From 92c99c0559de233ab0ff9b86b0c10f6fc957cfe3 Mon Sep 17 00:00:00 2001 From: begunrom Date: Tue, 19 Nov 2019 10:13:36 +0100 Subject: [PATCH] exclude attachements of size 0 bytes Optionally exclude attachments that are 0 bytes long --- mail2misp/mail2misp.py | 46 ++++++++++++++++++---------------- mail_to_misp_config.py-example | 1 + 2 files changed, 26 insertions(+), 21 deletions(-) diff --git a/mail2misp/mail2misp.py b/mail2misp/mail2misp.py index d0a3a53..d6deb6a 100644 --- a/mail2misp/mail2misp.py +++ b/mail2misp/mail2misp.py @@ -44,6 +44,9 @@ class Mail2MISP(): setattr(self.config, 'enable_dns', False) self.debug = self.config.debug self.config_from_email_body = {} + if not hasattr(self.config, 'ignore_nullsize_attachments'): + setattr(self.config, 'ignore_nullsize_attachments', False) + self.ignore_nullsize_attachments = self.config.ignore_nullsize_attachments # Init Faup self.f = Faup() self.sightings_to_add = [] 
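Review bot: The new `self.ignore_nullsize_attachments = self.config.ignore_nullsize_attachments` line mirrors a value that the rest of this class reads straight from `self.config` — the `enable_dns` default just above appears to use the same setattr pattern without a copy, and `self.config.vt_key` and `self.config.m2m_benign_attachment_keyword` are read at the point of use later in the file. Dropping the copy and consulting `self.config.ignore_nullsize_attachments` where the flag is checked keeps a single source of truth and avoids the two drifting if the config object is changed after construction. If the separate attribute is deliberate, a one-line comment stating why would help the next reader. The enclosing method begins before this hunk.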
@@ -134,27 +137,28 @@ class Mail2MISP(): if email_object.attachments: # Create file objects for the attachments for attachment_name, attachment in email_object.attachments: - if not attachment_name: - attachment_name = 'NameMissing.txt' - if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword: - a = self.misp_event.add_attribute('attachment', value=attachment_name, data=attachment) - email_object.add_reference(a.uuid, 'related-to', 'Email attachment') - else: - f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False) - if self.config.vt_key: - try: - vt_object = VTReportObject(self.config.vt_key, f_object.get_attributes_by_relation('sha256')[0].value, standalone=False) - self.misp_event.add_object(vt_object) - f_object.add_reference(vt_object.uuid, 'analysed-with') - except InvalidMISPObject as e: - print(e) - pass - self.misp_event.add_object(f_object) - if main_object: - self.misp_event.add_object(main_object) - for section in sections: - self.misp_event.add_object(section) - email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment') + if not (self.ignore_nullsize_attachments == True and attachment.getbuffer().nbytes == 0): + if not attachment_name: + attachment_name = 'NameMissing.txt' + if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword: + a = self.misp_event.add_attribute('attachment', value=attachment_name, data=attachment) + email_object.add_reference(a.uuid, 'related-to', 'Email attachment') + else: + f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False) + if self.config.vt_key: + try: + vt_object = VTReportObject(self.config.vt_key, f_object.get_attributes_by_relation('sha256')[0].value, standalone=False) + self.misp_event.add_object(vt_object) + f_object.add_reference(vt_object.uuid, 'analysed-with') + except InvalidMISPObject as 
e: + print(e) + pass + self.misp_event.add_object(f_object) + if main_object: + self.misp_event.add_object(main_object) + for section in sections: + self.misp_event.add_object(section) + email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment') self.process_body_iocs(email_object) if self.config.spamtrap or self.config.attach_original_mail or self.config_from_email_body.get('attach_original_mail'): self.misp_event.add_object(email_object) diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example index b321c4d..468027b 100644 --- a/mail_to_misp_config.py-example +++ b/mail_to_misp_config.py-example @@ -19,6 +19,7 @@ nameservers = ['149.13.33.69'] email_subject_prefix = 'M2M' attach_original_mail = False ignore_carrier_mail = False +ignore_nullsize_attachments = False excludelist = ('google.com', 'microsoft.com') externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
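Review bot: The zero-byte filter is written as `if not (self.ignore_nullsize_attachments == True and attachment.getbuffer().nbytes == 0):` wrapped around the entire loop body, which re-indents twenty unchanged lines and compares a flag with `== True`; an early `continue` keeps the body where it was: `if self.ignore_nullsize_attachments and attachment.getbuffer().nbytes == 0:` followed by `continue`, with the rest of the loop restored to its previous indentation. The check also assumes `attachment` has a `getbuffer()` method (an `io.BytesIO`, as the `pseudofile=attachment` call further down suggests); if any producer of `email_object.attachments` can hand over plain `bytes`, this line raises AttributeError before the attachment is processed, so that assumption is worth confirming or guarding. Since the option silently drops data from the MISP event, a debug message naming the skipped attachment (guarded by the `self.debug` flag assigned in the first hunk) would help an analyst who wonders why an expected file object is missing. The enclosing method starts before this hunk and appears to continue past its last line.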