Skip to content

mail_to_misp (mail2misp) version 1.0 released

Latest
Latest
Compare
Choose a tag to compare
@adulau adulau released this 12 Oct 06:25
· 47 commits to main since this release
v1.0
This tag was signed with the committer’s verified signature.
adulau Alexandre Dulaunoy
GPG key ID: 09E2CD4944E6CBCD
Learn about vigilant mode.
1eeaf1c
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Connect your mail infrastructure to MISP to create events based on the information contained within mail. The solution can be also used to feed MISP instance with honeypot receiving emails.

A first version 1.0 has been released as the software is used in production in many places.

Features

  • Extraction of URLs and IP addresses (and port numbers) from free text emails
  • Extraction of hostnames from URLs
  • Extraction of hashes (MD5, SHA1, SHA256)
  • DNS expansion
  • Custom filter list for lines containing specific words
  • Subject filters
  • Respecting TLP classification mentioned in free text (including optional spelling robustness)
  • Refanging of URLs ('hxxp://...')
  • Add tags automatically based on key words (configurable)
  • Add tags automatically depending on the presence of other tags (configurable)
  • Add tags automatically depending on presence of hashes (e.g. for automatic expansion)
  • Ignore 'whitelisted' domains (configurable)
  • Specify a stop word term to no further process input
  • Configurable list of attributes not to enable the IDS flag
  • Automatically create 'external analysis' links based on filter list (e.g. VirusTotal, malwr.com)
  • Automatically create 'internal reference' links based on filter list
  • Detection of forwarded messages
  • Process attachments as malware samples or specify that they are processed as benign files (m2m_attachment_keyword)

You can send mails with attachments to mail_to_misp and tell it, to treat the attachment as a benign document (in contrast to the default behaviour: treating it as a malware sample). You need to set a keyword in the configuration:
m2m_attachment_keyword = 'attachment:benign'

  • Logging to syslog
  • Remove "[tags]", "Re:" and "Fwd:" from subjects
  • Optionally attach entire mail to event
  • Contains now a fake-smtpd spamtrap which delivers IoCs/mails to MISP
  • Automatically filter out attributes that are on a server side warning list (enforcewarninglist=True)
  • Support for value sighting (sighting=True, sighting_source="YOUR_MAIL_TO_MISP_IDENTIFIER")
  • Auto-publish when key:yourkey is specified in mail (configurable, m2m_key, m2m_auto_distribution)
    The m2m_key configuration is used to specify a secret only you and your users know. If you know the key, you can send a mail to your mail_to_misp instance, and when this key is present in the body of the message, it will automatically publish the event. So let's assume your config says: m2m_key = 'ABCDEFGHIJKLMN0PQRSTUVWXYZ'
    If you send a mail to mail_to_misp containing: key:ABCDEFGHIJKLMN0PQRSTUVWXYZ the event is automatically published.
    If you don't want to use this feature, just don't put it in the message body.
    The distribution is defined in the configuration as well: m2m_auto_distribution = '3' # 3 = All communities

For OSINT collection purposes (like collecting URLs to OSINT reports), you can tell mail_to_misp to only extract URLs (--urlsonly) and append them to a predefined MISP event (--event N). The subject of such a mail goes into the comment field of the value.

Example:

osinturlcollection: "|/path/to/mail_to_misp.py --urlsonly --event 12345 -"
Assets 2