mirror of https://github.com/MISP/mail_to_misp
fixed distribution, added sighting source
parent
cbe35f8b1a
commit
a85a56da5e
@ -27,7 +27,7 @@ Connect your mail infrastructure to [MISP](https://github.com/MISP/MISP) in orde
|
||||||
- Optionally attach entire mail to event
|
- Optionally attach entire mail to event
|
||||||
- Contains now a fake-smtpd spamtrap which delivers IoCs/mails to MISP
|
- Contains now a fake-smtpd spamtrap which delivers IoCs/mails to MISP
|
||||||
- Automatically filter out attributes that are on a server side warning list (enforcewarninglist=True)
|
- Automatically filter out attributes that are on a server side warning list (enforcewarninglist=True)
|
||||||
- Support for value sighting (sighting=True)
|
- Support for value sighting (sighting=True, sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER")
|
||||||
|
|
||||||
## Implementation
|
## Implementation
|
||||||
|
|
||||||
|
|
|
@ -54,13 +54,14 @@ def is_valid_ipv6_address(address):
|
||||||
# Add a sighting
|
# Add a sighting
|
||||||
def sight(sighting, value):
|
def sight(sighting, value):
|
||||||
if sighting:
|
if sighting:
|
||||||
d = {'value': value}
|
d = {'value': value, 'source': sighting_source}
|
||||||
misp.set_sightings(d)
|
misp.set_sightings(d)
|
||||||
|
|
||||||
# Add named attribute and sight if configured
|
# Add named attribute and sight if configured
|
||||||
def add_attribute(event, attribute_type, value, category, ids_flag, warninglist, sighting, comment=None):
|
def add_attribute(event, attribute_type, value, category, ids_flag, warninglist, sighting, comment=None):
|
||||||
syslog.syslog("Event " + event['Event']['id'] + ": Adding attribute (" + attribute_type + ") " + value)
|
syslog.syslog("Event " + event['Event']['id'] + ": Adding attribute (" + attribute_type + ") " + value)
|
||||||
misp.add_named_attribute(event, attribute_type, value, category, comment=comment, to_ids=ids_flag, distribution=0, enforceWarninglist=warninglist)
|
misp.add_named_attribute(event, attribute_type, value, category, distribution=5,
|
||||||
|
comment=comment, to_ids=ids_flag, enforceWarninglist=warninglist)
|
||||||
sight(sighting, value)
|
sight(sighting, value)
|
||||||
|
|
||||||
syslog.syslog("Job started.")
|
syslog.syslog("Job started.")
|
||||||
|
@ -144,6 +145,7 @@ noidsflaglist = config.noidsflaglist
|
||||||
ignorelist = config.ignorelist
|
ignorelist = config.ignorelist
|
||||||
enforcewarninglist = config.enforcewarninglist
|
enforcewarninglist = config.enforcewarninglist
|
||||||
sighting = config.sighting
|
sighting = config.sighting
|
||||||
|
sighting_source = config.sighting_source
|
||||||
removelist = config.removelist
|
removelist = config.removelist
|
||||||
malwaretags = config.malwaretags
|
malwaretags = config.malwaretags
|
||||||
dependingtags = config.dependingtags
|
dependingtags = config.dependingtags
|
||||||
|
@ -318,7 +320,7 @@ if stdin_used:
|
||||||
if debug:
|
if debug:
|
||||||
syslog.syslog(str(attachment)[:200])
|
syslog.syslog(str(attachment)[:200])
|
||||||
event_id = misp_event.id
|
event_id = misp_event.id
|
||||||
misp.upload_sample(filename, output_path, event_id, distribution=None, to_ids=True)
|
misp.upload_sample(filename, output_path, event_id, distribution=5, to_ids=True)
|
||||||
file_hash = hashlib.sha256(open(output_path, 'rb').read()).hexdigest()
|
file_hash = hashlib.sha256(open(output_path, 'rb').read()).hexdigest()
|
||||||
sight(sighting, file_hash)
|
sight(sighting, file_hash)
|
||||||
|
|
||||||
|
|
|
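Review bot: In the `sight()` hunk the new `d = {'value': value, 'source': sighting_source}` reads `sighting_source` as a module global that is only bound later by the `sighting_source = config.sighting_source` hunk, while `sighting` itself arrives as a parameter; handling both the same way reads more clearly, e.g. `def sight(sighting, value, source=None):` with `d = {'value': value, 'source': source if source is not None else sighting_source}`, which keeps the existing two-argument callers working. A config.py written for the previous version has no `sighting_source`, so the new `config.sighting_source` line fails with AttributeError at startup; if the source is meant to be optional, `sighting_source = getattr(config, 'sighting_source', None)` would keep old configs loading, assuming set_sightings tolerates a None source, which cannot be verified from here. The literal 5 in `distribution=5` (add_named_attribute here and upload_sample in the last hunk) is MISP's "inherit event" level and deserves a name, e.g. `DISTRIBUTION_INHERIT_EVENT = 5  # attributes and samples follow the event's distribution`, since it also means the event's own distribution now decides how widely the uploaded mail and its IoCs are shared. The enclosing script continues outside these hunks.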
@ -44,6 +44,7 @@ enforcewarninglist=True
|
||||||
|
|
||||||
# Add a sighting for each value
|
# Add a sighting for each value
|
||||||
sighting=True
|
sighting=True
|
||||||
|
sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER"
|
||||||
|
|
||||||
# Remove "[tags]", "Re: ", "Fwd: " from subject
|
# Remove "[tags]", "Re: ", "Fwd: " from subject
|
||||||
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
|
removelist = ("[\(\[].*?[\)\]]", "Re: ", "Fwd: ")
|
||||||
|
|
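Review bot: The new `sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER"` line is the only setting in this hunk without an explanatory comment, and nothing tells the reader that the value is sent verbatim as the `source` of every sighting, so an unedited copy of this sample would report the placeholder itself. A comment such as `# Identifier reported as the source of each sighting; replace with a name unique to this mail_to_misp instance` keeps the hunk's pattern of one comment per setting. Whether an empty or missing value is accepted by the sighting API is not visible here.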