mail_to_misp/mail_to_misp.py

103 lines
3.9 KiB
Python
Raw Normal View History

#!/usr/bin/env python3
2017-05-24 11:02:28 +02:00
# -*- coding: utf-8 -*-
2017-04-27 13:58:49 +02:00
2018-05-04 17:25:23 +02:00
import os
2017-06-01 09:02:11 +02:00
import sys
2018-05-02 19:08:22 +02:00
import argparse
import syslog
from pathlib import Path
from io import BytesIO
import importlib
2018-05-14 23:23:30 +02:00
from mail2misp import Mail2MISP
2018-05-02 19:08:22 +02:00
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Push a Mail into a MISP instance')
parser.add_argument("-r", "--read", help="Read from tempfile.")
parser.add_argument("-t", "--trap", action='store_true', default=False, help="Import the Email as-is.")
parser.add_argument("-e", "--event", default=False, help="Add indicators to this MISP event.")
2019-07-19 12:20:56 +02:00
parser.add_argument("-u", "--urlsonly", default=False, action='store_true', help="Extract only URLs.")
parser.add_argument('infile', nargs='?', type=argparse.FileType('rb'))
2018-05-02 19:08:22 +02:00
args = parser.parse_args()
syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_USER)
syslog.syslog("Job started.")
2018-05-04 17:43:00 +02:00
os.chdir(Path(__file__).parent)
2018-05-04 17:25:23 +02:00
2018-05-04 16:28:37 +02:00
configmodule = Path(__file__).name.replace('.py', '_config')
2018-05-02 19:08:22 +02:00
if Path(f'{configmodule}.py').exists():
config = importlib.import_module(configmodule)
try:
misp_url = config.misp_url
misp_key = config.misp_key
misp_verifycert = config.misp_verifycert
debug = config.debug
ignore_carrier_mail = config.ignore_carrier_mail
2018-05-02 19:08:22 +02:00
except Exception as e:
syslog.syslog(str(e))
print("There is a problem with the configuration. A mandatory configuration variable is not set.")
print("Did you just update? mail_to_misp might have new configuration variables.")
print("Please compare with the configuration example.")
print("\nTrace:")
print(e)
sys.exit(-2)
else:
2018-05-02 19:08:22 +02:00
print("Couldn't locate config file {0}".format(f'{configmodule}.py'))
sys.exit(-1)
if args.infile:
2018-05-06 21:58:47 +02:00
pseudofile = BytesIO(args.infile.read().encode('utf8', 'surrogateescape'))
2018-05-02 19:08:22 +02:00
elif args.read:
# read from tempfile
with open(args.read, 'rb') as f:
pseudofile = BytesIO(f.read())
2017-06-01 18:39:39 +02:00
else:
2018-05-02 19:08:22 +02:00
# receive data and subject through arguments
raise Exception('This is not implemented anymore.')
syslog.syslog("About to create a mail2misp object.")
2019-07-19 12:20:56 +02:00
mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config, urlsonly=args.event)
attached_emails = mail2misp.get_attached_emails(pseudofile)
syslog.syslog(f"found {len(attached_emails)} attached emails")
2020-06-16 12:03:59 +02:00
if ignore_carrier_mail and len(attached_emails) != 0:
syslog.syslog("Ignoring the carrier mail.")
2020-06-16 12:03:59 +02:00
while len(attached_emails) != 0:
pseudofile = attached_emails.pop()
2020-06-16 12:03:59 +02:00
# Throw away the Mail2MISP object of the carrier mail and create a new one for each e-mail attachment
mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config, urlsonly=args.event)
mail2misp.load_email(pseudofile)
2020-06-16 12:03:59 +02:00
if debug:
syslog.syslog(f'Working on {mail2misp.subject}')
2020-06-16 12:03:59 +02:00
if args.trap or config.spamtrap:
mail2misp.email_from_spamtrap()
else:
mail2misp.process_email_body()
2020-06-16 12:03:59 +02:00
mail2misp.process_body_iocs()
2020-06-16 12:03:59 +02:00
if not args.event:
mail2misp.add_event()
2020-06-16 12:03:59 +02:00
syslog.syslog("Job finished.")
2018-05-02 19:08:22 +02:00
else:
syslog.syslog("Running standard mail2misp")
mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config, urlsonly=args.event)
mail2misp.load_email(pseudofile)
if debug:
syslog.syslog(f'Working on {mail2misp.subject}')
if args.trap or config.spamtrap:
mail2misp.email_from_spamtrap()
else:
mail2misp.process_email_body()
2020-06-16 12:03:59 +02:00
mail2misp.process_body_iocs()
2020-06-16 12:03:59 +02:00
if not args.event:
mail2misp.add_event()
syslog.syslog("Job finished.")