From 11c99c879bfe2f38e56e66922ca022226b7edc8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Fri, 3 Aug 2018 11:26:11 +0200
Subject: [PATCH] fix: Properly add sightings, meta event attributes
---
mail2misp/mail2misp.py | 17 +++++++++++------
tests/tests.py | 8 +++++---
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/mail2misp/mail2misp.py b/mail2misp/mail2misp.py
index 7573d00..aa1709f 100644
--- a/mail2misp/mail2misp.py
+++ b/mail2misp/mail2misp.py
@@ -42,6 +42,7 @@ class Mail2MISP():
self.config_from_email_body = {}
# Init Faup
self.f = Faup()
+ self.sightings_to_add = []
def load_email(self, pseudofile):
self.pseudofile = pseudofile
@@ -194,21 +195,21 @@ class Mail2MISP():
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
- self.sighting(h, self.config.sighting_source)
+ self.sightings_to_add.append((h, self.config.sighting_source))
for h in set(re.findall(hashmarker.SHA1_REGEX, body)):
contains_hash = True
attribute = self.misp_event.add_attribute('sha1', h, enforceWarninglist=self.config.enforcewarninglist)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
- self.sighting(h, self.config.sighting_source)
+ self.sightings_to_add.append((h, self.config.sighting_source))
for h in set(re.findall(hashmarker.SHA256_REGEX, body)):
contains_hash = True
attribute = self.misp_event.add_attribute('sha256', h, enforceWarninglist=self.config.enforcewarninglist)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
- self.sighting(h, self.config.sighting_source)
+ self.sightings_to_add.append((h, self.config.sighting_source))
if contains_hash:
[self.misp_event.add_tag(tag) for tag in self.config.hash_only_tags]
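Review bot: The queuing line `self.sightings_to_add.append((h, self.config.sighting_source))`, each time under its own `if self.config.sighting:` guard, is now written out five times: three in this hunk's md5/sha1/sha256 loops and two more in the @@ -281 and @@ -289 hunks. A single helper would keep the guard and the source value in one place, e.g. `def _queue_sighting(self, value):` / `    if self.config.sighting:` / `        self.sightings_to_add.append((value, self.config.sighting_source))`, with each call site reduced to `self._queue_sighting(h)`. That also makes it harder for a future call site to forget the guard or pass a different source. The enclosing method starts before this hunk, so the helper's placement within the class is not visible here.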
@@ -281,7 +282,7 @@ class Mail2MISP():
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
- self.sighting(entry, self.config.sighting_source)
+ self.sightings_to_add.append((entry, self.config.sighting_source))
if hostname in hostname_processed:
# Hostname already processed.
@@ -289,7 +290,7 @@ class Mail2MISP():
hostname_processed.append(hostname)
if self.config.sighting:
- self.sighting(hostname, self.config.sighting_source)
+ self.sightings_to_add.append((hostname, self.config.sighting_source))
if self.debug:
syslog.syslog(hostname)
@@ -361,4 +362,8 @@ class Mail2MISP():
if self.offline:
return self.misp_event.to_json()
- return self.misp.add_event(self.misp_event)
+ event = self.misp.add_event(self.misp_event)
+ if self.config.sighting:
+ for value, source in self.sightings_to_add:
+ self.sighting(value, source)
+ return event
diff --git a/tests/tests.py b/tests/tests.py
index b5cd949..42bde92 100644
--- a/tests/tests.py
+++ b/tests/tests.py
@@ -77,9 +77,11 @@ class TestMailToMISP(unittest.TestCase):
self.mail2misp.process_email_body()
self.mail2misp.process_body_iocs()
self.assertTrue(self.mail2misp.misp_event.publish)
- self.assertEqual(self.mail2misp.misp_event.distribution, 3)
- self.assertEqual(self.mail2misp.misp_event.threat_level_id, 2)
- self.assertEqual(self.mail2misp.misp_event.analysis, 0)
+ self.assertEqual(self.mail2misp.misp_event.distribution, '3')
+ self.assertEqual(self.mail2misp.misp_event.threat_level_id, '2')
+ self.assertEqual(self.mail2misp.misp_event.analysis, '0')
+ self.mail2misp.add_event()
+
if __name__ == '__main__':
unittest.main()
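Review bot: `self.sightings_to_add` is never emptied after the flush loop in this hunk, so if one `Mail2MISP` instance is reused for a second message (`load_email` takes a fresh pseudofile, which suggests that can happen) the first message's sightings are pushed again together with the second's. Reset the queue once it has been sent, e.g. `self.sightings_to_add = []` right after the `for value, source` loop, or reset it at the top of `load_email` alongside `self.pseudofile`. Separately, the sightings are pushed regardless of what `self.misp.add_event` returned; if that call signals failure through its return value rather than by raising, sightings would be recorded for an event that was never created, so it is worth checking `event` before entering the loop. The signature of this method lies above the hunk.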
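Review bot: The new `self.mail2misp.add_event()` call at the end of the test asserts nothing about its result, and on the non-offline path (per the mail2misp.py change in this patch) it submits the event and then every queued sighting to a MISP instance, so a regression in the sighting flush would not be caught. Assert the queue before the call when the fixture enables sightings, e.g. `self.assertTrue(self.mail2misp.sightings_to_add)`, and keep the return value, `event = self.mail2misp.add_event()`, so something about it can be asserted. Whether the fixture runs with `offline` set is not visible in this hunk. The test method begins before the hunk.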