mirror of https://github.com/MISP/mail_to_misp
forwarding filter and internallist
parent
6c63a88579
commit
e8c7f4e045
|
@ -83,6 +83,7 @@ resolver.nameservers = config.nameservers
|
|||
|
||||
excludelist = config.excludelist
|
||||
externallist = config.externallist
|
||||
internallist = config.internallist
|
||||
noidsflaglist = config.noidsflaglist
|
||||
malwaretags = config.malwaretags
|
||||
dependingtags = config.dependingtags
|
||||
|
@ -141,9 +142,12 @@ position = 99999
|
|||
t_email_data = email_data
|
||||
for identifier in forward_identifiers:
|
||||
new_position = email_data.find(identifier)
|
||||
if new_position == -1:
|
||||
new_position = position
|
||||
if new_position < position:
|
||||
t_before, t_split, t_email_data = email_data.partition(identifier)
|
||||
position = new_position
|
||||
print(position)
|
||||
email_data = t_email_data
|
||||
|
||||
# Refang email data
|
||||
|
@ -194,7 +198,9 @@ for entry in urllist:
|
|||
if debug:
|
||||
target.write(domainname + "\n")
|
||||
if domainname not in excludelist:
|
||||
if domainname in externallist:
|
||||
if domainname in internallist:
|
||||
misp.add_named_attribute(new_event, 'link', entry, category='Internal reference', to_ids=False, distribution=0)
|
||||
elif domainname in externallist:
|
||||
misp.add_named_attribute(new_event, 'link', entry, category='External analysis', to_ids=False)
|
||||
else:
|
||||
if (domainname in noidsflaglist) or (hostname in noidsflaglist):
|
||||
|
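Review bot: The new `if domainname in internallist:` branch relies on `internallist` being a tuple like the other lists, but the config hunk below defines it as `internallist = (b'internal.system.local')`, which is a plain bytes value (no trailing comma), so `in` performs a substring match rather than a whole-name comparison. Any domain whose name is a substring of that value would then be recorded as an 'Internal reference' with `distribution=0` instead of falling through to the external or default handling. The fix belongs in the config hunk: `internallist = (b'internal.system.local',)`, making it a one-element tuple consistent with `excludelist`, `externallist` and `noidsflaglist`. A short comment on the new branch, `# distribution=0: keep internal links to the submitting organisation only`, would also document why this branch alone overrides distribution. The enclosing `for entry in urllist:` loop starts before this hunk and continues after it.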
|
|
@ -8,12 +8,13 @@ debug = False
|
|||
debug_out_file = '/tmp/mail_to_misp-debug.txt'
|
||||
nameservers = ['149.13.33.69']
|
||||
|
||||
excludelist = ('google.com', 'microsoft.com')
|
||||
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
|
||||
noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net', 'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com', 'dropbox.com')
|
||||
excludelist = (b'google.com', b'microsoft.com')
|
||||
externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net')
|
||||
internallist = (b'internal.system.local')
|
||||
noidsflaglist = (b'myexternalip.com', b'ipinfo.io', b'icanhazip.com', b'wtfismyip.com', b'ipecho.net', b'api.ipify.org', b'checkip.amazonaws.com', b'whatismyipaddress.com', b'google.com', b'dropbox.com')
|
||||
|
||||
# Stop parsing when this term is found
|
||||
stopword = 'Whois & IP Information'
|
||||
stopword = b'Whois & IP Information'
|
||||
|
||||
# TLP tag setup
|
||||
# Tuples contain different variations of spelling
|
||||
|
|