add urlonly to event feature added

pull/38/head
Sascha Rommelfangen 2019-07-19 12:20:56 +02:00
parent ee56a47e4e
commit c30c706a2d
2 changed files with 15 additions and 9 deletions


@ -31,13 +31,16 @@ def is_ip(address):
class Mail2MISP():
def __init__(self, misp_url, misp_key, verifycert, config, offline=False):
def __init__(self, misp_url, misp_key, verifycert, config, offline=False, urlsonly=False):
self.offline = offline
if not self.offline:
self.misp = ExpandedPyMISP(misp_url, misp_key, verifycert, debug=config.debug)
self.config = config
self.urlsonly = urlsonly
if not hasattr(self.config, 'enable_dns'):
setattr(self.config, 'enable_dns', True)
if self.urlsonly is False:
setattr(self.config, 'enable_dns', False)
self.debug = self.config.debug
self.config_from_email_body = {}
# Init Faup
@ -259,11 +262,14 @@ class Mail2MISP():
to_ids=False, enforceWarninglist=False)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
elif domainname in self.config.externallist: # External analysis
elif domainname in self.config.externallist or self.urlsonly is False: # External analysis
attribute = self.misp_event.add_attribute('link', entry, category='External analysis',
to_ids=False, enforceWarninglist=False)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
elif domainname in self.config.externallist or self.urlsonly: # External analysis
attribute = self.misp.add_attribute(self.urlsonly, {"type": 'link', "value": entry, "category": 'External analysis',
"to_ids": False})
else: # The URL is probably an indicator.
comment = ""
if (domainname in self.config.noidsflaglist) or (hostname in self.config.noidsflaglist):
@ -339,9 +345,10 @@ class Mail2MISP():
if email_object:
email_object.add_reference(hip.uuid, 'contains')
else:
attribute = self.misp_event.add_attribute('hostname', value=hostname,
to_ids=ids_flag, enforceWarninglist=self.config.enforcewarninglist,
comment=comment)
if self.urlsonly is False:
attribute = self.misp_event.add_attribute('hostname', value=hostname,
to_ids=ids_flag, enforceWarninglist=self.config.enforcewarninglist,
comment=comment)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
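Review bot: The new condition on the `elif` in the second hunk (`or self.urlsonly is False`) files every URL not caught by the preceding branch as a non-IDS 'External analysis' link whenever urlsonly is off, and the `else:  # The URL is probably an indicator.` branch below it can then only be reached when `self.urlsonly` is a falsy value other than `False`, which the argparse defaults in this commit never produce — so URLs that used to be added as indicators (with the to_ids handling that follows) are silently downgraded. If the old default was meant to survive, the first branch should keep reading `elif domainname in self.config.externallist:  # External analysis` and only the new `elif ... or self.urlsonly:` path should depend on the flag. Separately, the added `self.misp.add_attribute(self.urlsonly, {...})` call relies on `self.misp`, which the constructor only creates when `offline` is false, so an offline run in urlsonly mode would raise AttributeError; that call also goes straight to MISP instead of `self.misp_event`, so the `email_object.add_reference` the sibling branches perform is skipped for it. The enclosing method starts and ends outside these hunks.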


@ -16,6 +16,7 @@ if __name__ == '__main__':
parser.add_argument("-r", "--read", help="Read from tempfile.")
parser.add_argument("-t", "--trap", action='store_true', default=False, help="Import the Email as-is.")
parser.add_argument("-e", "--event", default=False, help="Add indicators to this MISP event.")
parser.add_argument("-u", "--urlsonly", default=False, action='store_true', help="Extract only URLs.")
parser.add_argument('infile', nargs='?', type=argparse.FileType('rb'))
args = parser.parse_args()
@ -54,7 +55,7 @@ if __name__ == '__main__':
# receive data and subject through arguments
raise Exception('This is not implemented anymore.')
mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config)
mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config, urlsonly=args.event)
mail2misp.load_email(pseudofile)
if debug:
@ -67,8 +68,6 @@ if __name__ == '__main__':
mail2misp.process_body_iocs()
if args.event:
mail2misp.update_event(args.event)
else:
if not args.event:
mail2misp.add_event()
syslog.syslog("Job finished.")
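Review bot: In the second hunk the constructor is called with `urlsonly=args.event`, so the `-u/--urlsonly` flag added in the first hunk is parsed but never read, and any run that passes `-e EVENT` is treated as URLs-only (the event id is a non-empty string, so the `self.urlsonly is False` guards in the other file are false and the hostname/DNS attributes are dropped). If `urlsonly` is meant to be the boolean switch, the call should be `mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config, urlsonly=args.urlsonly)` and the target event id handed to the direct `add_attribute` path separately (for example as its own keyword argument), since that path currently reuses `self.urlsonly` as the event id. If the coupling is intentional, the `--urlsonly` help text should say so, e.g. `help="Extract only URLs (only meaningful together with --event)."`. The `if __name__ == '__main__':` block begins outside these hunks.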