Sascha Rommelfangen 86ef720226 added header, corrected No-IDS flag 2017-05-08 15:47:47 +02:00
MUA script moved 2017-05-03 06:39:46 +02:00
README.md added description of implementation 2017-05-03 06:34:53 +02:00
hashmarker.py new functionalities (hashes, ids_flag) 2017-04-28 09:58:58 +02:00
mail_to_misp.py added header, corrected No-IDS flag 2017-05-08 15:47:47 +02:00
mail_to_misp_config.py-example initial commit 2017-04-27 13:58:49 +02:00
urlmarker.py initial commit 2017-04-27 13:58:49 +02:00

README.md

mail_to_misp

Connect your mail client to MISP in order to create events based on the information contained within mails.

Features

  • Extraction of URLs and IP addresses (including port numbers, where present) from free-text emails
  • Extraction of hostnames from the extracted URLs
  • Extraction of hashes (MD5, SHA1, SHA256)
  • DNS expansion
  • Custom filter list for lines containing specific words
  • Subject filters
  • Respecting a TLP classification mentioned in the free text (optionally tolerating misspellings)
  • Refanging of URLs ('hxxp://...')
  • Add tags automatically based on key words (configurable)
  • Add tags automatically depending on the presence of other tags (configurable)
  • Ignore 'whitelisted' domains (configurable)
  • Configurable list of attribute types for which the IDS flag is not set
  • Automatically create 'external analysis' links based on a filter list (e.g. VirusTotal, malwr.com)
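The following is an added example, not code from the mail_to_misp project, showing how the extraction features listed above fit together on a mail body: refanging, URL/hostname/IP:port/hash extraction, TLP detection that tolerates a few spellings, a domain whitelist, and a list of attribute types that never get the IDS flag. The sample mail, WHITELISTED_DOMAINS and NO_IDS_TYPES are constructed for the demonstration and are not the project's real configuration keys; DNS expansion is left out because it needs network access.

```python
"""
Added example (not the project's own code): a minimal indicator extractor
mirroring the mail_to_misp feature list.  Config names below are assumed,
not the real keys from mail_to_misp_config.py.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample mail body for demonstration (not a real report).
SAMPLE_MAIL = """TLP:AMBER - do not share outside your constituency
Seen C2 at hxxp://evil-example[.]com/gate.php and 203.0.113.45:8443.
Dropper md5 d41d8cd98f00b204e9800998ecf8427e, sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Internal copy at http://intranet.example.org/report (do not import)
"""

# Hypothetical config values (the real ones live in mail_to_misp_config.py).
WHITELISTED_DOMAINS = {"example.org"}   # URLs/hostnames under these are ignored
NO_IDS_TYPES = {"hostname"}             # attribute types that never get to_ids

_REFANG = [(re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
           (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), ".")]
_URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.I)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
# Longest alternative first so a SHA256 is not reported as an MD5 prefix.
_HASH_RE = re.compile(r"\b([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
# 'TLP:AMBER', 'tlp amber', 'T.L.P-amber' are all accepted.
_TLP_RE = re.compile(r"\bt\.?l\.?p\s*[:\-]?\s*(white|green|amber|red)\b", re.I)
_HASH_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text):
    """Turn defanged notation (hxxp://, [.]) back into real URLs/hosts."""
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def detect_tlp(text):
    """Return the TLP colour named in free text (lower case), or None."""
    m = _TLP_RE.search(text)
    return m.group(1).lower() if m else None


def is_whitelisted(host, whitelist=WHITELISTED_DOMAINS):
    """True for the domain itself and any subdomain of it (not 'example.org.evil.com')."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in whitelist)


def extract_urls(text):
    """URLs with trailing sentence punctuation stripped; whitelist applied by caller."""
    return [u.rstrip(".,;:") for u in _URL_RE.findall(text)]


def extract_ips(text):
    """(ip, port-or-None) pairs; ipaddress.ip_address rejects e.g. 999.1.1.1."""
    out = []
    for ip, port in _IP_RE.findall(text):
        try:
            ip_address(ip)
        except ValueError:
            continue
        out.append((ip, int(port) if port else None))
    return out


def extract_hashes(text):
    """(type, digest) pairs, type chosen by digest length."""
    return [(_HASH_TYPE[len(h)], h.lower()) for h in _HASH_RE.findall(text)]


def mail_to_attributes(body):
    """Build MISP-style (type, value, to_ids) attributes from a mail body."""
    text = refang(body)
    attrs = []

    def add(atype, value):
        attrs.append({"type": atype, "value": value,
                      "to_ids": atype not in NO_IDS_TYPES})

    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        if is_whitelisted(host):
            continue
        add("url", url)
        add("hostname", host)
    for ip, port in extract_ips(text):
        if port:
            add("ip-dst|port", f"{ip}|{port}")   # MISP composite type, value 'ip|port'
        else:
            add("ip-dst", ip)
    for htype, digest in extract_hashes(text):
        add(htype, digest)
    return {"tlp": detect_tlp(text), "attributes": attrs}


if __name__ == "__main__":
    import json
    print(json.dumps(mail_to_attributes(SAMPLE_MAIL), indent=2))
```

Run it on SAMPLE_MAIL and the whitelisted intranet URL is dropped, the defanged C2 URL comes back refanged with its hostname (to_ids off, because of NO_IDS_TYPES), the IP is emitted as an `ip-dst|port` composite, and the three digests are typed by length; the TLP colour is returned separately so the caller can turn it into a `tlp:amber` tag on the event.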

Implementation

For the moment, the implemented workflows are:

  1. Email -> Apple Mail -> Mail rule -> AppleScript -> python script -> PyMISP -> MISP
  2. Email -> Thunderbird -> Mail rule -> filterscript -> thunderbird_wrapper -> python script -> PyMISP -> MISP

Installation

Apple Mail

  1. Mail rule script
  • git clone this repository
  • open the AppleScript file MUA/Apple/Mail/MISP Mail Rule Action.txt in Apple's 'Script Editor'
  • adjust the path to the python installation and the location of the mail_to_misp.py script
  • save it in ~/Library/Application Scripts/com.apple.mail/
  2. Create a mail rule based on your needs, executing the AppleScript defined before
  3. Copy mail_to_misp_config.py-example to mail_to_misp_config.py and configure it

Thunderbird

  1. Git clone https://github.com/rommelfs/filterscript and install the plugin (instructions within the project description)
  2. Mail rule script
  • git clone this repository
  • open the bash script MUA/Mozilla/Thunderbird/thunderbird_wrapper.sh and adjust the paths: the python installation and the location of the mail_to_misp.py script
  3. Create a mail rule based on your needs, executing the thunderbird_wrapper.sh script
  4. Copy mail_to_misp_config.py-example to mail_to_misp_config.py and configure it

You should be able to create MISP events now.

Requirements

General

Thunderbird