diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..10c6e69
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,115 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# dotenv
+.env
+
+# virtualenv
+.venv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+
+# Redis
+*.rdb
+
+# Storage
+rawdata
+
+# ardb
+storage/ardb.pid
+storage/data
+storage/repl
+
+# Config files of running instance
+*config.py
diff --git a/fake_smtp_config.py-example b/fake_smtp_config.py-example
new file mode 100644
index 0000000..48b208a
--- /dev/null
+++ b/fake_smtp_config.py-example
@@ -0,0 +1,8 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pathlib import Path
+
+binpath = Path(__file__).cwd() / 'mail_to_misp.py'
+
+smtp_addr = '127.0.0.1'
+smtp_port = 2525
diff --git a/mail_to_misp.py b/mail_to_misp.py
index 97b9108..ff6fb60 100755
--- a/mail_to_misp.py
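Review bot: `binpath = Path(__file__).cwd() / 'mail_to_misp.py'` in the new fake_smtp_config.py-example does not locate the script next to the config file: `Path.cwd()` is a classmethod that ignores the instance it is called on and returns the process's working directory, so binpath changes with wherever the spam trap is started, unlike the `os.path.dirname(os.path.realpath(__file__))` logic this example replaces. If binpath is the program the spam trap executes (its use is not visible in this diff), launching from another directory would either fail or run whatever `mail_to_misp.py` happens to sit in that working directory. The intended equivalent is `binpath = Path(__file__).resolve().parent / 'mail_to_misp.py'`.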
+++ b/mail_to_misp.py
@@ -77,7 +77,7 @@ class Mail2MISP():
 if attachment.get_filename() and attachment.get_filename().endswith('.eml'):
 self.forwarded_email(pseudofile=BytesIO(attachment.get_content().as_bytes()))
 else:
- if self.config_from_email_body.get('attachment') == 'benign':
+ if self.config_from_email_body.get('attachment') == config.m2m_benign_attachment_keyword:
 # Attach sane file
 self.misp_event.add_attribute('attachment', value='Report', data=BytesIO(attachment.get_content().as_bytes()))
diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example
index bb98be1..8f8359e 100644
--- a/mail_to_misp_config.py-example
+++ b/mail_to_misp_config.py-example
@@ -1,6 +1,5 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-import os
 misp_url = 'YOUR_MISP_URL'
 misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section
@@ -10,23 +9,13 @@ spamtrap = False
 m2m_key = 'YOUSETYOURKEYHERE'
 m2m_auto_distribution = '3' # 3 = All communities
-m2m_attachment_keyword = 'attachment:benign'
+m2m_benign_attachment_keyword = 'benign'
 debug = False
 nameservers = ['149.13.33.69']
 email_subject_prefix = 'M2M'
 attach_original_mail = True
-# Paths (should be automatic)
-bindir = os.path.dirname(os.path.realpath(__file__))
-cfgdir = os.path.dirname(os.path.realpath(__file__))
-scriptname = 'mail_to_misp.py'
-binpath = os.path.join(bindir, scriptname)
-
-# for the SPAM trap
-smtp_addr = "127.0.0.1"
-smtp_port = 25
-
 excludelist = ('google.com', 'microsoft.com')
 externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
 internallist = ('internal.system.local')
@@ -51,7 +40,7 @@ sighting = True
 sighting_source = "YOUR_MAIL_TO_MISP_IDENTIFIER"
 # Remove "[tags]", "Re: ", "Fwd: " from subject
-removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
+removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ", "{Spam?} ")
 # TLP tag setup
 # Tuples contain different variations of spelling
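Review bot: `config.m2m_benign_attachment_keyword` makes a newly named config attribute mandatory, but running-instance config files are git-ignored (`*config.py` in the new .gitignore) and any config written from the previous example only defines `m2m_attachment_keyword`, so an upgraded install will raise AttributeError on this line the first time a non-.eml attachment is processed. Either validate the config at load time with a message naming the renamed key, or keep the old literal as the fallback at the use site: `if self.config_from_email_body.get('attachment') == getattr(config, 'm2m_benign_attachment_keyword', 'benign'):`. The enclosing method begins before this hunk and continues after it.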
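Review bot: The renamed `m2m_benign_attachment_keyword` in the second mail_to_misp_config.py-example hunk has no explanatory comment, while its neighbours (`m2m_auto_distribution`, `misp_key`) do, and the example is the only place an operator reads before editing it. From mail_to_misp.py this is the value compared against the `attachment` directive parsed from the mail body, and a match makes the attachment be added to the event as a plain file attribute named 'Report'; how other attachments are handled is not visible here. Suggest `m2m_benign_attachment_keyword = 'benign'  # value of the 'attachment:' directive in the mail body that marks an attachment as safe to attach as-is; note it is trusted from the mail body itself`.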
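Review bot: The new `"{Spam?} "` entry in removelist sits next to `"[\(\[].*?[\)\]]"`, which is unmistakably a regex, and read as a regex `?` is a quantifier on `m`, so the pattern matches `{Spam} ` and `{Spa} ` but never the literal `{Spam?} ` prefix it is meant to strip. If the tuple is applied through `re` (the consumer is not visible in this diff), the entry should be `r"\{Spam\?\} "`. While here, the existing entries use non-raw strings with `\(` escapes, which Python reports as invalid escape sequences (a DeprecationWarning, SyntaxWarning from 3.12 on); raw strings for every pattern avoid that.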