mail_to_misp/mail_to_misp_config.py-example

85 lines
3.2 KiB
Plaintext
Raw Normal View History

2017-06-01 17:00:32 +02:00
#!/usr/bin/env python3
2017-05-30 12:21:40 +02:00
# -*- coding: utf-8 -*-
2017-04-27 13:58:49 +02:00
misp_url = 'YOUR_MISP_URL'
2018-05-02 19:08:22 +02:00
misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section
2017-04-27 13:58:49 +02:00
misp_verifycert = True
2018-05-02 19:08:22 +02:00
spamtrap = False
default_distribution = 0
default_threat_level = 4
default_analysis = 1
id_tag = 'host:m2m:tld'
freetext = False
2018-05-02 19:08:22 +02:00
body_config_prefix = 'm2m' # every line in the body starting with this value will be skipped from the IOCs
m2m_key = 'YOUSETYOURKEYHERE'
2018-05-04 14:24:02 +02:00
m2m_benign_attachment_keyword = 'benign'
2017-04-27 13:58:49 +02:00
2018-08-02 17:04:46 +02:00
enable_dns = True
2017-05-23 15:19:31 +02:00
debug = False
2017-04-27 13:58:49 +02:00
nameservers = ['149.13.33.69']
2018-05-02 19:08:22 +02:00
email_subject_prefix = 'M2M'
attach_original_mail = False
ignore_carrier_mail = False
ignore_nullsize_attachments = False
2017-04-27 13:58:49 +02:00
excludelist = ('google.com', 'microsoft.com')
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
internallist = ('internal.system.local')
2018-05-02 19:08:22 +02:00
noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net',
'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com',
'dropbox.com'
)
2017-05-17 09:54:24 +02:00
# Stop parsing when this term is found
2017-06-30 08:35:50 +02:00
stopword = 'Whois & IP Information'
2017-04-27 13:58:49 +02:00
# Ignore lines in body of message containing:
2018-05-02 19:08:22 +02:00
ignorelist = ("From:", "Sender:", "Received:", "Sender IP:", "Reply-To:", "Registrar WHOIS Server:",
"Registrar:", "Domain Status:", "Registrant Email:", "IP Location:",
"X-Get-Message-Sender-Via:", "X-Authenticated-Sender:")
# Ignore (don't add) attributes that are on server side warning list
2018-05-02 19:08:22 +02:00
enforcewarninglist = True
2017-12-20 16:08:27 +01:00
# Add a sighting for each value
2018-05-02 19:08:22 +02:00
sighting = True
sighting_source = "YOUR_MAIL_TO_MISP_IDENTIFIER"
2017-12-20 16:08:27 +01:00
# Remove "Re:", "Fwd:" and {Spam?} from subject
# add: "[\(\[].*?[\)\]]" to remove everything between [] and (): i.e. [tag]
2018-05-14 23:23:30 +02:00
removelist = (r"Re:", r"Fwd:", r"\{Spam\?\} ")
2017-04-27 13:58:49 +02:00
# TLP tag setup
# Tuples contain different variations of spelling
2018-05-02 19:08:22 +02:00
tlptags = {'tlp:amber': ['tlp:amber', 'tlp: amber', 'tlp amber'],
'tlp:green': ['tlp:green', 'tlp: green', 'tlp green'],
'tlp:white': ['tlp:white', 'tlp: white', 'tlp white']
}
2017-05-29 17:26:39 +02:00
tlptag_default = sorted(tlptags.keys())[0]
2017-04-27 13:58:49 +02:00
2018-05-02 19:08:22 +02:00
malwaretags = {'locky': ['ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"'],
'jaff': ['ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"'],
'dridex': ['misp-galaxy:tool="dridex"'],
'netwire': ['Netwire RAT'],
'Pony': ['misp-galaxy:tool="Hancitor"'],
'ursnif': ['misp-galaxy:tool="Snifula"'],
'NanoCore': ['misp-galaxy:tool="NanoCoreRAT"'],
'trickbot': ['misp-galaxy:tool="Trick Bot"']
}
2017-06-30 08:35:50 +02:00
2017-04-27 13:58:49 +02:00
# Tags to be set depending on the presence of other tags
2018-05-02 19:08:22 +02:00
dependingtags = {'tlp:white': ['circl:osint-feed']
}
2017-04-27 13:58:49 +02:00
2018-05-02 19:08:22 +02:00
# Known identifiers for forwarded messages
forward_identifiers = {'-------- Forwarded Message --------', 'Begin forwarded message:'}
2017-05-29 15:36:27 +02:00
# Tags to add when hashes are found (e.g. to do automatic expansion)
2018-05-02 19:08:22 +02:00
hash_only_tags = {'TODO:VT-ENRICHMENT'}
2017-05-29 17:26:39 +02:00
# If an attribute is on any MISP server side `warning list`, skip the creation of the attribute
skip_item_on_warninglist = True
vt_key = None