giovino/wf-email

wf-email-addresses

A script to submit email intelligence to csirtg

Requirements

  1. py-cgmail
  2. py-csirtgsdk

Goals

  1. To demonstrate how to interact with csirtg using the csirtg SDK

Requirements

  1. A csirtg account
  2. A csirtg account token; within csirtg:
       1. Select your username
       2. Select "tokens"
       3. Select "Generate Token"
  3. Create three feeds on csirtg (uce-urls, uce-ip, uce-email-addresses)
  4. A csirtg feed; within csirtg:
       1. Select (the plus sign)
       2. Select Feed
       3. Choose a feed name (e.g. port scanners)
       4. Choose a feed description (hosts blocked in firewall logs)
  5. A Linux mail server with procmail installed

Install

  1. SSH into your email server with procmail installed
  2. git clone the wf-email repo

       git clone https://github.com/giovino/wf-email.git

  3. Create a virtual environment within the wf-email directory

       cd wf-email
       virtualenv venv
       source venv/bin/activate

  4. Install py-cgmail and py-csirtgsdk within the virtual environment.
  5. Copy the config file '.csirtg.yml' to your home directory

       cp .csirtg.yml ~/.csirtg.yml

  6. Fill out the required values in the .csirtg.yml file
  7. Use procmail to pipe spam email to the script on standard input. This is only an example; customize it for your environment.

       # Process spam emails to have the email addresses in the message body submitted
       # to csirtg
       :0 c
       * ^X-Spam-Level: \*\*\*\*\*
       | /path/to/venv/bin/python2.7 /path/to/wf-email.py
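The recipe above hands the script one raw, attacker-controlled message on standard input. The following is an added sketch, not the repository's wf-email.py and not the py-cgmail or py-csirtgsdk API, of the parsing step such a filter needs: decode the body parts, extract addresses with a conservative pattern, and shape them for the uce-email-addresses feed. The function names, the record layout and the tags are assumptions, and the submission to csirtg is left out.

```python
import email
import re
import sys
from email import policy

# Conservative pattern so arbitrary body bytes are never forwarded as an indicator.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,24}")
FEED = "uce-email-addresses"  # feed name from the requirements list above


def body_addresses(raw_message: bytes) -> list:
    """Return the unique, lower-cased addresses found in text body parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        try:
            text = part.get_content()  # undoes base64 / quoted-printable
        except (LookupError, UnicodeError, ValueError):
            continue  # unknown or broken charset: skip the part, do not crash
        for addr in ADDR_RE.findall(text):
            addr = addr.lower()
            if addr not in found:
                found.append(addr)
    return found


def to_records(addresses, feed=FEED):
    """Shape addresses as dicts; this layout is an assumption, not the SDK's."""
    return [{"feed": feed, "indicator": a, "tags": ["uce", "email-address"]} for a in addresses]


# Constructed sample (not real spam); "=40" is a quoted-printable "@".
SAMPLE = (
    b"From: sender@example.net\r\n"
    b"X-Spam-Level: *****\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Reply to Claims=40example.com or claims=40example.com\r\n"
)

if __name__ == "__main__":
    # procmail pipes the message on stdin; run from a terminal to use the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    for record in to_records(body_addresses(raw)):
        print(record)
```

A pattern match over the raw bytes would miss the address in the sample because of the transfer encoding, which is why the body is decoded before matching.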
