MISP
/
mail_to_misp
mirror of https://github.com/MISP/mail_to_misp
2
0
Fork 0
Code Issues Releases Wiki Activity

refactoring

slight_refactoring
Sascha Rommelfangen 2017-12-21 09:46:19 +01:00
parent af92d3aa87
commit 5a24782f11
1 changed files with 37 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
mail_to_misp.py
View File

@ -51,6 +51,19 @@ def is_valid_ipv6_address(address):
return False return False
return True return True
# Add a sighting
def sight(sighting, value):
if sighting:
d = {'value': value}
misp.set_sightings(d)
# Add named attribute and sight if configured
def add_attribute(event, attribute_type, value, category, ids_flag, warninglist, sighting, comment=None):
syslog.syslog("Event " + event['Event']['id'] + ": Adding attribute (" + attribute_type + ") " + value)
misp.add_named_attribute(event, attribute_type, value, category, comment=comment, to_ids=ids_flag, distribution=0, enforceWarninglist=warninglist)
sight(sighting, value)
syslog.syslog("Job started.")
debug = config.debug debug = config.debug
stdin_used = False stdin_used = False
@ -70,6 +83,7 @@ else:
# receive data and subject through arguments # receive data and subject through arguments
else: else:
mailcontent = sys.argv[1] mailcontent = sys.argv[1]
if debug:
syslog.syslog(mailcontent) syslog.syslog(mailcontent)
if len(sys.argv) >= 3: if len(sys.argv) >= 3:
mail_subject = sys.argv[2].encode("utf-8", "ignore") mail_subject = sys.argv[2].encode("utf-8", "ignore")
@ -90,6 +104,7 @@ for part in msg.walk():
continue continue
if part.get_content_maintype() == 'text': if part.get_content_maintype() == 'text':
part.set_charset(charset) part.set_charset(charset)
if debug:
syslog.syslog(str(part.get_payload(decode=True))) syslog.syslog(str(part.get_payload(decode=True)))
email_data += part.get_payload(decode=True) email_data += part.get_payload(decode=True)
try: try:
@ -148,18 +163,9 @@ for ignoreline in ignorelist:
for removeword in removelist: for removeword in removelist:
email_subject = re.sub(removeword, "", email_subject) email_subject = re.sub(removeword, "", email_subject)
if debug:
import logging
logger = logging.getLogger('pymisp').setLevel(logging.DEBUG)
logging.basicConfig(level=logging.DEBUG, filename="/tmp/mail_to_misp_debug.log", filemode='w')
def init(url, key): def init(url, key):
return PyMISP(url, key, misp_verifycert, 'json', debug=None) return PyMISP(url, key, misp_verifycert, 'json')
def sight(sighting, value):
if sighting:
d = {'value': value}
misp.set_sightings(d)
# Evaluate classification # Evaluate classification
tlp_tag = tlptag_default tlp_tag = tlptag_default
@ -178,8 +184,10 @@ misp_event.load(new_event)
misp.tag(misp_event.uuid, tlp_tag) misp.tag(misp_event.uuid, tlp_tag)
if attach_original_mail and original_email_data: if attach_original_mail and original_email_data:
misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery', # misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery',
to_ids=False, enforceWarninglist=enforcewarninglist) # to_ids=False, enforceWarninglist=enforcewarninglist)
add_attribute(new_event, 'email-body', original_email_data, 'Payload delivery', False, enforcewarninglist)
# Add additional tags depending on others # Add additional tags depending on others
for tag in dependingtags: for tag in dependingtags:
if tag in tlp_tag: if tag in tlp_tag:
@ -230,14 +238,11 @@ hashlist_sha1 = re.findall(hashmarker.SHA1_REGEX, email_data)
hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data) hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data)
for h in hashlist_md5: for h in hashlist_md5:
misp.add_named_attribute(new_event, 'md5', h, to_ids=True, enforceWarninglist=enforcewarninglist) add_attribute(new_event, 'md5', h, 'Payload delivery', True, enforcewarninglist, sighting)
sight(sighting, h)
for h in hashlist_sha1: for h in hashlist_sha1:
misp.add_named_attribute(new_event, 'sha1', h, to_ids=True, enforceWarninglist=enforcewarninglist) add_attribute(new_event, 'sha1', h, 'Payload delivery', True, enforcewarninglist, sighting)
