mirror of https://github.com/MISP/mail_to_misp
changes do to PyMISP improvements
parent
4bd1d6179a
commit
a854a2ae15
|
@ -13,7 +13,7 @@ try:
|
||||||
import hashmarker
|
import hashmarker
|
||||||
import re
|
import re
|
||||||
from pyfaup.faup import Faup
|
from pyfaup.faup import Faup
|
||||||
from pymisp import PyMISP
|
from pymisp import PyMISP, MISPEvent
|
||||||
from defang import refang
|
from defang import refang
|
||||||
import dns.resolver
|
import dns.resolver
|
||||||
import email
|
import email
|
||||||
|
@ -151,8 +151,14 @@ for ignoreline in ignorelist:
|
||||||
for removeword in removelist:
|
for removeword in removelist:
|
||||||
email_subject = re.sub(removeword, "", email_subject)
|
email_subject = re.sub(removeword, "", email_subject)
|
||||||
|
|
||||||
|
if debug:
|
||||||
|
import logging
|
||||||
|
logger = logging.getLogger('pymisp')
|
||||||
|
logging.basicConfig(level=logging.DEBUG, filename="/tmp/mail_to_misp_debug.log", filemode='w')
|
||||||
|
|
||||||
def init(url, key):
|
def init(url, key):
|
||||||
return PyMISP(url, key, misp_verifycert, 'json')
|
return PyMISP(url, key, misp_verifycert, 'json', debug=debug)
|
||||||
|
|
||||||
|
|
||||||
# Evaluate classification
|
# Evaluate classification
|
||||||
tlp_tag = tlptag_default
|
tlp_tag = tlptag_default
|
||||||
|
@ -165,7 +171,10 @@ for tag in tlptags:
|
||||||
# Create the MISP event
|
# Create the MISP event
|
||||||
misp = init(misp_url, misp_key)
|
misp = init(misp_url, misp_key)
|
||||||
new_event = misp.new_event(info=email_subject, distribution=0, threat_level_id=3, analysis=1)
|
new_event = misp.new_event(info=email_subject, distribution=0, threat_level_id=3, analysis=1)
|
||||||
misp.add_tag(new_event, tlp_tag)
|
misp_event = MISPEvent()
|
||||||
|
misp_event.load(new_event)
|
||||||
|
|
||||||
|
misp.tag(misp_event.uuid, tlp_tag)
|
||||||
|
|
||||||
if attach_original_mail and original_email_data:
|
if attach_original_mail and original_email_data:
|
||||||
misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery', to_ids=False)
|
misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery', to_ids=False)
|
||||||
|
@ -173,7 +182,7 @@ if attach_original_mail and original_email_data:
|
||||||
for tag in dependingtags:
|
for tag in dependingtags:
|
||||||
if tag in tlp_tag:
|
if tag in tlp_tag:
|
||||||
for dependingtag in dependingtags[tag]:
|
for dependingtag in dependingtags[tag]:
|
||||||
misp.add_tag(new_event, dependingtag)
|
misp.tag(misp_event.uuid, dependingtag)
|
||||||
|
|
||||||
## Prepare extraction of IOCs
|
## Prepare extraction of IOCs
|
||||||
|
|
||||||
|
@ -211,7 +220,7 @@ f = Faup()
|
||||||
for malware in malwaretags:
|
for malware in malwaretags:
|
||||||
if malware in email_subject.lower():
|
if malware in email_subject.lower():
|
||||||
for tag in malwaretags[malware]:
|
for tag in malwaretags[malware]:
|
||||||
misp.add_tag(new_event, tag)
|
misp.tag(misp_event, tag)
|
||||||
|
|
||||||
# Extract and add hashes
|
# Extract and add hashes
|
||||||
hashlist_md5 = re.findall(hashmarker.MD5_REGEX, email_data)
|
hashlist_md5 = re.findall(hashmarker.MD5_REGEX, email_data)
|
||||||
|
@ -227,7 +236,7 @@ for h in hashlist_sha256:
|
||||||
|
|
||||||
if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):
|
if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):
|
||||||
for tag in hash_only_tags:
|
for tag in hash_only_tags:
|
||||||
misp.add_tag(new_event, tag)
|
misp.tag(misp_event, tag)
|
||||||
|
|
||||||
# Add IOCs and expanded information to MISP
|
# Add IOCs and expanded information to MISP
|
||||||
for entry in urllist:
|
for entry in urllist:
|
||||||
|
@ -247,8 +256,10 @@ for entry in urllist:
|
||||||
elif domainname in externallist:
|
elif domainname in externallist:
|
||||||
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
|
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
|
||||||
else:
|
else:
|
||||||
|
comment = ""
|
||||||
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
|
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
|
||||||
ids_flag = False
|
ids_flag = False
|
||||||
|
comment = "Known host (mostly for connectivity test or IP lookup)"
|
||||||
if debug:
|
if debug:
|
||||||
syslog.syslog(str(entry))
|
syslog.syslog(str(entry))
|
||||||
if hostname:
|
if hostname:
|
||||||
|
@ -256,13 +267,16 @@ for entry in urllist:
|
||||||
if is_valid_ipv4_address(hostname):
|
if is_valid_ipv4_address(hostname):
|
||||||
misp.add_url(new_event, entry, category='Network activity', to_ids=False)
|
misp.add_url(new_event, entry, category='Network activity', to_ids=False)
|
||||||
else:
|
else:
|
||||||
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag)
|
misp.add_url(new_event, entry, comment=comment, category='Network activity', to_ids=ids_flag)
|
||||||
if debug:
|
if debug:
|
||||||
syslog.syslog(hostname)
|
syslog.syslog(hostname)
|
||||||
port = f.get_port()
|
try:
|
||||||
|
port = f.get_port().decode('utf-8', 'ignore')
|
||||||
|
except:
|
||||||
|
port = None
|
||||||
comment = ""
|
comment = ""
|
||||||
if port:
|
if port:
|
||||||
comment = "on port: " + str(port)
|
comment = "on port: " + port
|
||||||
if is_valid_ipv4_address(hostname):
|
if is_valid_ipv4_address(hostname):
|
||||||
misp.add_ipdst(new_event, hostname, comment=comment, category='Network activity', to_ids=False)
|
misp.add_ipdst(new_event, hostname, comment=comment, category='Network activity', to_ids=False)
|
||||||
else:
|
else:
|
||||||
|
@ -286,8 +300,11 @@ if stdin_used:
|
||||||
_, output_path = tempfile.mkstemp()
|
_, output_path = tempfile.mkstemp()
|
||||||
output = open(output_path, 'wb')
|
output = open(output_path, 'wb')
|
||||||
output.write(part.get_payload(decode=True))
|
output.write(part.get_payload(decode=True))
|
||||||
event_id = new_event['Event']['id']
|
attachment = part.get_payload(decode=True)
|
||||||
misp.upload_sample(filename, output_path, event_id, distribution=None, to_ids=True, category=None, comment=None, info='My Info', analysis=None, threat_level_id=None)
|
event_id = misp_event.id
|
||||||
|
#misp.add_attachment(new_event, output_path, distribution=None, to_ids=True, category='Payload delivery', comment=None, info='My Info', analysis=None, threat_level_id=None)
|
||||||
|
misp.upload_sample(filename, output_path, event_id, distribution=None, to_ids=True)
|
||||||
output.close()
|
output.close()
|
||||||
|
|
||||||
|
if debug:
|
||||||
syslog.syslog("Job finished.")
|
syslog.syslog("Job finished.")
|
||||||
|
|
Loading…
Reference in New Issue