From 316b73644b5b74486fd4637022a51a5ea23dcfeb Mon Sep 17 00:00:00 2001
From: Sascha Rommelfangen
Date: Thu, 4 Jan 2018 16:12:40 +0100
Subject: [PATCH] overriding warninglist enforcement when full URL with resource
---
 mail_to_misp.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/mail_to_misp.py b/mail_to_misp.py
index edf24ab..f3f894a 100755
--- a/mail_to_misp.py
+++ b/mail_to_misp.py
@@ -260,6 +260,10 @@ for entry in urllist:
 schema = f.get_scheme().decode('utf-8', 'ignore')
 except:
 schema = False
+ try:
+ resource_path = f.get_resource_path().decode('utf-8', 'ignore')
+ except:
+ resource_path = False
 if debug:
 syslog.syslog(domainname)
 if domainname not in excludelist:
@@ -279,8 +283,12 @@ for entry in urllist:
 if is_valid_ipv4_address(hostname):
 add_attribute(new_event, 'url', entry, 'Network activity', False, enforcewarninglist, sighting)
 else:
- add_attribute(new_event, 'url', entry, 'Network activity', ids_flag, enforcewarninglist,
- sighting, comment=comment)
+ if resource_path:
+ add_attribute(new_event, 'url', entry, 'Network activity', ids_flag, False,
+ sighting, comment=comment)
+ else:
+ add_attribute(new_event, 'url', entry, 'Network activity', ids_flag, enforcewarninglist,
+ sighting, comment=comment)
 if debug:
 syslog.syslog(hostname)
 try:
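Review bot: The bare `except:` added around `f.get_resource_path()` in the first hunk turns any failure, not only a URL without a path, into `resource_path = False`, and that value later decides whether the warninglist check is skipped. An explicit test would stop hiding unrelated errors: `rp = f.get_resource_path()` followed by `resource_path = rp.decode('utf-8', 'ignore') if rp else False`. This assumes the parser returns an empty value when the URL has no path, which the hunk does not show. The enclosing `for entry in urllist:` loop starts and ends outside the hunk.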
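Review bot: In the second hunk's `if resource_path:` branch any non-empty path switches warninglist enforcement off. If the parser reports a bare `/` as the resource path, the root URL of a warninglisted domain is added unchecked with whatever `ids_flag` holds, which can push well-known benign sites into IDS exports. Requiring a real resource would narrow the override, for example `if resource_path and resource_path.strip('/'):`. The two `add_attribute` calls differ in a single argument, so `enforce = False if resource_path else enforcewarninglist` ahead of one call would keep them from drifting apart. A short comment such as `# full URL with a resource: the warninglist matches the domain, not this specific URL` would record why the exemption exists.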