mail_to_misp/mail_to_misp.py

#!/usr/bin/python3
# -*- coding: utf-8 -*-

import urlmarker
import hashmarker
import sys
import re
from pyfaup.faup import Faup
from pymisp import PyMISP
from defang import refang
import dns.resolver
import mail_to_misp_config as config
import email
from email.generator import Generator
import tempfile
import socket
import syslog

syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_USER)


def is_valid_ipv4_address(address):
    try:
        socket.inet_pton(socket.AF_INET, address)
    except AttributeError:  # no inet_pton here, sorry
        try:
            socket.inet_aton(address)
        except socket.error:
            return False
        return address.count('.') == 3
    except socket.error:  # not a valid address
        return False

    return True

def is_valid_ipv6_address(address):
    try:
        socket.inet_pton(socket.AF_INET6, address)
    except socket.error:  # not a valid address
        return False
    return True

debug = config.debug
stdin_used = False

email_subject = config.email_subject_prefix
try:
    if not sys.stdin.isatty():
        email_data = b''
        mailcontent = "".join(sys.stdin)
        msg = email.message_from_string(mailcontent)
        mail_subject = msg.get('Subject').encode()
        for part in msg.walk():
            if part.get_content_maintype() == 'multipart':
                continue
            if part.get_content_maintype() == 'text':
                email_data += part.get_payload(decode=True)
        email_subject += mail_subject
        stdin_used = True
except Exception as e:
    print(e)
    pass

try:
    if not stdin_used:
        email_data = sys.argv[1].encode()
        email_subject = sys.argv[2].encode()
except:
    if debug:
        syslog.syslog("FATAL ERROR: Not all required input received")
    sys.exit(1)

if debug:    
    syslog.syslog(str(email_subject))
    syslog.syslog(str(email_data))

misp_url = config.misp_url
misp_key = config.misp_key
misp_verifycert = config.misp_verifycert

resolver = dns.resolver.Resolver(configure=False)
resolver.nameservers = config.nameservers

excludelist = config.excludelist
externallist = config.externallist
internallist = config.internallist
noidsflaglist = config.noidsflaglist
ignorelist = config.ignorelist
removelist = config.removelist
malwaretags = config.malwaretags
dependingtags = config.dependingtags
tlptag_default = config.tlptag_default
stopword = config.stopword
hash_only_tags = config.hash_only_tags
forward_identifiers = config.forward_identifiers

# Ignore lines in body of message
for ignoreline in ignorelist:
    email_data = re.sub(ignoreline, b"", email_data)

# Remove words from subject
for removeword in removelist:
    email_subject = re.sub(removeword, b"", email_subject)

def init(url, key):
    return PyMISP(url, key, misp_verifycert, 'json')

# Evaluate classification
tlp_tag = tlptag_default
tlptags = config.tlptags
for tag in tlptags:
    for alternativetag in tlptags[tag]:
        if alternativetag.encode() in email_data.lower():
            tlp_tag = tag

# Create the MISP event
misp = init(misp_url, misp_key)
new_event = misp.new_event(info=email_subject.decode('utf-8', 'ignore'), distribution=0, threat_level_id=3, analysis=1)
misp.add_tag(new_event, tlp_tag)

# Add additional tags depending on others
for tag in dependingtags:
    if tag in tlp_tag:
        for dependingtag in dependingtags[tag]:
            misp.add_tag(new_event, dependingtag)

## Prepare extraction of IOCs

# Limit the input if the stopword is found
email_data = email_data.split(stopword, 1)[0]

# Find the first forwarding message and use that content
position = 99999
t_email_data = email_data
for identifier in forward_identifiers:
    new_position = email_data.find(identifier)
    if new_position == -1:
        new_position = position
    if new_position < position:
        t_before, t_split, t_email_data = email_data.partition(identifier)
        position = new_position
email_data = t_email_data

# Refang email data
email_data = refang(email_data.decode('utf-8', 'ignore'))


## Extract various IOCs

urllist = list() 
urllist += re.findall(urlmarker.WEB_URL_REGEX, email_data)
urllist += re.findall(urlmarker.IP_REGEX, email_data)
if debug:
    syslog.syslog(str(urllist))

