A script to submit email intelligence to csirtg
- To demonstrate how to interact with csirtg using the csirtg SDK
- A csirtg account
- A csirtg account token; within csirtg:
  - Select your username
  - Select "Tokens"
  - Select "Generate Token"
- Three feeds on csirtg to receive the indicators (uce-urls, uce-ip, uce-email-addresses); for each one, within csirtg:
  - Select the plus sign
  - Select "Feed"
  - Choose a feed name (e.g. uce-urls)
  - Choose a feed description (e.g. URLs seen in spam message bodies)
- A Linux mail server with procmail installed
- SSH into the mail server
- Clone the wf-email repo:

```shell
git clone https://github.com/giovino/wf-email.git
```

- Create a virtual environment inside the wf-email directory and activate it:

```shell
cd wf-email
virtualenv venv
source venv/bin/activate
```

- With the virtual environment active, install py-cgmail and py-csirtgsdk into it (not into the system Python), so the interpreter that procmail invokes can import them.
- Copy the config file '.csirtg.yml' to your home directory:

```shell
cp .csirtg.yml ~/.csirtg.yml
```

- Fill out the required values in ~/.csirtg.yml. The file holds your csirtg token, so restrict it to your own user (mode 0600).
- Use procmail to pipe messages flagged as spam into the script on standard input. The recipe below is only an example (it keys on SpamAssassin's X-Spam-Level header); adjust the condition and the paths to your setup.

```
# Process spam emails to have the email addresses in the message body submitted
# to csirtg.
# ":0 c" runs the recipe on a copy, so the message still continues to normal
# delivery. The condition matches five or more stars in X-Spam-Level, i.e. a
# SpamAssassin score of 5 or higher.
:0 c
* ^X-Spam-Level: \*\*\*\*\*
| /path/to/venv/bin/python2.7 /path/to/wf-email.py
```
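To make the pipeline concrete, here is an added example; it is not the wf-email script and not code from the csirtg project. It is a Python 3 script that takes the raw message procmail pipes in on stdin, pulls URLs, IPv4 addresses and e-mail addresses out of the text parts, and routes each to one of the three feeds above. The submission step assumes the `Client`/`Indicator` interface of py-csirtgsdk and the `https://csirtg.io/api` endpoint, and reads the account name and token from the environment variables `CSIRTG_USER` and `CSIRTG_TOKEN` (the wf-email script reads them from `.csirtg.yml` instead). The regexes, the private-range filter, the type-to-feed mapping and the sample message are this example's own.

```python
"""Added example: extract spam indicators from a message on stdin and
route them to the csirtg feeds named in this README (not the wf-email script).
"""
import email
import ipaddress
import os
import re
import sys
from email import policy

# Feed names from the README; which indicator type goes to which feed is this
# example's own mapping.
FEEDS = {
    'url': 'uce-urls',
    'ipv4': 'uce-ip',
    'email': 'uce-email-addresses',
}

URL_RE = re.compile(r'https?://[^\s<>"\'\)\]]+', re.IGNORECASE)
IPV4_RE = re.compile(r'(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])')
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')

# Addresses that are never useful as shared intelligence: RFC 1918 space and
# loopback come from internal hosts and signatures, not from the spammer.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8')]

# Constructed sample message (RFC 5737 documentation addresses) so the
# extraction can be exercised offline.
SAMPLE_MESSAGE = """\
From: offers@bulk-mailer.example
To: victim@corp.example
Subject: Limited offer
X-Spam-Level: ******
Content-Type: text/plain; charset=us-ascii

Claim your prize at http://198.51.100.23/claim?id=7 or https://prize.example.net/win.
Reply to winner-desk@prize.example.net. Our server 10.0.0.5 is for internal use.
"""


def message_body(raw):
    """Return the decoded text of every text/* part of an RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    return '\n'.join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == 'text')


def extract_indicators(body):
    """Return {'url': set, 'ipv4': set, 'email': set} found in the body text."""
    urls = {u.rstrip('.,;:') for u in URL_RE.findall(body)}
    ips = set()
    for cand in IPV4_RE.findall(body):
        try:
            ip = ipaddress.IPv4Address(cand)  # rejects 999.1.1.1-style matches
        except ValueError:
            continue
        if not any(ip in net for net in PRIVATE_NETS):
            ips.add(str(ip))
    emails = set(EMAIL_RE.findall(body))
    return {'url': urls, 'ipv4': ips, 'email': emails}


def route(indicators):
    """Pair each indicator with its destination feed, in a stable order."""
    return [(FEEDS[kind], value)
            for kind in FEEDS
            for value in sorted(indicators.get(kind, ()))]


def submit(indicators, user, token, remote='https://csirtg.io/api'):
    """Submit each indicator with py-csirtgsdk.

    Assumption: the SDK's Client/Indicator interface and the csirtg.io API
    endpoint. Imported lazily so the extraction above runs without the SDK.
    """
    from csirtgsdk.client import Client
    from csirtgsdk.indicator import Indicator

    cli = Client(token=token, remote=remote)
    sent = []
    for feed, value in route(indicators):
        Indicator(cli, {'user': user, 'feed': feed, 'indicator': value,
                        'tags': 'uce',
                        'description': 'seen in spam message body'}).submit()
        sent.append((feed, value))
    return sent


if __name__ == '__main__':
    # Invoked from procmail: the raw message arrives on stdin.
    found = extract_indicators(message_body(sys.stdin.read()))
    for feed, value in submit(found, os.environ['CSIRTG_USER'],
                              os.environ['CSIRTG_TOKEN']):
        print('submitted %s -> %s' % (value, feed))
```

The private-range filter is deliberately explicit rather than `ip.is_global`, because Python also classifies the RFC 5737 documentation ranges used in the sample as non-global; on real mail you may want to extend the list with your own address space, since IPs seen in spam bodies are often your own MX or a forwarding host rather than the sender's infrastructure.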