2017-06-30 08:35:50 +02:00			`'jaff': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"' ],`
initial commit 2017-04-27 13:58:49 +02:00			`'dridex': [ 'misp-galaxy:tool="dridex"' ],`
config example fixed 2017-06-30 08:35:50 +02:00			`'netwire': [ 'Netwire RAT' ],`
			`'Pony': [ 'misp-galaxy:tool="Hancitor"' ],`
			`'ursnif': [ 'misp-galaxy:tool="Snifula"' ],`
			`'NanoCore': [ 'misp-galaxy:tool="NanoCoreRAT"' ],`
			`'trickbot': [ 'misp-galaxy:tool="Trick Bot"' ]`
initial commit 2017-04-27 13:58:49 +02:00			`}`
config example fixed 2017-06-30 08:35:50 +02:00
initial commit 2017-04-27 13:58:49 +02:00			`# Tags to be set depending on the presence of other tags`
			`dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]`
			`}`

identify forwarded messages 2017-05-29 15:36:27 +02:00			`# Known identifiers for forwarded messages`
config example fixed 2017-06-30 08:35:50 +02:00			`forward_identifiers = { '-------- Forwarded Message --------', 'Begin forwarded message:' }`
identify forwarded messages 2017-05-29 15:36:27 +02:00
added additional tags based on finding of hashes 2017-05-22 09:43:44 +02:00			`# Tags to add when hashes are found (e.g. to do automatic expansion)`
			`hash_only_tags = { 'TODO:VT-ENRICHMENT' }`
fixed the tlp selection 2017-05-29 17:26:39 +02:00
implemented option to skip creation of attributes on warning list 2017-12-20 14:26:30 +01:00			# If an attribute is on any MISP server side `warning list`, skip the creation of the attribute
			`skip_item_on_warninglist = True`