logging via syslog

Sascha Rommelfangen 2017-05-30 11:24:30 +02:00
parent 97b0cc4b76
commit 393f9b83ba
2 changed files with 15 additions and 21 deletions


@ -14,6 +14,10 @@ import email
from email.generator import Generator from email.generator import Generator
import tempfile import tempfile
import socket import socket
import syslog
syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_USER)
def is_valid_ipv4_address(address): def is_valid_ipv4_address(address):
try: try:
@ -38,14 +42,10 @@ def is_valid_ipv6_address(address):
debug = config.debug debug = config.debug
stdin_used = False stdin_used = False
if debug:
debug_out_file = config.debug_out_file
target = open(debug_out_file, 'w')
target.write("New debug session opened")
email_subject = config.email_subject_prefix
try: try:
if not sys.stdin.isatty(): if not sys.stdin.isatty():
email_subject = b'M2M - '
email_data = b'' email_data = b''
mailcontent = "".join(sys.stdin) mailcontent = "".join(sys.stdin)
msg = email.message_from_string(mailcontent) msg = email.message_from_string(mailcontent)
@ -67,12 +67,12 @@ try:
email_subject = sys.argv[2].encode() email_subject = sys.argv[2].encode()
except: except:
if debug: if debug:
target.write("FATAL ERROR: Not all required input received") syslog.syslog("FATAL ERROR: Not all required input received")
sys.exit(1) sys.exit(1)
if debug: if debug:
target.write(email_subject) syslog.syslog(str(email_subject))
target.write(email_data) syslog.syslog(str(email_data))
misp_url = config.misp_url misp_url = config.misp_url
misp_key = config.misp_key misp_key = config.misp_key
@ -147,7 +147,6 @@ for identifier in forward_identifiers:
if new_position < position: if new_position < position:
t_before, t_split, t_email_data = email_data.partition(identifier) t_before, t_split, t_email_data = email_data.partition(identifier)
position = new_position position = new_position
print(position)
email_data = t_email_data email_data = t_email_data
# Refang email data # Refang email data
@ -159,9 +158,8 @@ email_data = refang(email_data.decode('utf-8', 'ignore'))
urllist = list() urllist = list()
urllist += re.findall(urlmarker.WEB_URL_REGEX, email_data) urllist += re.findall(urlmarker.WEB_URL_REGEX, email_data)
urllist += re.findall(urlmarker.IP_REGEX, email_data) urllist += re.findall(urlmarker.IP_REGEX, email_data)
print (urllist)
if debug: if debug:
target.write(str(urllist)) syslog.syslog(str(urllist))
# Init Faup # Init Faup
f = Faup() f = Faup()
@ -194,9 +192,8 @@ for entry in urllist:
f.decode(entry) f.decode(entry)
domainname = f.get_domain() domainname = f.get_domain()
hostname = f.get_host() hostname = f.get_host()
print (hostname)
if debug: if debug:
target.write(domainname + "\n") syslog.syslog(domainname.decode("utf-8", "ignore"))
if domainname not in excludelist: if domainname not in excludelist:
if domainname in internallist: if domainname in internallist:
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0) misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
@ -206,15 +203,14 @@ for entry in urllist:
if (domainname in noidsflaglist) or (hostname in noidsflaglist): if (domainname in noidsflaglist) or (hostname in noidsflaglist):
ids_flag = False ids_flag = False
if debug: if debug:
target.write(entry + "\n") syslog.syslog(str(entry))
target.write(str(ids_flag))
if hostname: if hostname:
if is_valid_ipv4_address(entry): if is_valid_ipv4_address(entry):
misp.add_url(new_event, entry, category='Network activity', to_ids=False) misp.add_url(new_event, entry, category='Network activity', to_ids=False)
else: else:
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag) misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
if debug: if debug:
target.write(hostname + "\n") syslog.syslog(hostname.decode("utf-8", "ignore"))
port = f.get_port() port = f.get_port()
comment = "" comment = ""
if port: if port:
@ -226,14 +222,12 @@ for entry in urllist:
try: try:
for rdata in dns.resolver.query(hostname.decode('utf-8', 'ignore'), 'A'): for rdata in dns.resolver.query(hostname.decode('utf-8', 'ignore'), 'A'):
if debug: if debug:
target.write(str(rdata) + "\n") syslog.syslog(str(rdata))
misp.add_ipdst(new_event, rdata.to_text(), category='Network activity', to_ids=False, comment=hostname.decode('utf-8', 'ignore')) misp.add_ipdst(new_event, rdata.to_text(), category='Network activity', to_ids=False, comment=hostname.decode('utf-8', 'ignore'))
except Exception as e: except Exception as e:
print (e) print (e)
if debug: if debug:
target.write("DNS unsuccessful\n") syslog.syslog("DNS unsuccessful")
if debug:
target.close()
# Try to add attachments # Try to add attachments
if stdin_used: if stdin_used:
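Review bot: The `if debug:` branch right after the argument parsing now sends the complete raw message and its subject to the LOG_USER facility via `syslog.syslog(str(email_data))`, whereas the previous temp file only ever held them on local disk; mail bodies routinely carry personal data and attacker-controlled text, and syslog daemons commonly cap a single record, so a long body is likely truncated and of limited use for debugging anyway. Logging the size keeps the diagnostic without copying message contents into shared logs: `syslog.syslog(syslog.LOG_DEBUG, "email_data: %d bytes" % len(email_data))`. The later `syslog.syslog(str(entry))`, domain, hostname and `str(rdata)` lines put the extracted indicators into the log at the default LOG_INFO priority, because `openlog()` at import time sets no priority; passing `syslog.LOG_DEBUG` as the first argument on every debug call lets operators route or drop this output separately from real events. The `domainname.decode("utf-8", "ignore")` call near the top of the `for entry in urllist:` loop is not guarded the way the `if hostname:` line is, so if `f.get_domain()` can return None the debug path raises AttributeError; that loop starts and ends outside the visible hunks.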


@ -5,8 +5,8 @@ misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web inte
misp_verifycert = True misp_verifycert = True
debug = False debug = False
debug_out_file = '/tmp/mail_to_misp-debug.txt'
nameservers = ['149.13.33.69'] nameservers = ['149.13.33.69']
email_subject_prefix = b'M2M - '
excludelist = (b'google.com', b'microsoft.com') excludelist = (b'google.com', b'microsoft.com')
externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net') externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')