chg: add gitignore, cleanup

.gitignore

@@ -0,0 +1,115 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# dotenv
+.env
+
+# virtualenv
+.venv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+
+# Redis
+*.rdb
+
+# Storage
+rawdata
+
+# ardb
+storage/ardb.pid
+storage/data
+storage/repl
+
+# Config files of running instance
+*config.py

fake_smtp_config.py-example

@@ -0,0 +1,8 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pathlib import Path
+
+binpath = Path(__file__).cwd() / 'mail_to_misp.py'
+
+smtp_addr = '127.0.0.1'
+smtp_port = 2525

mail_to_misp.py

@@ -77,7 +77,7 @@ class Mail2MISP():
             if attachment.get_filename() and attachment.get_filename().endswith('.eml'):
                 self.forwarded_email(pseudofile=BytesIO(attachment.get_content().as_bytes()))
             else:
-                if self.config_from_email_body.get('attachment') == 'benign':
+                if self.config_from_email_body.get('attachment') == config.m2m_benign_attachment_keyword:
                     # Attach sane file
                     self.misp_event.add_attribute('attachment', value='Report',
                                                   data=BytesIO(attachment.get_content().as_bytes()))

mail_to_misp_config.py-example

@@ -1,6 +1,5 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-import os
 
 misp_url = 'YOUR_MISP_URL'
 misp_key = 'YOUR_KEY_HERE'  # The MISP auth key can be found on the MISP web interface under the automation section
@@ -10,23 +9,13 @@ spamtrap = False
 
 m2m_key = 'YOUSETYOURKEYHERE'
 m2m_auto_distribution = '3'  # 3 = All communities
-m2m_attachment_keyword = 'attachment:benign'
+m2m_benign_attachment_keyword = 'benign'
 
 debug = False
 nameservers = ['149.13.33.69']
 email_subject_prefix = 'M2M'
 attach_original_mail = True
 
-# Paths (should be automatic)
-bindir = os.path.dirname(os.path.realpath(__file__))
-cfgdir = os.path.dirname(os.path.realpath(__file__))
-scriptname = 'mail_to_misp.py'
-binpath = os.path.join(bindir, scriptname)
-
-# for the SPAM trap
-smtp_addr = "127.0.0.1"
-smtp_port = 25
-
 excludelist = ('google.com', 'microsoft.com')
 externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
 internallist = ('internal.system.local')
@@ -51,7 +40,7 @@ sighting = True
 sighting_source = "YOUR_MAIL_TO_MISP_IDENTIFIER"
 
 # Remove "[tags]", "Re: ", "Fwd: " from subject
-removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
+removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ", "{Spam?} ")
 
 # TLP tag setup
 # Tuples contain different variations of spelling