#!/usr/bin/python3 # -*- coding: utf-8 -*- misp_url = 'YOUR_MISP_URL' misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section misp_verifycert = True debug = False nameservers = ['149.13.33.69'] email_subject_prefix = b'M2M - ' excludelist = (b'google.com', b'microsoft.com') externallist = (b'virustotal.com', b'malwr.com', b'hybrid-analysis.com', b'emergingthreats.net') internallist = (b'internal.system.local') noidsflaglist = (b'myexternalip.com', b'ipinfo.io', b'icanhazip.com', b'wtfismyip.com', b'ipecho.net', b'api.ipify.org', b'checkip.amazonaws.com', b'whatismyipaddress.com', b'google.com', b'dropbox.com') # Stop parsing when this term is found stopword = b'Whois & IP Information' # Ignore lines in body of message containing: ignorelist = (b".*From: .*\n?", b".*Sender: .*\n?", b".*Received: .*\n?", b".*Sender IP: .*\n?", b".*Reply-To: .*\n?", b".*Registrar WHOIS Server: .*\n?", b".*Registrar: .*\n?", b".*Domain Status: .*\n?", b".*Registrant Email: .*\n?", b".*IP Location: .*\n?") # Remove "[tags]", "Re: ", "Fwd: " from subject removelist = (b"[\(\[].*?[\)\]]", b"Re: ", b"Fwd: ") # TLP tag setup # Tuples contain different variations of spelling tlptags = { 'tlp:amber': [ 'tlp:amber', 'tlp: amber', 'tlp amber' ], 'tlp:green': [ 'tlp:green', 'tlp: green', 'tlp green' ], 'tlp:white': [ 'tlp:white', 'tlp: white', 'tlp white' ] } tlptag_default = sorted(tlptags.keys())[0] malwaretags = { 'locky': [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"' ], 'dridex': [ 'misp-galaxy:tool="dridex"' ], 'netwire': [ 'Netwire RAT' ] } # Tags to be set depending on the presence of other tags dependingtags = { 'tlp:white': [ 'circl:osint-feed' ] } # Known identifiers for forwarded messages forward_identifiers = { b'-------- Forwarded Message --------', b'Begin forwarded message:' } # Tags to add when hashes are found (e.g. to do automatic expansion) hash_only_tags = { 'TODO:VT-ENRICHMENT' }