mirror of https://github.com/MISP/mail_to_misp
exclude attachements of size 0 bytes
Optionally exclude attachments that are 0 bytes long
pull/39/head
parent
b02cce7d14
commit
92c99c0559
|
@ -44,6 +44,9 @@ class Mail2MISP():
|
||||||
setattr(self.config, 'enable_dns', False)
|
setattr(self.config, 'enable_dns', False)
|
||||||
self.debug = self.config.debug
|
self.debug = self.config.debug
|
||||||
self.config_from_email_body = {}
|
self.config_from_email_body = {}
|
||||||
|
if not hasattr(self.config, 'ignore_nullsize_attachments'):
|
||||||
|
setattr(self.config, 'ignore_nullsize_attachments', False)
|
||||||
|
self.ignore_nullsize_attachments = self.config.ignore_nullsize_attachments
|
||||||
# Init Faup
|
# Init Faup
|
||||||
self.f = Faup()
|
self.f = Faup()
|
||||||
self.sightings_to_add = []
|
self.sightings_to_add = []
|
||||||
|
@ -134,27 +137,28 @@ class Mail2MISP():
|
||||||
if email_object.attachments:
|
if email_object.attachments:
|
||||||
# Create file objects for the attachments
|
# Create file objects for the attachments
|
||||||
for attachment_name, attachment in email_object.attachments:
|
for attachment_name, attachment in email_object.attachments:
|
||||||
if not attachment_name:
|
if not (self.ignore_nullsize_attachments == True and attachment.getbuffer().nbytes == 0):
|
||||||
attachment_name = 'NameMissing.txt'
|
if not attachment_name:
|
||||||
if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword:
|
attachment_name = 'NameMissing.txt'
|
||||||
a = self.misp_event.add_attribute('attachment', value=attachment_name, data=attachment)
|
if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword:
|
||||||
email_object.add_reference(a.uuid, 'related-to', 'Email attachment')
|
a = self.misp_event.add_attribute('attachment', value=attachment_name, data=attachment)
|
||||||
else:
|
email_object.add_reference(a.uuid, 'related-to', 'Email attachment')
|
||||||
f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False)
|
else:
|
||||||
if self.config.vt_key:
|
f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False)
|
||||||
try:
|
if self.config.vt_key:
|
||||||
vt_object = VTReportObject(self.config.vt_key, f_object.get_attributes_by_relation('sha256')[0].value, standalone=False)
|
try:
|
||||||
self.misp_event.add_object(vt_object)
|
vt_object = VTReportObject(self.config.vt_key, f_object.get_attributes_by_relation('sha256')[0].value, standalone=False)
|
||||||
f_object.add_reference(vt_object.uuid, 'analysed-with')
|
self.misp_event.add_object(vt_object)
|
||||||
except InvalidMISPObject as e:
|
f_object.add_reference(vt_object.uuid, 'analysed-with')
|
||||||
print(e)
|
except InvalidMISPObject as e:
|
||||||
pass
|
print(e)
|
||||||
self.misp_event.add_object(f_object)
|
pass
|
||||||
if main_object:
|
self.misp_event.add_object(f_object)
|
||||||
self.misp_event.add_object(main_object)
|
if main_object:
|
||||||
for section in sections:
|
self.misp_event.add_object(main_object)
|
||||||
self.misp_event.add_object(section)
|
for section in sections:
|
||||||
email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment')
|
self.misp_event.add_object(section)
|
||||||
|
email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment')
|
||||||
self.process_body_iocs(email_object)
|
self.process_body_iocs(email_object)
|
||||||
if self.config.spamtrap or self.config.attach_original_mail or self.config_from_email_body.get('attach_original_mail'):
|
if self.config.spamtrap or self.config.attach_original_mail or self.config_from_email_body.get('attach_original_mail'):
|
||||||
self.misp_event.add_object(email_object)
|
self.misp_event.add_object(email_object)
|
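Review bot: In the attachment loop of the second hunk, a zero-byte attachment is dropped without any trace when `ignore_nullsize_attachments` is set, so a filename that may itself be an indicator, or an attachment that came out empty because decoding failed upstream, vanishes from the event with nothing for an analyst to find. Consider replacing the wrapping `if not (self.ignore_nullsize_attachments == True and ...)` with a guard at the top of the loop body, `if self.ignore_nullsize_attachments and attachment.getbuffer().nbytes == 0:`, followed by a debug message naming the skipped attachment and `continue`. That also avoids re-indenting the rest of the loop and drops the `== True` comparison, which would reject a truthy non-boolean value from the config file. The `getbuffer()` call presumably relies on every attachment being a `BytesIO`, which is not visible here. The enclosing method starts and ends outside the hunk.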
||||||
|
|
|
@ -19,6 +19,7 @@ nameservers = ['149.13.33.69']
|
||||||
email_subject_prefix = 'M2M'
|
email_subject_prefix = 'M2M'
|
||||||
attach_original_mail = False
|
attach_original_mail = False
|
||||||
ignore_carrier_mail = False
|
ignore_carrier_mail = False
|
||||||
|
ignore_nullsize_attachments = False
|
||||||
|
|
||||||
excludelist = ('google.com', 'microsoft.com')
|
excludelist = ('google.com', 'microsoft.com')
|
||||||
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
|
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
|
||||||
|
|