slight_refactoring
Sascha Rommelfangen 2018-04-12 10:31:44 +02:00 committed by GitHub
parent 85a00f963c
commit 299b1ae8ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 24 deletions


@ -21,37 +21,22 @@ Connect your mail infrastructure to [MISP](https://github.com/MISP/MISP) in orde
- Automatically create 'external analysis' links based on filter list (e.g. VirusTotal, malwr.com) - Automatically create 'external analysis' links based on filter list (e.g. VirusTotal, malwr.com)
- Automatically create 'internal reference' links based on filter list - Automatically create 'internal reference' links based on filter list
- Detection of forwarded messages - Detection of forwarded messages
- Process attachments as malware samples or specify that they are processed as benign files (m2m_attachment_keyword) - Process attachments as malware samples or specify that they are processed as benign files (`m2m_attachment_keyword`)
```
You can send mails with attachments to mail_to_misp and tell it, to treat the attachment as a benign document (in contrast to the default behaviour: treating it as a malware sample). You need to set a keyword in the configuration: You can send mails with attachments to mail_to_misp and tell it, to treat the attachment as a benign document (in contrast to the default behaviour: treating it as a malware sample). You need to set a keyword in the configuration:
m2m_attachment_keyword = 'attachment:benign' `m2m_attachment_keyword = 'attachment:benign'`
```
- Logging to syslog - Logging to syslog
- Remove "[tags]", "Re:" and "Fwd:" from subjects - Remove "[tags]", "Re:" and "Fwd:" from subjects
- Optionally attach entire mail to event - Optionally attach entire mail to event
- Contains now a fake-smtpd spamtrap which delivers IoCs/mails to MISP - Contains now a fake-smtpd spamtrap which delivers IoCs/mails to MISP
- Automatically filter out attributes that are on a server side warning list (enforcewarninglist=True) - Automatically filter out attributes that are on a server side warning list (`enforcewarninglist=True`)
- Support for value sighting (sighting=True, sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER") - Support for value sighting (`sighting=True`, `sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER"`)
- Auto-publish when key:yourkey is specified in mail (configurable, m2m_key, m2m_auto_distribution) - Auto-publish when `key:yourkey` is specified in mail (configurable, `m2m_key`, `m2m_auto_distribution`)
``` The `m2m_key configuration` is used to specify a secret only you and your users know. If you know the key, you can send a mail to your mail_to_misp instance, and when this key is present in the body of the message, it will automatically publish the event. So let's assume your config says: `m2m_key = 'ABCDEFGHIJKLMN0PQRSTUVWXYZ'`
The m2m_key configuration is used to specify a secret only you and your users know. If you know the key, you can send a mail to your mail_to_misp instance, and when this key is present in the body of the message, it will automatically publish the event. If you send a mail to mail_to_misp containing: `key:ABCDEFGHIJKLMN0PQRSTUVWXYZ` the event is automatically published.
So let's assume your config says:
m2m_key = 'ABCDEFGHIJKLMN0PQRSTUVWXYZ'
If you send a mail to mail_to_misp containing:
key:ABCDEFGHIJKLMN0PQRSTUVWXYZ
the event is automatically published.
If you don't want to use this feature, just don't put it in the message body. If you don't want to use this feature, just don't put it in the message body.
The distribution is defined in the configuration as well: `m2m_auto_distribution = '3' # 3 = All communities`
The distribution is defined in the configuration as well:
m2m_auto_distribution = '3' # 3 = All communities
```
## Implementation ## Implementation
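Review bot: the new `m2m_key` bullet mis-scopes its inline code span: `The `m2m_key configuration` is used to specify a secret` wraps the word "configuration" in the span, and the intent is clearly `` `m2m_key` `` configuration; the same collapse also joins three former lines (explanation, example config, example mail body) into one long bullet, so the two examples `m2m_key = 'ABCDEFGHIJKLMN0PQRSTUVWXYZ'` and `key:ABCDEFGHIJKLMN0PQRSTUVWXYZ` would read better as separate lines, as they were before. On the content: the sample value is a predictable alphabet string (with a `0` standing in for `O`), and since the text states that its presence in a mail body alone triggers auto-publish with `m2m_auto_distribution = '3' # 3 = All communities`, the README should say the value is a placeholder to be replaced with a long random secret and that it is exposed to anyone who can read or relay the mail.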