# Init Faup
f = Faup()

# Add tags according to configuration
for malware in malwaretags:
    if malware.encode() in email_subject.lower():
        for tag in malwaretags[malware]:
            misp.add_tag(new_event, tag)

# Extract and add hashes
hashlist_md5 = re.findall(hashmarker.MD5_REGEX, email_data)
hashlist_sha1 = re.findall(hashmarker.SHA1_REGEX, email_data)
hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data)

for h in hashlist_md5:
    misp.add_hashes(new_event, md5=h)
for h in hashlist_sha1:
    misp.add_hashes(new_event, sha1=h)
for h in hashlist_sha256:
    misp.add_hashes(new_event, sha256=h)

if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):
    for tag in hash_only_tags:
        misp.add_tag(new_event, tag)

# Add IOCs and expanded information to MISP
for entry in urllist:
    ids_flag = True
    f.decode(entry)
    domainname = f.get_domain()
    hostname = f.get_host()
    if debug:
        syslog.syslog(domainname.decode("utf-8", "ignore"))
    if domainname not in excludelist:
        if domainname in internallist:
            misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
        elif domainname in externallist:
            misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
        else:
            if (domainname in noidsflaglist) or (hostname in noidsflaglist):
                ids_flag = False
            if debug:
                syslog.syslog(str(entry))
            if hostname:
                if is_valid_ipv4_address(entry):
                    misp.add_url(new_event, entry, category='Network activity', to_ids=False)
                else:
                    misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
                if debug:
                    syslog.syslog(hostname.decode("utf-8", "ignore"))
                port = f.get_port()
                comment = ""
                if port:
                    comment = "on port: " + str(port)
                if is_valid_ipv4_address(hostname.decode('utf-8', 'ignore')):
                    misp.add_ipdst(new_event, hostname.decode('utf-8', 'ignore'), comment=comment, category='Network activity', to_ids=False)
                else:
                    misp.add_hostname(new_event, hostname.decode('utf-8', 'ignore'), comment=comment, category='Network activity', to_ids=ids_flag)
                try:
                    for rdata in dns.resolver.query(hostname.decode('utf-8', 'ignore'), 'A'):
                        if debug:
                            syslog.syslog(str(rdata))
                        misp.add_ipdst(new_event, rdata.to_text(), category='Network activity', to_ids=False, comment=hostname.decode('utf-8', 'ignore'))
                except Exception as e:
                    print (e)
                    if debug:
                        syslog.syslog("DNS unsuccessful")
 
# Try to add attachments
if stdin_used:
    for part in msg.walk():
        if part.get_content_maintype() == 'multipart':
            continue
        if part.get_content_maintype() != 'text':
            filename = part.get_filename()
            _, output_path = tempfile.mkstemp()
            output = open(output_path, 'wb')
            output.write(part.get_payload(decode=True))
            misp.upload_sample(filename, output_path, new_event, distribution=None, to_ids=True, category=None, comment=None, info='My Info', analysis=None, threat_level_id=None) 
            output.close()
hello python 3 2017-05-24 11:02:28 +02:00			`#!/usr/bin/python3`
			`# -- coding: utf-8 --`
initial commit 2017-04-27 13:58:49 +02:00
			`import urlmarker`
new functionalities (hashes, ids_flag) 2017-04-28 10:00:58 +02:00			`import hashmarker`
initial commit 2017-04-27 13:58:49 +02:00			`import sys`
			`import re`
			`from pyfaup.faup import Faup`
			`from pymisp import PyMISP`
			`from defang import refang`
			`import dns.resolver`
			`import mail_to_misp_config as config`
alias file mail handling 2017-05-23 15:09:25 +02:00			`import email`
			`from email.generator import Generator`
hello python 3 2017-05-24 11:02:28 +02:00			`import tempfile`
python 3 2017-05-24 15:44:14 +02:00			`import socket`
logging via syslog 2017-05-30 11:24:30 +02:00			`import syslog`

			`syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_USER)`

python 3 2017-05-24 15:44:14 +02:00
			`def is_valid_ipv4_address(address):`
			`try:`
			`socket.inet_pton(socket.AF_INET, address)`
			`except AttributeError: # no inet_pton here, sorry`
			`try:`
			`socket.inet_aton(address)`
			`except socket.error:`
			`return False`
			`return address.count('.') == 3`
			`except socket.error: # not a valid address`
			`return False`

