mirror of https://github.com/MISP/mail_to_misp
add urlonly to event feature added
parent
ee56a47e4e
commit
c30c706a2d
@ -31,13 +31,16 @@ def is_ip(address):
class Mail2MISP():
def __init__(self, misp_url, misp_key, verifycert, config, offline=False):
def __init__(self, misp_url, misp_key, verifycert, config, offline=False, urlsonly=False):
self.offline = offline
if not self.offline:
self.misp = ExpandedPyMISP(misp_url, misp_key, verifycert, debug=config.debug)
self.config = config
self.urlsonly = urlsonly
if not hasattr(self.config, 'enable_dns'):
setattr(self.config, 'enable_dns', True)
if self.urlsonly is False:
setattr(self.config, 'enable_dns', False)
self.debug = self.config.debug
self.config_from_email_body = {}
# Init Faup
@ -259,11 +262,14 @@ class Mail2MISP():
to_ids=False, enforceWarninglist=False)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
elif domainname in self.config.externallist: # External analysis
elif domainname in self.config.externallist or self.urlsonly is False: # External analysis
attribute = self.misp_event.add_attribute('link', entry, category='External analysis',
to_ids=False, enforceWarninglist=False)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
elif domainname in self.config.externallist or self.urlsonly: # External analysis
attribute = self.misp.add_attribute(self.urlsonly, {"type": 'link', "value": entry, "category": 'External analysis',
"to_ids": False})
else: # The URL is probably an indicator.
comment = ""
if (domainname in self.config.noidsflaglist) or (hostname in self.config.noidsflaglist):
@ -339,9 +345,10 @@ class Mail2MISP():
if email_object:
email_object.add_reference(hip.uuid, 'contains')
else:
attribute = self.misp_event.add_attribute('hostname', value=hostname,
to_ids=ids_flag, enforceWarninglist=self.config.enforcewarninglist,
comment=comment)
if self.urlsonly is False:
attribute = self.misp_event.add_attribute('hostname', value=hostname,
to_ids=ids_flag, enforceWarninglist=self.config.enforcewarninglist,
comment=comment)
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
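Review bot: The `or self.urlsonly is False` added to the first `elif` in the hunk at `@ -259,11 +262,14 @@` makes both branches below it unreachable in the default mode: `urlsonly` defaults to `False`, so every URL that reaches this chain is filed as an `External analysis` link with `to_ids=False`, and the `else: # The URL is probably an indicator.` path with its `noidsflaglist` handling never runs. In URLs-only mode the third `elif` (`... or self.urlsonly`) is always true, so the `else` branch is dead there as well. The guards probably want to be ordered by mode rather than mixed into the list check: `elif self.urlsonly:` around the direct `self.misp.add_attribute(self.urlsonly, {...})` call, followed by the original `elif domainname in self.config.externallist:`, leaving `else` for indicators — hedged, because which URLs are meant to reach the existing event in URLs-only mode is not stated anywhere on the page. Related, in the `__init__` hunk `if self.urlsonly is False: setattr(self.config, 'enable_dns', False)` overrides the `enable_dns = True` default set one line earlier whenever the flag is off, which reads inverted (`if self.urlsonly:` would skip DNS lookups only in the reduced mode). The enclosing `__init__` and the if/elif chain both start and end outside the hunks.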
@ -16,6 +16,7 @@ if __name__ == '__main__':
parser.add_argument("-r", "--read", help="Read from tempfile.")
parser.add_argument("-t", "--trap", action='store_true', default=False, help="Import the Email as-is.")
parser.add_argument("-e", "--event", default=False, help="Add indicators to this MISP event.")
parser.add_argument("-u", "--urlsonly", default=False, action='store_true', help="Extract only URLs.")
parser.add_argument('infile', nargs='?', type=argparse.FileType('rb'))
args = parser.parse_args()
@ -54,7 +55,7 @@ if __name__ == '__main__':
# receive data and subject through arguments
raise Exception('This is not implemented anymore.')
mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config)
mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config, urlsonly=args.event)
mail2misp.load_email(pseudofile)
if debug:
@ -67,8 +68,6 @@ if __name__ == '__main__':
mail2misp.process_body_iocs()
if args.event:
mail2misp.update_event(args.event)
else:
if not args.event:
mail2misp.add_event()
syslog.syslog("Job finished.")
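Review bot: `urlsonly=args.event` on the new constructor call in the hunk at `@ -54,7 +55,7 @@` passes the event id, not the flag: `args.urlsonly`, added by `-u/--urlsonly` in the first hunk, is never read, so `-u` does nothing and `-e <id>` alone switches the class into its URLs-only behaviour, where `self.urlsonly` also doubles as the event id in `self.misp.add_attribute`. Either drop the `-u` argument or hand the two values over separately, e.g. `urlsonly=args.urlsonly` plus a distinct event-id parameter on `Mail2MISP.__init__` (a constructor change in the other file). With `mail2misp.update_event(args.event)` removed in the last hunk, whatever `process_body_iocs()` collects into the local event besides the directly pushed links is presumably never sent when `-e` is given; worth confirming, as that code is outside the hunk. The `if __name__ == '__main__':` block starts and ends outside the hunks.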