fix: benign attachment in FW email

Fix #25
pull/31/head
Raphaël Vinot 2018-08-02 11:51:11 +02:00
parent 5ec8a2fa90
commit c823e5496c
2 changed files with 19 additions and 7 deletions


@ -111,13 +111,17 @@ class Mail2MISP():
for attachment_name, attachment in email_object.attachments: for attachment_name, attachment in email_object.attachments:
if not attachment_name: if not attachment_name:
attachment_name = 'NameMissing.txt' attachment_name = 'NameMissing.txt'
f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False) if self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword:
self.misp_event.add_object(f_object) a = self.misp_event.add_attribute('attachment', value=attachment_name, data=attachment)
if main_object: email_object.add_reference(a.uuid, 'related-to', 'Email attachment')
self.misp_event.add_object(main_object) else:
for section in sections: f_object, main_object, sections = make_binary_objects(pseudofile=attachment, filename=attachment_name, standalone=False)
self.misp_event.add_object(section) self.misp_event.add_object(f_object)
email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment') if main_object:
self.misp_event.add_object(main_object)
for section in sections:
self.misp_event.add_object(section)
email_object.add_reference(f_object.uuid, 'related-to', 'Email attachment')
self.process_body_iocs(email_object) self.process_body_iocs(email_object)
if self.config.spamtrap or self.config.attach_original_mail or self.config_from_email_body.get('attach_original_mail'): if self.config.spamtrap or self.config.attach_original_mail or self.config_from_email_body.get('attach_original_mail'):
self.misp_event.add_object(email_object) self.misp_event.add_object(email_object)
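Review bot: The benign branch on the new `if` line is selected solely by a value parsed from the message body (`self.config_from_email_body.get('attachment')`), so whoever wrote the body decides whether attachments skip `make_binary_objects` and are stored as plain `attachment` attributes. MISP keeps an `attachment` attribute as the raw file rather than packing it like a malware sample, so this directive should only be honoured for mail from trusted forwarders. If body directives are also parsed in spamtrap mode (not visible in this hunk), compute the flag once before the loop, e.g. `benign = not self.config.spamtrap and self.config_from_email_body.get('attachment') == self.config.m2m_benign_attachment_keyword`, and test `if benign:`. If `m2m_benign_attachment_keyword` can be `None`, the comparison also matches a body with no `attachment` directive, so check the keyword for truthiness first. The enclosing method starts and ends outside the hunk.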


@ -52,6 +52,14 @@ class TestMailToMISP(unittest.TestCase):
event = self.mail2misp.add_event() event = self.mail2misp.add_event()
print(event) print(event)
def test_benign(self):
config = importlib.import_module('tests.config_forward')
self.mail2misp = Mail2MISP('', '', '', config=config, offline=True)
with open('tests/mails/test_benign.eml', 'rb') as f:
self.mail2misp.load_email(BytesIO(f.read()))
self.mail2misp.process_email_body()
self.mail2misp.process_body_iocs()
self.assertTrue('attachment' in [a.type for a in self.mail2misp.misp_event.attributes])
if __name__ == '__main__': if __name__ == '__main__':
unittest.main() unittest.main()
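Review bot: `test_benign` asserts only that some attribute of type `attachment` exists, so it would still pass if the attachment were also run through `make_binary_objects`, or if the keyword comparison matched every mail. Add a negative assertion on the same event that no `malware-sample` or file object was derived from the attachment. Add a companion case where the body lacks the keyword and the attachment must not end up as a plain `attachment` attribute. `self.assertIn('attachment', [a.type for a in self.mail2misp.misp_event.attributes])` would also give a more useful failure message than `assertTrue(... in ...)`.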