mirror of https://github.com/MISP/mail_to_misp
python 3
parent
c751dd5e8a
commit
7d7a08c6a8
|
@ -13,6 +13,28 @@ import mail_to_misp_config as config
|
||||||
import email
|
import email
|
||||||
from email.generator import Generator
|
from email.generator import Generator
|
||||||
import tempfile
|
import tempfile
|
||||||
|
import socket
|
||||||
|
|
||||||
|
def is_valid_ipv4_address(address):
|
||||||
|
try:
|
||||||
|
socket.inet_pton(socket.AF_INET, address)
|
||||||
|
except AttributeError: # no inet_pton here, sorry
|
||||||
|
try:
|
||||||
|
socket.inet_aton(address)
|
||||||
|
except socket.error:
|
||||||
|
return False
|
||||||
|
return address.count('.') == 3
|
||||||
|
except socket.error: # not a valid address
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
def is_valid_ipv6_address(address):
|
||||||
|
try:
|
||||||
|
socket.inet_pton(socket.AF_INET6, address)
|
||||||
|
except socket.error: # not a valid address
|
||||||
|
return False
|
||||||
|
return True
|
||||||
|
|
||||||
debug = config.debug
|
debug = config.debug
|
||||||
stdin_used = False
|
stdin_used = False
|
||||||
|
@ -110,8 +132,10 @@ for tag in dependingtags:
|
||||||
# Extract IOCs
|
# Extract IOCs
|
||||||
email_data = email_data.split(stopword, 1)[0]
|
email_data = email_data.split(stopword, 1)[0]
|
||||||
email_data = refang(email_data.decode('utf-8', 'ignore'))
|
email_data = refang(email_data.decode('utf-8', 'ignore'))
|
||||||
urllist = re.findall(urlmarker.WEB_URL_REGEX, email_data)
|
urllist = list()
|
||||||
|
urllist += re.findall(urlmarker.WEB_URL_REGEX, email_data)
|
||||||
urllist += re.findall(urlmarker.IP_REGEX, email_data)
|
urllist += re.findall(urlmarker.IP_REGEX, email_data)
|
||||||
|
print (urllist)
|
||||||
if debug:
|
if debug:
|
||||||
target.write(str(urllist))
|
target.write(str(urllist))
|
||||||
|
|
||||||
|
@ -144,8 +168,9 @@ if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256)
|
||||||
for entry in urllist:
|
for entry in urllist:
|
||||||
ids_flag = True
|
ids_flag = True
|
||||||
f.decode(entry)
|
f.decode(entry)
|
||||||
domainname = f.get_domain().lower()
|
domainname = f.get_domain()
|
||||||
hostname = f.get_host().lower()
|
hostname = f.get_host()
|
||||||
|
print (hostname)
|
||||||
if debug:
|
if debug:
|
||||||
target.write(domainname + "\n")
|
target.write(domainname + "\n")
|
||||||
if domainname not in excludelist:
|
if domainname not in excludelist:
|
||||||
|
@ -157,22 +182,28 @@ for entry in urllist:
|
||||||
if debug:
|
if debug:
|
||||||
target.write(entry + "\n")
|
target.write(entry + "\n")
|
||||||
target.write(str(ids_flag))
|
target.write(str(ids_flag))
|
||||||
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
|
if hostname:
|
||||||
if debug:
|
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
|
||||||
target.write(hostname + "\n")
|
|
||||||
port = f.get_port()
|
|
||||||
comment = ""
|
|
||||||
if port:
|
|
||||||
comment = "on port: " + str(port)
|
|
||||||
misp.add_hostname(new_event, hostname.decode('utf-8', 'ignore'), comment=comment, category='Network activity', to_ids=ids_flag)
|
|
||||||
try:
|
|
||||||
for rdata in dns.resolver.query(hostname, 'A'):
|
|
||||||
if debug:
|
|
||||||
target.write(str(rdata) + "\n")
|
|
||||||
misp.add_ipdst(new_event, str(rdata), category='Network activity', to_ids=ids_flag, comment=hostname)
|
|
||||||
except:
|
|
||||||
if debug:
|
if debug:
|
||||||
target.write("DNS unsuccessful\n")
|
target.write(hostname + "\n")
|
||||||
|
port = f.get_port()
|
||||||
|
comment = ""
|
||||||
|
if port:
|
||||||
|
comment = "on port: " + str(port)
|
||||||
|
|
||||||
|
if is_valid_ipv4_address(hostname.decode('utf-8', 'ignore')):
|
||||||
|
misp.add_ipdst(new_event, hostname.decode('utf-8', 'ignore'), comment=comment, category='Network activity', to_ids=ids_flag)
|
||||||
|
else:
|
||||||
|
misp.add_hostname(new_event, hostname.decode('utf-8', 'ignore'), comment=comment, category='Network activity', to_ids=ids_flag)
|
||||||
|
try:
|
||||||
|
for rdata in dns.resolver.query(hostname.decode('utf-8', 'ignore'), 'A'):
|
||||||
|
if debug:
|
||||||
|
target.write(str(rdata) + "\n")
|
||||||
|
misp.add_ipdst(new_event, rdata.to_text(), category='Network activity', to_ids=ids_flag, comment=hostname.decode('utf-8', 'ignore'))
|
||||||
|
except Exception as e:
|
||||||
|
print (e)
|
||||||
|
if debug:
|
||||||
|
target.write("DNS unsuccessful\n")
|
||||||
if debug:
|
if debug:
|
||||||
target.close()
|
target.close()
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue