MISP
/
mail_to_misp
mirror of https://github.com/MISP/mail_to_misp
2
0
Fork 0
Code Issues Releases Wiki Activity

identify forwarded messages

pull/4/head
Sascha Rommelfangen 2017-05-29 15:35:56 +02:00
parent beca7e4803
commit 7946de1ca9
1 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
mail_to_misp.py
View File

@ -89,6 +89,7 @@ dependingtags = config.dependingtags
tlptag_default = config.tlptag_default tlptag_default = config.tlptag_default
stopword = config.stopword stopword = config.stopword
hash_only_tags = config.hash_only_tags hash_only_tags = config.hash_only_tags
forward_identifiers = config.forward_identifiers
# Ignore lines in body of message # Ignore lines in body of message
email_data = re.sub(b".*From: .*\n?",b"", email_data) email_data = re.sub(b".*From: .*\n?",b"", email_data)
@ -130,9 +131,27 @@ for tag in dependingtags:
for dependingtag in dependingtags[tag]: for dependingtag in dependingtags[tag]:
misp.add_tag(new_event, dependingtag) misp.add_tag(new_event, dependingtag)
# Extract IOCs ## Prepare extraction of IOCs
# Limit the input if the stopword is found
email_data = email_data.split(stopword, 1)[0] email_data = email_data.split(stopword, 1)[0]
# Find the first forwarding message and use that content
position = 99999
t_email_data = email_data
for identifier in forward_identifiers:
new_position = email_data.find(identifier)
if new_position < position:
t_before, t_split, t_email_data = email_data.partition(identifier)
position = new_position
email_data = t_email_data
# Refang email data
email_data = refang(email_data.decode('utf-8', 'ignore')) email_data = refang(email_data.decode('utf-8', 'ignore'))
## Extract various IOCs
urllist = list() urllist = list()
urllist += re.findall(urlmarker.WEB_URL_REGEX, email_data) urllist += re.findall(urlmarker.WEB_URL_REGEX, email_data)
urllist += re.findall(urlmarker.IP_REGEX, email_data) urllist += re.findall(urlmarker.IP_REGEX, email_data)