Closed iglocska closed 6 years ago
Thank you for the feedback ;-)
My pleasure!
That's in relation with the (outstanding) PyMISP upgrade using the freetext import of MISP directly. The idea is to make it configurable so either the parsing is done by a) MISP (full benefit of freetext import parser) or b) mail_to_misp (more configurable granularity on how to deal with different types)
In case of a) your proposal will be taken into account and discussed with the MISP lead development team.
Maybe we should have a generic Python library for misp-warninglists to filter out from any datastream? @Rafiot a good challenge?
I did this one: https://github.com/MISP/PyMISPWarningLists. I still need to figure out a simple way to search in the lists in a more clever way (i.e. CIDR blocks), but it is an option already.
Done.
Hey guys, I love what you've done with mail_to_misp. Is this feature currently implemented or in the works? Otherwise, I may be able to help add the API call before these attributes are imported.
Hi @obsidianpentesting, thank you for your words!
Locally it would be already working, but we are working on a solution using the server's warning list + pymisp. It should come in the following days (hopefully).
Hi @obsidianpentesting and others,
with the latest version, you can configure:
enforcewarninglist=True
This will look up if a to-be-added attribute is on a server side warning list. If yes, the creation is skipped.
Be sure to implement the following in your config file; it won't be added automatically (mail_to_misp_config.py):
# Ignore (don't add) attributes that are on server side warning list
enforcewarninglist=True
Thanks @Rafiot and @iglocska for the work you've done on your parts 👍
It is the best kind of fix, I didn't have to do anything \o/
Very nice! So easy to implement.
Would be handy to have the filtering already enforced on import.
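The skip-if-on-a-warning-list behaviour that `enforcewarninglist` turns on, combined with the CIDR-aware matching mentioned earlier in the thread, as an added local sketch (not code from mail_to_misp, PyMISP or PyMISPWarningLists). The list names and entries are constructed samples, and `warninglist_hits` and `filter_attributes` are hypothetical helper names.

```python
import ipaddress

# Constructed sample lists (documentation ranges and example domains), shaped
# like MISP warninglists with a "type" and a "list"; not real list contents.
WARNINGLISTS = {
    "sample-resolvers": {"type": "cidr", "list": ["192.0.2.0/24", "2001:db8::/32"]},
    "sample-top-domains": {"type": "hostname", "list": ["example.com"]},
    "sample-exact": {"type": "string", "list": ["localhost"]},
}


def _matches(value, wl_type, entries):
    """Return True if value is covered by one warning list of the given type."""
    v = value.strip().lower().rstrip(".")
    if wl_type == "cidr":
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            return False  # not an IP address, so it cannot fall inside a CIDR block
        nets = (ipaddress.ip_network(e, strict=False) for e in entries)
        return any(addr.version == n.version and addr in n for n in nets)
    if wl_type == "hostname":
        # Match the listed name or any subdomain, but not "notexample.com".
        return any(v == e or v.endswith("." + e) for e in entries)
    return v in entries  # "string": exact, case-insensitive match


def warninglist_hits(value, lists=WARNINGLISTS):
    """Names of every warning list that covers value."""
    return [n for n, wl in lists.items() if _matches(value, wl["type"], wl["list"])]


def filter_attributes(values, enforcewarninglist=True, lists=WARNINGLISTS):
    """Split candidate attribute values into (kept, skipped-with-reason)."""
    kept, skipped = [], {}
    for value in values:
        hits = warninglist_hits(value, lists) if enforcewarninglist else []
        if hits:
            skipped[value] = hits  # keep the reason so skips can be logged
        else:
            kept.append(value)
    return kept, skipped


if __name__ == "__main__":
    sample = ["192.0.2.53", "198.51.100.7", "mail.example.com", "notexample.com"]
    print(filter_attributes(sample))
```

Recording which list caused each skip makes it possible to audit what the filter dropped from an incoming mail.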