mirror of https://github.com/MISP/mail_to_misp
116 lines
5.3 KiB
Python
116 lines
5.3 KiB
Python
#!/usr/bin/env python3
|
|
# -*- coding: utf-8 -*-
|
|
|
|
misp_url = 'YOUR_MISP_URL'
|
|
misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section
|
|
misp_verifycert = True
|
|
spamtrap = False
|
|
default_distribution = 0
|
|
default_threat_level = 4
|
|
default_analysis = 1
|
|
id_tag = 'host:m2m:tld'
|
|
freetext = False
|
|
|
|
# O365MISPClient config
|
|
o365_freetext = False # must be enabled in addition to the above freetext to use this on o365 email messages
|
|
o365_client_id = 'YOUR_O365_CLIENT_ID'
|
|
o365_client_secret = 'YOUR_O365_CLIENT_SECRET'
|
|
o365_tenant_id = 'YOUR_O365_TENANT_ID'
|
|
o365_resource = 'YOUR_O365_INBOX' # misp@yourdomain.com or whatever inbox you are reading mail from
|
|
o365_scopes = [
|
|
'offline_access', # Highly recommended to add this. If not you will have to re-authenticate every hour.
|
|
'https://graph.microsoft.com/Mail.Read', # To read my mailbox
|
|
# 'https://graph.microsoft.com/Mail.Read.Shared' # To read another user/shared mailbox
|
|
]
|
|
|
|
body_config_prefix = 'm2m' # every line in the body starting with this value will be skipped from the IOCs
|
|
m2m_key = 'YOUSETYOURKEYHERE'
|
|
m2m_benign_attachment_keyword = 'benign'
|
|
|
|
enable_dns = True
|
|
debug = False
|
|
nameservers = ['149.13.33.69']
|
|
email_subject_prefix = 'M2M'
|
|
attach_original_mail = False
|
|
ignore_carrier_mail = False
|
|
ignore_nullsize_attachments = False
|
|
|
|
excludelist = ('google.com', 'microsoft.com')
|
|
externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net', 'urlscan.io',
|
|
'abuse.ch', 'tria.ge', 'bleepingcomputer.com', 'any.run', 'urlvoid.com', 'intezer.com')
|
|
internallist = ('internal.system.local')
|
|
noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net',
|
|
'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com',
|
|
'dropbox.com'
|
|
)
|
|
|
|
# Stop parsing when this term is found
|
|
stopword = 'Whois & IP Information'
|
|
|
|
# Ignore lines in body of message containing:
|
|
ignorelist = ("From:", "Sender:", "Received:", "Sender IP:", "Reply-To:", "Registrar WHOIS Server:",
|
|
"Registrar:", "Domain Status:", "Registrant Email:", "IP Location:",
|
|
"X-Get-Message-Sender-Via:", "X-Authenticated-Sender:")
|
|
|
|
# Ignore (don't add) attributes that are on server side warning list
|
|
enforcewarninglist = True
|
|
|
|
# Add a sighting for each value
|
|
sighting = True
|
|
sighting_source = "YOUR_MAIL_TO_MISP_IDENTIFIER"
|
|
|
|
# Remove "Re:", "Fwd:" and {Spam?} from subject
|
|
# add: "[\(\[].*?[\)\]]" to remove everything between [] and (): i.e. [tag]
|
|
removelist = (r"Re:", r"Fwd:", r"\{Spam\?\} ", r"RE:", r"FW:")
|
|
|
|
# TLP tag setup
|
|
# Tuples contain different variations of spelling
|
|
tlptags = {'tlp:amber': ['tlp:amber', 'tlp: amber', 'tlp amber', 'tlp :amber'],
|
|
'tlp:amber+strict': ['tlp:amber+strict', 'tlp: amber+strict', 'tlp amber+strict', 'tlp :amber+strict'],
|
|
'tlp:green': ['tlp:green', 'tlp: green', 'tlp green', 'tlp :green'],
|
|
'tlp:white': ['tlp:white', 'tlp: white', 'tlp white', 'tlp :white'],
|
|
'tlp:clear': ['tlp:clear', 'tlp: clear', 'tlp clear', 'tlp :clear'],
|
|
'tlp:red': ['tlp:red', 'tlp: red', 'tlp red', 'tlp :red']
|
|
}
|
|
tlptag_default = sorted(tlptags.keys())[0]
|
|
|
|
malwaretags = {'locky': ['ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"'],
|
|
'jaff': ['ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"'],
|
|
'dridex': ['misp-galaxy:tool="dridex"'],
|
|
'netwire': ['Netwire RAT'],
|
|
'Pony': ['misp-galaxy:tool="Hancitor"'],
|
|
'ursnif': ['misp-galaxy:tool="Snifula"'],
|
|
'NanoCore': ['misp-galaxy:tool="NanoCoreRAT"'],
|
|
'trickbot': ['misp-galaxy:tool="Trick Bot"'],
|
|
'agenttesla': ['misp-galaxy:mitre-malware="Agent Tesla - S0331"'],
|
|
'formbook': ['misp-galaxy:malpedia="Formbook"'],
|
|
'remcos': ['misp-galaxy:mitre-tool="Remcos - S0332"'],
|
|
'snake keylogger': ['misp-galaxy:malpedia="404 Keylogger"'],
|
|
'icedid': ['misp-galaxy:malpedia="IcedID"'],
|
|
'zloader': ['misp-galaxy:malpedia="Zloader"'],
|
|
'lokibot': ['misp-galaxy:mitre-malware="Lokibot - S0447"'],
|
|
'valyria': ['misp-galaxy:malpedia="POWERSTATS"'],
|
|
'guloader': ['misp-galaxy:mitre-malware="GuLoader - S0561"'],
|
|
'avemaria': ['misp-galaxy:mitre-malware="WarzoneRAT - S0670"'],
|
|
'warzone': ['misp-galaxy:mitre-malware="WarzoneRAT - S0670"'],
|
|
'hancitor': ['misp-galaxy:malpedia="Hancitor"'],
|
|
'async': ['misp-galaxy:malpedia="AsyncRAT"'],
|
|
'emotet': ['misp-galaxy:mitre-malware="Emotet - S0367"']
|
|
}
|
|
|
|
# Tags to be set depending on the presence of other tags
|
|
dependingtags = {'tlp:white': ['circl:osint-feed'],
|
|
'tlp:clear': ['circl:osint-feed']
|
|
}
|
|
|
|
# Known identifiers for forwarded messages
|
|
forward_identifiers = {'-------- Forwarded Message --------', 'Begin forwarded message:'}
|
|
|
|
# Tags to add when hashes are found (e.g. to do automatic expansion)
|
|
hash_only_tags = {'TODO:VT-ENRICHMENT'}
|
|
|
|
# If an attribute is on any MISP server side `warning list`, skip the creation of the attribute
|
|
skip_item_on_warninglist = True
|
|
|
|
vt_key = None
|