mirror of https://github.com/MISP/mail_to_misp
forwarding filter and internallist
parent
6c63a88579
commit
e8c7f4e045
@ -83,6 +83,7 @@ resolver.nameservers = config.nameservers
excludelist = config.excludelist
excludelist = config.excludelist
externallist = config.externallist
externallist = config.externallist
internallist = config.internallist
noidsflaglist = config.noidsflaglist
noidsflaglist = config.noidsflaglist
malwaretags = config.malwaretags
malwaretags = config.malwaretags
dependingtags = config.dependingtags
dependingtags = config.dependingtags
@ -141,9 +142,12 @@ position = 99999
t_email_data = email_data
t_email_data = email_data
for identifier in forward_identifiers:
for identifier in forward_identifiers:
new_position = email_data.find(identifier)
new_position = email_data.find(identifier)
if new_position == -1:
new_position = position
if new_position < position:
if new_position < position:
t_before, t_split, t_email_data = email_data.partition(identifier)
t_before, t_split, t_email_data = email_data.partition(identifier)
position = new_position
position = new_position
print(position)
email_data = t_email_data
email_data = t_email_data
# Refang email data
# Refang email data
@ -194,7 +198,9 @@ for entry in urllist:
if debug:
if debug:
target.write(domainname + "\n")
target.write(domainname + "\n")
if domainname not in excludelist:
if domainname not in excludelist:
if domainname in externallist:
if domainname in internallist:
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
elif domainname in externallist:
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
else:
else:
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
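Review bot: The unconditional `print(position)` added inside the forward-identifier loop (hunk @ -141) writes one line to stdout per identifier for every mail processed, whereas the rest of the file routes diagnostics through the `debug` flag and the debug file handle (`if debug: target.write(...)` in hunk @ -194). It reads as a leftover from developing the `== -1` guard; either remove it or, assuming `target` is already open at that point, guard it the same way: `if debug:` / `    target.write(str(position) + "\n")`. The loop and `position` initialisation start outside the hunk, so the surrounding control flow is inferred from the header line only.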
@ -8,12 +8,13 @@ debug = False
debug_out_file = '/tmp/mail_to_misp-debug.txt'
debug_out_file = '/tmp/mail_to_misp-debug.txt'
nameservers = ['149.13.33.69']
nameservers = ['149.13.33.69']
excludelist = ('google.com', 'microsoft.com')
excludelist = (b'google.com', b'microsoft.com')
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')
noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net', 'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com', 'dropbox.com')
internallist = (b'internal.system.local')
noidsflaglist = (b'myexternalip.com', b'ipinfo.io', b'icanhazip.com', b'wtfismyip.com', b'ipecho.net', b'api.ipify.org', b'checkip.amazonaws.com', b'whatismyipaddress.com', b'google.com', b'dropbox.com')
# Stop parsing when this term is found
# Stop parsing when this term is found
stopword = 'Whois & IP Information'
stopword = b'Whois & IP Information'
# TLP tag setup
# TLP tag setup
# Tuples contain different variations of spelling
# Tuples contain different variations of spelling
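Review bot: `internallist = (b'internal.system.local')` is not a one-element tuple — the parentheses only group, so the value is the bytes object itself, and the `domainname in internallist` test added in mail_to_misp.py (hunk @ -194) becomes a substring check rather than a membership check. Any extracted domain that is a substring of that string (for example `b'system.local'` or `b'local'`) would then be filed as an 'Internal reference' attribute with `distribution=0`, while the other lists in this file keep their tuple semantics because they have more than one entry. The fix is the trailing comma, `internallist = (b'internal.system.local',)`, or a list; a short comment such as `# keep the trailing comma: a one-element tuple, not a bytes literal` would stop the same mistake recurring when `excludelist`, `externallist` or `noidsflaglist` are trimmed to a single entry.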