parent
3b56abd70e
commit
b51806ac9f
|
@ -48,55 +48,63 @@ def handler(q=False):
|
||||||
"types": ['email-header']})
|
"types": ['email-header']})
|
||||||
|
|
||||||
# E-Mail MIME Boundry
|
# E-Mail MIME Boundry
|
||||||
results.append({"values": message.get_boundary(),
|
if message.get_boundary():
|
||||||
"types": ['email-mime-boundary']})
|
results.append({"values": message.get_boundary(),
|
||||||
|
"types": ['email-mime-boundary']})
|
||||||
|
|
||||||
# E-Mail Reply To
|
# E-Mail Reply To
|
||||||
results.append({"values": message.get('In-Reply-To').strip(),
|
if message.get('In-Reply-To'):
|
||||||
"types": ['email-reply-to']})
|
results.append({"values": message.get('In-Reply-To').strip(),
|
||||||
|
"types": ['email-reply-to']})
|
||||||
|
|
||||||
# X-Mailer
|
# X-Mailer
|
||||||
results.append({"values": message.get('X-Mailer'),
|
if message.get('X-Mailer'):
|
||||||
"types": ['email-x-mailer']})
|
results.append({"values": message.get('X-Mailer'),
|
||||||
|
"types": ['email-x-mailer']})
|
||||||
|
|
||||||
# Thread Index
|
# Thread Index
|
||||||
results.append({"values": message.get('Thread-Index'),
|
if message.get('Thread-Index'):
|
||||||
"types": ['email-thread-index']})
|
results.append({"values": message.get('Thread-Index'),
|
||||||
|
"types": ['email-thread-index']})
|
||||||
|
|
||||||
# Email Message ID
|
# Email Message ID
|
||||||
results.append({"values": message.get('Message-ID'),
|
if message.get('Message-ID'):
|
||||||
"types": ['email-message-id']})
|
results.append({"values": message.get('Message-ID'),
|
||||||
|
"types": ['email-message-id']})
|
||||||
|
|
||||||
# Subject
|
# Subject
|
||||||
results.append({"values": message.get('Subject'),
|
if message.get('Subject'):
|
||||||
"types": ['email-subject']})
|
results.append({"values": message.get('Subject'),
|
||||||
|
"types": ['email-subject']})
|
||||||
|
|
||||||
# Source
|
# Source
|
||||||
from_addr = message.get('From')
|
from_addr = message.get('From')
|
||||||
results.append({"values": parseaddr(from_addr)[1],
|
if from_addr:
|
||||||
"types": ['email-src'],
|
results.append({"values": parseaddr(from_addr)[1],
|
||||||
"comment": "From: {0}".format(from_addr)})
|
"types": ['email-src'],
|
||||||
results.append({"values": parseaddr(from_addr)[0],
|
"comment": "From: {0}".format(from_addr)})
|
||||||
"types": ['email-src-display-name'],
|
results.append({"values": parseaddr(from_addr)[0],
|
||||||
"comment": "From: {0}".format(from_addr)})
|
"types": ['email-src-display-name'],
|
||||||
|
"comment": "From: {0}".format(from_addr)})
|
||||||
|
|
||||||
# Return Path
|
# Return Path
|
||||||
return_path = message.get('Return-Path')
|
return_path = message.get('Return-Path')
|
||||||
# E-Mail Source
|
if return_path:
|
||||||
results.append({"values": parseaddr(return_path)[1],
|
# E-Mail Source
|
||||||
"types": ['email-src'],
|
results.append({"values": parseaddr(return_path)[1],
|
||||||
"comment": "Return Path: {0}".format(return_path)})
|
"types": ['email-src'],
|
||||||
# E-Mail Source Name
|
"comment": "Return Path: {0}".format(return_path)})
|
||||||
results.append({"values": parseaddr(return_path)[0],
|
# E-Mail Source Name
|
||||||
"types": ['email-src-display-name'],
|
results.append({"values": parseaddr(return_path)[0],
|
||||||
"comment": "Return Path: {0}".format(return_path)})
|
"types": ['email-src-display-name'],
|
||||||
|
"comment": "Return Path: {0}".format(return_path)})
|
||||||
|
|
||||||
# Destinations
|
# Destinations
|
||||||
# Split and sort destination header values
|
# Split and sort destination header values
|
||||||
recipient_headers = ['To', 'Cc', 'Bcc']
|
recipient_headers = ['To', 'Cc', 'Bcc']
|
||||||
|
|
||||||
for hdr_val in recipient_headers:
|
for hdr_val in recipient_headers:
|
||||||
try:
|
if message.get(hdr_val):
|
||||||
addrs = message.get(hdr_val).split(',')
|
addrs = message.get(hdr_val).split(',')
|
||||||
for addr in addrs:
|
for addr in addrs:
|
||||||
# Parse and add destination header values
|
# Parse and add destination header values
|
||||||
|
@ -110,15 +118,12 @@ def handler(q=False):
|
||||||
"comment": "{0}: {1}".format(hdr_val,
|
"comment": "{0}: {1}".format(hdr_val,
|
||||||
addr)})
|
addr)})
|
||||||
|
|
||||||
except AttributeError:
|
|
||||||
continue
|
|
||||||
|
|
||||||
# Get E-Mail Targets
|
# Get E-Mail Targets
|
||||||
# Get the addresses that received the email.
|
# Get the addresses that received the email.
|
||||||
# As pulled from the Received header
|
# As pulled from the Received header
|
||||||
received = message.get_all('Received')
|
received = message.get_all('Received')
|
||||||
email_targets = set()
|
if received:
|
||||||
try:
|
email_targets = set()
|
||||||
for rec in received:
|
for rec in received:
|
||||||
try:
|
try:
|
||||||
email_check = re.search("for\s(.*@.*);", rec).group(1)
|
email_check = re.search("for\s(.*@.*);", rec).group(1)
|
||||||
|
@ -130,8 +135,6 @@ def handler(q=False):
|
||||||
results.append({"values": tar,
|
results.append({"values": tar,
|
||||||
"types": ["target-email"],
|
"types": ["target-email"],
|
||||||
"comment": "Extracted from email 'Received' header"})
|
"comment": "Extracted from email 'Received' header"})
|
||||||
except TypeError:
|
|
||||||
pass # If received header is missing we can't iterate over NoneType
|
|
||||||
|
|
||||||
# Check if we were given a configuration
|
# Check if we were given a configuration
|
||||||
config = request.get("config", {})
|
config = request.get("config", {})
|
||||||
|
|
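Review bot: In the first hunk (`@ -48,55 +48,63 @@`) the new `if from_addr:` and `if return_path:` branches still append `parseaddr(...)[0]` as an `email-src-display-name` even when the parsed display name is the empty string, which is the normal case for `Return-Path: <bounce@example.com>` and for a bare `From: user@example.com`, so the guards added by this commit to avoid empty attributes do not cover these two spots. Bind the tuple once and guard each element before appending, and since these headers come from the analysed (attacker-controlled) message the same guard also stops a malformed header from yielding an empty `email-src` value. The recipient loop that follows splits `To`/`Cc`/`Bcc` on commas, which mis-splits quoted display names like `"Doe, John" <j@example.com>`; `email.utils.getaddresses(message.get_all(hdr_val, []))` is the robust replacement, though that loop's body continues past the end of the hunk. Whether `message.get(...)` returns `str` or a header object here depends on the parser policy chosen outside this view, so I have not assumed `.strip()` is safe on every header.
```python
    # Source
    from_addr = message.get('From')
    if from_addr:
        src_name, src_addr = parseaddr(from_addr)
        if src_addr:
            results.append({"values": src_addr,
                            "types": ['email-src'],
                            "comment": "From: {0}".format(from_addr)})
        if src_name:
            results.append({"values": src_name,
                            "types": ['email-src-display-name'],
                            "comment": "From: {0}".format(from_addr)})
    # … unchanged: apply the same name/addr guard to Return-Path, destinations loop …
```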