diff --git a/mail2misp/mail2misp.py b/mail2misp/mail2misp.py
index a5ba335..8ec5587 100644
--- a/mail2misp/mail2misp.py
+++ b/mail2misp/mail2misp.py
@@ -31,13 +31,16 @@ def is_ip(address):
 class Mail2MISP():
- def __init__(self, misp_url, misp_key, verifycert, config, offline=False):
+ def __init__(self, misp_url, misp_key, verifycert, config, offline=False, urlsonly=False):
 self.offline = offline
 if not self.offline:
 self.misp = ExpandedPyMISP(misp_url, misp_key, verifycert, debug=config.debug)
 self.config = config
+ self.urlsonly = urlsonly
 if not hasattr(self.config, 'enable_dns'):
 setattr(self.config, 'enable_dns', True)
+ if self.urlsonly is False:
+ setattr(self.config, 'enable_dns', False)
 self.debug = self.config.debug
 self.config_from_email_body = {}
 # Init Faup
@@ -259,11 +262,14 @@ class Mail2MISP():
 to_ids=False, enforceWarninglist=False)
 if email_object:
 email_object.add_reference(attribute.uuid, 'contains')
- elif domainname in self.config.externallist: # External analysis
+ elif domainname in self.config.externallist or self.urlsonly is False: # External analysis
 attribute = self.misp_event.add_attribute('link', entry, category='External analysis',
 to_ids=False, enforceWarninglist=False)
 if email_object:
 email_object.add_reference(attribute.uuid, 'contains')
+ elif domainname in self.config.externallist or self.urlsonly: # External analysis
+ attribute = self.misp.add_attribute(self.urlsonly, {"type": 'link', "value": entry, "category": 'External analysis',
+ "to_ids": False})
 else: # The URL is probably an indicator.
 comment = ""
 if (domainname in self.config.noidsflaglist) or (hostname in self.config.noidsflaglist):
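Review bot: The new `if self.urlsonly is False: setattr(self.config, 'enable_dns', False)` in __init__ fires for the default value of urlsonly, so every run that does not request URL-only mode has DNS resolution switched off, and it silently overrides an `enable_dns` the config already carried — the opposite of what the preceding `hasattr` guard preserves. If the intent is to skip DNS only in URL-only mode the condition should be `if self.urlsonly:`; if DNS is meant to stay configurable, drop the setattr. The parameter also deserves a docstring line, because the caller in mail_to_misp.py passes an event id rather than a boolean, so either rename it or document that any truthy value is used as the target event id. Note that `self.misp` is only created when offline is false, while the URL-only branch added further down calls `self.misp.add_attribute`, so offline combined with urlsonly would raise AttributeError.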
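Review bot: The rewritten `elif domainname in self.config.externallist or self.urlsonly is False:` is true for every URL in a normal (non URL-only) run, so the `else:  # The URL is probably an indicator.` branch below is unreachable in that mode and every URL outside internallist is stored as a non-IDS 'External analysis' link instead of an indicator with the to_ids and warninglist handling that follows. The intended split is probably to keep `elif domainname in self.config.externallist:` as before and make the new branch `elif self.urlsonly:` (the externallist test in it is redundant after the previous elif). The new branch also posts each link straight to the server via `self.misp.add_attribute(self.urlsonly, ...)` instead of staging it on `self.misp_event`, and never adds the `email_object` reference the sibling branches add, so the link is not tied to the email object. The enclosing method continues outside the hunk.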
@@ -339,9 +345,10 @@ class Mail2MISP():
 if email_object:
 email_object.add_reference(hip.uuid, 'contains')
 else:
- attribute = self.misp_event.add_attribute('hostname', value=hostname,
- to_ids=ids_flag, enforceWarninglist=self.config.enforcewarninglist,
- comment=comment)
+ if self.urlsonly is False:
+ attribute = self.misp_event.add_attribute('hostname', value=hostname,
+ to_ids=ids_flag, enforceWarninglist=self.config.enforcewarninglist,
+ comment=comment)
 if email_object:
 email_object.add_reference(attribute.uuid, 'contains')
diff --git a/mail_to_misp.py b/mail_to_misp.py
index 6a6a11b..34ec478 100755
--- a/mail_to_misp.py
+++ b/mail_to_misp.py
@@ -16,6 +16,7 @@ if __name__ == '__main__':
 parser.add_argument("-r", "--read", help="Read from tempfile.")
 parser.add_argument("-t", "--trap", action='store_true', default=False, help="Import the Email as-is.")
 parser.add_argument("-e", "--event", default=False, help="Add indicators to this MISP event.")
+ parser.add_argument("-u", "--urlsonly", default=False, action='store_true', help="Extract only URLs.")
 parser.add_argument('infile', nargs='?', type=argparse.FileType('rb'))
 args = parser.parse_args()
@@ -54,7 +55,7 @@ if __name__ == '__main__':
 # receive data and subject through arguments
 raise Exception('This is not implemented anymore.')
- mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config)
+ mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config, urlsonly=args.event)
 mail2misp.load_email(pseudofile)
 if debug:
@@ -67,8 +68,6 @@ if __name__ == '__main__':
 mail2misp.process_body_iocs()
- if args.event:
- mail2misp.update_event(args.event)
- else:
+ if not args.event:
 mail2misp.add_event()
 syslog.syslog("Job finished.")
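Review bot: Guarding only the assignment with `if self.urlsonly is False:` leaves the following `if email_object: email_object.add_reference(attribute.uuid, 'contains')` running in URL-only mode with `attribute` either unbound (UnboundLocalError) or left over from an earlier iteration, which would attach the wrong attribute to the email object. Move the `if email_object:` block inside the guard, or skip the rest of the iteration when urlsonly is set. Dropping the hostname silently in URL-only mode may be intended, but it deserves a comment such as `# urlsonly: hostnames are not submitted`. The enclosing method continues outside the hunk.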
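Review bot: The new `-u/--urlsonly` option is never read: the constructor call in the hunk at line 55 passes `urlsonly=args.event`, so URL-only mode is switched on by `-e` and `--urlsonly` on its own has no effect, while `-u` without `-e` still extracts everything. Either wire the flag through, `urlsonly=args.urlsonly`, and pass the event id as a separate parameter, or remove the option until it does something. The hunk at line 68 also removes the `mail2misp.update_event(args.event)` call, so with `-e` anything collected on `misp_event` other than the links posted directly by process_body_iocs now appears to be sent nowhere — worth confirming against update_event, which is outside this diff.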