			`return True`

			`def is_valid_ipv6_address(address):`
			`try:`
			`socket.inet_pton(socket.AF_INET6, address)`
			`except socket.error: # not a valid address`
			`return False`
			`return True`
initial commit 2017-04-27 13:58:49 +02:00
			`debug = config.debug`
alias file mail handling 2017-05-23 15:09:25 +02:00			`stdin_used = False`

logging via syslog 2017-05-30 11:24:30 +02:00			`email_subject = config.email_subject_prefix`
alias file mail handling 2017-05-23 15:09:25 +02:00			`try:`
python3 changes 2017-05-24 15:50:05 +02:00			`if not sys.stdin.isatty():`
			`email_data = b''`
			`mailcontent = "".join(sys.stdin)`
			`msg = email.message_from_string(mailcontent)`
			`mail_subject = msg.get('Subject').encode()`
			`for part in msg.walk():`
			`if part.get_content_maintype() == 'multipart':`
			`continue`
			`if part.get_content_maintype() == 'text':`
			`email_data += part.get_payload(decode=True)`
			`email_subject += mail_subject`
			`stdin_used = True`
alias file mail handling 2017-05-23 15:09:25 +02:00			`except Exception as e:`
hello python 3 2017-05-24 11:02:28 +02:00			`print(e)`
alias file mail handling 2017-05-23 15:09:25 +02:00			`pass`

initial commit 2017-04-27 13:58:49 +02:00			`try:`
alias file mail handling 2017-05-23 15:09:25 +02:00			`if not stdin_used:`
python3 changes 2017-05-24 15:50:05 +02:00			`email_data = sys.argv[1].encode()`
			`email_subject = sys.argv[2].encode()`
initial commit 2017-04-27 13:58:49 +02:00			`except:`
			`if debug:`
logging via syslog 2017-05-30 11:24:30 +02:00			`syslog.syslog("FATAL ERROR: Not all required input received")`
initial commit 2017-04-27 13:58:49 +02:00			`sys.exit(1)`

			`if debug:`
logging via syslog 2017-05-30 11:24:30 +02:00			`syslog.syslog(str(email_subject))`
			`syslog.syslog(str(email_data))`
initial commit 2017-04-27 13:58:49 +02:00
			`misp_url = config.misp_url`
			`misp_key = config.misp_key`
			`misp_verifycert = config.misp_verifycert`

			`resolver = dns.resolver.Resolver(configure=False)`
			`resolver.nameservers = config.nameservers`

			`excludelist = config.excludelist`
			`externallist = config.externallist`
forwarding filter and internallist 2017-05-29 17:06:46 +02:00			`internallist = config.internallist`
new functionalities (hashes, ids_flag) 2017-04-28 10:00:58 +02:00			`noidsflaglist = config.noidsflaglist`
made ignorelists even more configurable 2017-05-30 16:35:29 +02:00			`ignorelist = config.ignorelist`
			`removelist = config.removelist`
initial commit 2017-04-27 13:58:49 +02:00			`malwaretags = config.malwaretags`
			`dependingtags = config.dependingtags`
fixed bug if no TLP tag is found A default TLP tag from the list is selected in such a case. It is the last (and shall be the most restrictive) from the list. 2017-05-10 11:11:30 +02:00			`tlptag_default = config.tlptag_default`
added stopword functionality 2017-05-17 09:51:47 +02:00			`stopword = config.stopword`
added adding additional tags for hashes 2017-05-22 09:44:55 +02:00			`hash_only_tags = config.hash_only_tags`
identify forwarded messages 2017-05-29 15:35:56 +02:00			`forward_identifiers = config.forward_identifiers`
initial commit 2017-04-27 13:58:49 +02:00
			`# Ignore lines in body of message`
made ignorelists even more configurable 2017-05-30 16:35:29 +02:00			`for ignoreline in ignorelist:`
			`email_data = re.sub(ignoreline, b"", email_data)`
initial commit 2017-04-27 13:58:49 +02:00
made ignorelists even more configurable 2017-05-30 16:35:29 +02:00			`# Remove words from subject`
			`for removeword in removelist:`
			`email_subject = re.sub(removeword, b"", email_subject)`
initial commit 2017-04-27 13:58:49 +02:00
			`def init(url, key):`
			`return PyMISP(url, key, misp_verifycert, 'json')`

