MISP
/
mail_to_misp
mirror of https://github.com/MISP/mail_to_misp
2
0
Fork 0
Code Issues Releases Wiki Activity

fix: Properly add sightings, meta event attributes

pull/31/head
Raphaël Vinot 2018-08-03 11:26:11 +02:00
parent 757f2cb4bf
commit 11c99c879b
2 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
mail2misp/mail2misp.py
View File

@ -42,6 +42,7 @@ class Mail2MISP():
self.config_from_email_body = {}
# Init Faup
self.f = Faup()
self.sightings_to_add = []
def load_email(self, pseudofile):
self.pseudofile = pseudofile
@ -194,21 +195,21 @@ class Mail2MISP():
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
self.sighting(h, self.config.sighting_source)
self.sightings_to_add.append((h, self.config.sighting_source))
for h in set(re.findall(hashmarker.SHA1_REGEX, body)):
contains_hash = True
attribute = self.misp_event.add_attribute('sha1', h, enforceWarninglist=self.config.enforcewarninglist)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
self.sighting(h, self.config.sighting_source)
self.sightings_to_add.append((h, self.config.sighting_source))
for h in set(re.findall(hashmarker.SHA256_REGEX, body)):
contains_hash = True
attribute = self.misp_event.add_attribute('sha256', h, enforceWarninglist=self.config.enforcewarninglist)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
self.sighting(h, self.config.sighting_source)
self.sightings_to_add.append((h, self.config.sighting_source))
if contains_hash:
[self.misp_event.add_tag(tag) for tag in self.config.hash_only_tags]
@ -281,7 +282,7 @@ class Mail2MISP():
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
if self.config.sighting:
self.sighting(entry, self.config.sighting_source)
self.sightings_to_add.append((entry, self.config.sighting_source))
if hostname in hostname_processed:
# Hostname already processed.
@ -289,7 +290,7 @@ class Mail2MISP():
hostname_processed.append(hostname)
if self.config.sighting:
self.sighting(hostname, self.config.sighting_source)
self.sightings_to_add.append((hostname, self.config.sighting_source))
if self.debug:
syslog.syslog(hostname)
@ -361,4 +362,8 @@ class Mail2MISP():
if self.offline:
return self.misp_event.to_json()
return self.misp.add_event(self.misp_event)
event = self.misp.add_event(self.misp_event)
if self.config.sighting:
for value, source in self.sightings_to_add:
self.sighting(value, source)
return event

8
tests/tests.py
View File

@ -77,9 +77,11 @@ class TestMailToMISP(unittest.TestCase):
self.mail2misp.process_email_body()
self.mail2misp.process_body_iocs()
self.assertTrue(self.mail2misp.misp_event.publish)
self.assertEqual(self.mail2misp.misp_event.distribution, 3)
self.assertEqual(self.mail2misp.misp_event.threat_level_id, 2)
self.assertEqual(self.mail2misp.misp_event.analysis, 0)
self.assertEqual(self.mail2misp.misp_event.distribution, '3')
self.assertEqual(self.mail2misp.misp_event.threat_level_id, '2')
self.assertEqual(self.mail2misp.misp_event.analysis, '0')
self.mail2misp.add_event()
if __name__ == '__main__':
unittest.main()