mirror of https://github.com/MISP/mail_to_misp
add urlonly to event feature added
parent
ee56a47e4e
commit
c30c706a2d
@ -31,13 +31,16 @@ def is_ip(address):
class Mail2MISP():
class Mail2MISP():
def __init__(self, misp_url, misp_key, verifycert, config, offline=False):
def __init__(self, misp_url, misp_key, verifycert, config, offline=False, urlsonly=False):
self.offline = offline
self.offline = offline
if not self.offline:
if not self.offline:
self.misp = ExpandedPyMISP(misp_url, misp_key, verifycert, debug=config.debug)
self.misp = ExpandedPyMISP(misp_url, misp_key, verifycert, debug=config.debug)
self.config = config
self.config = config
self.urlsonly = urlsonly
if not hasattr(self.config, 'enable_dns'):
if not hasattr(self.config, 'enable_dns'):
setattr(self.config, 'enable_dns', True)
setattr(self.config, 'enable_dns', True)
if self.urlsonly is False:
setattr(self.config, 'enable_dns', False)
self.debug = self.config.debug
self.debug = self.config.debug
self.config_from_email_body = {}
self.config_from_email_body = {}
# Init Faup
# Init Faup
@ -259,11 +262,14 @@ class Mail2MISP():
to_ids=False, enforceWarninglist=False)
to_ids=False, enforceWarninglist=False)
if email_object:
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
email_object.add_reference(attribute.uuid, 'contains')
elif domainname in self.config.externallist: # External analysis
elif domainname in self.config.externallist or self.urlsonly is False: # External analysis
attribute = self.misp_event.add_attribute('link', entry, category='External analysis',
attribute = self.misp_event.add_attribute('link', entry, category='External analysis',
to_ids=False, enforceWarninglist=False)
to_ids=False, enforceWarninglist=False)
if email_object:
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
email_object.add_reference(attribute.uuid, 'contains')
elif domainname in self.config.externallist or self.urlsonly: # External analysis
attribute = self.misp.add_attribute(self.urlsonly, {"type": 'link', "value": entry, "category": 'External analysis',
"to_ids": False})
else: # The URL is probably an indicator.
else: # The URL is probably an indicator.
comment = ""
comment = ""
if (domainname in self.config.noidsflaglist) or (hostname in self.config.noidsflaglist):
if (domainname in self.config.noidsflaglist) or (hostname in self.config.noidsflaglist):
@ -339,9 +345,10 @@ class Mail2MISP():
if email_object:
if email_object:
email_object.add_reference(hip.uuid, 'contains')
email_object.add_reference(hip.uuid, 'contains')
else:
else:
attribute = self.misp_event.add_attribute('hostname', value=hostname,
if self.urlsonly is False:
to_ids=ids_flag, enforceWarninglist=self.config.enforcewarninglist,
attribute = self.misp_event.add_attribute('hostname', value=hostname,
comment=comment)
to_ids=ids_flag, enforceWarninglist=self.config.enforcewarninglist,
comment=comment)
if email_object:
if email_object:
email_object.add_reference(attribute.uuid, 'contains')
email_object.add_reference(attribute.uuid, 'contains')
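Review bot: The `if self.urlsonly is False:` guard added after the `enable_dns` default in `__init__` appears inverted: with the default `urlsonly=False` it runs on every normal invocation and forces `enable_dns` to `False`, overriding whatever the config set, so hostname resolution is silently lost in the mode that was supposed to be unchanged. The same condition is appended in the URL branch, `elif domainname in self.config.externallist or self.urlsonly is False:`, which is always true in normal mode, so the `else: # The URL is probably an indicator.` path with its `noidsflaglist` / `to_ids` handling becomes unreachable and every URL is stored as a non-IDS 'External analysis' link. The third hunk uses the opposite sense (`if self.urlsonly is False:` keeps the hostname attribute only in normal mode), so the first two should presumably read `if self.urlsonly:` and `elif domainname in self.config.externallist:` respectively. The new `elif domainname in self.config.externallist or self.urlsonly:` branch calls `self.misp.add_attribute(self.urlsonly, ...)`, but `self.misp` is only assigned when `not self.offline`, so an offline run with `urlsonly` set raises `AttributeError`; note also that `urlsonly` is used there as the target event id rather than as a flag, which deserves a comment on the parameter. Both methods touched by the second and third hunks start and end outside the hunks.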
@ -16,6 +16,7 @@ if __name__ == '__main__':
parser.add_argument("-r", "--read", help="Read from tempfile.")
parser.add_argument("-r", "--read", help="Read from tempfile.")
parser.add_argument("-t", "--trap", action='store_true', default=False, help="Import the Email as-is.")
parser.add_argument("-t", "--trap", action='store_true', default=False, help="Import the Email as-is.")
parser.add_argument("-e", "--event", default=False, help="Add indicators to this MISP event.")
parser.add_argument("-e", "--event", default=False, help="Add indicators to this MISP event.")
parser.add_argument("-u", "--urlsonly", default=False, action='store_true', help="Extract only URLs.")
parser.add_argument('infile', nargs='?', type=argparse.FileType('rb'))
parser.add_argument('infile', nargs='?', type=argparse.FileType('rb'))
args = parser.parse_args()
args = parser.parse_args()
@ -54,7 +55,7 @@ if __name__ == '__main__':
# receive data and subject through arguments
# receive data and subject through arguments
raise Exception('This is not implemented anymore.')
raise Exception('This is not implemented anymore.')
mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config)
mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config, urlsonly=args.event)
mail2misp.load_email(pseudofile)
mail2misp.load_email(pseudofile)
if debug:
if debug:
@ -67,8 +68,6 @@ if __name__ == '__main__':
mail2misp.process_body_iocs()
mail2misp.process_body_iocs()
if args.event:
if not args.event:
mail2misp.update_event(args.event)
else:
mail2misp.add_event()
mail2misp.add_event()
syslog.syslog("Job finished.")
syslog.syslog("Job finished.")
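Review bot: The new `-u/--urlsonly` option is parsed but never read: the constructor call passes `urlsonly=args.event`, so the class enters URLs-only mode whenever `-e` is given and `-u` on its own changes nothing. Replacing the `if args.event: mail2misp.update_event(args.event)` / `else: mail2misp.add_event()` pair with a bare `if not args.event: mail2misp.add_event()` drops the `update_event` call entirely, so with `-e` the indicators that `process_body_iocs()` adds to `self.misp_event` are no longer sent through `update_event`, and only the links the URL branch writes directly to the event appear to reach MISP. The rewrite below derives `urlsonly` from the actual flag and keeps `update_event` for the plain `-e` case; `-u` without `-e` should additionally be rejected after `parse_args()` with `parser.error("--urlsonly requires --event")`, since there is no event to attach the links to. The enclosing `if __name__ == '__main__':` block starts outside the hunks.
```python
    mail2misp = Mail2MISP(misp_url, misp_key, misp_verifycert, config=config,
                          urlsonly=args.event if args.urlsonly else False)
    mail2misp.load_email(pseudofile)
    # … unchanged: debug output, process_body_iocs() …
    if args.event:
        if not args.urlsonly:
            # URLs-only mode already wrote its links straight to the event.
            mail2misp.update_event(args.event)
    else:
        mail2misp.add_event()
    syslog.syslog("Job finished.")
```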