From e8c7f4e045352cf7ad0899ff4d29517ffa5aba63 Mon Sep 17 00:00:00 2001
From: Sascha Rommelfangen
Date: Mon, 29 May 2017 17:06:46 +0200
Subject: [PATCH] forwarding filter and internallist
---
 mail_to_misp.py | 8 +++++++-
 mail_to_misp_config.py-example | 9 +++++----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/mail_to_misp.py b/mail_to_misp.py
index 4421a58..c428135 100755
--- a/mail_to_misp.py
+++ b/mail_to_misp.py
@@ -83,6 +83,7 @@ resolver.nameservers = config.nameservers
 excludelist = config.excludelist
 externallist = config.externallist
+internallist = config.internallist
 noidsflaglist = config.noidsflaglist
 malwaretags = config.malwaretags
 dependingtags = config.dependingtags
@@ -141,9 +142,12 @@ position = 99999
 t_email_data = email_data
 for identifier in forward_identifiers:
 new_position = email_data.find(identifier)
+ if new_position == -1:
+ new_position = position
 if new_position < position:
 t_before, t_split, t_email_data = email_data.partition(identifier)
 position = new_position
+ print(position)
 email_data = t_email_data
 # Refang email data
@@ -194,7 +198,9 @@ for entry in urllist:
 if debug:
 target.write(domainname + "\n")
 if domainname not in excludelist:
- if domainname in externallist:
+ if domainname in internallist:
+ misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
+ elif domainname in externallist:
 misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
 else:
 if (domainname in noidsflaglist) or (hostname in noidsflaglist):
diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example
index d98f91f..b2ae80f 100644
--- a/mail_to_misp_config.py-example
+++ b/mail_to_misp_config.py-example
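Review bot: `internallist = config.internallist` is a hard attribute access, so a deployment whose mail_to_misp_config.py predates this commit fails at startup with AttributeError instead of treating the list as empty. The neighbouring assignments use the same pattern, so this is consistent with the file, but a default makes the upgrade painless: `internallist = getattr(config, 'internallist', ())`. The example config in this same commit adds the field, so only existing installs are affected.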
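Review bot: `print(position)` writes the matched forward-identifier offset to stdout on every run, unconditionally, which reads as leftover debugging; the script routes diagnostics through the `debug` flag and the `target` file (see the `if debug: target.write(...)` lines in the next hunk), so this should be `if debug: print(position)` at least, or dropped before merge. The `-1` guard above it is correct: without it an absent identifier's `-1` wins the `<` comparison and `partition` then leaves `t_email_data` empty. This loop is top-level script code whose `position = 99999` initialisation sits before the hunk.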
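Review bot: `domainname in internallist` is an exact-match test, so a subdomain of a listed internal host is not recognised as internal and falls through to the externallist/else branches, where the attribute is added without the `distribution=0` restriction the internal branch applies; an internal hostname would then be shared at the event's default distribution. If the list is meant to cover whole internal zones, match on suffix as well: `if any(domainname == d or domainname.endswith(b'.' + d) for d in internallist):` (the `b'.'` assumes `domainname` is bytes, as the example config's switch to `b'...'` literals suggests; confirm against the domain extraction, which is outside the hunk). The `else` branch's `to_ids` and distribution handling continues past the end of the hunk.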
@@ -8,12 +8,13 @@
 debug = False
 debug_out_file = '/tmp/mail_to_misp-debug.txt'
 nameservers = ['149.13.33.69']
-excludelist = ('google.com', 'microsoft.com')
-externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
-noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net', 'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com', 'dropbox.com')
+excludelist = (b'google.com', b'microsoft.com')
+externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')
+internallist = (b'internal.system.local')
+noidsflaglist = (b'myexternalip.com', b'ipinfo.io', b'icanhazip.com', b'wtfismyip.com', b'ipecho.net', b'api.ipify.org', b'checkip.amazonaws.com', b'whatismyipaddress.com', b'google.com', b'dropbox.com')
 # Stop parsing when this term is found
-stopword = 'Whois & IP Information'
+stopword = b'Whois & IP Information'
 # TLP tag setup
 # Tuples contain different variations of spelling
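Review bot: `internallist = (b'internal.system.local')` has no trailing comma, so it is a plain bytes value rather than a one-element tuple; the `domainname in internallist` check in mail_to_misp.py then becomes a substring test, and any extracted domain that happens to be a substring of that value (for example `b'local'`) would be classified as an internal reference with `distribution=0`, while a domain that is not a substring would not. Write it as a tuple, matching the other lists: `internallist = (b'internal.system.local',)`. The switch of every list and `stopword` to bytes literals presumably follows how the script now handles the mail body, which is not visible here.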