exclude attachements of size 0 bytes

Optionally exclude attachments that are 0 bytes long
2019-11-19 10:13:36 +01:00 · 2019-11-19 10:13:36 +01:00 · 92c99c0559
parent b02cce7d14
commit 92c99c0559
2 changed files with 26 additions and 21 deletions
--- a/mail2misp/mail2misp.py
+++ b/mail2misp/mail2misp.py
@ -44,6 +44,9 @@ class Mail2MISP():
            setattr(self.config, 'enable_dns', False)
        self.debug = self.config.debug
        self.config_from_email_body = {}
        if not hasattr(self.config, 'ignore_nullsize_attachments'):
            setattr(self.config, 'ignore_nullsize_attachments', False)
        self.ignore_nullsize_attachments = self.config.ignore_nullsize_attachments
        # Init Faup
        self.f = Faup()
        self.sightings_to_add = []
@ -134,27 +137,28 @@ class Mail2MISP():
        if email_object.attachments:
            # Create file objects for the attachments
            for attachment_name, attachment in email_object.attachments:
-                if not attachment_name:
+                if not (self.ignore_nullsize_attachments == True and attachment.getbuffer().nbytes == 0):
-                    attachment_name = 'NameMissing.txt'
+                    if not attachment_name:
-                if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword:
+                        attachment_name = 'NameMissing.txt'
-                    a = self.misp_event.add_attribute('attachment', value=attachment_name, data=attachment)
+                    if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword:
-                    email_object.add_reference(a.uuid, 'related-to', 'Email attachment')
+                        a = self.misp_event.add_attribute('attachment', value=attachment_name, data=attachment)
-                else:
+                        email_object.add_reference(a.uuid, 'related-to', 'Email attachment')
-                    f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False)
+                    else:
-                    if self.config.vt_key:
+                        f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False)
-                        try:
+                        if self.config.vt_key:
-                            vt_object = VTReportObject(self.config.vt_key, f_object.get_attributes_by_relation('sha256')[0].value, standalone=False)
+                            try:
-                            self.misp_event.add_object(vt_object)
+                                vt_object = VTReportObject(self.config.vt_key, f_object.get_attributes_by_relation('sha256')[0].value, standalone=False)
-                            f_object.add_reference(vt_object.uuid, 'analysed-with')
+                                self.misp_event.add_object(vt_object)
-                        except InvalidMISPObject as e:
+                                f_object.add_reference(vt_object.uuid, 'analysed-with')
-                            print(e)
+                            except InvalidMISPObject as e:
-                            pass
+                                print(e)
-                    self.misp_event.add_object(f_object)
+                                pass
-                    if main_object:
+                        self.misp_event.add_object(f_object)
-                        self.misp_event.add_object(main_object)
+                        if main_object:
-                        for section in sections:
+                            self.misp_event.add_object(main_object)
-                            self.misp_event.add_object(section)
+                            for section in sections:
-                    email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment')
+                                self.misp_event.add_object(section)
                        email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment')
        self.process_body_iocs(email_object)
        if self.config.spamtrap or self.config.attach_original_mail or self.config_from_email_body.get('attach_original_mail'):
            self.misp_event.add_object(email_object)
--- a/mail_to_misp_config.py-example
+++ b/mail_to_misp_config.py-example
@ -19,6 +19,7 @@ nameservers = ['149.13.33.69']
 email_subject_prefix = 'M2M'
 attach_original_mail = False
 ignore_carrier_mail = False
 ignore_nullsize_attachments = False
 excludelist = ('google.com', 'microsoft.com')
 externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')