			`# Evaluate classification`
fixed bug if no TLP tag is found A default TLP tag from the list is selected in such a case. It is the last (and shall be the most restrictive) from the list. 2017-05-10 11:11:30 +02:00			`tlp_tag = tlptag_default`
initial commit 2017-04-27 13:58:49 +02:00			`tlptags = config.tlptags`
			`for tag in tlptags:`
			`for alternativetag in tlptags[tag]:`
hello python 3 2017-05-24 11:02:28 +02:00			`if alternativetag.encode() in email_data.lower():`
initial commit 2017-04-27 13:58:49 +02:00			`tlp_tag = tag`

			`# Create the MISP event`
			`misp = init(misp_url, misp_key)`
hello python 3 2017-05-24 11:02:28 +02:00			`new_event = misp.new_event(info=email_subject.decode('utf-8', 'ignore'), distribution=0, threat_level_id=3, analysis=1)`
initial commit 2017-04-27 13:58:49 +02:00			`misp.add_tag(new_event, tlp_tag)`

			`# Add additional tags depending on others`
			`for tag in dependingtags:`
			`if tag in tlp_tag:`
			`for dependingtag in dependingtags[tag]:`
			`misp.add_tag(new_event, dependingtag)`

identify forwarded messages 2017-05-29 15:35:56 +02:00			`## Prepare extraction of IOCs`

			`# Limit the input if the stopword is found`
added stopword functionality 2017-05-17 09:51:47 +02:00			`email_data = email_data.split(stopword, 1)[0]`
identify forwarded messages 2017-05-29 15:35:56 +02:00
			`# Find the first forwarding message and use that content`
			`position = 99999`
			`t_email_data = email_data`
			`for identifier in forward_identifiers:`
			`new_position = email_data.find(identifier)`
forwarding filter and internallist 2017-05-29 17:06:46 +02:00			`if new_position == -1:`
			`new_position = position`
identify forwarded messages 2017-05-29 15:35:56 +02:00			`if new_position < position:`
			`t_before, t_split, t_email_data = email_data.partition(identifier)`
			`position = new_position`
			`email_data = t_email_data`

			`# Refang email data`
hello python 3 2017-05-24 11:02:28 +02:00			`email_data = refang(email_data.decode('utf-8', 'ignore'))`
identify forwarded messages 2017-05-29 15:35:56 +02:00

			`## Extract various IOCs`

python 3 2017-05-24 15:44:14 +02:00			`urllist = list()`
			`urllist += re.findall(urlmarker.WEB_URL_REGEX, email_data)`
new functionalities (hashes, ids_flag) 2017-04-28 10:00:58 +02:00			`urllist += re.findall(urlmarker.IP_REGEX, email_data)`
initial commit 2017-04-27 13:58:49 +02:00			`if debug:`
logging via syslog 2017-05-30 11:24:30 +02:00			`syslog.syslog(str(urllist))`
initial commit 2017-04-27 13:58:49 +02:00
			`# Init Faup`
			`f = Faup()`

updated documentation 2017-04-27 17:50:50 +02:00			`# Add tags according to configuration`
initial commit 2017-04-27 13:58:49 +02:00			`for malware in malwaretags:`
hello python 3 2017-05-24 11:02:28 +02:00			`if malware.encode() in email_subject.lower():`
initial commit 2017-04-27 13:58:49 +02:00			`for tag in malwaretags[malware]:`
			`misp.add_tag(new_event, tag)`

new functionalities (hashes, ids_flag) 2017-04-28 10:00:58 +02:00			`# Extract and add hashes`
			`hashlist_md5 = re.findall(hashmarker.MD5_REGEX, email_data)`
			`hashlist_sha1 = re.findall(hashmarker.SHA1_REGEX, email_data)`
			`hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data)`

