fixed distribution, added sighting source

slight_refactoring
Sascha Rommelfangen 2017-12-21 11:55:23 +01:00
parent cbe35f8b1a
commit a85a56da5e
3 changed files with 7 additions and 4 deletions


@ -27,7 +27,7 @@ Connect your mail infrastructure to [MISP](https://github.com/MISP/MISP) in orde
- Optionally attach entire mail to event
- Contains now a fake-smtpd spamtrap which delivers IoCs/mails to MISP
- Automatically filter out attributes that are on a server side warning list (enforcewarninglist=True)
- Support for value sighting (sighting=True)
- Support for value sighting (sighting=True, sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER")
## Implementation


@ -54,13 +54,14 @@ def is_valid_ipv6_address(address):
# Add a sighting
def sight(sighting, value):
if sighting:
d = {'value': value}
d = {'value': value, 'source': sighting_source}
misp.set_sightings(d)
# Add named attribute and sight if configured
def add_attribute(event, attribute_type, value, category, ids_flag, warninglist, sighting, comment=None):
syslog.syslog("Event " + event['Event']['id'] + ": Adding attribute (" + attribute_type + ") " + value)
misp.add_named_attribute(event, attribute_type, value, category, comment=comment, to_ids=ids_flag, distribution=0, enforceWarninglist=warninglist)
misp.add_named_attribute(event, attribute_type, value, category, distribution=5,
comment=comment, to_ids=ids_flag, enforceWarninglist=warninglist)
sight(sighting, value)
syslog.syslog("Job started.")
@ -144,6 +145,7 @@ noidsflaglist = config.noidsflaglist
ignorelist = config.ignorelist
enforcewarninglist = config.enforcewarninglist
sighting = config.sighting
sighting_source = config.sighting_source
removelist = config.removelist
malwaretags = config.malwaretags
dependingtags = config.dependingtags
@ -318,7 +320,7 @@ if stdin_used:
if debug:
syslog.syslog(str(attachment)[:200])
event_id = misp_event.id
misp.upload_sample(filename, output_path, event_id, distribution=None, to_ids=True)
misp.upload_sample(filename, output_path, event_id, distribution=5, to_ids=True)
file_hash = hashlib.sha256(open(output_path, 'rb').read()).hexdigest()
sight(sighting, file_hash)
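Review bot: `distribution=5` on the rewritten add_named_attribute call replaces the previous `distribution=0`, so attributes extracted from mail now inherit the event's sharing level instead of staying organisation-only; that widens who can see email-derived IoCs, not merely a fix, and the same literal is now hardcoded twice (here and in the upload_sample call of the last hunk). Every other knob in this script is read from config (sighting, sighting_source, enforcewarninglist), so the level belongs there too, e.g. `distribution = config.distribution` next to `sighting_source = config.sighting_source`, and `distribution=distribution` at both call sites, with 5 ("inherit event") documented as the default. Separately, `sight(sighting, value)` still runs no matter what add_named_attribute returned, so a value the server rejected via the warning list is presumably still pushed as a sighting carrying `sighting_source`; checking the response for an error before calling sight would keep sightings tied to attributes that actually exist. The body of add_attribute and the surrounding script continue outside these hunks.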


@ -44,6 +44,7 @@ enforcewarninglist=True
# Add a sighting for each value
sighting=True
sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER"
# Remove "[tags]", "Re: ", "Fwd: " from subject
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
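Review bot: `sighting_source` is introduced with the placeholder `"YOUR_MAIL_TO_MISP_IDENTIFIER"` and nothing in the visible diff checks that it was changed, so an instance deployed from an unedited copy of this file will stamp that literal on every sighting it sends to MISP. The line deserves a comment explaining what it is and that it must be set, e.g. `# Free-text source recorded with every sighting this instance reports; set it to something that identifies this mail_to_misp deployment.` If the main script gains a startup check, rejecting the placeholder value when `sighting=True` would catch this early.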