mirror of https://github.com/MISP/mail_to_misp
logging via syslog
parent
97b0cc4b76
commit
393f9b83ba
|
@ -14,6 +14,10 @@ import email
|
||||||
from email.generator import Generator
|
from email.generator import Generator
|
||||||
import tempfile
|
import tempfile
|
||||||
import socket
|
import socket
|
||||||
|
import syslog
|
||||||
|
|
||||||
|
syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_USER)
|
||||||
|
|
||||||
|
|
||||||
def is_valid_ipv4_address(address):
|
def is_valid_ipv4_address(address):
|
||||||
try:
|
try:
|
||||||
|
@ -38,14 +42,10 @@ def is_valid_ipv6_address(address):
|
||||||
|
|
||||||
debug = config.debug
|
debug = config.debug
|
||||||
stdin_used = False
|
stdin_used = False
|
||||||
if debug:
|
|
||||||
debug_out_file = config.debug_out_file
|
|
||||||
target = open(debug_out_file, 'w')
|
|
||||||
target.write("New debug session opened")
|
|
||||||
|
|
||||||
|
email_subject = config.email_subject_prefix
|
||||||
try:
|
try:
|
||||||
if not sys.stdin.isatty():
|
if not sys.stdin.isatty():
|
||||||
email_subject = b'M2M - '
|
|
||||||
email_data = b''
|
email_data = b''
|
||||||
mailcontent = "".join(sys.stdin)
|
mailcontent = "".join(sys.stdin)
|
||||||
msg = email.message_from_string(mailcontent)
|
msg = email.message_from_string(mailcontent)
|
||||||
|
@ -67,12 +67,12 @@ try:
|
||||||
email_subject = sys.argv[2].encode()
|
email_subject = sys.argv[2].encode()
|
||||||
except:
|
except:
|
||||||
if debug:
|
if debug:
|
||||||
target.write("FATAL ERROR: Not all required input received")
|
syslog.syslog("FATAL ERROR: Not all required input received")
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
if debug:
|
if debug:
|
||||||
target.write(email_subject)
|
syslog.syslog(str(email_subject))
|
||||||
target.write(email_data)
|
syslog.syslog(str(email_data))
|
||||||
|
|
||||||
misp_url = config.misp_url
|
misp_url = config.misp_url
|
||||||
misp_key = config.misp_key
|
misp_key = config.misp_key
|
||||||
|
@ -147,7 +147,6 @@ for identifier in forward_identifiers:
|
||||||
if new_position < position:
|
if new_position < position:
|
||||||
t_before, t_split, t_email_data = email_data.partition(identifier)
|
t_before, t_split, t_email_data = email_data.partition(identifier)
|
||||||
position = new_position
|
position = new_position
|
||||||
print(position)
|
|
||||||
email_data = t_email_data
|
email_data = t_email_data
|
||||||
|
|
||||||
# Refang email data
|
# Refang email data
|
||||||
|
@ -159,9 +158,8 @@ email_data = refang(email_data.decode('utf-8', 'ignore'))
|
||||||
urllist = list()
|
urllist = list()
|
||||||
urllist += re.findall(urlmarker.WEB_URL_REGEX, email_data)
|
urllist += re.findall(urlmarker.WEB_URL_REGEX, email_data)
|
||||||
urllist += re.findall(urlmarker.IP_REGEX, email_data)
|
urllist += re.findall(urlmarker.IP_REGEX, email_data)
|
||||||
print (urllist)
|
|
||||||
if debug:
|
if debug:
|
||||||
target.write(str(urllist))
|
syslog.syslog(str(urllist))
|
||||||
|
|
||||||
# Init Faup
|
# Init Faup
|
||||||
f = Faup()
|
f = Faup()
|
||||||
|
@ -194,9 +192,8 @@ for entry in urllist:
|
||||||
f.decode(entry)
|
f.decode(entry)
|
||||||
domainname = f.get_domain()
|
domainname = f.get_domain()
|
||||||
hostname = f.get_host()
|
hostname = f.get_host()
|
||||||
print (hostname)
|
|
||||||
if debug:
|
if debug:
|
||||||
target.write(domainname + "\n")
|
syslog.syslog(domainname.decode("utf-8", "ignore"))
|
||||||
if domainname not in excludelist:
|
if domainname not in excludelist:
|
||||||
if domainname in internallist:
|
if domainname in internallist:
|
||||||
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
|
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
|
||||||
|
@ -206,15 +203,14 @@ for entry in urllist:
|
||||||
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
|
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
|
||||||
ids_flag = False
|
ids_flag = False
|
||||||
if debug:
|
if debug:
|
||||||
target.write(entry + "\n")
|
syslog.syslog(str(entry))
|
||||||
target.write(str(ids_flag))
|
|
||||||
if hostname:
|
if hostname:
|
||||||
if is_valid_ipv4_address(entry):
|
if is_valid_ipv4_address(entry):
|
||||||
misp.add_url(new_event, entry, category='Network activity', to_ids=False)
|
misp.add_url(new_event, entry, category='Network activity', to_ids=False)
|
||||||
else:
|
else:
|
||||||
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
|
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
|
||||||
if debug:
|
if debug:
|
||||||
target.write(hostname + "\n")
|
syslog.syslog(hostname.decode("utf-8", "ignore"))
|
||||||
port = f.get_port()
|
port = f.get_port()
|
||||||
comment = ""
|
comment = ""
|
||||||
if port:
|
if port:
|
||||||
|
@ -226,14 +222,12 @@ for entry in urllist:
|
||||||
try:
|
try:
|
||||||
for rdata in dns.resolver.query(hostname.decode('utf-8', 'ignore'), 'A'):
|
for rdata in dns.resolver.query(hostname.decode('utf-8', 'ignore'), 'A'):
|
||||||
if debug:
|
if debug:
|
||||||
target.write(str(rdata) + "\n")
|
syslog.syslog(str(rdata))
|
||||||
misp.add_ipdst(new_event, rdata.to_text(), category='Network activity', to_ids=False, comment=hostname.decode('utf-8', 'ignore'))
|
misp.add_ipdst(new_event, rdata.to_text(), category='Network activity', to_ids=False, comment=hostname.decode('utf-8', 'ignore'))
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print (e)
|
print (e)
|
||||||
if debug:
|
if debug:
|
||||||
target.write("DNS unsuccessful\n")
|
syslog.syslog("DNS unsuccessful")
|
||||||
if debug:
|
|
||||||
target.close()
|
|
||||||
|
|
||||||
# Try to add attachments
|
# Try to add attachments
|
||||||
if stdin_used:
|
if stdin_used:
|
||||||
|
|
|
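Review bot: In the `@@ -67,12 +67,12 @@` hunk, `syslog.syslog(str(email_subject))` and `syslog.syslog(str(email_data))` pass bytes values through `str()` (`email_subject` comes from `sys.argv[2].encode()` or the `b'M2M - '` prefix, `email_data` starts as `b''`), so the log line carries the `b'...'` repr rather than the text, and the second call hands the whole raw message to syslog, which daemons commonly truncate and many sites forward to remote collectors, where mail content is not something a debug log should retain. Decode the subject and log only a size for the body, e.g. `syslog.syslog(email_subject.decode('utf-8', 'ignore'))` and `syslog.syslog('email_data: %d bytes' % len(email_data))`. In the `@@ -206,15 +203,14 @@` hunk the removed `target.write(str(ids_flag))` gets no syslog replacement, so the to_ids decision is no longer visible under debug; `syslog.syslog('%s to_ids=%s' % (entry, ids_flag))` keeps it. In the `@@ -226,14 +222,12 @@` hunk the failure reason still goes to stdout via `print (e)` while syslog only receives "DNS unsuccessful"; `syslog.syslog('DNS unsuccessful: %s' % e)` would keep the reason with the rest of the log. In the `@@ -38,14 +42,10 @@` hunk `email_subject = config.email_subject_prefix` sits outside the `try`, so a config.py that predates this commit raises AttributeError at startup; `getattr(config, 'email_subject_prefix', b'M2M - ')` would preserve the previous default.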
@ -5,8 +5,8 @@ misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web inte
|
||||||
misp_verifycert = True
|
misp_verifycert = True
|
||||||
|
|
||||||
debug = False
|
debug = False
|
||||||
debug_out_file = '/tmp/mail_to_misp-debug.txt'
|
|
||||||
nameservers = ['149.13.33.69']
|
nameservers = ['149.13.33.69']
|
||||||
|
email_subject_prefix = b'M2M - '
|
||||||
|
|
||||||
excludelist = (b'google.com', b'microsoft.com')
|
excludelist = (b'google.com', b'microsoft.com')
|
||||||
externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')
|
externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')
|
||||||
|
|