implemented option to skip creation of attributes on warning list

slight refactoring
Sascha Rommelfangen 2017-12-20 14:26:30 +01:00
parent e8e6abd84b
commit 81be376f81
2 changed files with 25 additions and 12 deletions


@ -126,6 +126,7 @@ externallist = config.externallist
internallist = config.internallist internallist = config.internallist
noidsflaglist = config.noidsflaglist noidsflaglist = config.noidsflaglist
ignorelist = config.ignorelist ignorelist = config.ignorelist
enforcewarninglist = config.enforcewarninglist
removelist = config.removelist removelist = config.removelist
malwaretags = config.malwaretags malwaretags = config.malwaretags
dependingtags = config.dependingtags dependingtags = config.dependingtags
@ -134,7 +135,6 @@ stopword = config.stopword
hash_only_tags = config.hash_only_tags hash_only_tags = config.hash_only_tags
forward_identifiers = config.forward_identifiers forward_identifiers = config.forward_identifiers
attach_original_mail = config.attach_original_mail attach_original_mail = config.attach_original_mail
skip_wl = config.skip_item_on_warninglist
original_email_data = email_data original_email_data = email_data
@ -172,7 +172,7 @@ misp_event.load(new_event)
misp.tag(misp_event.uuid, tlp_tag) misp.tag(misp_event.uuid, tlp_tag)
if attach_original_mail and original_email_data: if attach_original_mail and original_email_data:
misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery', to_ids=False) misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery', to_ids=False, enforceWarninglist=enforcewarninglist)
# Add additional tags depending on others # Add additional tags depending on others
for tag in dependingtags: for tag in dependingtags:
if tag in tlp_tag: if tag in tlp_tag:
@ -223,11 +223,11 @@ hashlist_sha1 = re.findall(hashmarker.SHA1_REGEX, email_data)
hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data) hashlist_sha256 = re.findall(hashmarker.SHA256_REGEX, email_data)
for h in hashlist_md5: for h in hashlist_md5:
misp.add_named_attribute(new_event, 'md5', h, to_ids=True) misp.add_named_attribute(new_event, 'md5', h, to_ids=True, enforceWarninglist=enforcewarninglist)
for h in hashlist_sha1: for h in hashlist_sha1:
misp.add_named_attribute(new_event, 'sha1', h, to_ids=True) misp.add_named_attribute(new_event, 'sha1', h, to_ids=True, enforceWarninglist=enforcewarninglist)
for h in hashlist_sha256: for h in hashlist_sha256:
misp.add_named_attribute(new_event, 'sha256', h, to_ids=True) misp.add_named_attribute(new_event, 'sha256', h, to_ids=True, enforceWarninglist=enforcewarninglist)
if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0): if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):
for tag in hash_only_tags: for tag in hash_only_tags:
@ -247,9 +247,11 @@ for entry in urllist:
syslog.syslog(domainname) syslog.syslog(domainname)
if domainname not in excludelist: if domainname not in excludelist:
if domainname in internallist: if domainname in internallist:
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0) misp.add_named_attribute(new_event, 'link', entry, category='Internal reference',
to_ids=False, distribution=0, enforceWarninglist=enforcewarninglist)
elif domainname in externallist: elif domainname in externallist:
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False) misp.add_named_attribute(new_event, 'link', entry, category='External analysis',
to_ids=False, enforceWarninglist=enforcewarninglist)
else: else:
comment = "" comment = ""
if (domainname in noidsflaglist) or (hostname in noidsflaglist): if (domainname in noidsflaglist) or (hostname in noidsflaglist):
@ -260,9 +262,11 @@ for entry in urllist:
if hostname: if hostname:
if schema: if schema:
if is_valid_ipv4_address(hostname): if is_valid_ipv4_address(hostname):
misp.add_named_attribute(new_event, 'url', entry, category='Network activity', to_ids=False) misp.add_named_attribute(new_event, 'url', entry, category='Network activity',
to_ids=False, enforceWarninglist=enforcewarninglist)
else: else:
misp.add_named_attribute(new_event, 'url', entry, category='Network activity', to_ids=ids_flag) misp.add_named_attribute(new_event, 'url', entry, category='Network activity',
to_ids=ids_flag, enforceWarninglist=enforcewarninglist)
if debug: if debug:
syslog.syslog(hostname) syslog.syslog(hostname)
try: try:
@ -273,14 +277,18 @@ for entry in urllist:
if port: if port:
comment = "on port: " + port comment = "on port: " + port
if is_valid_ipv4_address(hostname): if is_valid_ipv4_address(hostname):
misp.add_named_attribute(new_event, 'ip-dst', hostname, comment=comment, category='Network activity', to_ids=False) misp.add_named_attribute(new_event, 'ip-dst', hostname, comment=comment, category='Network activity',
to_ids=False, enforceWarninglist=enforcewarninglist)
else: else:
misp.add_named_attribute(new_event, 'hostname', hostname, comment=comment, category='Network activity', to_ids=ids_flag) misp.add_named_attribute(new_event, 'hostname', hostname, comment=comment, category='Network activity',
to_ids=ids_flag, enforceWarninglist=enforcewarninglist)
try: try:
for rdata in dns.resolver.query(hostname, 'A'): for rdata in dns.resolver.query(hostname, 'A'):
if debug: if debug:
syslog.syslog(str(rdata)) syslog.syslog(str(rdata))
misp.add_named_attribute(new_event, 'ip-dst', rdata.to_text(), comment=hostname, category='Network activity', to_ids=False) misp.add_named_attribute(new_event, 'ip-dst', rdata.to_text(), comment=hostname,
category='Network activity', to_ids=False,
enforceWarninglist=enforcewarninglist)
except Exception as e: except Exception as e:
if debug: if debug:
syslog.syslog(str(e)) syslog.syslog(str(e))
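Review bot: `skip_wl = config.skip_item_on_warninglist` in the `@ -134,7 +135,6` hunk is assigned but never read in any of the visible hunks; every `add_named_attribute` call instead passes `enforceWarninglist=enforcewarninglist`, taken from `config.enforcewarninglist` in the `@ -126,6` hunk, so the script now carries two names for what looks like one switch and the second one has no effect. Either drop the `skip_wl` line or make the two agree, e.g. `enforcewarninglist = config.skip_item_on_warninglist`, so that an operator flipping one setting cannot be left believing warning-list filtering is on when the other still controls it. The `-134,7 +135,6` header implies a line was removed in that hunk that the rendered view does not show, so it is possible `skip_wl` is consumed there; worth confirming. The enclosing function body starts before the first hunk and continues past the last, so the surrounding control flow is not visible here.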


@ -39,6 +39,9 @@ ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender
".*Domain Status: .*\n?", ".*Registrant Email: .*\n?", ".*IP Location: .*\n?", ".*Domain Status: .*\n?", ".*Registrant Email: .*\n?", ".*IP Location: .*\n?",
".*X-Get-Message-Sender-Via: .*\n?", ".*X-Authenticated-Sender: .*\n") ".*X-Get-Message-Sender-Via: .*\n?", ".*X-Authenticated-Sender: .*\n")
# Ignore (don't add) attributes that are on server side warning list
enforcewarninglist=True
# Remove "[tags]", "Re: ", "Fwd: " from subject # Remove "[tags]", "Re: ", "Fwd: " from subject
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ") removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
@ -70,3 +73,5 @@ forward_identifiers = { '-------- Forwarded Message --------', 'Begin forwarded
# Tags to add when hashes are found (e.g. to do automatic expansion) # Tags to add when hashes are found (e.g. to do automatic expansion)
hash_only_tags = { 'TODO:VT-ENRICHMENT' } hash_only_tags = { 'TODO:VT-ENRICHMENT' }
# If an attribute is on any MISP server side `warning list`, skip the creation of the attribute
skip_item_on_warninglist = True
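Review bot: `enforcewarninglist=True` in the `@ -39,6 +39,9` hunk is the only assignment in this file written without spaces around `=`; the surrounding settings use `name = value`, so it should read `enforcewarninglist = True`. The comment above it and the one above `skip_item_on_warninglist = True` in the `@ -70,3 +73,5` hunk describe the same behaviour, which suggests one of the two settings is redundant; keeping a single setting with one comment, e.g. `# If an attribute value is on a MISP server-side warning list, skip creating the attribute`, would avoid a reader guessing which one the script honours.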