sight(sighting, h)
for h in hashlist_sha256: for h in hashlist_sha256:
misp.add_named_attribute(new_event, 'sha256', h, to_ids=True, enforceWarninglist=enforcewarninglist) add_attribute(new_event, 'sha256', h, 'Payload delivery', True, enforcewarninglist, sighting)
sight(sighting, h)
if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0): if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):
for tag in hash_only_tags: for tag in hash_only_tags:
@ -257,13 +262,9 @@ for entry in urllist:
syslog.syslog(domainname) syslog.syslog(domainname)
if domainname not in excludelist: if domainname not in excludelist:
if domainname in internallist: if domainname in internallist:
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', add_attribute(new_event, 'link', entry, 'Internal reference', False, enforcewarninglist, sighting)
to_ids=False, distribution=0, enforceWarninglist=enforcewarninglist)
sight(sighting, entry)
elif domainname in externallist: elif domainname in externallist:
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', add_attribute(new_event, 'link', entry, 'External analysis', False, enforcewarninglist, sighting)
to_ids=False, enforceWarninglist=enforcewarninglist)
sight(sighting, entry)
else: else:
comment = "" comment = ""
if (domainname in noidsflaglist) or (hostname in noidsflaglist): if (domainname in noidsflaglist) or (hostname in noidsflaglist):
@ -274,37 +275,30 @@ for entry in urllist:
if hostname: if hostname:
if schema: if schema:
if is_valid_ipv4_address(hostname): if is_valid_ipv4_address(hostname):
misp.add_named_attribute(new_event, 'url', entry, category='Network activity', add_attribute(new_event, 'url', entry, 'Network activity', False, enforcewarninglist, sighting)
to_ids=False, enforceWarninglist=enforcewarninglist)
else: else:
misp.add_named_attribute(new_event, 'url', entry, category='Network activity', add_attribute(new_event, 'url', entry, 'Network activity', ids_flag, enforcewarninglist,
to_ids=ids_flag, enforceWarninglist=enforcewarninglist) sighting, comment=comment)
sight(sighting, entry)
if debug: if debug:
syslog.syslog(hostname) syslog.syslog(hostname)
try: try:
port = f.get_port().decode('utf-8', 'ignore') port = f.get_port().decode('utf-8', 'ignore')
except: except:
port = None port = None
comment = ""
if port: if port:
comment = "on port: " + port comment = "on port: " + port
if is_valid_ipv4_address(hostname): if is_valid_ipv4_address(hostname):
misp.add_named_attribute(new_event, 'ip-dst', hostname, comment=comment, category='Network activity', add_attribute(new_event, 'ip-dst', hostname, 'Network activity', ids_flag, enforcewarninglist,
to_ids=False, enforceWarninglist=enforcewarninglist) sighting, comment=comment)
sight(sighting, hostname)
else: else:
misp.add_named_attribute(new_event, 'hostname', hostname, comment=comment, category='Network activity', add_attribute(new_event, 'hostname', hostname, 'Network activity', ids_flag, enforcewarninglist,
to_ids=ids_flag, enforceWarninglist=enforcewarninglist) sighting, comment=comment)
sight(sighting, hostname)
try: try:
for rdata in dns.resolver.query(hostname, 'A'): for rdata in dns.resolver.query(hostname, 'A'):
if debug: if debug:
syslog.syslog(str(rdata)) syslog.syslog(str(rdata))
misp.add_named_attribute(new_event, 'ip-dst', rdata.to_text(), comment=hostname, add_attribute(new_event, 'ip-dst', rdata.to_text(), 'Network activity', False, enforcewarninglist,
category='Network activity', to_ids=False, sighting, comment=hostname)
enforceWarninglist=enforcewarninglist)
sight(sighting, rdata.to_text())
except Exception as e: except Exception as e:
if debug: if debug:
syslog.syslog(str(e)) syslog.syslog(str(e))
@ -326,5 +320,4 @@ if stdin_used:
sight(sighting, file_hash) sight(sighting, file_hash)
output.close() output.close()
if debug: syslog.syslog("Job finished.")
syslog.syslog("Job finished.")