forwarding filter and internallist

pull/4/head
Sascha Rommelfangen 2017-05-29 17:06:46 +02:00
parent 6c63a88579
commit e8c7f4e045
2 changed files with 12 additions and 5 deletions


@ -83,6 +83,7 @@ resolver.nameservers = config.nameservers
excludelist = config.excludelist excludelist = config.excludelist
externallist = config.externallist externallist = config.externallist
internallist = config.internallist
noidsflaglist = config.noidsflaglist noidsflaglist = config.noidsflaglist
malwaretags = config.malwaretags malwaretags = config.malwaretags
dependingtags = config.dependingtags dependingtags = config.dependingtags
@ -141,9 +142,12 @@ position = 99999
t_email_data = email_data t_email_data = email_data
for identifier in forward_identifiers: for identifier in forward_identifiers:
new_position = email_data.find(identifier) new_position = email_data.find(identifier)
if new_position == -1:
new_position = position
if new_position < position: if new_position < position:
t_before, t_split, t_email_data = email_data.partition(identifier) t_before, t_split, t_email_data = email_data.partition(identifier)
position = new_position position = new_position
print(position)
email_data = t_email_data email_data = t_email_data
# Refang email data # Refang email data
@ -194,7 +198,9 @@ for entry in urllist:
if debug: if debug:
target.write(domainname + "\n") target.write(domainname + "\n")
if domainname not in excludelist: if domainname not in excludelist:
if domainname in externallist: if domainname in internallist:
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
elif domainname in externallist:
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False) misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
else: else:
if (domainname in noidsflaglist) or (hostname in noidsflaglist): if (domainname in noidsflaglist) or (hostname in noidsflaglist):
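Review bot: The `print(position)` added in the `@ -141` hunk writes to stdout on every forward-identifier match, outside the `debug` guard the rest of this file uses (`if debug: target.write(...)` in the `@ -194` hunk), so in a mail-processing hook that stray output may end up in the MTA's pipe or logs rather than in `debug_out_file`. Either drop the line or guard it with the existing flag, e.g. `if debug: target.write(str(position) + "\n")` — assuming `target` is already open at that point, which this hunk does not show; otherwise `if debug: print(position)`. The `-1` check above it is correct: an identifier that is not found no longer wins the `<` comparison. The code enclosing the loop starts and continues outside this hunk.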


@ -8,12 +8,13 @@ debug = False
debug_out_file = '/tmp/mail_to_misp-debug.txt' debug_out_file = '/tmp/mail_to_misp-debug.txt'
nameservers = ['149.13.33.69'] nameservers = ['149.13.33.69']
excludelist = ('google.com', 'microsoft.com') excludelist = (b'google.com', b'microsoft.com')
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net') externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')
noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net', 'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com', 'dropbox.com') internallist = (b'internal.system.local')
noidsflaglist = (b'myexternalip.com', b'ipinfo.io', b'icanhazip.com', b'wtfismyip.com', b'ipecho.net', b'api.ipify.org', b'checkip.amazonaws.com', b'whatismyipaddress.com', b'google.com', b'dropbox.com')
# Stop parsing when this term is found # Stop parsing when this term is found
stopword = 'Whois & IP Information' stopword = b'Whois & IP Information'
# TLP tag setup # TLP tag setup
# Tuples contain different variations of spelling # Tuples contain different variations of spelling
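Review bot: `internallist = (b'internal.system.local')` is not a one-element tuple — without a trailing comma the parentheses only group, so `internallist` is a plain `bytes` value, unlike the neighbouring `excludelist`, `externallist` and `noidsflaglist` tuples. The consumer added in this commit, `if domainname in internallist:`, therefore becomes a bytes substring test: `b'system.local'`, `b'local'` or an empty `domainname` would all be filed as an 'Internal reference' with `distribution=0` instead of being evaluated as indicators, and if `domainname` is ever a `str` the test raises `TypeError`. Change it to `internallist = (b'internal.system.local',)`, and a `# one-element tuple: keep the trailing comma` comment next to it would prevent a recurrence.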