From a85a56da5e496fdf591f929edefe213ecff75216 Mon Sep 17 00:00:00 2001
From: Sascha Rommelfangen
Date: Thu, 21 Dec 2017 11:55:23 +0100
Subject: [PATCH] fixed distribution, added sighting source

---
 README.md | 2 +-
 mail_to_misp.py | 8 +++++---
 mail_to_misp_config.py-example | 1 +
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 016cc57..406516f 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ Connect your mail infrastructure to [MISP](https://github.com/MISP/MISP) in orde
 - Optionally attach entire mail to event
 - Contains now a fake-smtpd spamtrap which delivers IoCs/mails to MISP
 - Automatically filter out attributes that are on a server side warning list (enforcewarninglist=True)
-- Support for value sighting (sighting=True)
+- Support for value sighting (sighting=True, sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER")
 ## Implementation
diff --git a/mail_to_misp.py b/mail_to_misp.py
index fa697b3..edf24ab 100755
--- a/mail_to_misp.py
+++ b/mail_to_misp.py
@@ -54,13 +54,14 @@ def is_valid_ipv6_address(address):
 # Add a sighting
 def sight(sighting, value):
     if sighting:
-        d = {'value': value}
+        d = {'value': value, 'source': sighting_source}
         misp.set_sightings(d)
 # Add named attribute and sight if configured
 def add_attribute(event, attribute_type, value, category, ids_flag, warninglist, sighting, comment=None):
     syslog.syslog("Event " + event['Event']['id'] + ": Adding attribute (" + attribute_type + ") " + value)
-    misp.add_named_attribute(event, attribute_type, value, category, comment=comment, to_ids=ids_flag, distribution=0, enforceWarninglist=warninglist)
+    misp.add_named_attribute(event, attribute_type, value, category, distribution=5,
+                             comment=comment, to_ids=ids_flag, enforceWarninglist=warninglist)
     sight(sighting, value)
 syslog.syslog("Job started.")
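Review bot: `distribution=5` in the add_named_attribute call is a bare magic number that changes the sharing scope of every extracted attribute: the removed line used `distribution=0` (MISP "your organisation only"), while 5 is MISP's "inherit from event", so attributes derived from mail content now follow the parent event's distribution. Name it once, e.g. `DISTRIBUTION_INHERIT_EVENT = 5  # MISP distribution level: inherit from the parent event`, and use the constant both here and in the upload_sample call of the @@ -318 hunk, which makes the same switch from `distribution=None`. The `sight()` change additionally makes that function depend on the module-level global `sighting_source`, which is only assigned further down the file in the @@ -144 hunk; this works because the callers run later, but passing it explicitly, `def sight(sighting, value, source=None)`, or at least a comment `# sighting_source is the module-level value read from config below` would make the ordering dependency visible.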
@@ -144,6 +145,7 @@ noidsflaglist = config.noidsflaglist
 ignorelist = config.ignorelist
 enforcewarninglist = config.enforcewarninglist
 sighting = config.sighting
+sighting_source = config.sighting_source
 removelist = config.removelist
 malwaretags = config.malwaretags
 dependingtags = config.dependingtags
@@ -318,7 +320,7 @@ if stdin_used:
     if debug:
         syslog.syslog(str(attachment)[:200])
     event_id = misp_event.id
-    misp.upload_sample(filename, output_path, event_id, distribution=None, to_ids=True)
+    misp.upload_sample(filename, output_path, event_id, distribution=5, to_ids=True)
     file_hash = hashlib.sha256(open(output_path, 'rb').read()).hexdigest()
     sight(sighting, file_hash)
diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example
index 4e46df3..6f61e92 100644
--- a/mail_to_misp_config.py-example
+++ b/mail_to_misp_config.py-example
@@ -44,6 +44,7 @@ enforcewarninglist=True
 # Add a sighting for each value
 sighting=True
+sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER"
 # Remove "[tags]", "Re: ", "Fwd: " from subject
 removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
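Review bot: `sighting_source = config.sighting_source` is an unconditional attribute read at module level, so an existing deployment whose config file predates this commit will fail at startup with AttributeError before any mail is processed, even when `sighting` is False and the value would never be used. A tolerant read such as `sighting_source = getattr(config, 'sighting_source', None)` keeps old configs working; `sight()` in the @@ -54 hunk would then need to omit the `'source'` key when the value is None rather than sending a null source. Alternatively, state in the README and the config example that the key is now mandatory; the README hunk only shows the example value.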
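Review bot: The example value `"YOUR_MAIL_TO_MISP_IDENTIFIER"` is sent verbatim to MISP as the `source` of every sighting by `sight()` if a user enables `sighting` without editing it, and nothing in the hunk says what the string is for. A comment above the new line such as `# Free-text identifier recorded in MISP as the source of each sighting; set it to something that identifies this mail_to_misp instance` would make that clear and reduce the chance of the placeholder being deployed as-is.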