			`for h in hashlist_md5:`
			`misp.add_hashes(new_event, md5=h)`
			`for h in hashlist_sha1:`
			`misp.add_hashes(new_event, sha1=h)`
			`for h in hashlist_sha256:`
			`misp.add_hashes(new_event, sha256=h)`

added adding additional tags for hashes 2017-05-22 09:44:55 +02:00			`if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):`
			`for tag in hash_only_tags:`
			`misp.add_tag(new_event, tag)`

initial commit 2017-04-27 13:58:49 +02:00			`# Add IOCs and expanded information to MISP`
			`for entry in urllist:`
new functionalities (hashes, ids_flag) 2017-04-28 10:00:58 +02:00			`ids_flag = True`
initial commit 2017-04-27 13:58:49 +02:00			`f.decode(entry)`
python 3 2017-05-24 15:44:14 +02:00			`domainname = f.get_domain()`
			`hostname = f.get_host()`
initial commit 2017-04-27 13:58:49 +02:00			`if debug:`
logging via syslog 2017-05-30 11:24:30 +02:00			`syslog.syslog(domainname.decode("utf-8", "ignore"))`
initial commit 2017-04-27 13:58:49 +02:00			`if domainname not in excludelist:`
forwarding filter and internallist 2017-05-29 17:06:46 +02:00			`if domainname in internallist:`
			`misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)`
			`elif domainname in externallist:`
added header, corrected No-IDS flag 2017-05-08 15:47:47 +02:00			`misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)`
initial commit 2017-04-27 13:58:49 +02:00			`else:`
new functionalities (hashes, ids_flag) 2017-04-28 10:00:58 +02:00			`if (domainname in noidsflaglist) or (hostname in noidsflaglist):`
			`ids_flag = False`
initial commit 2017-04-27 13:58:49 +02:00			`if debug:`
logging via syslog 2017-05-30 11:24:30 +02:00			`syslog.syslog(str(entry))`
python 3 2017-05-24 15:44:14 +02:00			`if hostname:`
attachment -> sample 2017-05-24 16:39:21 +02:00			`if is_valid_ipv4_address(entry):`
			`misp.add_url(new_event, entry, category='Network activity', to_ids=False)`
			`else:`
			`misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)`
initial commit 2017-04-27 13:58:49 +02:00			`if debug:`
logging via syslog 2017-05-30 11:24:30 +02:00			`syslog.syslog(hostname.decode("utf-8", "ignore"))`
python 3 2017-05-24 15:44:14 +02:00			`port = f.get_port()`
			`comment = ""`
			`if port:`
			`comment = "on port: " + str(port)`
			`if is_valid_ipv4_address(hostname.decode('utf-8', 'ignore')):`
on request, ip addresses have no longer IDS flag enabled 2017-05-24 16:20:57 +02:00			`misp.add_ipdst(new_event, hostname.decode('utf-8', 'ignore'), comment=comment, category='Network activity', to_ids=False)`
python 3 2017-05-24 15:44:14 +02:00			`else:`
			`misp.add_hostname(new_event, hostname.decode('utf-8', 'ignore'), comment=comment, category='Network activity', to_ids=ids_flag)`
			`try:`
			`for rdata in dns.resolver.query(hostname.decode('utf-8', 'ignore'), 'A'):`
			`if debug:`
logging via syslog 2017-05-30 11:24:30 +02:00			`syslog.syslog(str(rdata))`
attachment -> sample 2017-05-24 16:39:21 +02:00			`misp.add_ipdst(new_event, rdata.to_text(), category='Network activity', to_ids=False, comment=hostname.decode('utf-8', 'ignore'))`
python 3 2017-05-24 15:44:14 +02:00			`except Exception as e:`
			`print (e)`
			`if debug:`
logging via syslog 2017-05-30 11:24:30 +02:00			`syslog.syslog("DNS unsuccessful")`
hello python 3 2017-05-24 11:02:28 +02:00
			`# Try to add attachments`
			`if stdin_used:`
			`for part in msg.walk():`
			`if part.get_content_maintype() == 'multipart':`
			`continue`
			`if part.get_content_maintype() != 'text':`
			`filename = part.get_filename()`
			`_, output_path = tempfile.mkstemp()`
			`output = open(output_path, 'wb')`
			`output.write(part.get_payload(decode=True))`
'upload sample' - needs fix from pymisp 2017-05-29 10:51:22 +02:00			`misp.upload_sample(filename, output_path, new_event, distribution=None, to_ids=True, category=None, comment=None, info='My Info', analysis=None, threat_level_id=None)`
hello python 3 2017-05-24 11:02:28 +02:00			`output.close()`