MISP
/
mail_to_misp
mirror of https://github.com/MISP/mail_to_misp
2
0
Fork 0
Code Issues Releases Wiki Activity
mail_to_misp/mail2misp/mail2misp.py

439 lines
21 KiB
Python
Raw Normal View History

new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re
import syslog
import html
carrier mail functionality Implements processing of a carrier mail that contains email attachments. Each email attachment is converted into an individual MISP event.
2019-11-16 16:47:43 +01:00
import os
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
from io import BytesIO
from ipaddress import ip_address
fix: Proper type detection of attachments Fix #27
2018-08-02 13:42:07 +02:00
from email import message_from_bytes, policy, message
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
from . import urlmarker
from . import hashmarker
from pyfaup.faup import Faup
chg: Bump deps, slight changes.
2019-07-18 15:12:15 +02:00
from pymisp import ExpandedPyMISP, MISPEvent, MISPObject, MISPSighting, InvalidMISPObject
from pymisp.tools import EMailObject, make_binary_objects, VTReportObject
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
from defang import refang
new: Allow to disable DNS lookups Fix #26
2018-08-02 11:55:37 +02:00
try:
import dns.resolver
HAS_DNS = True
except ImportError:
HAS_DNS = False
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
def is_ip(address):
try:
ip_address(address)
except ValueError:
return False
return True
class Mail2MISP():
add urlonly to event feature added
2019-07-19 12:20:56 +02:00
def __init__(self, misp_url, misp_key, verifycert, config, offline=False, urlsonly=False):
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
self.offline = offline
if not self.offline:
chg: Bump deps, slight changes.
2019-07-18 15:12:15 +02:00
self.misp = ExpandedPyMISP(misp_url, misp_key, verifycert, debug=config.debug)
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
self.config = config
add urlonly to event feature added
2019-07-19 12:20:56 +02:00
self.urlsonly = urlsonly
fix: Avoid failure if dns key is not in the config file.
2018-08-02 12:02:18 +02:00
if not hasattr(self.config, 'enable_dns'):
setattr(self.config, 'enable_dns', True)
add urlonly to event feature added
2019-07-19 12:20:56 +02:00
if self.urlsonly is False:
setattr(self.config, 'enable_dns', False)
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
self.debug = self.config.debug
self.config_from_email_body = {}
exclude attachements of size 0 bytes Optionally exclude attachments that are 0 bytes long
2019-11-19 10:13:36 +01:00
if not hasattr(self.config, 'ignore_nullsize_attachments'):
setattr(self.config, 'ignore_nullsize_attachments', False)
self.ignore_nullsize_attachments = self.config.ignore_nullsize_attachments
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
# Init Faup
self.f = Faup()
fix: Properly add sightings, meta event attributes
2018-08-03 11:26:11 +02:00
self.sightings_to_add = []
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
def load_email(self, pseudofile):
self.pseudofile = pseudofile
self.original_mail = message_from_bytes(self.pseudofile.getvalue(), policy=policy.default)
carrier mail functionality Implements processing of a carrier mail that contains email attachments. Each email attachment is converted into an individual MISP event.
2019-11-16 16:47:43 +01:00
add email sender to comment
2019-07-23 14:45:50 +02:00
try:
self.sender = self.original_mail.get('From')
except:
self.sender = "<unknown sender>"
carrier mail functionality Implements processing of a carrier mail that contains email attachments. Each email attachment is converted into an individual MISP event.
2019-11-16 16:47:43 +01:00
try:
self.subject = self.original_mail.get('Subject')
# Remove words from subject
for removeword in self.config.removelist:
self.subject = re.sub(removeword, "", self.subject).strip()
fixed wrong exception handling Except block handles 'BaseException'
2019-11-17 09:45:12 +01:00
except Exception as ex:
carrier mail functionality Implements processing of a carrier mail that contains email attachments. Each email attachment is converted into an individual MISP event.
2019-11-16 16:47:43 +01:00
self.subject = "<subject could not be retrieved>"
fixed wrong exception handling Except block handles 'BaseException'
2019-11-17 09:45:12 +01:00
if self.debug:
syslog.syslog(ex)
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
# Initialize the MISP event
self.misp_event = MISPEvent()
self.misp_event.info = f'{self.config.email_subject_prefix} - {self.subject}'
self.misp_event.distribution = self.config.default_distribution
self.misp_event.threat_level_id = self.config.default_threat_level
self.misp_event.analysis = self.config.default_analysis
def sighting(self, value, source):
if self.offline:
raise Exception('The script is running in offline mode, ')
'''Add a sighting'''
s = MISPSighting()
s.from_dict(value=value, source=source)
chg: Bump deps, slight changes.
