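def _make_mail(self, tup):
    """Build the report dict for one incoming mail tuple.

    Args:
        tup: incoming tuple; ``tup.values`` is read positionally:
            [0] the raw mail (a file path or the mail text, depending on [5]),
            [1] mail server, [2] mailbox, [3] priority,
            [4] the argument handed to ``self.parser.get_server_ipaddress``
            (presumably the trust string used to pick the sender IP — confirm),
            [5] mail type, a key of ``self.mailparser``,
            [6] iterable of header names to copy into ``custom_<name>`` keys.

    Returns:
        tuple: ``(sha256_rand, mail)`` — the body SHA-256 plus a random
        ``_`` + 10-digit suffix, and the report dict.

    Raises:
        KeyError: presumably, when ``tup.values[5]`` is not a key of
        ``self.mailparser`` (it is indexed directly).
    """
    raw_mail = tup.values[0]
    mail_type = tup.values[5]

    # Suffix so two mails with the same body still get distinct ids;
    # it is only for uniqueness, not a secret.
    rand = '_' + ''.join(random.choice('0123456789') for _ in range(10))

    self.parser = self.mailparser[mail_type](raw_mail)

    # get only the main headers because this number can explode:
    # Elastic can't manage all possible headers as separate fields
    mail = self.parser.mail_partial
    mail["headers"] = self.parser.headers_json

    # Data mail sources
    mail["mail_server"] = tup.values[1]
    mail["mailbox"] = tup.values[2]
    mail["priority"] = tup.values[3]
    mail["sender_ip"] = self.parser.get_server_ipaddress(tup.values[4])

    # Fingerprints of body mail
    (mail["md5"], mail["sha1"], mail["sha256"],
     mail["sha512"], mail["ssdeep"]) = fingerprints(
        self.parser.body.encode('utf-8'))
    sha256_rand = mail["sha256"] + rand

    if mail_type in (MAIL_PATH, MAIL_PATH_OUTLOOK):
        # File name without the ".processing" marker the spout appends
        mail_file = raw_mail.split("/")[-1].replace(".processing", "")
        self.log("{}: {}".format(mail_file, mail["sha256"]))

        # NOTE(review): text-mode read, so "size" is a character count in
        # the default encoding rather than the byte size, and undecodable
        # bytes would raise here — confirm which semantics are wanted
        with open(raw_mail) as f:
            mail["size"] = len(f.read())

        # Add path to result (only for plain MAIL_PATH, as before)
        if mail_type == MAIL_PATH:
            mail["mail_file"] = mail_file

    elif mail_type == MAIL_STRING:
        # Fixed: the original used ``in (MAIL_STRING)``, which is not a
        # tuple — it was a substring test on a str constant (or a
        # TypeError on a non-str one). Equality is what was meant.
        mail["size"] = len(raw_mail)

    # Dates: fall back to the processing time when the mail has none
    date = mail.get('date')
    if date:
        mail["date"] = date.isoformat()
    else:
        mail["date"] = datetime.datetime.utcnow().isoformat()
    # Key spelling is part of the stored schema; do not "correct" it
    mail["analisys_date"] = datetime.datetime.utcnow().isoformat()

    # Adding custom headers
    for h in tup.values[6]:
        mail["custom_" + h] = get_header(self.parser.message, h)

    # Remove attachments: they are not part of this report
    mail.pop("attachments", None)

    return sha256_rand, mail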
def get_dialect_fingerprints(dialect):
    """Return the fingerprints of the string form of a dialect.

    Arguments:
        dialect {list} -- output of get_dialect

    Returns:
        namedtuple -- fingerprints md5, sha1, sha256, sha512, ssdeep of
        ``get_dialect_str(dialect)``
    """
    return fingerprints(get_dialect_str(dialect))
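def _make_mail(self, tup):
    """Parse one incoming mail tuple and build its report dict.

    Args:
        tup: incoming tuple; ``tup.values`` is read positionally:
            [0] the raw mail (a file path when [5] is ``PATH``, else the
            mail text), [1] mail server, [2] mailbox, [3] priority,
            [4] the argument handed to ``self.parser.get_server_ipaddress``
            (presumably the trust string used to pick the sender IP — confirm),
            [5] mail format, either ``STRING`` or ``PATH``.

    Returns:
        tuple: ``(sha256_rand, mail)`` — the body SHA-256 plus a random
        ``_`` + 10-digit suffix, and the report dict.

    Raises:
        InvalidMailFormat: if ``tup.values[5]`` is neither ``STRING`` nor
            ``PATH``.
        IOError: if the format is ``PATH`` and the file does not exist.
    """
    raw_mail = tup.values[0]
    mail_format = tup.values[5]

    # Suffix so two mails with the same body still get distinct ids;
    # it is only for uniqueness, not a secret.
    rand = '_' + ''.join(random.choice('0123456789') for _ in range(10))

    # Check if kind_data is correct
    if mail_format not in (STRING, PATH):
        raise InvalidMailFormat(
            "Invalid mail format {!r}. Choose {!r} or {!r}".format(
                mail_format, STRING, PATH))

    # Parsing mail
    if mail_format == PATH:
        # Fixed: a nonexistent path was not rejected here, so the tuple
        # went on with content that was not this file's (the parser's
        # previous state, or the path string parsed as a mail). Fail loudly
        # instead so the tuple is not reported with wrong content.
        if not os.path.exists(raw_mail):
            raise IOError("Mail file {!r} does not exist".format(raw_mail))
        self.parser.parse_from_file(raw_mail)
    else:
        self.parser.parse_from_string(raw_mail)

    # Getting all parts
    mail = self.parser.parsed_mail_obj

    # Data mail sources
    mail["mail_server"] = tup.values[1]
    mail["mailbox"] = tup.values[2]
    mail["priority"] = tup.values[3]
    mail["sender_ip"] = self.parser.get_server_ipaddress(tup.values[4])

    # Fingerprints of body mail
    (mail["md5"], mail["sha1"], mail["sha256"],
     mail["sha512"], mail["ssdeep"]) = fingerprints(
        self.parser.body.encode('utf-8'))
    sha256_rand = mail["sha256"] + rand

    # Add path to result
    if mail_format == PATH:
        mail["path_mail"] = raw_mail

    # Dates: fall back to the processing time when the mail has none
    date = mail.get('date')
    if date:
        mail["date"] = date.isoformat()
    else:
        mail["date"] = datetime.datetime.utcnow().isoformat()
    # Key spelling is part of the stored schema; do not "correct" it
    mail["analisys_date"] = datetime.datetime.utcnow().isoformat()

    # Remove attachments: they are not part of this report
    mail.pop("attachments", None)

    return sha256_rand, mail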
def _make_mail(self, tup):
    """Turn one incoming mail tuple into ``(sha256_rand, mail)``.

    ``tup.values`` is read positionally: [0] raw mail (path or text, as
    selected by [5]), [1] mail server, [2] mailbox, [3] priority, [4] the
    argument passed to ``self.parser.get_server_ipaddress`` (presumably the
    trust string used to pick the sender IP — confirm), [5] mail type (a key
    of ``self.mailparser``), [6] iterable of header names copied into
    ``custom_<name>`` keys.

    Returns the body SHA-256 plus a random ``_`` + 10-digit suffix, and the
    report dict. Indexing ``self.mailparser`` with an unknown type
    presumably raises KeyError.
    """
    values = tup.values
    raw_mail = values[0]
    mail_type = values[5]

    # Uniqueness suffix only; not a secret
    digits = '0123456789'
    suffix = '_' + ''.join(random.choice(digits) for _ in range(10))

    self.parser = self.mailparser[mail_type](raw_mail)
    mail = self.parser.mail

    # Data mail sources
    mail["mail_server"] = values[1]
    mail["mailbox"] = values[2]
    mail["priority"] = values[3]
    mail["sender_ip"] = self.parser.get_server_ipaddress(values[4])

    # Fingerprints of body mail (exactly five values are expected)
    body_bytes = self.parser.body.encode('utf-8')
    md5, sha1, sha256, sha512, ssdeep = fingerprints(body_bytes)
    mail.update(md5=md5, sha1=sha1, sha256=sha256,
                sha512=sha512, ssdeep=ssdeep)
    sha256_rand = sha256 + suffix

    # Add path to result
    if mail_type == MAIL_PATH:
        mail["path_mail"] = raw_mail

    # Dates: the processing time stands in when the mail has no date
    mail_date = mail.get('date')
    mail["date"] = (mail_date.isoformat() if mail_date
                    else datetime.datetime.utcnow().isoformat())
    # Key spelling is part of the stored schema; keep it as-is
    mail["analisys_date"] = datetime.datetime.utcnow().isoformat()

    # Adding custom headers
    for header_name in values[6]:
        mail["custom_" + header_name] = self.parser.message.get(header_name)

    # Attachments are not part of this report
    mail.pop("attachments", None)

    return sha256_rand, mail