Phish2MISP v.1.0 released
We are happy to announce the release of Phish2MISP, a small Python script that can be used to gather information related to a phishing site and add it as an event in MISP.
We have often had phishing sites that needed to be added to MISP as events, and have spent time gathering the relevant attributes.
With Phish2MISP we have tried to make this as easy as possible.
Relevant information from a phishing site
In this first released version we have attempted to gather the minimal relevant information, and we are collecting:
URL
Hostname and IP
Domain name and IP
Target
Screenshot
The phishing site
Getting data into MISP
Phish2MISP uses CutyCapt for the screenshot part; beyond that, it automates the collection of attributes.
That will automatically create the event in MISP
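The attribute collection described above can be pictured with the following added example, which is not code from Phish2MISP itself. It derives the URL, hostname, domain, IP and target attributes for one phishing URL and assembles a MISP-style event dictionary; the function names, the injected resolver and the sample URL, addresses and target are assumptions constructed for illustration, and the screenshot attachment is left out.

```python
import ipaddress
import json
from urllib.parse import urlsplit

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def naive_domain(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def build_phish_event(url, target, resolve, tags=("tlp:green",)):
    """Build a MISP-style event dict; resolve(name) -> list of IPs, injected to run offline."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError("URL has no host: %r" % url)
    attrs = [("Network activity", "url", url)]
    if is_ip(host):  # bare-IP URL: no hostname or domain attribute to add
        attrs.append(("Network activity", "ip-dst", host))
    else:
        domain = naive_domain(host)
        names = [("hostname", host)] if host != domain else []
        names.append(("domain", domain))
        seen = set()
        for atype, name in names:
            attrs.append(("Network activity", atype, name))
            for ip in resolve(name):
                if ip not in seen:  # do not repeat an IP shared by host and domain
                    seen.add(ip)
                    attrs.append(("Network activity", "ip-dst", ip))
    attrs.append(("Targeting data", "target-org", target))
    return {"Event": {
        "info": "Phishing site targeting %s" % target,
        "distribution": 0,      # MISP: 0 = your organisation only
        "threat_level_id": 3,   # MISP: 3 = Low
        "analysis": 0,          # MISP: 0 = Initial
        "Tag": [{"name": t} for t in tags],
        "Attribute": [{"category": c, "type": t, "value": v} for c, t, v in attrs],
    }}

SAMPLE_URL = "https://login.bank-portal.example/signin"  # constructed sample data
SAMPLE_DNS = {"login.bank-portal.example": ["203.0.113.10"],
              "bank-portal.example": ["203.0.113.10", "203.0.113.11"]}

if __name__ == "__main__":
    resolver = lambda name: SAMPLE_DNS.get(name, [])
    print(json.dumps(build_phish_event(SAMPLE_URL, "Example Bank", resolver), indent=2))
```

Passing the resolver in as a function keeps DNS lookups out of the event-building logic, so the same code can be exercised against recorded answers instead of live queries.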
Configure Phish2MISP
In the configuration sample below we are using Tor as a proxy when visiting the phishing site:

    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-

    misp_url = 'https://<YOUR MISP INSTANCE>/'
    misp_key = '<MISP API KEY> '
    misp_verifycert = True
    misp_tags = ['tlp:green', 'misp-galaxy:financial-fraud="Phishing"']
    # 0 = Organisation only, 1 = This community only, 2 = Connected communities,
    # 3 = All communities, 4 = Sharing Group
    misp_distribution = 0
    sharing_group_id = 1      # Only to be used in combination with misp_distribution = 4
    misp_threat_level_id = 1  # MISP values: 1 = High, 2 = Medium, 3 = Low, 4 = Undefined
    misp_analysis = 0         # MISP values: 0 = Initial, 1 = Ongoing, 2 = Completed
    auto_publish = True       # True means auto publish event, False will not publish event
    make_screenshot = True
    misp_proxies = { }
The code can be fetched from GitHub at the following URL: https://github.com/eCrimeLabs/phish2MISP/