MISP
/
mail_to_misp
mirror of https://github.com/MISP/mail_to_misp
2
0
Fork 0
Code Issues Releases Wiki Activity

config example fixed

slight_refactoring
Sascha Rommelfangen 2017-06-30 08:35:50 +02:00
parent 26d3384de4
commit 4bd1d6179a
1 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
mail_to_misp_config.py-example
View File

@ -31,13 +31,13 @@ noidsflaglist = ( 'myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip
) )
# Stop parsing when this term is found # Stop parsing when this term is found
stopword = b'Whois & IP Information' stopword = 'Whois & IP Information'
# Ignore lines in body of message containing: # Ignore lines in body of message containing:
ignorelist = ( ".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender IP: .*\n?", ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender IP: .*\n?",
".*Reply-To: .*\n?", ".*Registrar WHOIS Server: .*\n?", ".*Registrar: .*\n?", ".*Reply-To: .*\n?", ".*Registrar WHOIS Server: .*\n?", ".*Registrar: .*\n?",
".*Domain Status: .*\n?", ".*Registrant Email: .*\n?", ".*IP Location: .*\n?" ".*Domain Status: .*\n?", ".*Registrant Email: .*\n?", ".*IP Location: .*\n?",
) ".*X-Get-Message-Sender-Via: .*\n?", ".*X-Authenticated-Sender: .*\n")
# Remove "[tags]", "Re: ", "Fwd: " from subject # Remove "[tags]", "Re: ", "Fwd: " from subject
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ") removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
@ -51,15 +51,21 @@ tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ],
tlptag_default = sorted(tlptags.keys())[0] tlptag_default = sorted(tlptags.keys())[0]
malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ], malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ],
'jaff': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"' ],
'dridex': [ 'misp-galaxy:tool="dridex"' ], 'dridex': [ 'misp-galaxy:tool="dridex"' ],
'netwire': [ 'Netwire RAT' ] 'netwire': [ 'Netwire RAT' ],
'Pony': [ 'misp-galaxy:tool="Hancitor"' ],
'ursnif': [ 'misp-galaxy:tool="Snifula"' ],
'NanoCore': [ 'misp-galaxy:tool="NanoCoreRAT"' ],
'trickbot': [ 'misp-galaxy:tool="Trick Bot"' ]
} }
# Tags to be set depending on the presence of other tags # Tags to be set depending on the presence of other tags
dependingtags = { 'tlp:white': [ 'circl:osint-feed' ] dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]
} }
# Known identifiers for forwarded messages # Known identifiers for forwarded messages
forward_identifiers = { b'-------- Forwarded Message --------', b'Begin forwarded message:' } forward_identifiers = { '-------- Forwarded Message --------', 'Begin forwarded message:' }
# Tags to add when hashes are found (e.g. to do automatic expansion) # Tags to add when hashes are found (e.g. to do automatic expansion)
hash_only_tags = { 'TODO:VT-ENRICHMENT' } hash_only_tags = { 'TODO:VT-ENRICHMENT' }