mail_to_misp/mail_to_misp_config.py-example


print ("hello")
misp_url = 'YOUR_MISP_URL'
misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section
misp_verifycert = True

debug = False
nameservers = ['149.13.33.69']
email_subject_prefix = b'M2M - '

excludelist = (b'google.com', b'microsoft.com')
externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')
internallist = (b'internal.system.local')
noidsflaglist = (b'myexternalip.com', b'ipinfo.io', b'icanhazip.com', b'wtfismyip.com', b'ipecho.net', b'api.ipify.org', b'checkip.amazonaws.com', b'whatismyipaddress.com', b'google.com', b'dropbox.com')

# Stop parsing when this term is found
stopword = b'Whois & IP Information'

# TLP tag setup
# Tuples contain different variations of spelling
tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ],
            'tlp:green': [ 'tlp:green', 'tlp: green', 'tlp green' ],
            'tlp:white': [ 'tlp:white', 'tlp: white', 'tlp white' ]
          }
tlptag_default = sorted(tlptags.keys())[0]

malwaretags = { 'locky':    [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ],
                'dridex':   [ 'misp-galaxy:tool="dridex"' ],
                'netwire':  [ 'Netwire RAT' ]
              }
# Tags to be set depending on the presence of other tags
dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]
                }

# Known identifiers for forwarded messages 
forward_identifiers = { b'-------- Forwarded Message --------', b'Begin forwarded message:' }

# Tags to add when hashes are found (e.g. to do automatic expansion)
hash_only_tags = { 'TODO:VT-ENRICHMENT' }
initial commit 2017-04-27 13:58:49 +02:00
fixed the tlp selection 2017-05-29 17:26:39 +02:00			`print ("hello")`
initial commit 2017-04-27 13:58:49 +02:00			`misp_url = 'YOUR_MISP_URL'`
			`misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section`
			`misp_verifycert = True`

set debug to False by default 2017-05-23 15:19:31 +02:00			`debug = False`
initial commit 2017-04-27 13:58:49 +02:00			`nameservers = ['149.13.33.69']`
logging via syslog 2017-05-30 11:24:30 +02:00			`email_subject_prefix = b'M2M - '`
initial commit 2017-04-27 13:58:49 +02:00
forwarding filter and internallist 2017-05-29 17:06:46 +02:00			`excludelist = (b'google.com', b'microsoft.com')`
			`externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')`
			`internallist = (b'internal.system.local')`
			`noidsflaglist = (b'myexternalip.com', b'ipinfo.io', b'icanhazip.com', b'wtfismyip.com', b'ipecho.net', b'api.ipify.org', b'checkip.amazonaws.com', b'whatismyipaddress.com', b'google.com', b'dropbox.com')`
updated config example 2017-05-17 09:54:24 +02:00
			`# Stop parsing when this term is found`
forwarding filter and internallist 2017-05-29 17:06:46 +02:00			`stopword = b'Whois & IP Information'`
initial commit 2017-04-27 13:58:49 +02:00
			`# TLP tag setup`
			`# Tuples contain different variations of spelling`
fixed order 2017-05-29 17:15:52 +02:00			`tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ],`
more tlp fix-ups 2017-05-29 10:53:10 +02:00			`'tlp:green': [ 'tlp:green', 'tlp: green', 'tlp green' ],`
fixed order 2017-05-29 17:15:52 +02:00			`'tlp:white': [ 'tlp:white', 'tlp: white', 'tlp white' ]`
initial commit 2017-04-27 13:58:49 +02:00			`}`
fixed the tlp selection 2017-05-29 17:26:39 +02:00			`tlptag_default = sorted(tlptags.keys())[0]`
initial commit 2017-04-27 13:58:49 +02:00
			`malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ],`
			`'dridex': [ 'misp-galaxy:tool="dridex"' ],`
			`'netwire': [ 'Netwire RAT' ]`
			`}`
			`# Tags to be set depending on the presence of other tags`
			`dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]`
			`}`

identify forwarded messages 2017-05-29 15:36:27 +02:00			`# Known identifiers for forwarded messages`
			`forward_identifiers = { b'-------- Forwarded Message --------', b'Begin forwarded message:' }`

added additional tags based on finding of hashes 2017-05-22 09:43:44 +02:00			`# Tags to add when hashes are found (e.g. to do automatic expansion)`
			`hash_only_tags = { 'TODO:VT-ENRICHMENT' }`
fixed the tlp selection 2017-05-29 17:26:39 +02:00