2019-07-18 15:12:15 +02:00
self.misp.add_sighting(s)
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
def _find_inline_forward(self):
'''Does the body contains a forwarded email?'''
for identifier in self.config.forward_identifiers:
if identifier in self.clean_email_body:
self.clean_email_body, fw_email = self.clean_email_body.split(identifier)
return self.forwarded_email(pseudofile=BytesIO(fw_email.encode()))
def _find_attached_forward(self):
forwarded_emails = []
for attachment in self.original_mail.iter_attachments():
multipart messages can be nested within each other An example of something that does this is GPG, when operating in PGP/MIME mode. The Python documentation remarks that an attachment is anything that isn't a body - meaning that if there are multipart messages nested within each other, the containers will be flagged as an attachment. When get_content() is called on the attachment, it fails with an unhandled KeyError as there is no attachment handler for multipart. This change wraps the get_content() call in a try...catch, and returns if an attachment type unsupported by the runtime is present. ``` Traceback (most recent call last): File "/Users/adamb/mail_to_misp/tests/tests.py", line 89, in test_nested_mime self.mail2misp.process_email_body() File "./mail2misp/mail2misp.py", line 188, in process_email_body self._find_attached_forward() File "./mail2misp/mail2misp.py", line 88, in _find_attached_forward attachment_content = attachment.get_content() File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/email/message.py", line 1096, in get_content return content_manager.get_content(self, *args, **kw) File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/email/contentmanager.py", line 25, in get_content raise KeyError(content_type) KeyError: 'multipart/mixed' ```
2020-06-07 01:16:17 +02:00
try:
attachment_content = attachment.get_content()
except KeyError:
# Attachment type has no handler
continue
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
# Search for email forwarded as attachment
# I could have more than one, attaching everything.
fix: Proper type detection of attachments Fix #27
2018-08-02 13:42:07 +02:00
if isinstance(attachment_content, message.EmailMessage):
forwarded_emails.append(self.forwarded_email(pseudofile=BytesIO(attachment_content.as_bytes())))
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
else:
fix: Proper type detection of attachments Fix #27
2018-08-02 13:42:07 +02:00
if isinstance(attachment_content, str):
fix: Properly handle plain text attachments
2018-08-02 17:02:17 +02:00
attachment_content = attachment_content.encode()
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
filename = attachment.get_filename()
if not filename:
filename = 'missing_filename'
if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword:
# Attach sane file
fix: Proper type detection of attachments Fix #27
2018-08-02 13:42:07 +02:00
self.misp_event.add_attribute('attachment', value=filename, data=BytesIO(attachment_content))
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
else:
fix: Proper type detection of attachments Fix #27
2018-08-02 13:42:07 +02:00
f_object, main_object, sections = make_binary_objects(pseudofile=BytesIO(attachment_content), filename=filename, standalone=False)
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
self.misp_event.add_object(f_object)
if main_object:
self.misp_event.add_object(main_object)
[self.misp_event.add_object(section) for section in sections]
return forwarded_emails
def email_from_spamtrap(self):
'''The email comes from a spamtrap and should be attached as-is.'''
raw_body = self.original_mail.get_body(preferencelist=('html', 'plain'))
if raw_body:
self.clean_email_body = html.unescape(raw_body.get_payload(decode=True).decode('utf8', 'surrogateescape'))
else:
self.clean_email_body = ''
return self.forwarded_email(self.pseudofile)
def forwarded_email(self, pseudofile: BytesIO):
'''Extracts all possible indicators out of an email and create a MISP event out of it.
