From abfec603611fdc5ffe2c1c0131affbb10b96e42d Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Tue, 3 Apr 2018 11:09:54 +0200 Subject: [PATCH] Feature request #14 - auto publish when key is given --- mail_to_misp.py | 16 +++++++++++++++- mail_to_misp_config.py-example | 2 ++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/mail_to_misp.py b/mail_to_misp.py index db92104..bd25523 100755 --- a/mail_to_misp.py +++ b/mail_to_misp.py @@ -131,6 +131,8 @@ if debug: misp_url = config.misp_url misp_key = config.misp_key misp_verifycert = config.misp_verifycert +m2m_key = config.m2m_key +m2m_auto_distribution = config.m2m_auto_distribution resolver = dns.resolver.Resolver(configure=False) resolver.nameservers = config.nameservers @@ -162,9 +164,17 @@ for ignoreline in ignorelist: for removeword in removelist: email_subject = re.sub(removeword, "", email_subject) +# Check if autopublish key is present and valid +autopublish_key = "key:" + m2m_key +if autopublish_key in email_data: + auto_publish = True + # Create the MISP event misp = init(misp_url, misp_key) -new_event = misp.new_event(info=email_subject, distribution=0, threat_level_id=3, analysis=1) +if auto_publish: + new_event = misp.new_event(info=email_subject, distribution=m2m_auto_distribution, threat_level_id=3, analysis=1) +else: + new_event = misp.new_event(info=email_subject, distribution=0, threat_level_id=3, analysis=1) # Load the MISP event misp_event = MISPEvent() @@ -217,6 +227,7 @@ urllist += re.findall(urlmarker.IP_REGEX, email_data) if debug: syslog.syslog(str(urllist)) + # Init Faup f = Faup() @@ -324,4 +335,7 @@ if stdin_used: file_hash = hashlib.sha256(open(output_path, 'rb').read()).hexdigest() sight(sighting, file_hash) +if auto_publish: + misp.publish(misp_event, alert=False) + syslog.syslog("Job finished.") diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example index 6f61e92..49c3325 100644 --- a/mail_to_misp_config.py-example 
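Review bot: Reading `config.m2m_key` and `config.m2m_auto_distribution` directly in the first hunk makes the script fail with AttributeError on any existing mail_to_misp_config.py written before this commit, so an upgrade stops mail processing until the config is edited. Reading them as `m2m_key = getattr(config, 'm2m_key', '')` and `m2m_auto_distribution = getattr(config, 'm2m_auto_distribution', 0)` keeps old configs working. That is only safe if the later key check treats an empty key as "auto-publish disabled", which the check added in the next hunk does not do.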
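Review bot: `auto_publish` is assigned only when the key is found, so unless it is initialised outside this hunk, `if auto_publish:` here and again in the last hunk of this file raises NameError for every mail that does not carry the key; add `auto_publish = False` before the check. The check is a bare substring test over all of `email_data`, and with an empty `m2m_key` the needle is just `key:`, which ordinary mail text can contain, so such mails would be created with `m2m_auto_distribution` and published. Guard it as `if m2m_key and autopublish_key in email_data:`. The matched `key:<secret>` text also stays in `email_data`; if that data is later stored on the event (not visible in this hunk), publishing would disclose the key to everyone who receives the event, so it should be stripped once matched.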
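Review bot: The result of `misp.publish(misp_event, alert=False)` in the last hunk of mail_to_misp.py is discarded and nothing is logged, so an event released with the wider `m2m_auto_distribution` leaves no trace in syslog and a failed publish looks the same as a successful one. Logging it the way the rest of the script does, e.g. `syslog.syslog("Auto-publishing event, distribution " + str(m2m_auto_distribution))` before the call and the outcome after it, gives operators something to audit. Whether `publish` reports errors by return value or by exception is not visible here, so the result handling should be checked against the PyMISP version in use.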
+++ b/mail_to_misp_config.py-example @@ -6,6 +6,8 @@ import os misp_url = 'YOUR_MISP_URL' misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section misp_verifycert = True +m2m_key = 'YOUSETYOURKEYHERE' +m2m_auto_distribution = '3' # 3 = All communities debug = False nameservers = ['149.13.33.69']
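Review bot: The example ships a working placeholder, `m2m_key = 'YOUSETYOURKEYHERE'`, next to the "All communities" distribution, so an installation that copies the file unchanged will auto-publish any mail containing `key:YOUSETYOURKEYHERE`. A comment should say what the setting does, for instance `# m2m_key: secret that triggers auto-publish when a mail contains "key:<value>"; replace with a long random string`, and the script should refuse to auto-publish while the placeholder is still set. `m2m_auto_distribution = '3'` is a string, while the non-automatic path in mail_to_misp.py passes the integer `0`; `m2m_auto_distribution = 3` would keep the two `new_event` calls consistent.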