Skip to content
/ es_email_intel Public
forked from xujun10110/es_email_intel

Extract IOCs from emails, store them in ElasticSearch, and generate mails and feeds based on the data

2 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

clverhack/es_email_intel

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
1x1.png
1x1.png
 
 
README.md
README.md
 
 
bounceback_es.py
bounceback_es.py
 
 
common_functions.py
common_functions.py
 
 
domain_exceptions.py
domain_exceptions.py
 
 
es_query_domain_feed.py
es_query_domain_feed.py
 
 
es_query_domain_outhtml_outmail.py
es_query_domain_outhtml_outmail.py
 
 
es_query_ipv4_feed.py
es_query_ipv4_feed.py
 
 
es_query_ipv4_feed_tagged.py
es_query_ipv4_feed_tagged.py
 
 
es_query_ipv4_outhtml_outmail.py
es_query_ipv4_outhtml_outmail.py
 
 
es_query_md5_feed.py
es_query_md5_feed.py
 
 
es_query_md5_outhtml_outmail.py
es_query_md5_outhtml_outmail.py
 
 
es_query_url_feed.py
es_query_url_feed.py
 
 
external_lookups.py
external_lookups.py
 
 
fortunes.py
fortunes.py
 
 
gen_wordcloud.py
gen_wordcloud.py
 
 
ip_exceptions.py
ip_exceptions.py
 
 
mail_parser2json_extract.py
mail_parser2json_extract.py
 
 
url_exceptions.py
url_exceptions.py
 
 
whitelist_domains.txt
whitelist_domains.txt
 
 

Repository files navigation

es_email_intel

Procmail config:

Standard email list extraction:

:0cr

Shoot a mail back to the originator with the extracted IOCs:

:0cr

  • ^To.extract@userid.org. | /usr/local/bin/python /home/pierre/es_email_intel/mail_parser2json.py 1

Crontab entries:

00 04 * * * /bin/sh /home/pierre/es_email_intel/es_feeder.sh 30 06 * * * /usr/local/bin/python /home/pierre/es_email_intel/es_query_ipv4_outhtml_outmail.py 35 06 * * * /usr/local/bin/python /home/pierre/es_email_intel/es_query_domain_outhtml_outmail.py 40 06 * * * /usr/local/bin/python /home/pierre/es_email_intel/es_query_md5_outhtml_outmail.py

Not included, the feeder script, but it's invoked like this:

/usr/local/bin/python /home/pierre/es_email_intel/es_query_ipv4_feed.py > /tmp/es_ipv4feed.txt

==

You'll obviously need to setup your own ElasticSearch box. I also backend to some external boxes for things, you'll need to fix or replace those entries.

About

Extract IOCs from emails, store them in ElasticSearch, and generate mails and feeds based on the data

Resources

Readme
Activity

Stars

2 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%