* Gets all relevant Headers
* Attach the body
* Create MISP file objects (uses lief if possible)
* Set all references
'''
email_object = EMailObject(pseudofile=pseudofile, attach_original_mail=True, standalone=False)
if email_object.attachments:
# Create file objects for the attachments
for attachment_name, attachment in email_object.attachments:
exclude attachements of size 0 bytes Optionally exclude attachments that are 0 bytes long
2019-11-19 10:13:36 +01:00
if not (self.ignore_nullsize_attachments == True and attachment.getbuffer().nbytes == 0):
if not attachment_name:
attachment_name = 'NameMissing.txt'
if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword:
a = self.misp_event.add_attribute('attachment', value=attachment_name, data=attachment)
email_object.add_reference(a.uuid, 'related-to', 'Email attachment')
else:
f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False)
if self.config.vt_key:
try:
vt_object = VTReportObject(self.config.vt_key, f_object.get_attributes_by_relation('sha256')[0].value, standalone=False)
self.misp_event.add_object(vt_object)
f_object.add_reference(vt_object.uuid, 'analysed-with')
except InvalidMISPObject as e:
print(e)
pass
self.misp_event.add_object(f_object)
if main_object:
self.misp_event.add_object(main_object)
for section in sections:
self.misp_event.add_object(section)
email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment')
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
self.process_body_iocs(email_object)
if self.config.spamtrap or self.config.attach_original_mail or self.config_from_email_body.get('attach_original_mail'):
self.misp_event.add_object(email_object)
return email_object
def process_email_body(self):
mail_as_bytes = self.original_mail.get_body(preferencelist=('html', 'plain')).get_payload(decode=True)
if mail_as_bytes:
self.clean_email_body = html.unescape(mail_as_bytes.decode('utf8', 'surrogateescape'))
# Check if there are config lines in the body & convert them to a python dictionary:
# <config.body_config_prefix>:<key>:<value> => {<key>: <value>}
self.config_from_email_body = {k.strip(): v.strip() for k, v in re.findall(f'{self.config.body_config_prefix}:(.*):(.*)', self.clean_email_body)}
if self.config_from_email_body:
# ... remove the config lines from the body
self.clean_email_body = re.sub(rf'^{self.config.body_config_prefix}.*\n?', '',
html.unescape(self.original_mail.get_body(preferencelist=('html', 'plain')).get_payload(decode=True).decode('utf8', 'surrogateescape')), flags=re.MULTILINE)
# Check if autopublish key is present and valid
if self.config_from_email_body.get('m2mkey') == self.config.m2m_key:
fix: Allow passing 0 to distribution, threat_level and analysis
2018-08-03 10:52:35 +02:00
if self.config_from_email_body.get('distribution') is not None:
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
self.misp_event.distribution = self.config_from_email_body.get('distribution')
fix: Allow passing 0 to distribution, threat_level and analysis
2018-08-03 10:52:35 +02:00
if self.config_from_email_body.get('threat_level') is not None:
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
self.misp_event.threat_level_id = self.config_from_email_body.get('threat_level')
fix: Allow passing 0 to distribution, threat_level and analysis
2018-08-03 10:52:35 +02:00
if self.config_from_email_body.get('analysis') is not None:
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
self.misp_event.analysis = self.config_from_email_body.get('analysis')
if self.config_from_email_body.get('publish'):
self.misp_event.publish()
self._find_inline_forward()
else:
self.clean_email_body = ''
self._find_attached_forward()
def process_body_iocs(self, email_object=None):
if email_object:
body = html.unescape(email_object.email.get_body(preferencelist=('html', 'plain')).get_payload(decode=True).decode('utf8', 'surrogateescape'))
else:
body = self.clean_email_body
# Cleanup body content
# Depending on the source of the mail, there is some cleanup to do. Ignore lines in body of message
for ignoreline in self.config.ignorelist:
body = re.sub(rf'^{ignoreline}.*\n?', '', body, flags=re.MULTILINE)
# Remove everything after the stopword from the body
body = body.split(self.config.stopword, 1)[0]
# Add tags to the event if keywords are found in the mail
for tag in self.config.tlptags:
tag extraction from subject and bug fix for alternativetags
2019-07-23 13:35:17 +02:00
for alternativetag in self.config.tlptags[tag]:
if alternativetag in body.lower():
self.misp_event.add_tag(tag)
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
# Prepare extraction of IOCs
# Refang email data
body = refang(body)
# Extract and add hashes
contains_hash = False
for h in set(re.findall(hashmarker.MD5_REGEX, body)):
contains_hash = True
attribute = self.misp_event.add_attribute('md5', h, enforceWarninglist=self.config.enforcewarninglist)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
fix: Properly add sightings, meta event attributes
2018-08-03 11:26:11 +02:00
self.sightings_to_add.append((h, self.config.sighting_source))
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
for h in set(re.findall(hashmarker.SHA1_REGEX, body)):
contains_hash = True
