mirror of https://github.com/MISP/mail_to_misp
Merge branch 'master' of https://github.com/MISP/mail_to_misp
commit
84bdb2febb
66
README.md
66
README.md
|
@ -31,20 +31,45 @@ Connect your mail infrastructure to [MISP](https://github.com/MISP/MISP) in orde
|
||||||
|
|
||||||
For the moment, the implemented workflow is:
|
For the moment, the implemented workflow is:
|
||||||
|
|
||||||
1. Apple Mail
|
1. Postfix and others
|
||||||
|
|
||||||
`Email -> Apple Mail -> Mail rule -> AppleScript -> mail_to_misp -> PyMISP -> MISP`
|
|
||||||
|
|
||||||
2. Mozilla Thunderbird
|
|
||||||
|
|
||||||
`Email -> Thunderbird -> Mail rule -> filterscript -> thunderbird_wrapper -> mail_to_misp -> PyMISP -> MISP`
|
|
||||||
|
|
||||||
3. Postfix and others
|
|
||||||
|
|
||||||
`Email -> mail_to_misp`
|
`Email -> mail_to_misp`
|
||||||
|
|
||||||
|
2. Apple Mail
|
||||||
|
|
||||||
|
`Email -> Apple Mail -> Mail rule -> AppleScript -> mail_to_misp -> PyMISP -> MISP`
|
||||||
|
|
||||||
|
3. Mozilla Thunderbird
|
||||||
|
|
||||||
|
`Email -> Thunderbird -> Mail rule -> filterscript -> thunderbird_wrapper -> mail_to_misp -> PyMISP -> MISP`
|
||||||
|
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
|
### Postfix (or other MTA) - preferred method
|
||||||
|
|
||||||
|
1. Setup a new email address in the aliases file (e.g. /etc/aliases) and configure the correct path:
|
||||||
|
|
||||||
|
`misp_handler: "|/path/to/mail_to_misp.py"`
|
||||||
|
|
||||||
|
2. Rebuild the DB:
|
||||||
|
|
||||||
|
`$ sudo newaliases`
|
||||||
|
|
||||||
|
3. Configure mail_to_misp_config.py
|
||||||
|
|
||||||
|
You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN.
|
||||||
|
|
||||||
|
#### Bonus: Fake-SMTPD spamtrap
|
||||||
|
|
||||||
|
If you want to process all incoming junk mails automatically and collect the contained information in a (separate?) MISP instance, you could use the fake_smtp.py script. It listens on port 25, accepts all mails and pushes them through mail_to_misp to a MISP instance.
|
||||||
|
|
||||||
|
1. Configure mail_to_misp_config.py
|
||||||
|
|
||||||
|
2. Run fake_smtp.py (as root)
|
||||||
|
|
||||||
|
`$ sudo python3 fake_smtp.py`
|
||||||
|
|
||||||
### Apple Mail
|
### Apple Mail
|
||||||
|
|
||||||
1. Mail rule script
|
1. Mail rule script
|
||||||
|
@ -92,29 +117,6 @@ pythoncom.PumpMessages()
|
||||||
|
|
||||||
Obviously, you would like to filter mails based on subject or from address and pass subject and body to mail_to_misp.py in order to do something useful. Pull-requests welcome for actual implementations :)
|
Obviously, you would like to filter mails based on subject or from address and pass subject and body to mail_to_misp.py in order to do something useful. Pull-requests welcome for actual implementations :)
|
||||||
|
|
||||||
### Postfix (or other MTA)
|
|
||||||
|
|
||||||
1. Setup a new email address in the aliases file (e.g. /etc/aliases) and configure the correct path:
|
|
||||||
|
|
||||||
`misp_handler: "|/path/to/mail_to_misp.py"`
|
|
||||||
|
|
||||||
2. Rebuild the DB:
|
|
||||||
|
|
||||||
`$ sudo newaliases`
|
|
||||||
|
|
||||||
3. Configure mail_to_misp_config.py
|
|
||||||
|
|
||||||
You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN.
|
|
||||||
|
|
||||||
### Fake-SMTPD spamtrap
|
|
||||||
|
|
||||||
If you want to process all incoming junk mails automatically and collect the contained information in a (separate?) MISP instance, you could use the fake_smtp.py script. It listens on port 25, accepts all mails and pushes them through mail_to_misp to a MISP instance.
