slight_refactoring
Sascha Rommelfangen 2018-04-12 10:31:44 +02:00 committed by GitHub
parent 85a00f963c
commit 299b1ae8ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 24 deletions


@ -21,37 +21,22 @@ Connect your mail infrastructure to [MISP](https://github.com/MISP/MISP) in orde
- Automatically create 'external analysis' links based on filter list (e.g. VirusTotal, malwr.com)
- Automatically create 'internal reference' links based on filter list
- Detection of forwarded messages
- Process attachments as malware samples or specify that they are processed as benign files (m2m_attachment_keyword)
```
- Process attachments as malware samples or specify that they are processed as benign files (`m2m_attachment_keyword`)
You can send mails with attachments to mail_to_misp and tell it, to treat the attachment as a benign document (in contrast to the default behaviour: treating it as a malware sample). You need to set a keyword in the configuration:
m2m_attachment_keyword = 'attachment:benign'
```
`m2m_attachment_keyword = 'attachment:benign'`
- Logging to syslog
- Remove "[tags]", "Re:" and "Fwd:" from subjects
- Optionally attach entire mail to event
- Contains now a fake-smtpd spamtrap which delivers IoCs/mails to MISP
- Automatically filter out attributes that are on a server side warning list (enforcewarninglist=True)
- Support for value sighting (sighting=True, sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER")
- Auto-publish when key:yourkey is specified in mail (configurable, m2m_key, m2m_auto_distribution)
```
The m2m_key configuration is used to specify a secret only you and your users know. If you know the key, you can send a mail to your mail_to_misp instance, and when this key is present in the body of the message, it will automatically publish the event.
So let's assume your config says:
m2m_key = 'ABCDEFGHIJKLMN0PQRSTUVWXYZ'
If you send a mail to mail_to_misp containing:
key:ABCDEFGHIJKLMN0PQRSTUVWXYZ
the event is automatically published.
- Automatically filter out attributes that are on a server side warning list (`enforcewarninglist=True`)
- Support for value sighting (`sighting=True`, `sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER"`)
- Auto-publish when `key:yourkey` is specified in mail (configurable, `m2m_key`, `m2m_auto_distribution`)
The `m2m_key configuration` is used to specify a secret only you and your users know. If you know the key, you can send a mail to your mail_to_misp instance, and when this key is present in the body of the message, it will automatically publish the event. So let's assume your config says: `m2m_key = 'ABCDEFGHIJKLMN0PQRSTUVWXYZ'`
If you send a mail to mail_to_misp containing: `key:ABCDEFGHIJKLMN0PQRSTUVWXYZ` the event is automatically published.
If you don't want to use this feature, just don't put it in the message body.
The distribution is defined in the configuration as well: `m2m_auto_distribution = '3' # 3 = All communities`
The distribution is defined in the configuration as well:
m2m_auto_distribution = '3' # 3 = All communities
```
## Implementation
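Review bot: the inline code span in the new m2m_key paragraph swallows the word "configuration" (`The `m2m_key configuration` is used ...`); it should read `The `m2m_key` configuration is used ...` so that only the setting name is rendered as code, matching `m2m_auto_distribution` two lines later. In the same paragraph the new sentence `If you send a mail to mail_to_misp containing: `key:ABCDEFGHIJKLMN0PQRSTUVWXYZ` the event is automatically published.` needs a comma after the code span to stay readable now that the line breaks of the removed fenced block are gone. Since this paragraph documents that the key is matched in the message body and triggers auto-publishing, it would also help to state that the key is a shared credential exposed to anyone who can read those mails, so the value chosen should not be the example shown here; the existing text only says it is "a secret only you and your users know".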