mirror of https://github.com/MISP/mail_to_misp
implemented an option to skip the creation of attributes that are on a warninglist
parent
e8e6abd84b
commit
81be376f81
|
@ -126,6 +126,7 @@ externallist = config.externallist
|
||||||
internallist = config.internallist
|
internallist = config.internallist
|
||||||
noidsflaglist = config.noidsflaglist
|
noidsflaglist = config.noidsflaglist
|
||||||
ignorelist = config.ignorelist
|
ignorelist = config.ignorelist
|
||||||
|
enforcewarninglist = config.enforcewarninglist
|
||||||
removelist = config.removelist
|
removelist = config.removelist
|
||||||
malwaretags = config.malwaretags
|
malwaretags = config.malwaretags
|
||||||
dependingtags = config.dependingtags
|
dependingtags = config.dependingtags
|
||||||
|
@ -134,7 +135,6 @@ stopword = config.stopword
|
||||||
hash_only_tags = config.hash_only_tags
|
hash_only_tags = config.hash_only_tags
|
||||||
forward_identifiers = config.forward_identifiers
|
forward_identifiers = config.forward_identifiers
|
||||||
attach_original_mail = config.attach_original_mail
|
attach_original_mail = config.attach_original_mail
|
||||||
skip_wl = config.skip_item_on_warninglist
|
|
||||||
|
|
||||||
original_email_data = email_data
|
original_email_data = email_data
|
||||||
|
|
||||||
|
@ -172,7 +172,7 @@ misp_event.load(new_event)
|
||||||
misp.tag(misp_event.uuid, tlp_tag)
|
misp.tag(misp_event.uuid, tlp_tag)
|
||||||
|
|
||||||
if attach_original_mail and original_email_data:
|
if attach_original_mail and original_email_data:
|
||||||
misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery', to_ids=False)
|
misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery', to_ids=False, enforceWarninglist=enforcewarninglist)
|
||||||
# Add additional tags depending on others
|
# Add additional tags depending on others
|
||||||
for tag in dependingtags:
|
for tag in dependingtags:
|
||||||
if tag in tlp_tag:
|
if tag in tlp_tag:
|
||||||
|
@ -223,11 +223,11 @@ hashlist_sha1 = re.findall(hashmarker.SHA1_REGEX, email_data)
|
||||||
hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data)
|
hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data)
|
||||||
|
|
||||||
for h in hashlist_md5:
|
for h in hashlist_md5:
|
||||||
misp.add_named_attribute(new_event, 'md5', h, to_ids=True)
|
misp.add_named_attribute(new_event, 'md5', h, to_ids=True, enforceWarninglist=enforcewarninglist)
|
||||||
for h in hashlist_sha1:
|
for h in hashlist_sha1:
|
||||||
misp.add_named_attribute(new_event, 'sha1', h, to_ids=True)
|
misp.add_named_attribute(new_event, 'sha1', h, to_ids=True, enforceWarninglist=enforcewarninglist)
|
||||||
for h in hashlist_sha256:
|
for h in hashlist_sha256:
|
||||||
misp.add_named_attribute(new_event, 'sha256', h, to_ids=True)
|
misp.add_named_attribute(new_event, 'sha256', h, to_ids=True, enforceWarninglist=enforcewarninglist)
|
||||||
|
|
||||||
if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):
|
if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):
|
||||||
for tag in hash_only_tags:
|
for tag in hash_only_tags:
|
||||||
|
@ -247,9 +247,11 @@ for entry in urllist:
|
||||||
syslog.syslog(domainname)
|
syslog.syslog(domainname)
|
||||||
if domainname not in excludelist:
|
if domainname not in excludelist:
|
||||||
if domainname in internallist:
|
if domainname in internallist:
|
||||||
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
|
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference',
|
||||||
|
to_ids=False, distribution=0, enforceWarninglist=enforcewarninglist)
|
||||||
elif domainname in externallist:
|
elif domainname in externallist:
|
||||||
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
|
misp.add_named_attribute(new_event, 'link', entry, category='External analysis',
|
||||||
|
to_ids=False, enforceWarninglist=enforcewarninglist)
|
||||||
else:
|
else:
|
||||||
comment = ""
|
comment = ""
|
||||||
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
|
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
|
||||||
|
@ -260,9 +262,11 @@ for entry in urllist:
|
||||||
if hostname:
|
if hostname:
|
||||||
if schema:
|
if schema:
|
||||||
if is_valid_ipv4_address(hostname):
|
if is_valid_ipv4_address(hostname):
|
||||||
misp.add_named_attribute(new_event, 'url', entry, category='Network activity', to_ids=False)
|
misp.add_named_attribute(new_event, 'url', entry, category='Network activity',
|
||||||
|
to_ids=False, enforceWarninglist=enforcewarninglist)
|
||||||
else:
|
else:
|
||||||
misp.add_named_attribute(new_event, 'url', entry, category='Network activity', to_ids=ids_flag)
|
misp.add_named_attribute(new_event, 'url', entry, category='Network activity',
|
||||||
|
to_ids=ids_flag, enforceWarninglist=enforcewarninglist)
|
||||||
if debug:
|
if debug:
|
||||||
syslog.syslog(hostname)
|
syslog.syslog(hostname)
|
||||||
try:
|
try:
|
||||||
|
@ -273,14 +277,18 @@ for entry in urllist:
|
||||||
if port:
|
if port:
|
||||||
comment = "on port: " + port
|
comment = "on port: " + port
|
||||||
if is_valid_ipv4_address(hostname):
|
if is_valid_ipv4_address(hostname):
|
||||||
misp.add_named_attribute(new_event, 'ip-dst', hostname, comment=comment, category='Network activity', to_ids=False)
|
misp.add_named_attribute(new_event, 'ip-dst', hostname, comment=comment, category='Network activity',
|
||||||
|
to_ids=False, enforceWarninglist=enforcewarninglist)
|
||||||
else:
|
else:
|
||||||
misp.add_named_attribute(new_event, 'hostname', hostname, comment=comment, category='Network activity', to_ids=ids_flag)
|
misp.add_named_attribute(new_event, 'hostname', hostname, comment=comment, category='Network activity',
|
||||||
|
to_ids=ids_flag, enforceWarninglist=enforcewarninglist)
|
||||||
try:
|
try:
|
||||||
for rdata in dns.resolver.query(hostname, 'A'):
|
for rdata in dns.resolver.query(hostname, 'A'):
|
||||||
if debug:
|
if debug:
|
||||||
syslog.syslog(str(rdata))
|
syslog.syslog(str(rdata))
|
||||||
misp.add_named_attribute(new_event, 'ip-dst', rdata.to_text(), comment=hostname, category='Network activity', to_ids=False)
|
misp.add_named_attribute(new_event, 'ip-dst', rdata.to_text(), comment=hostname,
|
||||||
|
category='Network activity', to_ids=False,
|
||||||
|
enforceWarninglist=enforcewarninglist)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
if debug:
|
if debug:
|
||||||
syslog.syslog(str(e))
|
syslog.syslog(str(e))
|
||||||
|
|
|
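Review bot: Every add_named_attribute call that now passes enforceWarninglist=enforcewarninglist still discards the return value (the email-body call in the first hunk, the md5/sha1/sha256 loops, and the link/url/ip-dst/hostname calls in the urllist hunks), so when the server declines an attribute because it is on a warninglist nothing records that it was skipped; the only logging in these hunks is the debug syslog of hostnames and of the DNS resolver exception. If the installed PyMISP reports the refusal in the returned dict rather than by raising, the skip is invisible to the operator, which matters for an ingestion script whose purpose is not to lose indicators silently. Consider keeping the result and logging it under debug, e.g. `result = misp.add_named_attribute(new_event, 'md5', h, to_ids=True, enforceWarninglist=enforcewarninglist)` followed by `if debug: syslog.syslog(str(result))`, and the same for the other call sites. The later hunks cut through the `for entry in urllist:` loop body, whose start and end lie outside the diff.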
@ -39,6 +39,9 @@ ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender
|
||||||
".*Domain Status: .*\n?", ".*Registrant Email: .*\n?", ".*IP Location: .*\n?",
|
".*Domain Status: .*\n?", ".*Registrant Email: .*\n?", ".*IP Location: .*\n?",
|
||||||
".*X-Get-Message-Sender-Via: .*\n?", ".*X-Authenticated-Sender: .*\n")
|
".*X-Get-Message-Sender-Via: .*\n?", ".*X-Authenticated-Sender: .*\n")
|
||||||
|
|
||||||
|
# Ignore (don't add) attributes that are on server side warning list
|
||||||
|
enforcewarninglist=True
|
||||||
|
|
||||||
# Remove "[tags]", "Re: ", "Fwd: " from subject
|
# Remove "[tags]", "Re: ", "Fwd: " from subject
|
||||||
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
|
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
|
||||||
|
|
||||||
|
@ -70,3 +73,5 @@ forward_identifiers = { '-------- Forwarded Message --------', 'Begin forwarded
|
||||||
# Tags to add when hashes are found (e.g. to do automatic expansion)
|
# Tags to add when hashes are found (e.g. to do automatic expansion)
|
||||||
hash_only_tags = { 'TODO:VT-ENRICHMENT' }
|
hash_only_tags = { 'TODO:VT-ENRICHMENT' }
|
||||||
|
|
||||||
|
# If an attribute is on any MISP server side `warning list`, skip the creation of the attribute
|
||||||
|
skip_item_on_warninglist = True
|
||||||
|
|
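Review bot: The config template now carries two settings for one feature: `enforcewarninglist=True` in the first hunk and `skip_item_on_warninglist = True` in the second, while the script side of this commit reads only `config.enforcewarninglist` and removes the `config.skip_item_on_warninglist` read, so the second key is dead and will mislead whoever edits the config expecting it to have an effect. Drop the `skip_item_on_warninglist` block, or keep a single name and use it consistently in both files, and write the surviving line as `enforcewarninglist = True` to match the spacing of the neighbouring assignments. The two comments describe the same behaviour in different words; one comment above the one retained setting is enough.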