fix: benign attachment in FW email

Fix #25
2018-08-02 11:51:11 +02:00 · 2018-08-02 11:51:11 +02:00 · c823e5496c
parent 5ec8a2fa90
commit c823e5496c
2 changed files with 19 additions and 7 deletions
--- a/mail2misp/mail2misp.py
+++ b/mail2misp/mail2misp.py
@ -111,13 +111,17 @@ class Mail2MISP():
            for attachment_name, attachment in email_object.attachments:
                if not attachment_name:
                    attachment_name = 'NameMissing.txt'
-                f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False)
-                self.misp_event.add_object(f_object)
-                if main_object:
-                    self.misp_event.add_object(main_object)
-                    for section in sections:
-                        self.misp_event.add_object(section)
-                email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment')
+                if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword:
+                    a = self.misp_event.add_attribute('attachment', value=attachment_name, data=attachment)
+                    email_object.add_reference(a.uuid, 'related-to', 'Email attachment')
+                else:
+                    f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False)
+                    self.misp_event.add_object(f_object)
+                    if main_object:
+                        self.misp_event.add_object(main_object)
+                        for section in sections:
+                            self.misp_event.add_object(section)
+                    email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment')
        self.process_body_iocs(email_object)
        if self.config.spamtrap or self.config.attach_original_mail or self.config_from_email_body.get('attach_original_mail'):
            self.misp_event.add_object(email_object)
--- a/tests/tests.py
+++ b/tests/tests.py
@ -52,6 +52,14 @@ class TestMailToMISP(unittest.TestCase):
        event = self.mail2misp.add_event()
        print(event)

+    def test_benign(self):
+        config = importlib.import_module('tests.config_forward')
+        self.mail2misp = Mail2MISP('', '', '', config=config, offline=True)
+        with open('tests/mails/test_benign.eml', 'rb') as f:
+            self.mail2misp.load_email(BytesIO(f.read()))
+        self.mail2misp.process_email_body()
+        self.mail2misp.process_body_iocs()
+        self.assertTrue('attachment' in [a.type for a in self.mail2misp.misp_event.attributes])

 if __name__ == '__main__':
    unittest.main()