diff --git a/1.1-misp-viper-integration/slide.vrb b/1.1-misp-viper-integration/slide.vrb
deleted file mode 100644
index 04ec09e..0000000
--- a/1.1-misp-viper-integration/slide.vrb
+++ /dev/null
@@ -1,9 +0,0 @@
-\frametitle{Q\&A}
-\includegraphics[scale=0.5]{misplogo.pdf}
-\begin{itemize}
- \item \url{https://github.com/MISP/PyMISP}
- \item \url{https://github.com/MISP/}
- \item \url{https://github.com/viper-framework/viper}
- \item We welcome new functionalities and pull requests.
-\end{itemize}
-
diff --git a/1.2.1-misp-integration-mail2misp/content.tex b/1.2.1-misp-integration-mail2misp/content.tex
new file mode 100644
index 0000000..35eb947
--- /dev/null
+++ b/1.2.1-misp-integration-mail2misp/content.tex
@@ -0,0 +1,153 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\lstdefinelanguage{json}{
+ basicstyle=\ttfamily\footnotesize,
+ numbers=left,
+ numberstyle=\ttfamily\footnotesize,
+ stepnumber=1,
+ numbersep=8pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ backgroundcolor=\color{background},
+ literate=
+ *{0}{{{\color{numb}0}}}{1}
+ {1}{{{\color{numb}1}}}{1}
+ {2}{{{\color{numb}2}}}{1}
+ {3}{{{\color{numb}3}}}{1}
+ {4}{{{\color{numb}4}}}{1}
+ {5}{{{\color{numb}5}}}{1}
+ {6}{{{\color{numb}6}}}{1}
+ {7}{{{\color{numb}7}}}{1}
+ {8}{{{\color{numb}8}}}{1}
+ {9}{{{\color{numb}9}}}{1}
+ {:}{{{\color{punct}{:}}}}{1}
+ {,}{{{\color{punct}{,}}}}{1}
+ {\{}{{{\color{delim}{\{}}}}{1}
+ {\}}{{{\color{delim}{\}}}}}{1}
+ {[}{{{\color{delim}{[}}}}{1}
+ {]}{{{\color{delim}{]}}}}{1},
+}
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{Context}
+ \begin{itemize}
+ \item You receive emails with IoC's inside
+ \item How to create an event out of it?
+ \item Create event manually and copy paste
+ \item $\to$ This works once or twice
+ \item Forwarding the email would be nice
+ \item $\to$ mail\_to\_misp
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Features: Email handling}
+ \begin{itemize}
+ \item Extraction of URLs and IP addresses and port numbers
+ \item Extraction of hostnames from URLs
+ \item Extraction of hashes (MD5, SHA1, SHA256)
+ \item DNS expansion
+ \item Subject filters
+ \item Refanging of URLs ('hxxp://...')
+ \item ... and more
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Features: Support MISP features}
+ \begin{itemize}
+ \item Add tags automatically
+ \item Ignore 'whitelisted' domains
+ \item Configurable list of attributes not to enable the IDS flag
+ \item DNS expansion
+ \item Automatically create 'external analysis' links based on filter list (e.g. VirusTotal, malwr.com)
+ \item Automatically filter out attributes that are on a server side warning list
+ \item Support for value sighting
+ \item ... and more
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Implementation}
+ \begin{itemize}
+ \item Legacy
+ \begin{itemize}
+ \item Email $\to$ Apple Mail $\to$ Mail rule $\to$ AppleScript
+ \item[] $\to$ AppleScript $\to$ mail\_to\_misp $\to$ PyMISP $\to$ MISP
+ \item[]
+ \item Email $\to$ Thunderbird $\to$ Mail rule $\to$ filterscript $\to$
+ \item[]thunderbird\_wrapper $\to$ mail\_to\_misp $\to$ PyMISP $\to$ MISP
+ \end{itemize}
+ \item[]
+ \item Postfix and others
+ \begin{itemize}
+ \item Email $\to$ mail\_to\_misp
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Installation}
+ \begin{itemize}
+ \item mail\_to\_misp
+ \begin{enumerate}
+ \item \texttt{git clone git://github.com/MISP/mail\_to\_misp.git}
+ \item Install dependencies - See Github site
+ \end{enumerate}
+ \item[]
+ \item MTA (Postfix or alike)
+ \begin{enumerate}
+ \item Setup a new email address in the aliases file (e.g. /etc/aliases)
+ \item[] \texttt{misp\_handler: "|/path/to/mail\_to\_misp.py -"}
+ \item Rebuild the DB
+ \item[] \texttt{sudo newaliases}
+ \item Configure mail\_to\_misp\_config.py
+\begin{lstlisting}[basicstyle=\tiny]
+misp_url = 'http://127.0.0.1/'
+misp_key = 's5jPWCIud36Z8XHgsiCVI7SaL1XsMTyfEsN45tTe'
+misp_verifycert = True
+body_config_prefix = 'm2m'
+...
+...
+\end{lstlisting}
+ \end{enumerate}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Exercise: mail\_2\_misp.py}
+ \begin{itemize}
+ \item Bonus: \texttt{https://github.com/MISP/mail\_to\_misp\_test}
+\begin{lstlisting}[basicstyle=\tiny]
+./mail_to_misp.py -r mail_to_misp_test/simple_forward.eml
+\end{lstlisting}
+ \item Bonus: Fake-SMTPD spamtrap
+\begin{lstlisting}[basicstyle=\tiny]
+./fake_smtp.py
+
+telnet 127.0.0.1 2526
+ Trying 127.0.0.1...
+ Connected to 127.0.0.1.
+ Escape character is '^]'.
+ 220 misp Python SMTP 1.1
+ helo misp
+ 250 misp
+ mail from: mikel
+ 250 OK
+ rcpt to: m2m
+ 250 OK
+ data
+ 354 End data with .
+
+\end{lstlisting}
+ \end{itemize}
+\end{frame}
+
+
+
diff --git a/1.2.1-misp-integration-mail2misp/logo-circl.pdf b/1.2.1-misp-integration-mail2misp/logo-circl.pdf
new file mode 100644
index 0000000..62c9239
Binary files /dev/null and b/1.2.1-misp-integration-mail2misp/logo-circl.pdf differ
diff --git a/1.2.1-misp-integration-mail2misp/misp.pdf b/1.2.1-misp-integration-mail2misp/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/1.2.1-misp-integration-mail2misp/misp.pdf differ
diff --git a/1.2.1-misp-integration-mail2misp/misplogo.pdf b/1.2.1-misp-integration-mail2misp/misplogo.pdf
new file mode 100644
index 0000000..60da568
Binary files /dev/null and b/1.2.1-misp-integration-mail2misp/misplogo.pdf differ
diff --git a/1.2.1-misp-integration-mail2misp/slide.tex b/1.2.1-misp-integration-mail2misp/slide.tex
new file mode 100644
index 0000000..8f99965
--- /dev/null
+++ b/1.2.1-misp-integration-mail2misp/slide.tex
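Review bot: The Installation frame's config listing prints a concrete-looking `misp_key = 's5jPWCIud36Z8XHgsiCVI7SaL1XsMTyfEsN45tTe'`; whether that is a live auth key cannot be told from the diff, but a slide deck that gets published as a PDF is not a place for one, so an obvious placeholder such as `misp_key = '<MISP-AUTH-KEY>'` is safer. In the same listing `misp_url = 'http://127.0.0.1/'` sits next to `misp_verifycert = True`, which has no effect over plain http; an `https://` example URL would make the verifycert line meaningful to the audience. The clone step on that frame uses `git://github.com/MISP/mail\_to\_misp.git`, an unauthenticated transport, where `https://github.com/MISP/mail\_to\_misp.git` is the usual recommendation. The file is added whole, so every frame referenced here is visible in the hunk.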
@@ -0,0 +1,29 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+
+\author{\small{\input{../includes/authors.txt}}}
+
+\title{mail\_to\_misp}
+\subtitle{Connect your mail infrastructure to MISP to create events based on the information contained within mails}
+\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/build.sh b/build.sh
index 8c6c9eb..20b3c4d 100644
--- a/build.sh
+++ b/build.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
-slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration")
+slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp")
 mkdir output
 export TEXINPUTS=::`pwd`/themes/
 echo ${TEXINPUTS}
@@ -9,7 +9,7 @@ for slide in ${slidedecks[@]}; do
 cd ${slide}
 pdflatex slide.tex
 pdflatex slide.tex
- rm *.aux *.toc *.snm *.log *.out *.nav
+ rm *.aux *.toc *.snm *.log *.out *.nav *.vrb
 cp slide.pdf ../output/${slide}.pdf
 rm slide.pdf
 cd ..
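Review bot: The widened `rm *.aux *.toc *.snm *.log *.out *.nav *.vrb` in build.sh's second hunk still runs unconditionally after an unchecked `cd ${slide}`, so if an entry in `slidedecks` (such as the directory added in the first hunk) is missing or misspelled, the globs and the following `rm slide.pdf` execute in the repository root rather than the deck directory. Guarding the directory change with `cd "${slide}" || continue` keeps one bad array entry from deleting files elsewhere in the checkout. The `for` loop that encloses these lines starts before the hunk, and the `*.vrb` addition itself is consistent with the `slide.vrb` artifact removed earlier in this commit.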