Пример #1
0
def process_text(body, origin_domain, sha):
    extract_urls = ExtractURL(body, origin_domain, sha)
    suspicious_urls = set(extract_urls.processing())
    indicators = extract_urls.indicators
    tok = Tokenizer(body, sha)
    passwordlist = tok.processing()
    return indicators, list(suspicious_urls), passwordlist
Пример #2
0
def process_attachement(attachment, detected_content_type, detected_file_name, origin_domain, passwordlist, sha):
    indicators = 0
    payload_results = []
    suspicious_urls = set()
    try:
        mpart_attachment = mime.from_string(attachment)
        if mpart_attachment.content_type.is_multipart():
            for p in mpart_attachment.walk():
                detected_content_type = str(p.detected_content_type)
                filename = detected_file_name
                ind, s_urls, payload_r = process_attachement(p.body, detected_content_type, filename, origin_domain, passwordlist, sha)
                indicators += ind
                suspicious_urls |= set(s_urls)
                payload_results += payload_r
    except DecodingError:
        # Binary attachement
        pass
    extract_urls = ExtractURL(attachment, origin_domain, sha)
    suspicious_urls |= set(extract_urls.processing())
    indicators += extract_urls.indicators
    content_type = detected_content_type
    filename = detected_file_name
    if filename is not None and len(filename) > 0:
        passwordlist.append(filename)
        prefix, suffix = os.path.splitext(filename)
        passwordlist.append(prefix)
    passwordlist = [i for i in passwordlist if len(i) > 1]
    r_indicators, is_archive, r = process_payload(filename, attachment, content_type, origin_domain, passwordlist, sha)
    r['filename'] = filename
    r['content_type'] = content_type
    indicators += r_indicators
    payload_results.append(r)
    return indicators, list(suspicious_urls), is_archive, payload_results
Пример #3
0
    subject = msg.subject
    passwordlist = ["password", "passw0rd", "infected", "qwerty", "malicious",
                    "archive", "zip"]
    indicators = 0

    examine_headers = ExamineHeaders(msg)
    origin_ip, rbl_listed, rbl_comment, mailfrom, mailto, origin_domain = examine_headers.processing()
    indicators += examine_headers.indicators

    attachements = []
    payload_results = []
    suspicious_urls = set()

    if msg.content_type.is_multipart():
        for p in msg.walk():
            extract_urls = ExtractURL(p.body, origin_domain)
            suspicious_urls |= set(extract_urls.processing())
            indicators += extract_urls.indicators
            if p.is_body():
                content = p.body
                tok = Tokenizer(content)
                passwordlist += tok.processing()
                # TODO process that string
            elif p.is_attachment() or p.is_inline():
                content_type = p.detected_content_type
                filename = p.detected_file_name
                attachements.append((filename, content_type))
                if filename is not None and len(filename) > 0:
                    passwordlist.append(filename)
                    prefix, suffix = os.path.splitext(filename)
                    passwordlist.append(prefix)
Пример #4
0
        "zip"
    ]
    indicators = 0

    examine_headers = ExamineHeaders(msg)
    origin_ip, rbl_listed, rbl_comment, mailfrom, mailto, origin_domain = examine_headers.processing(
    )
    indicators += examine_headers.indicators

    attachements = []
    payload_results = []
    suspicious_urls = set()

    if msg.content_type.is_multipart():
        for p in msg.walk():
            extract_urls = ExtractURL(p.body, origin_domain)
            suspicious_urls |= set(extract_urls.processing())
            indicators += extract_urls.indicators
            if p.is_body():
                content = p.body
                tok = Tokenizer(content)
                passwordlist += tok.processing()
                # TODO process that string
            elif p.is_attachment() or p.is_inline():
                content_type = p.detected_content_type
                filename = p.detected_file_name
                attachements.append((filename, content_type))
                if filename is not None and len(filename) > 0:
                    passwordlist.append(filename)
                    prefix, suffix = os.path.splitext(filename)
                    passwordlist.append(prefix)