mirror of https://github.com/MISP/mail_to_misp
Merge branch 'master' of https://github.com/MISP/mail_to_misp
CIRCL
commit
84bdb2febb
66
README.md
66
README.md
|
|
@ -31,20 +31,45 @@ Connect your mail infrastructure to [MISP](https://github.com/MISP/MISP) in orde
|
|||
|
||||
For the moment, the implemented workflow is:
|
||||
|
||||
1. Apple Mail
|
||||
|
||||
`Email -> Apple Mail -> Mail rule -> AppleScript -> mail_to_misp -> PyMISP -> MISP`
|
||||
|
||||
2. Mozilla Thunderbird
|
||||
|
||||
`Email -> Thunderbird -> Mail rule -> filterscript -> thunderbird_wrapper -> mail_to_misp -> PyMISP -> MISP`
|
||||
|
||||
3. Postfix and others
|
||||
1. Postfix and others
|
||||
|
||||
`Email -> mail_to_misp`
|
||||
|
||||
2. Apple Mail
|
||||
|
||||
`Email -> Apple Mail -> Mail rule -> AppleScript -> mail_to_misp -> PyMISP -> MISP`
|
||||
|
||||
3. Mozilla Thunderbird
|
||||
|
||||
`Email -> Thunderbird -> Mail rule -> filterscript -> thunderbird_wrapper -> mail_to_misp -> PyMISP -> MISP`
|
||||
|
||||
|
||||
## Installation
|
||||
|
||||
### Postfix (or other MTA) - preferred method
|
||||
|
||||
1. Setup a new email address in the aliases file (e.g. /etc/aliases) and configure the correct path:
|
||||
|
||||
`misp_handler: "|/path/to/mail_to_misp.py"`
|
||||
|
||||
2. Rebuild the DB:
|
||||
|
||||
`$ sudo newaliases`
|
||||
|
||||
3. Configure mail_to_misp_config.py
|
||||
|
||||
You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN.
|
||||
|
||||
#### Bonus: Fake-SMTPD spamtrap
|
||||
|
||||
If you want to process all incoming junk mails automatically and collect the contained information in a (separate?) MISP instance, you could use the fake_smtp.py script. It listens on port 25, accepts all mails and pushes them through mail_to_misp to a MISP instance.
|
||||
|
||||
1. Configure mail_to_misp_config.py
|
||||
|
||||
2. Run fake_smtp.py (as root)
|
||||
|
||||
`$ sudo python3 fake_smtp.py`
|
||||
|
||||
### Apple Mail
|
||||
|
||||
1. Mail rule script
|
||||
|
|
@ -92,29 +117,6 @@ pythoncom.PumpMessages()
|
|||
|
||||
Obviously, you would like to filter mails based on subject or from address and pass subject and body to mail_to_misp.py in order to do something useful. Pull-requests welcome for actual implementations :)
|
||||
|
||||
### Postfix (or other MTA)
|
||||
|
||||
1. Setup a new email address in the aliases file (e.g. /etc/aliases) and configure the correct path:
|
||||
|
||||
`misp_handler: "|/path/to/mail_to_misp.py"`
|
||||
|
||||
2. Rebuild the DB:
|
||||
|
||||
`$ sudo newaliases`
|
||||
|
||||
3. Configure mail_to_misp_config.py
|
||||
|
||||
You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN.
|
||||
|
||||
### Fake-SMTPD spamtrap
|
||||
|
||||
If you want to process all incoming junk mails automatically and collect the contained information in a (separate?) MISP instance, you could use the fake_smtp.py script. It listens on port 25, accepts all mails and pushes them through mail_to_misp to a MISP instance.
|
||||
|
||||
1. Configure mail_to_misp_config.py
|
||||
|
||||
2. Run fake_smtp.py (as root)
|
||||
|
||||
`$ sudo python3 fake_smtp.py`
|
||||
|
||||
## Requirements
|
||||
|
||||
|
|
|
|||
|
|
@ -235,6 +235,10 @@ for entry in urllist:
|
|||
f.decode(entry)
|
||||
domainname = f.get_domain().decode('utf-8', 'ignore')
|
||||
hostname = f.get_host().decode('utf-8', 'ignore')
|
||||
try:
|
||||
schema = f.get_scheme().decode('utf-8', 'ignore')
|
||||
except:
|
||||
schema = False
|
||||
if debug:
|
||||
syslog.syslog(domainname)
|
||||
if domainname not in excludelist:
|
||||
|
|
@ -248,10 +252,11 @@ for entry in urllist:
|
|||
if debug:
|
||||
syslog.syslog(str(entry))
|
||||
if hostname:
|
||||
if is_valid_ipv4_address(entry):
|
||||
misp.add_url(new_event, entry, category='Network activity', to_ids=False)
|
||||
else:
|
||||
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
|
||||
if schema:
|
||||
if is_valid_ipv4_address(hostname):
|
||||
misp.add_url(new_event, entry, category='Network activity', to_ids=False)
|
||||
else:
|
||||
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
|
||||
if debug:
|
||||
syslog.syslog(hostname)
|
||||
port = f.get_port()
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ noidsflaglist = ( 'myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip
|
|||
)
|
||||
|
||||
# Stop parsing when this term is found
|
||||
stopword = b'Whois & IP Information'
|
||||
stopword = 'Whois & IP Information'
|
||||
|
||||
# Ignore lines in body of message containing:
|
||||
ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender IP: .*\n?",
|
||||
|
|
@ -51,15 +51,21 @@ tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ],
|
|||
tlptag_default = sorted(tlptags.keys())[0]
|
||||
|
||||
malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ],
|
||||
'jaff': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"' ],
|
||||
'dridex': [ 'misp-galaxy:tool="dridex"' ],
|
||||
'netwire': [ 'Netwire RAT' ]
|
||||
'netwire': [ 'Netwire RAT' ],
|
||||
'Pony': [ 'misp-galaxy:tool="Hancitor"' ],
|
||||
'ursnif': [ 'misp-galaxy:tool="Snifula"' ],
|
||||
'NanoCore': [ 'misp-galaxy:tool="NanoCoreRAT"' ],
|
||||
'trickbot': [ 'misp-galaxy:tool="Trick Bot"' ]
|
||||
}
|
||||
|
||||
# Tags to be set depending on the presence of other tags
|
||||
dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]
|
||||
}
|
||||
|
||||
# Known identifiers for forwarded messages
|
||||
forward_identifiers = { b'-------- Forwarded Message --------', b'Begin forwarded message:' }
|
||||
forward_identifiers = { '-------- Forwarded Message --------', 'Begin forwarded message:' }
|
||||
|
||||
# Tags to add when hashes are found (e.g. to do automatic expansion)
|
||||
hash_only_tags = { 'TODO:VT-ENRICHMENT' }
|
||||
|
|
|
|||
Loading…
Reference in New Issue