MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

Improve support of email importer if headers are missing 

Fix #88
pull/86/merge
Raphaël Vinot 2017-01-07 10:25:38 -05:00
parent 3b56abd70e
commit b51806ac9f
1 changed files with 37 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
misp_modules/modules/import_mod/email_import.py
View File

@ -48,55 +48,63 @@ def handler(q=False):
"types": ['email-header']})
# E-Mail MIME Boundry
results.append({"values": message.get_boundary(),
"types": ['email-mime-boundary']})
if message.get_boundary():
results.append({"values": message.get_boundary(),
"types": ['email-mime-boundary']})
# E-Mail Reply To
results.append({"values": message.get('In-Reply-To').strip(),
"types": ['email-reply-to']})
if message.get('In-Reply-To'):
results.append({"values": message.get('In-Reply-To').strip(),
"types": ['email-reply-to']})
# X-Mailer
results.append({"values": message.get('X-Mailer'),
"types": ['email-x-mailer']})
if message.get('X-Mailer'):
results.append({"values": message.get('X-Mailer'),
"types": ['email-x-mailer']})
# Thread Index
results.append({"values": message.get('Thread-Index'),
"types": ['email-thread-index']})
if message.get('Thread-Index'):
results.append({"values": message.get('Thread-Index'),
"types": ['email-thread-index']})
# Email Message ID
results.append({"values": message.get('Message-ID'),
"types": ['email-message-id']})
if message.get('Message-ID'):
results.append({"values": message.get('Message-ID'),
"types": ['email-message-id']})
# Subject
results.append({"values": message.get('Subject'),
"types": ['email-subject']})
if message.get('Subject'):
results.append({"values": message.get('Subject'),
"types": ['email-subject']})
# Source
from_addr = message.get('From')
results.append({"values": parseaddr(from_addr)[1],
"types": ['email-src'],
"comment": "From: {0}".format(from_addr)})
results.append({"values": parseaddr(from_addr)[0],
"types": ['email-src-display-name'],
"comment": "From: {0}".format(from_addr)})
if from_addr:
results.append({"values": parseaddr(from_addr)[1],
"types": ['email-src'],
"comment": "From: {0}".format(from_addr)})
results.append({"values": parseaddr(from_addr)[0],
"types": ['email-src-display-name'],
"comment": "From: {0}".format(from_addr)})
# Return Path
return_path = message.get('Return-Path')
# E-Mail Source
results.append({"values": parseaddr(return_path)[1],
"types": ['email-src'],
"comment": "Return Path: {0}".format(return_path)})
# E-Mail Source Name
results.append({"values": parseaddr(return_path)[0],
"types": ['email-src-display-name'],
"comment": "Return Path: {0}".format(return_path)})
if return_path:
# E-Mail Source
results.append({"values": parseaddr(return_path)[1],
"types": ['email-src'],
"comment": "Return Path: {0}".format(return_path)})
# E-Mail Source Name
results.append({"values": parseaddr(return_path)[0],
"types": ['email-src-display-name'],
"comment": "Return Path: {0}".format(return_path)})
# Destinations
# Split and sort destination header values
recipient_headers = ['To', 'Cc', 'Bcc']
for hdr_val in recipient_headers:
try:
if message.get(hdr_val):
addrs = message.get(hdr_val).split(',')
for addr in addrs:
# Parse and add destination header values
@ -110,15 +118,12 @@ def handler(q=False):
"comment": "{0}: {1}".format(hdr_val,
addr)})
except AttributeError:
continue
# Get E-Mail Targets
# Get the addresses that received the email.
# As pulled from the Received header
received = message.get_all('Received')
email_targets = set()
try:
if received:
email_targets = set()
for rec in received:
try:
email_check = re.search("for\s(.*@.*);", rec).group(1)
@ -130,8 +135,6 @@ def handler(q=False):
results.append({"values": tar,
"types": ["target-email"],
"comment": "Extracted from email 'Received' header"})
except TypeError:
pass # If received header is missing we can't iterate over NoneType
# Check if we were given a configuration
config = request.get("config", {})