tag extraction from subject and bug fix for alternativetags

pull/38/head
Sascha Rommelfangen 2019-07-23 13:35:17 +02:00
parent 5347325d8b
commit 0f6d95e8a7
1 changed files with 10 additions and 14 deletions


@ -196,8 +196,9 @@ class Mail2MISP():
# Add tags to the event if keywords are found in the mail # Add tags to the event if keywords are found in the mail
for tag in self.config.tlptags: for tag in self.config.tlptags:
if any(alternativetag in body.lower() for alternativetag in self.config.tlptags[tag]): for alternativetag in self.config.tlptags[tag]:
self.misp_event.add_tag(tag) if alternativetag in body.lower():
self.misp_event.add_tag(tag)
# Prepare extraction of IOCs # Prepare extraction of IOCs
# Refang email data # Refang email data
@ -279,6 +280,13 @@ class Mail2MISP():
comment = "" comment = ""
attribute = self.misp.add_attribute(self.urlsonly, {"type": 'link', "value": entry, "category": 'External analysis', attribute = self.misp.add_attribute(self.urlsonly, {"type": 'link', "value": entry, "category": 'External analysis',
"to_ids": False, "comment": comment}) "to_ids": False, "comment": comment})
for tag in self.config.tlptags:
for alternativetag in self.config.tlptags[tag]:
if alternativetag in self.subject.lower():
self.misp.tag(attribute["uuid"], tag)
new_subject = self.subject.replace(alternativetag, '')
self.misp.change_comment(attribute["uuid"], new_subject)
else: # The URL is probably an indicator. else: # The URL is probably an indicator.
comment = "" comment = ""
if (domainname in self.config.noidsflaglist) or (hostname in self.config.noidsflaglist): if (domainname in self.config.noidsflaglist) or (hostname in self.config.noidsflaglist):
@ -391,15 +399,3 @@ class Mail2MISP():
for value, source in self.sightings_to_add: for value, source in self.sightings_to_add:
self.sighting(value, source) self.sighting(value, source)
return event return event
def update_event(self, eid=None):
'''Update event on the remote MISP instance.'''
if self.offline:
return self.misp_event.to_json()
event = self.misp.update_event(self.misp_event, eid)
syslog.syslog(str(event))
# if self.config.sighting:
# for value, source in self.sightings_to_add:
# self.sighting(value, source)
return event
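Review bot: In the new block after `add_attribute` (hunk at line 280), the match is case-insensitive (`alternativetag in self.subject.lower()`) but the edit is not (`self.subject.replace(alternativetag, '')`), so a subject containing e.g. `TLP:AMBER` is tagged while the tag text stays in the comment. The loop also rebuilds `new_subject` from `self.subject` on every match and calls `change_comment` each time, so with two matching alternatives only the last removal survives, and several matching alternatives of one tag call `self.misp.tag` repeatedly; accumulating the removals in one string, breaking after the first alternative of a tag, and issuing a single `change_comment` fixes all three. The same once-per-alternative `add_tag` appears in the first hunk at line 196, where a `break` after `self.misp_event.add_tag(tag)` would restore the once-per-tag behaviour of the removed `any(...)` form. `attribute["uuid"]` presumably assumes `add_attribute` returned a full attribute dict; worth confirming it cannot return an error payload here. The enclosing method starts and ends outside the hunk.
```python
attribute = self.misp.add_attribute(self.urlsonly, {"type": 'link', "value": entry, "category": 'External analysis',
                                                     "to_ids": False, "comment": comment})
new_subject = self.subject
for tag in self.config.tlptags:
    for alternativetag in self.config.tlptags[tag]:
        # locate case-insensitively so the match and the removal agree
        idx = new_subject.lower().find(alternativetag.lower())
        if idx != -1:
            self.misp.tag(attribute["uuid"], tag)
            new_subject = new_subject[:idx] + new_subject[idx + len(alternativetag):]
            break  # one tag call per TLP tag, as the old any(...) form did
if new_subject != self.subject:
    self.misp.change_comment(attribute["uuid"], new_subject.strip())
# … unchanged: else branch for indicator URLs …
```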