
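#!/usr/bin/python
"""Example configuration for mail_to_misp.

Copy this file to the real config module and fill in the placeholders.
The populated copy holds a live MISP auth key, so it belongs outside
version control.
"""

# --- MISP connection ---
misp_url = 'YOUR_MISP_URL'
misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section
# Verify the MISP server's TLS certificate. Keep True; set False only for a
# server whose certificate the client genuinely cannot validate.
misp_verifycert = True

# --- Debugging ---
debug = False
# NOTE(review): a fixed file name in /tmp is shared with every local user and
# the debug output may include mail content; when enabling debug, prefer a
# directory readable only by the account running mail_to_misp.
debug_out_file = '/tmp/mail_to_misp-debug.txt'

# --- Indicator extraction ---
# Resolver(s) used for DNS lookups.
nameservers = ['149.13.33.69']
# Domains excluded from extraction (presumably never turned into
# attributes -- confirm against the consumer, which is outside this file).
excludelist = ('google.com', 'microsoft.com')
# Domains of external analysis services.
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
# Domains for which the IDS flag is presumably left unset (benign "what is
# my IP" style services) -- confirm against the consumer.
noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net', 'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com', 'dropbox.com')
# Stop parsing when this term is found
stopword = 'Whois & IP Information'

# --- TLP tag setup ---
# Each key is the canonical MISP tag; the list holds spelling variations
# that should map onto it.
tlptags = {
    'tlp:white': ['tlp:white', 'tlp: white', 'tlp white'],
    'tlp:green': ['tlp:green', 'tlp: green', 'tlp green'],
    'tlp:amber': ['tlp:amber', 'tlp: amber', 'tlp amber'],
}
# Default TLP tag, presumably applied when no TLP marker is recognised in the
# message (confirm against the caller). The original derived this as
# sorted(tlptags.keys())[-1], which yields 'tlp:white' purely because of the
# alphabetical order of the key spellings and would change silently if a key
# sorting after it were added. 'tlp:white' is the least restrictive marking,
# so the policy is stated explicitly here rather than left to sort order.
tlptag_default = 'tlp:white'
if tlptag_default not in tlptags:
    raise ValueError('tlptag_default must be one of: %s' % ', '.join(sorted(tlptags)))

# --- Malware name -> tags ---
# Keys are lower-case malware family names; values are the MISP tags to apply.
malwaretags = {
    'locky': ['ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"'],
    'dridex': ['misp-galaxy:tool="dridex"'],
    'netwire': ['Netwire RAT'],
}
# Tags to be set depending on the presence of other tags
dependingtags = {
    'tlp:white': ['circl:osint-feed'],
}
# Known identifiers for forwarded messages (bytes, matched against the raw
# message body).
forward_identifiers = {b'-------- Forwarded Message --------', b'Begin forwarded message:'}
# Tags to add when hashes are found (e.g. to do automatic expansion)
hash_only_tags = {'TODO:VT-ENRICHMENT'}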