mail_to_misp/README.md

116 lines
4.2 KiB
Markdown
Raw Normal View History

2017-04-27 14:32:31 +02:00
# mail_to_misp
2017-05-24 16:09:04 +02:00
Connect your mail infrastructure to [MISP](https://github.com/MISP/MISP) in order to create events based on the information contained within mails.
2017-04-27 14:32:31 +02:00
## Features
- Extraction of URLs and IP addresses (and port numbers) from free text emails
- Extraction of hostnames from URLs
2017-04-28 10:00:45 +02:00
- Extraction of hashes (MD5, SHA1, SHA256)
2017-04-27 14:32:31 +02:00
- DNS expansion
- Custom filter list for lines containing specific words
- Subject filters
- Respecting TLP classification mentioned in free text (including optional spelling robustness)
- Refanging of URLs ('hxxp://...')
- Add tags automatically based on key words (configurable)
- Add tags automatically depending on the presence of other tags (configurable)
2017-05-22 09:48:42 +02:00
- Add tags automatically depending on presence of hashes (e.g. for automatic expansion)
2017-04-27 14:32:31 +02:00
- Ignore 'whitelisted' domains (configurable)
2017-05-22 09:48:42 +02:00
- Specify a stop word term to no further process input
2017-04-28 10:00:45 +02:00
- Configurable list of attributes not to enable the IDS flag
2017-04-27 14:32:31 +02:00
- Automatically create 'external analysis' links based on filter list (e.g. VirusTotal, malwr.com)
2017-04-27 14:58:25 +02:00
## Implementation
For the moment, the implemented workflow is:
2017-05-03 09:47:25 +02:00
1. Apple Mail
2017-05-23 15:17:19 +02:00
`Email -> Apple Mail -> Mail rule -> AppleScript -> mail_to_misp -> PyMISP -> MISP`
2017-05-03 09:47:25 +02:00
2. Mozilla Thunderbird
2017-05-23 15:17:19 +02:00
`Email -> Thunderbird -> Mail rule -> filterscript -> thunderbird_wrapper -> mail_to_misp -> PyMISP -> MISP`
3. Postfix and others
`Email -> mail_to_misp`
2017-04-27 14:58:25 +02:00
## Installation
### Apple Mail
1. Mail rule script
- git clone this repository
- open the AppleScript file MUA/Apple/Mail/MISP Mail Rule Action.txt in Apple's 'Script Editor'
- adjust the path to the python installation and location of the mail_to_misp.py script
- save it in ~/Library/Application Scripts/com.apple.mail/
2. Create a mail rule based on your needs, executing the AppleScript defined before
3. Configure mail_to_misp_config.py
2017-05-03 06:33:41 +02:00
### Thunderbird
1. Git clone https://github.com/rommelfs/filterscript and install plugin (instructions within the project description)
2. Mail rule script
- git clone this repository
- open the bash script MUA/Mozilla/Thunderbird/thunderbird_wrapper.sh and adujst the paths
- adjust the path to the python installation and location of the mail_to_misp.py script
3. Create a mail rule based on your needs, executing the thunderbird_wrapper.sh script
4. Configure mail_to_misp_config.py
2017-04-27 14:58:25 +02:00
You should be able to create MISP events now.
2017-05-03 09:47:25 +02:00
### Outlook
Outlook is not implemented due to lack of test environment. However, it should be feasible to do it this way:
```
import win32com.client
import pythoncom
class Handler_Class(object):
def OnNewMailEx(self, receivedItemsIDs):
for ID in receivedItemsIDs.split(","):
# Microsoft.Office.Interop.Outlook _MailItem properties:
# https://msdn.microsoft.com/en-us/library/microsoft.office.interop.outlook._mailitem_properties.aspx
mailItem = outlook.Session.GetItemFromID(ID)
print "Subj: " + mailItem.Subject
print "Body: " + mailItem.Body.encode( 'ascii', 'ignore' )
print "========"
outlook = win32com.client.DispatchWithEvents("Outlook.Application", Handler_Class)
pythoncom.PumpMessages()
```
(from: https://blog.matthewurch.ca/?p=236)
Obviously, you would like to filter mails based on subject or from address and pass subject and body to mail_to_misp.py in order to do something useful. Pull-requests welcome for actual implementations :)
2017-04-27 14:58:25 +02:00
2017-05-23 15:17:19 +02:00
### Postfix (or other MTA)
1. Setup a new email address in the aliases file (e.g. /etc/aliases) and configure the correct path:
2017-05-23 15:17:45 +02:00
2017-05-23 15:17:19 +02:00
`misp_handler: "|/path/to/mail_to_misp.py"`
2017-05-23 15:17:59 +02:00
2017-05-23 15:17:19 +02:00
2. Rebuild the DB:
2017-05-23 15:17:45 +02:00
2017-05-23 15:17:19 +02:00
`$ sudo newaliases`
2017-05-23 15:17:59 +02:00
2017-05-23 15:17:19 +02:00
3. Configure mail_to_misp_config.py
2017-04-27 14:58:25 +02:00
2017-05-23 15:18:47 +02:00
You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN.
2017-04-27 14:32:31 +02:00
## Requirements
2017-05-03 06:33:41 +02:00
### General
2017-04-27 15:14:06 +02:00
- mail_to_misp requires access to a MISP instance (via API).
2017-05-24 16:08:39 +02:00
- Python 3
2017-04-27 15:14:06 +02:00
- urlmarker from https://github.com/rcompton/ryancompton.net/blob/master/assets/praw_drugs/urlmarker.py (contained in this project)
- defang from https://bitbucket.org/johannestaas/defang
2017-05-24 16:08:39 +02:00
- Optionally patch defang/defang/__init__.py and add dirty_line = dirty_line.replace('hxxp', 'http') at line 47
2017-04-27 14:32:31 +02:00
2017-05-03 06:33:41 +02:00
### Thunderbird
2017-04-27 14:32:31 +02:00
2017-05-03 06:33:41 +02:00
- https://github.com/rommelfs/filterscript (modified fork from https://github.com/adamnew123456/filterscript)