MISP
/
mail_to_misp
mirror of https://github.com/MISP/mail_to_misp
2
0
Fork 0
Code Issues Releases Wiki Activity

changes do to PyMISP improvements

slight_refactoring
Sascha Rommelfangen 2017-12-14 11:27:48 +01:00
parent 4bd1d6179a
commit a854a2ae15
1 changed files with 29 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
mail_to_misp.py
View File

@ -13,7 +13,7 @@ try:
import hashmarker import hashmarker
import re import re
from pyfaup.faup import Faup from pyfaup.faup import Faup
from pymisp import PyMISP from pymisp import PyMISP, MISPEvent
from defang import refang from defang import refang
import dns.resolver import dns.resolver
import email import email
@ -150,9 +150,15 @@ for ignoreline in ignorelist:
# Remove words from subject # Remove words from subject
for removeword in removelist: for removeword in removelist:
email_subject = re.sub(removeword, "", email_subject) email_subject = re.sub(removeword, "", email_subject)
if debug:
import logging
logger = logging.getLogger('pymisp')
logging.basicConfig(level=logging.DEBUG, filename="/tmp/mail_to_misp_debug.log", filemode='w')
def init(url, key): def init(url, key):
return PyMISP(url, key, misp_verifycert, 'json') return PyMISP(url, key, misp_verifycert, 'json', debug=debug)
# Evaluate classification # Evaluate classification
tlp_tag = tlptag_default tlp_tag = tlptag_default
@ -165,7 +171,10 @@ for tag in tlptags:
# Create the MISP event # Create the MISP event
misp = init(misp_url, misp_key) misp = init(misp_url, misp_key)
new_event = misp.new_event(info=email_subject, distribution=0, threat_level_id=3, analysis=1) new_event = misp.new_event(info=email_subject, distribution=0, threat_level_id=3, analysis=1)
misp.add_tag(new_event, tlp_tag) misp_event = MISPEvent()
misp_event.load(new_event)
misp.tag(misp_event.uuid, tlp_tag)
if attach_original_mail and original_email_data: if attach_original_mail and original_email_data:
misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery', to_ids=False) misp.add_named_attribute(new_event, 'email-body', original_email_data, category='Payload delivery', to_ids=False)
@ -173,7 +182,7 @@ if attach_original_mail and original_email_data:
for tag in dependingtags: for tag in dependingtags:
if tag in tlp_tag: if tag in tlp_tag:
for dependingtag in dependingtags[tag]: for dependingtag in dependingtags[tag]:
misp.add_tag(new_event, dependingtag) misp.tag(misp_event.uuid, dependingtag)
## Prepare extraction of IOCs ## Prepare extraction of IOCs
@ -211,7 +220,7 @@ f = Faup()
for malware in malwaretags: for malware in malwaretags:
if malware in email_subject.lower(): if malware in email_subject.lower():
for tag in malwaretags[malware]: for tag in malwaretags[malware]:
misp.add_tag(new_event, tag) misp.tag(misp_event, tag)
# Extract and add hashes # Extract and add hashes
hashlist_md5 = re.findall(hashmarker.MD5_REGEX, email_data) hashlist_md5 = re.findall(hashmarker.MD5_REGEX, email_data)
@ -227,7 +236,7 @@ for h in hashlist_sha256:
if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0): if (len(hashlist_md5) > 0) or (len(hashlist_sha1) > 0) or (len(hashlist_sha256) > 0):
for tag in hash_only_tags: for tag in hash_only_tags:
misp.add_tag(new_event, tag) misp.tag(misp_event, tag)
# Add IOCs and expanded information to MISP # Add IOCs and expanded information to MISP
for entry in urllist: for entry in urllist:
@ -247,8 +256,10 @@ for entry in urllist:
elif domainname in externallist: elif domainname in externallist:
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False) misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
else: else:
comment = ""
if (domainname in noidsflaglist) or (hostname in noidsflaglist): if (domainname in noidsflaglist) or (hostname in noidsflaglist):
ids_flag = False ids_flag = False
comment = "Known host (mostly for connectivity test or IP lookup)"
if debug: if debug:
syslog.syslog(str(entry)) syslog.syslog(str(entry))
if hostname: if hostname:
@ -256,13 +267,16 @@ for entry in urllist:
if is_valid_ipv4_address(hostname): if is_valid_ipv4_address(hostname):
misp.add_url(new_event, entry, category='Network activity', to_ids=False) misp.add_url(new_event, entry, category='Network activity', to_ids=False)
else: else:
misp.add_url(new_event, entry, category='Network activity', to_ids=ids_flag) misp.add_url(new_event, entry, comment=comment, category='Network activity', to_ids=ids_flag)
if debug: if debug:
syslog.syslog(hostname) syslog.syslog(hostname)
port = f.get_port() try:
port = f.get_port().decode('utf-8', 'ignore')
except:
port = None
comment = "" comment = ""
if port: if port:
comment = "on port: " + str(port) comment = "on port: " + port
if is_valid_ipv4_address(hostname): if is_valid_ipv4_address(hostname):
misp.add_ipdst(new_event, hostname, comment=comment, category='Network activity', to_ids=False) misp.add_ipdst(new_event, hostname, comment=comment, category='Network activity', to_ids=False)
else: else:
@ -286,8 +300,11 @@ if stdin_used:
_, output_path = tempfile.mkstemp() _, output_path = tempfile.mkstemp()
output = open(output_path, 'wb') output = open(output_path, 'wb')
output.write(part.get_payload(decode=True)) output.write(part.get_payload(decode=True))
event_id = new_event['Event']['id'] attachment = part.get_payload(decode=True)
misp.upload_sample(filename, output_path, event_id, distribution=None, to_ids=True, category=None, comment=None, info='My Info', analysis=None, threat_level_id=None) event_id = misp_event.id
#misp.add_attachment(new_event, output_path, distribution=None, to_ids=True, category='Payload delivery', comment=None, info='My Info', analysis=None, threat_level_id=None)
misp.upload_sample(filename, output_path, event_id, distribution=None, to_ids=True)
output.close() output.close()
syslog.syslog("Job finished.") if debug:
syslog.syslog("Job finished.")