diff --git a/README.md b/README.md index 7618b92..ccc7350 100644 --- a/README.md +++ b/README.md @@ -31,20 +31,45 @@ Connect your mail infrastructure to [MISP](https://github.com/MISP/MISP) in orde For the moment, the implemented workflow is: -1. Apple Mail - -`Email -> Apple Mail -> Mail rule -> AppleScript -> mail_to_misp -> PyMISP -> MISP` - -2. Mozilla Thunderbird - -`Email -> Thunderbird -> Mail rule -> filterscript -> thunderbird_wrapper -> mail_to_misp -> PyMISP -> MISP` - -3. Postfix and others +1. Postfix and others `Email -> mail_to_misp` +2. Apple Mail + +`Email -> Apple Mail -> Mail rule -> AppleScript -> mail_to_misp -> PyMISP -> MISP` + +3. Mozilla Thunderbird + +`Email -> Thunderbird -> Mail rule -> filterscript -> thunderbird_wrapper -> mail_to_misp -> PyMISP -> MISP` + + ## Installation +### Postfix (or other MTA) - preferred method + +1. Setup a new email address in the aliases file (e.g. /etc/aliases) and configure the correct path: + +`misp_handler: "|/path/to/mail_to_misp.py"` + +2. Rebuild the DB: + +`$ sudo newaliases` + +3. Configure mail_to_misp_config.py + +You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN. + +#### Bonus: Fake-SMTPD spamtrap + +If you want to process all incoming junk mails automatically and collect the contained information in a (separate?) MISP instance, you could use the fake_smtp.py script. It listens on port 25, accepts all mails and pushes them through mail_to_misp to a MISP instance. + +1. Configure mail_to_misp_config.py + +2. Run fake_smtp.py (as root) + +`$ sudo python3 fake_smtp.py` + ### Apple Mail 1. Mail rule script 
@@ -92,29 +117,6 @@ pythoncom.PumpMessages() Obviously, you would like to filter mails based on subject or from address and pass subject and body to mail_to_misp.py in order to do something useful. Pull-requests welcome for actual implementations :) -### Postfix (or other MTA) - -1. Setup a new email address in the aliases file (e.g. /etc/aliases) and configure the correct path: - -`misp_handler: "|/path/to/mail_to_misp.py"` - -2. Rebuild the DB: - -`$ sudo newaliases` - -3. Configure mail_to_misp_config.py - -You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN. - -### Fake-SMTPD spamtrap - -If you want to process all incoming junk mails automatically and collect the contained information in a (separate?) MISP instance, you could use the fake_smtp.py script. It listens on port 25, accepts all mails and pushes them through mail_to_misp to a MISP instance. - -1. Configure mail_to_misp_config.py - -2. Run fake_smtp.py (as root) - -`$ sudo python3 fake_smtp.py` ## Requirements diff --git a/mail_to_misp.py b/mail_to_misp.py index be00976..6bfa41d 100755 --- a/mail_to_misp.py +++ b/mail_to_misp.py @@ -235,6 +235,10 @@ for entry in urllist: f.decode(entry) domainname = f.get_domain().decode('utf-8', 'ignore') hostname = f.get_host().decode('utf-8', 'ignore') + try: + schema = f.get_scheme().decode('utf-8', 'ignore') + except: + schema = False if debug: syslog.syslog(domainname) if domainname not in excludelist: 
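Review bot: The new `try`/`except:` around `f.get_scheme().decode(...)` is a bare except, so any failure, not only a missing scheme, is turned into `schema = False` and the URL is later skipped without a trace. If the case being caught is `get_scheme()` returning `None` (the `.decode()` AttributeError path), make that explicit instead: `scheme = f.get_scheme()` followed by `schema = scheme.decode('utf-8', 'ignore') if scheme else False`. That stops KeyboardInterrupt and genuine parser errors from being swallowed and documents what `schema = False` actually means. The enclosing `for entry in urllist:` loop begins before this hunk.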
@@ -248,10 +252,11 @@ for entry in urllist: if debug: syslog.syslog(str(entry)) if hostname: - if is_valid_ipv4_address(entry): - misp.add_url(new_event, entry, category='Network activity', to_ids=False) - else: - misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag) + if schema: + if is_valid_ipv4_address(hostname): + misp.add_url(new_event, entry, category='Network activity', to_ids=False) + else: + misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag) if debug: syslog.syslog(hostname) port = f.get_port() diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example index 9267342..9b00b41 100644 --- a/mail_to_misp_config.py-example +++ b/mail_to_misp_config.py-example @@ -31,7 +31,7 @@ noidsflaglist = ( 'myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip ) # Stop parsing when this term is found -stopword = b'Whois & IP Information' +stopword = 'Whois & IP Information' # Ignore lines in body of message containing: ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender IP: .*\n?", 
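Review bot: The added `if schema:` gate drops every URL whose scheme could not be recovered, and nothing records that it happened even with `debug` on; a URL that was extracted from the mail body but never reaches MISP is exactly the gap an analyst would want to see in syslog. An extra branch such as `elif debug: syslog.syslog('skipping URL without scheme: ' + str(entry))` beside the new `if schema:` would make the dropped entries visible, and since `schema` is set in the previous hunk by a catch-all except, the log is the only way to tell a missing scheme from a decode failure. Switching the IPv4 test from `entry` to `hostname` looks correct, as `entry` is the full URL and could never have matched. The surrounding `if hostname:` block and the `for entry in urllist:` loop both start outside this hunk.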
@@ -51,15 +51,21 @@ tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ], tlptag_default = sorted(tlptags.keys())[0] malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ], + 'jaff': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"' ], 'dridex': [ 'misp-galaxy:tool="dridex"' ], - 'netwire': [ 'Netwire RAT' ] + 'netwire': [ 'Netwire RAT' ], + 'Pony': [ 'misp-galaxy:tool="Hancitor"' ], + 'ursnif': [ 'misp-galaxy:tool="Snifula"' ], + 'NanoCore': [ 'misp-galaxy:tool="NanoCoreRAT"' ], + 'trickbot': [ 'misp-galaxy:tool="Trick Bot"' ] } + # Tags to be set depending on the presence of other tags dependingtags = { 'tlp:white': [ 'circl:osint-feed' ] } # Known identifiers for forwarded messages -forward_identifiers = { b'-------- Forwarded Message --------', b'Begin forwarded message:' } +forward_identifiers = { '-------- Forwarded Message --------', 'Begin forwarded message:' } # Tags to add when hashes are found (e.g. to do automatic expansion) hash_only_tags = { 'TODO:VT-ENRICHMENT' }
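Review bot: The new `malwaretags` keys mix cases: `'Pony'` and `'NanoCore'` are capitalized while `'jaff'`, `'ursnif'` and `'trickbot'` follow the existing lowercase keys (`'locky'`, `'dridex'`, `'netwire'`). If the matching code lowercases the message text before comparing against these keys (not visible in this diff), the two capitalized entries can never match; if it compares case-sensitively, the lowercase entries miss the spellings `Ursnif` and `TrickBot` that mails commonly use. Either way the file should state the convention above the dict, e.g. `# Keys are matched against the message body; matching is case-insensitive, keep keys lowercase` adjusted to what the matcher actually does, and `'Pony'`/`'NanoCore'` brought in line with it. The `b''` to `''` changes to `forward_identifiers` here and to `stopword` in the previous hunk presumably track a switch to decoding the body to `str` in mail_to_misp.py, which these hunks do not show.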