|
|
||||||
|
|
||||||
1. Configure mail_to_misp_config.py
|
|
||||||
|
|
||||||
2. Run fake_smtp.py (as root)
|
|
||||||
|
|
||||||
`$ sudo python3 fake_smtp.py`
|
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
|
|
|
@ -235,6 +235,10 @@ for entry in urllist:
|
||||||
f.decode(entry)
|
f.decode(entry)
|
||||||
domainname = f.get_domain().decode('utf-8', 'ignore')
|
domainname = f.get_domain().decode('utf-8', 'ignore')
|
||||||
hostname = f.get_host().decode('utf-8', 'ignore')
|
hostname = f.get_host().decode('utf-8', 'ignore')
|
||||||
|
try:
|
||||||
|
schema = f.get_scheme().decode('utf-8', 'ignore')
|
||||||
|
except:
|
||||||
|
schema = False
|
||||||
if debug:
|
if debug:
|
||||||
syslog.syslog(domainname)
|
syslog.syslog(domainname)
|
||||||
if domainname not in excludelist:
|
if domainname not in excludelist:
|
||||||
|
@ -248,10 +252,11 @@ for entry in urllist:
|
||||||
if debug:
|
if debug:
|
||||||
syslog.syslog(str(entry))
|
syslog.syslog(str(entry))
|
||||||
if hostname:
|
if hostname:
|
||||||
if is_valid_ipv4_address(entry):
|
if schema:
|
||||||
misp.add_url(new_event, entry, category='Network activity', to_ids=False)
|
if is_valid_ipv4_address(hostname):
|
||||||
else:
|
misp.add_url(new_event, entry, category='Network activity', to_ids=False)
|
||||||
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
|
else:
|
||||||
|
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
|
||||||
if debug:
|
if debug:
|
||||||
syslog.syslog(hostname)
|
syslog.syslog(hostname)
|
||||||
port = f.get_port()
|
port = f.get_port()
|
||||||
|
|
|
@ -31,7 +31,7 @@ noidsflaglist = ( 'myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip
|
||||||
)
|
)
|
||||||
|
|
||||||
# Stop parsing when this term is found
|
# Stop parsing when this term is found
|
||||||
stopword = b'Whois & IP Information'
|
stopword = 'Whois & IP Information'
|
||||||
|
|
||||||
# Ignore lines in body of message containing:
|
# Ignore lines in body of message containing:
|
||||||
ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender IP: .*\n?",
|
ignorelist = (".*From: .*\n?", ".*Sender: .*\n?", ".*Received: .*\n?", ".*Sender IP: .*\n?",
|
||||||
|
@ -51,15 +51,21 @@ tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ],
|
||||||
tlptag_default = sorted(tlptags.keys())[0]
|
tlptag_default = sorted(tlptags.keys())[0]
|
||||||
|
|
||||||
malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ],
|
malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ],
|
||||||
|
'jaff': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"' ],
|
||||||
'dridex': [ 'misp-galaxy:tool="dridex"' ],
|
'dridex': [ 'misp-galaxy:tool="dridex"' ],
|
||||||
'netwire': [ 'Netwire RAT' ]
|
'netwire': [ 'Netwire RAT' ],
|
||||||
|
'Pony': [ 'misp-galaxy:tool="Hancitor"' ],
|
||||||
|
'ursnif': [ 'misp-galaxy:tool="Snifula"' ],
|
||||||
|
'NanoCore': [ 'misp-galaxy:tool="NanoCoreRAT"' ],
|
||||||
|
'trickbot': [ 'misp-galaxy:tool="Trick Bot"' ]
|
||||||
}
|
}
|
||||||
|
|
||||||
# Tags to be set depending on the presence of other tags
|
# Tags to be set depending on the presence of other tags
|
||||||
dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]
|
dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]
|
||||||
}
|
}
|
||||||
|
|
||||||
# Known identifiers for forwarded messages
|
# Known identifiers for forwarded messages
|
||||||
forward_identifiers = { b'-------- Forwarded Message --------', b'Begin forwarded message:' }
|
forward_identifiers = { '-------- Forwarded Message --------', 'Begin forwarded message:' }
|
||||||
|
|
||||||
# Tags to add when hashes are found (e.g. to do automatic expansion)
|
# Tags to add when hashes are found (e.g. to do automatic expansion)
|
||||||
hash_only_tags = { 'TODO:VT-ENRICHMENT' }
|
hash_only_tags = { 'TODO:VT-ENRICHMENT' }
|
||||||
|
|
Loading…
Reference in New Issue