attribute = self.misp_event.add_attribute('sha1', h, enforceWarninglist=self.config.enforcewarninglist)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
fix: Properly add sightings, meta event attributes
2018-08-03 11:26:11 +02:00
self.sightings_to_add.append((h, self.config.sighting_source))
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
for h in set(re.findall(hashmarker.SHA256_REGEX, body)):
contains_hash = True
attribute = self.misp_event.add_attribute('sha256', h, enforceWarninglist=self.config.enforcewarninglist)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
fix: Properly add sightings, meta event attributes
2018-08-03 11:26:11 +02:00
self.sightings_to_add.append((h, self.config.sighting_source))
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
if contains_hash:
[self.misp_event.add_tag(tag) for tag in self.config.hash_only_tags]
# # Extract network IOCs
urllist = []
urllist += re.findall(urlmarker.WEB_URL_REGEX, body)
urllist += re.findall(urlmarker.IP_REGEX, body)
if self.debug:
syslog.syslog(str(urllist))
hostname_processed = []
# Add IOCs and expanded information to MISP
for entry in set(urllist):
ids_flag = True
self.f.decode(entry)
fix: Support new version of pyfaup
2019-01-21 14:39:04 +01:00
domainname = self.f.get_domain()
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
if domainname in self.config.excludelist:
# Ignore the entry
continue
fix: Support new version of pyfaup
2019-01-21 14:39:04 +01:00
hostname = self.f.get_host()
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
scheme = self.f.get_scheme()
if scheme:
fix: Support new version of pyfaup
2019-01-21 14:39:04 +01:00
scheme = scheme
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
resource_path = self.f.get_resource_path()
if resource_path:
fix: Support new version of pyfaup
2019-01-21 14:39:04 +01:00
resource_path = resource_path
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
if self.debug:
syslog.syslog(domainname)
handled the case with internalattributes better
2019-07-22 11:31:27 +02:00
if domainname in self.config.internallist and self.urlsonly is False: # Add link to internal reference unless in urlsonly mode
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
attribute = self.misp_event.add_attribute('link', entry, category='Internal reference',
to_ids=False, enforceWarninglist=False)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
add urlonly to event feature added
2019-07-19 12:20:56 +02:00
elif domainname in self.config.externallist or self.urlsonly is False: # External analysis
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
attribute = self.misp_event.add_attribute('link', entry, category='External analysis',
to_ids=False, enforceWarninglist=False)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
add urlonly to event feature added
2019-07-19 12:20:56 +02:00
elif domainname in self.config.externallist or self.urlsonly: # External analysis
using subject as comment when urlsonly is enabled
2019-07-22 14:35:51 +02:00
if self.urlsonly:
add email sender to comment
2019-07-23 14:45:50 +02:00
comment = self.subject + " (from: " + self.sender +")"
using subject as comment when urlsonly is enabled
2019-07-22 14:35:51 +02:00
else:
comment = ""
add urlonly to event feature added
2019-07-19 12:20:56 +02:00
attribute = self.misp.add_attribute(self.urlsonly, {"type": 'link', "value": entry, "category": 'External analysis',
using subject as comment when urlsonly is enabled
2019-07-22 14:35:51 +02:00
"to_ids": False, "comment": comment})
tag extraction from subject and bug fix for alternativetags
2019-07-23 13:35:17 +02:00
for tag in self.config.tlptags:
for alternativetag in self.config.tlptags[tag]:
if alternativetag in self.subject.lower():
self.misp.tag(attribute["uuid"], tag)
add email sender to comment
2019-07-23 14:45:50 +02:00
new_subject = comment.replace(alternativetag, '')
tag extraction from subject and bug fix for alternativetags
2019-07-23 13:35:17 +02:00
self.misp.change_comment(attribute["uuid"], new_subject)
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
else: # The URL is probably an indicator.
comment = ""
if (domainname in self.config.noidsflaglist) or (hostname in self.config.noidsflaglist):
ids_flag = False
comment = "Known host (mostly for connectivity test or IP lookup)"
if self.debug:
syslog.syslog(str(entry))
if scheme:
if is_ip(hostname):
attribute = self.misp_event.add_attribute('url', entry, to_ids=False,
enforceWarninglist=self.config.enforcewarninglist)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
else:
if resource_path: # URL has path, ignore warning list
attribute = self.misp_event.add_attribute('url', entry, to_ids=ids_flag,
enforceWarninglist=False, comment=comment)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
else: # URL has no path
attribute = self.misp_event.add_attribute('url', entry, to_ids=ids_flag,
enforceWarninglist=self.config.enforcewarninglist, comment=comment)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
fix: Properly add sightings, meta event attributes
2018-08-03 11:26:11 +02:00
self.sightings_to_add.append((entry, self.config.sighting_source))
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
if hostname in hostname_processed:
