2017-06-01 17:00:32 +02:00
|
|
|
#!/usr/bin/env python3
|
2017-05-30 12:21:40 +02:00
|
|
|
# -*- coding: utf-8 -*-
|
2017-06-01 16:19:58 +02:00
|
|
|
import sys
|
|
|
|
|
import os
|
2017-04-27 13:58:49 +02:00
|
|
|
|
|
|
|
|
misp_url = 'YOUR_MISP_URL'
|
|
|
|
|
misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section
|
|
|
|
|
misp_verifycert = True
|
|
|
|
|
|
2017-05-23 15:19:31 +02:00
|
|
|
debug = False
|
2017-04-27 13:58:49 +02:00
|
|
|
nameservers = ['149.13.33.69']
|
2017-05-30 11:24:30 +02:00
|
|
|
email_subject_prefix = b'M2M - '
|
2017-05-31 15:45:53 +02:00
|
|
|
attach_original_mail = True
|
2017-04-27 13:58:49 +02:00
|
|
|
|
2017-06-01 15:07:51 +02:00
|
|
|
# Paths (should be automatic)
|
|
|
|
|
bindir = os.path.dirname(os.path.realpath(__file__))
|
|
|
|
|
cfgdir = os.path.dirname(os.path.realpath(__file__))
|
|
|
|
|
scriptname = 'mail_to_misp.py'
|
|
|
|
|
binpath = os.path.join(bindir, scriptname)
|
|
|
|
|
|
|
|
|
|
# for the SPAM trap
|
|
|
|
|
smtp_addr = "127.0.0.1"
|
|
|
|
|
smtp_port = 25
|
|
|
|
|
|
2017-05-31 14:52:47 +02:00
|
|
|
excludelist = ('google.com', 'microsoft.com')
|
|
|
|
|
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
|
|
|
|
|
internallist = ('internal.system.local')
|
|
|
|
|
noidsflaglist = ( 'myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net',
|
|
|
|
|
'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com',
|
|
|
|
|
'dropbox.com'
|
|
|
|
|
)
|
2017-05-17 09:54:24 +02:00
|
|
|
|
|
|
|
|
# Stop parsing when this term is found
|
2017-05-29 17:06:46 +02:00
|
|
|
stopword = b'Whois & IP Information'
|
2017-04-27 13:58:49 +02:00
|
|
|
|
2017-05-30 16:35:29 +02:00
|
|
|
# Ignore lines in body of message containing:
|
2017-05-31 14:52:47 +02:00
|
|
|
ignorelist = ( ".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender IP: .*\n?",
|
|
|
|
|
".*Reply-To: .*\n?", ".*Registrar WHOIS Server: .*\n?", ".*Registrar: .*\n?",
|
|
|
|
|
".*Domain Status: .*\n?", ".*Registrant Email: .*\n?", ".*IP Location: .*\n?"
|
|
|
|
|
)
|
2017-05-30 16:35:29 +02:00
|
|
|
|
|
|
|
|
# Remove "[tags]", "Re: ", "Fwd: " from subject
|
2017-05-31 14:52:47 +02:00
|
|
|
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
|
2017-05-30 16:35:29 +02:00
|
|
|
|
2017-04-27 13:58:49 +02:00
|
|
|
# TLP tag setup
|
|
|
|
|
# Tuples contain different variations of spelling
|
2017-05-29 17:15:52 +02:00
|
|
|
tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ],
|
2017-05-29 10:53:10 +02:00
|
|
|
'tlp:green': [ 'tlp:green', 'tlp: green', 'tlp green' ],
|
2017-05-29 17:15:52 +02:00
|
|
|
'tlp:white': [ 'tlp:white', 'tlp: white', 'tlp white' ]
|
2017-04-27 13:58:49 +02:00
|
|
|
}
|
2017-05-29 17:26:39 +02:00
|
|
|
tlptag_default = sorted(tlptags.keys())[0]
|
2017-04-27 13:58:49 +02:00
|
|
|
|
|
|
|
|
malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ],
|
|
|
|
|
'dridex': [ 'misp-galaxy:tool="dridex"' ],
|
|
|
|
|
'netwire': [ 'Netwire RAT' ]
|
|
|
|
|
}
|
|
|
|
|
# Tags to be set depending on the presence of other tags
|
|
|
|
|
dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-29 15:36:27 +02:00
|
|
|
# Known identifiers for forwarded messages
|
|
|
|
|
forward_identifiers = { b'-------- Forwarded Message --------', b'Begin forwarded message:' }
|
|
|
|
|
|
2017-05-22 09:43:44 +02:00
|
|
|
# Tags to add when hashes are found (e.g. to do automatic expansion)
|
|
|
|
|
hash_only_tags = { 'TODO:VT-ENRICHMENT' }
|
2017-05-29 17:26:39 +02:00
|
|
|
|
