MISP
/
mail_to_misp
mirror of https://github.com/MISP/mail_to_misp
2
0
Fork 0
Code Issues Releases Wiki Activity

added support for sighting of values

slight_refactoring
Sascha Rommelfangen 2017-12-20 16:08:27 +01:00
parent 02fdf63127
commit 1d27e9e4e2
2 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
mail_to_misp.py
View File

@ -22,6 +22,7 @@ try:
import socket
import syslog
import ftfy
import hashlib
config = __import__(configfile)
except ImportError as e:
print("(!) Problem loading module:")
@ -127,6 +128,7 @@ internallist = config.internallist
noidsflaglist = config.noidsflaglist
ignorelist = config.ignorelist
enforcewarninglist = config.enforcewarninglist
sighting = config.sighting
removelist = config.removelist
malwaretags = config.malwaretags
dependingtags = config.dependingtags
@ -154,6 +156,10 @@ if debug:
def init(url, key):
return PyMISP(url, key, misp_verifycert, 'json', debug=None)
def sight(sighting, value):
if sighting:
d = {'value': value}
misp.set_sightings(d)
# Evaluate classification
tlp_tag = tlptag_default
@ -225,10 +231,13 @@ hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data)
for h in hashlist_md5:
misp.add_named_attribute(new_event, 'md5', h, to_ids=True, enforceWarninglist=enforcewarninglist)
sight(sighting, h)
for h in hashlist_sha1:
misp.add_named_attribute(new_event, 'sha1', h, to_ids=True, enforceWarninglist=enforcewarninglist)
sight(sighting, h)
for h in hashlist_sha256:
misp.add_named_attribute(new_event, 'sha256', h, to_ids=True, enforceWarninglist=enforcewarninglist)
sight(sighting, h)
if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):
for tag in hash_only_tags:
@ -250,9 +259,11 @@ for entry in urllist:
if domainname in internallist:
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference',
to_ids=False, distribution=0, enforceWarninglist=enforcewarninglist)
sight(sighting, entry)
elif domainname in externallist:
misp.add_named_attribute(new_event, 'link', entry, category='External analysis',
to_ids=False, enforceWarninglist=enforcewarninglist)
sight(sighting, entry)
else:
comment = ""
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
@ -268,6 +279,7 @@ for entry in urllist:
else:
misp.add_named_attribute(new_event, 'url', entry, category='Network activity',
to_ids=ids_flag, enforceWarninglist=enforcewarninglist)
sight(sighting, entry)
if debug:
syslog.syslog(hostname)
try:
@ -280,9 +292,11 @@ for entry in urllist:
if is_valid_ipv4_address(hostname):
misp.add_named_attribute(new_event, 'ip-dst', hostname, comment=comment, category='Network activity',
to_ids=False, enforceWarninglist=enforcewarninglist)
sight(sighting, hostname)
else:
misp.add_named_attribute(new_event, 'hostname', hostname, comment=comment, category='Network activity',
to_ids=ids_flag, enforceWarninglist=enforcewarninglist)
sight(sighting, hostname)
try:
for rdata in dns.resolver.query(hostname, 'A'):
if debug:
@ -290,6 +304,7 @@ for entry in urllist:
misp.add_named_attribute(new_event, 'ip-dst', rdata.to_text(), comment=hostname,
category='Network activity', to_ids=False,
enforceWarninglist=enforcewarninglist)
sight(sighting, rdata.to_text())
except Exception as e:
if debug:
syslog.syslog(str(e))
@ -307,6 +322,8 @@ if stdin_used:
attachment = part.get_payload(decode=True)
event_id = misp_event.id
misp.upload_sample(filename, output_path, event_id, distribution=None, to_ids=True)
file_hash = hashlib.sha256(open(output_path, 'rb').read()).hexdigest()
sight(sighting, file_hash)
output.close()
if debug:

3
mail_to_misp_config.py-example
View File

@ -42,6 +42,9 @@ ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender
# Ignore (don't add) attributes that are on server side warning list
enforcewarninglist=True
# Add a sighting for each value
sighting=True
# Remove "[tags]", "Re: ", "Fwd: " from subject
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")