# Hostname already processed.
continue
hostname_processed.append(hostname)
if self.config.sighting:
fix: Properly add sightings, meta event attributes
2018-08-03 11:26:11 +02:00
self.sightings_to_add.append((hostname, self.config.sighting_source))
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
if self.debug:
syslog.syslog(hostname)
comment = ''
port = self.f.get_port()
if port:
fix: Support new version of pyfaup
2019-01-21 14:39:04 +01:00
port = port
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
comment = f'on port: {port}'
if is_ip(hostname):
attribute = self.misp_event.add_attribute('ip-dst', hostname, to_ids=ids_flag,
enforceWarninglist=self.config.enforcewarninglist,
comment=comment)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
else:
related_ips = []
new: Allow to disable DNS lookups Fix #26
2018-08-02 11:55:37 +02:00
if HAS_DNS and self.config.enable_dns:
try:
syslog.syslog(hostname)
for rdata in dns.resolver.query(hostname, 'A'):
if self.debug:
syslog.syslog(str(rdata))
related_ips.append(rdata.to_text())
except Exception as e:
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
if self.debug:
new: Allow to disable DNS lookups Fix #26
2018-08-02 11:55:37 +02:00
syslog.syslog(str(e))
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
if related_ips:
hip = MISPObject(name='ip-port')
hip.add_attribute('hostname', value=hostname, to_ids=ids_flag,
enforceWarninglist=self.config.enforcewarninglist, comment=comment)
for ip in set(related_ips):
hip.add_attribute('ip', type='ip-dst', value=ip, to_ids=False,
enforceWarninglist=self.config.enforcewarninglist)
self.misp_event.add_object(hip)
if email_object:
email_object.add_reference(hip.uuid, 'contains')
else:
add urlonly to event feature added
2019-07-19 12:20:56 +02:00
if self.urlsonly is False:
attribute = self.misp_event.add_attribute('hostname', value=hostname,
to_ids=ids_flag, enforceWarninglist=self.config.enforcewarninglist,
comment=comment)
new: Make it a lib, add test cases
2018-05-14 23:23:30 +02:00
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
def add_event(self):
'''Add event on the remote MISP instance.'''
# Add additional tags depending on others
tags = []
for tag in [t.name for t in self.misp_event.tags]:
if self.config.dependingtags.get(tag):
tags += self.config.dependingtags.get(tag)
# Add additional tags according to configuration
for malware in self.config.malwaretags:
if malware.lower() in self.subject.lower():
tags += self.config.malwaretags.get(malware)
if tags:
[self.misp_event.add_tag(tag) for tag in tags]
has_tlp_tag = False
for tag in [t.name for t in self.misp_event.tags]:
if tag.lower().startswith('tlp'):
has_tlp_tag = True
if not has_tlp_tag:
self.misp_event.add_tag(self.config.tlptag_default)
if self.offline:
return self.misp_event.to_json()
fix: Buggy decode, the email was added twice
2019-07-18 16:12:44 +02:00
event = self.misp.add_event(self.misp_event, pythonify=True)
fix: Properly add sightings, meta event attributes
2018-08-03 11:26:11 +02:00
if self.config.sighting:
for value, source in self.sightings_to_add:
self.sighting(value, source)
return event
carrier mail functionality Implements processing of a carrier mail that contains email attachments. Each email attachment is converted into an individual MISP event.
2019-11-16 16:47:43 +01:00
def get_attached_emails(self,pseudofile):
fixed wrong exception handling Except block handles 'BaseException'
2019-11-17 09:45:12 +01:00
if self.debug:
syslog.syslog("get_attached_emails Job started.")
carrier mail functionality Implements processing of a carrier mail that contains email attachments. Each email attachment is converted into an individual MISP event.
2019-11-16 16:47:43 +01:00
forwarded_emails = []
self.pseudofile = pseudofile
self.original_mail = message_from_bytes(self.pseudofile.getvalue(), policy=policy.default)
for attachment in self.original_mail.iter_attachments():
attachment_content = attachment.get_content()
filename = attachment.get_filename()
fixed wrong exception handling Except block handles 'BaseException'
2019-11-17 09:45:12 +01:00
if self.debug:
syslog.syslog(f'get_attached_emails: filename = {filename}')
carrier mail functionality Implements processing of a carrier mail that contains email attachments. Each email attachment is converted into an individual MISP event.
2019-11-16 16:47:43 +01:00
# Search for email forwarded as attachment
# I could have more than one, attaching everything.
if isinstance(attachment, message.EmailMessage) and os.path.splitext(filename)[1] == '.eml':
# all attachments are identified as message.EmailMessage so filtering on extension for now.
forwarded_emails.append(BytesIO(attachment_content))
return forwarded_emails