made ignorelists even more configurable

Sascha Rommelfangen 2017-05-30 16:35:29 +02:00
parent 03180dbc23
commit 9f1b54377e
2 changed files with 15 additions and 17 deletions


@ -85,6 +85,8 @@ excludelist = config.excludelist
externallist = config.externallist externallist = config.externallist
internallist = config.internallist internallist = config.internallist
noidsflaglist = config.noidsflaglist noidsflaglist = config.noidsflaglist
ignorelist = config.ignorelist
removelist = config.removelist
malwaretags = config.malwaretags malwaretags = config.malwaretags
dependingtags = config.dependingtags dependingtags = config.dependingtags
tlptag_default = config.tlptag_default tlptag_default = config.tlptag_default
@ -93,24 +95,12 @@ hash_only_tags = config.hash_only_tags
forward_identifiers = config.forward_identifiers forward_identifiers = config.forward_identifiers
# Ignore lines in body of message # Ignore lines in body of message
email_data = re.sub(b".*From: .*\n?",b"", email_data) for ignoreline in ignorelist:
email_data = re.sub(b".*Sender: .*\n?",b"", email_data) email_data = re.sub(ignoreline, b"", email_data)
email_data = re.sub(b".*Received: .*\n?",b"", email_data)
email_data = re.sub(b".*Sender IP: .*\n?",b"", email_data)
email_data = re.sub(b".*Reply-To: .*\n?",b"", email_data)
email_data = re.sub(b".*Registrar WHOIS Server: .*\n?",b"", email_data)
email_data = re.sub(b".*Registrar: .*\n?",b"", email_data)
email_data = re.sub(b".*Domain Status: .*\n?",b"", email_data)
email_data = re.sub(b".*Registrant Email: .*\n?",b"", email_data)
email_data = re.sub(b".*IP Location: .*\n?",b"", email_data)
# Remove "[tags]" from subject
email_subject = re.sub(b"[\(\[].*?[\)\]]", b"", email_subject)
# Remove "Re: " from subject
email_subject = re.sub(b"Re: ", b"", email_subject)
# Remove "Fwd: " from subject
email_subject = re.sub(b"Fwd: ", b"", email_subject)
# Remove words from subject
for removeword in removelist:
email_subject = re.sub(removeword, b"", email_subject)
def init(url, key): def init(url, key):
return PyMISP(url, key, misp_verifycert, 'json') return PyMISP(url, key, misp_verifycert, 'json')
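Review bot: The new loops at the `for ignoreline in ignorelist:` and `for removeword in removelist:` lines pass each config entry straight to `re.sub` as a pattern, so every entry is a bytes regex rather than a literal substring, but nothing in this module says so. A config author who adds a plain string containing `.`, `(` or `[` will get either an over-broad match or a `re.error` at the first processed message. I would state the contract next to the new loops, e.g. `# ignorelist/removelist entries are bytes regexes (not literals) - escape metacharacters in config.py`, and the same sentence belongs on the tuples in config.py. This is module-level code, so a mis-typed entry surfaces as an exception at import time rather than per message; if that is intended, say so in the comment.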


@ -17,6 +17,14 @@ noidsflaglist = (b'myexternalip.com', b'ipinfo.io', b'icanhazip.com', b'wtfismyi
# Stop parsing when this term is found # Stop parsing when this term is found
stopword = b'Whois & IP Information' stopword = b'Whois & IP Information'
# Ignore lines in body of message containing:
ignorelist = (b".*From: .*\n?", b".*Sender: .*\n?", b".*Received: .*\n?", b".*Sender IP: .*\n?",
b".*Reply-To: .*\n?", b".*Registrar WHOIS Server: .*\n?", b".*Registrar: .*\n?",
b".*Domain Status: .*\n?", b".*Registrant Email: .*\n?", b".*IP Location: .*\n?")
# Remove "[tags]", "Re: ", "Fwd: " from subject
removelist = (b"[\(\[].*?[\)\]]", b"Re: ", b"Fwd: ")
# TLP tag setup # TLP tag setup
# Tuples contain different variations of spelling # Tuples contain different variations of spelling
tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ], tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ],
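Review bot: The new `removelist` entry `b"[\(\[].*?[\)\]]"` is a non-raw bytes literal, so `\(`, `\[`, `\)` and `\]` are invalid escape sequences; Python keeps the backslashes (the regex still works) but emits a DeprecationWarning on 3.6–3.11 and a SyntaxWarning on 3.12+, which becomes a SyntaxError if warnings are promoted to errors. Use a raw bytes literal for that entry, `removelist = (rb"[\(\[].*?[\)\]]", b"Re: ", b"Fwd: ")`; the `ignorelist` entries can stay as they are, since `\n` is a recognised escape and the resulting newline byte matches the same thing as the regex `\n`. The comments above both tuples describe them as lists of things to ignore or remove, but since both are fed to `re.sub` they are regexes, so I would extend the `# Ignore lines in body of message containing:` comment with `(entries are bytes regular expressions)` so config editors escape metacharacters. Note also that `b"Re: "` and `b"Fwd: "` are unanchored and will be stripped from anywhere in the subject, not only the prefix; that appears to be carried over from the previous inline code, so a `# matched anywhere in the subject` comment would make it a deliberate choice.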