fix: Properly add sightings, meta event attributes

2018-08-03 11:26:11 +02:00 · 2018-08-03 11:26:11 +02:00 · 11c99c879b
parent 757f2cb4bf
commit 11c99c879b
2 changed files with 16 additions and 9 deletions
--- a/mail2misp/mail2misp.py
+++ b/mail2misp/mail2misp.py
@ -42,6 +42,7 @@ class Mail2MISP():
        self.config_from_email_body = {}
        # Init Faup
        self.f = Faup()
+        self.sightings_to_add = []

    def load_email(self, pseudofile):
        self.pseudofile = pseudofile
@ -194,21 +195,21 @@ class Mail2MISP():
            if email_object:
                email_object.add_reference(attribute.uuid, 'contains')
            if self.config.sighting:
-                self.sighting(h, self.config.sighting_source)
+                self.sightings_to_add.append((h, self.config.sighting_source))
        for h in set(re.findall(hashmarker.SHA1_REGEX, body)):
            contains_hash = True
            attribute = self.misp_event.add_attribute('sha1', h, enforceWarninglist=self.config.enforcewarninglist)
            if email_object:
                email_object.add_reference(attribute.uuid, 'contains')
            if self.config.sighting:
-                self.sighting(h, self.config.sighting_source)
+                self.sightings_to_add.append((h, self.config.sighting_source))
        for h in set(re.findall(hashmarker.SHA256_REGEX, body)):
            contains_hash = True
            attribute = self.misp_event.add_attribute('sha256', h, enforceWarninglist=self.config.enforcewarninglist)
            if email_object:
                email_object.add_reference(attribute.uuid, 'contains')
            if self.config.sighting:
-                self.sighting(h, self.config.sighting_source)
+                self.sightings_to_add.append((h, self.config.sighting_source))

        if contains_hash:
            [self.misp_event.add_tag(tag) for tag in self.config.hash_only_tags]
@ -281,7 +282,7 @@ class Mail2MISP():
                            if email_object:
                                email_object.add_reference(attribute.uuid, 'contains')
                    if self.config.sighting:
-                        self.sighting(entry, self.config.sighting_source)
+                        self.sightings_to_add.append((entry, self.config.sighting_source))

                if hostname in hostname_processed:
                    # Hostname already processed.
@ -289,7 +290,7 @@ class Mail2MISP():

                hostname_processed.append(hostname)
                if self.config.sighting:
-                    self.sighting(hostname, self.config.sighting_source)
+                    self.sightings_to_add.append((hostname, self.config.sighting_source))

                if self.debug:
                    syslog.syslog(hostname)
@ -361,4 +362,8 @@ class Mail2MISP():

        if self.offline:
            return self.misp_event.to_json()
-        return self.misp.add_event(self.misp_event)
+        event = self.misp.add_event(self.misp_event)
+        if self.config.sighting:
+            for value, source in self.sightings_to_add:
+                self.sighting(value, source)
+        return event
--- a/tests/tests.py
+++ b/tests/tests.py
@ -77,9 +77,11 @@ class TestMailToMISP(unittest.TestCase):
        self.mail2misp.process_email_body()
        self.mail2misp.process_body_iocs()
        self.assertTrue(self.mail2misp.misp_event.publish)
-        self.assertEqual(self.mail2misp.misp_event.distribution, 3)
-        self.assertEqual(self.mail2misp.misp_event.threat_level_id, 2)
-        self.assertEqual(self.mail2misp.misp_event.analysis, 0)
+        self.assertEqual(self.mail2misp.misp_event.distribution, '3')
+        self.assertEqual(self.mail2misp.misp_event.threat_level_id, '2')
+        self.assertEqual(self.mail2misp.misp_event.analysis, '0')
+        self.mail2misp.add_event()
+

 if __name__ == '__main__':
    unittest.main()