forwarding filter and internallist

Sascha Rommelfangen 2017-05-29 17:06:46 +02:00
parent 6c63a88579
commit e8c7f4e045
2 changed files with 12 additions and 5 deletions


@ -83,6 +83,7 @@ resolver.nameservers = config.nameservers
excludelist = config.excludelist
externallist = config.externallist
internallist = config.internallist
noidsflaglist = config.noidsflaglist
malwaretags = config.malwaretags
dependingtags = config.dependingtags
@ -141,9 +142,12 @@ position = 99999
t_email_data = email_data
for identifier in forward_identifiers:
new_position = email_data.find(identifier)
if new_position == -1:
new_position = position
if new_position < position:
t_before, t_split, t_email_data = email_data.partition(identifier)
position = new_position
print(position)
email_data = t_email_data
# Refang email data
@ -194,7 +198,9 @@ for entry in urllist:
if debug:
target.write(domainname + "\n")
if domainname not in excludelist:
if domainname in externallist:
if domainname in internallist:
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
elif domainname in externallist:
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
else:
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
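Review bot: The new `if domainname in internallist:` branch is only a membership test if `internallist` is a tuple, but the config hunk in this same commit defines it as `internallist = (b'internal.system.local')`, which is a bare bytes object (the parentheses alone do not make a tuple), so `in` degrades to a substring check and any domain that is a substring of that value (for example `b'system.local'` or `b'local'`) would be filed as an 'Internal reference' with distribution=0 instead of going through the external/noids handling below. The fix is the trailing comma in the config: `internallist = (b'internal.system.local',)`. Separately, moving the config lists to bytes implies `domainname` is bytes, in which case the debug line `target.write(domainname + "\n")` just above the excludelist test would raise TypeError on Python 3 whenever debug is enabled — worth confirming against the caller. The enclosing `for entry in urllist:` loop starts and ends outside this hunk.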


@ -8,12 +8,13 @@ debug = False
debug_out_file = '/tmp/mail_to_misp-debug.txt'
nameservers = ['149.13.33.69']
excludelist = ('google.com', 'microsoft.com')
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net', 'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com', 'dropbox.com')
excludelist = (b'google.com', b'microsoft.com')
externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')
internallist = (b'internal.system.local')
noidsflaglist = (b'myexternalip.com', b'ipinfo.io', b'icanhazip.com', b'wtfismyip.com', b'ipecho.net', b'api.ipify.org', b'checkip.amazonaws.com', b'whatismyipaddress.com', b'google.com', b'dropbox.com')
# Stop parsing when this term is found
stopword = 'Whois & IP Information'
stopword = b'Whois & IP Information'
# TLP tag setup
# Tuples contain different variations of spelling
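Review bot: In the rewritten `noidsflaglist` on the new side, the entry `b'google.com'` is dead configuration: the same value is also in `excludelist`, and the consumer tests `domainname not in excludelist` before it ever reaches the `noidsflaglist` check, so an excluded domain never gets to the to_ids decision. Either drop `b'google.com'` from `noidsflaglist` or make the precedence explicit with a comment above it, e.g. `# excludelist is evaluated first; entries duplicated there never reach this list`. The hunk header announces more lines than this page shows, so the trailing context of the lists section could not be reviewed.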