amorfo77/parsedmarc
1
0
Fork 0
mirror of https://github.com/domainaware/parsedmarc.git synced 2026-02-18 23:46:25 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: amorfo77:copilot/refactor-codebase-typing-standards
Branches Tags
amorfo77:master amorfo77:copilot/optimize-tests-for-github-actions amorfo77:copilot/add-tcp-support-tls amorfo77:gh-pages amorfo77:copilot/add-google-secops-output-module amorfo77:copilot/fix-msgraph-root-not-found amorfo77:copilot/fix-logging-config-propagation amorfo77:copilot/fix-imap-sense-option amorfo77:copilot/improve-typing-for-library-users amorfo77:copilot/refactor-codebase-typing-standards amorfo77:9.0.0 amorfo77:update-elasticsearch-dsl amorfo77:ramspoluri-master
amorfo77:9.0.10 amorfo77:9.0.7 amorfo77:9.0.6 amorfo77:9.0.3 amorfo77:9.0.2 amorfo77:8.19.1 amorfo77:8.18.7 amorfo77:8.19.0 amorfo77:8.18.6 amorfo77:8.18.5 amorfo77:8.18.4 amorfo77:8.18.3 amorfo77:8.18.2 amorfo77:8.18.1 amorfo77:8.17.0 amorfo77:8.16.1 amorfo77:8.16.0 amorfo77:5.17.0 amorfo77:5.16.0 amorfo77:8.15.4 amorfo77:8.15.2 amorfo77:8.15.1
..
compare: amorfo77:9.0.0
Branches Tags
amorfo77:master amorfo77:copilot/optimize-tests-for-github-actions amorfo77:copilot/add-tcp-support-tls amorfo77:gh-pages amorfo77:copilot/add-google-secops-output-module amorfo77:copilot/fix-msgraph-root-not-found amorfo77:copilot/fix-logging-config-propagation amorfo77:copilot/fix-imap-sense-option amorfo77:copilot/improve-typing-for-library-users amorfo77:copilot/refactor-codebase-typing-standards amorfo77:9.0.0 amorfo77:update-elasticsearch-dsl amorfo77:ramspoluri-master
amorfo77:9.0.10 amorfo77:9.0.7 amorfo77:9.0.6 amorfo77:9.0.3 amorfo77:9.0.2 amorfo77:8.19.1 amorfo77:8.18.7 amorfo77:8.19.0 amorfo77:8.18.6 amorfo77:8.18.5 amorfo77:8.18.4 amorfo77:8.18.3 amorfo77:8.18.2 amorfo77:8.18.1 amorfo77:8.17.0 amorfo77:8.16.1 amorfo77:8.16.0 amorfo77:5.17.0 amorfo77:5.16.0 amorfo77:8.15.4 amorfo77:8.15.2 amorfo77:8.15.1

27 Commits
copilot/re ... 9.0.0

Author SHA1 Message Date
Sean Whalen
110c6e507d Update docs 2025-12-01 17:04:37 -05:00
Sean Whalen
c8cdd90a1e Normalize timespans for aggregate reports in Elasticsearch and Opensearch 2025-12-01 16:34:40 -05:00
Sean Whalen
46a62cc10a Update launch configuration and metadata key for timespan in aggregate report 2025-12-01 16:10:41 -05:00
Sean Whalen
67fe009145 Add sources my name table to the Kibana DMARC Summary dashboard 
This matches the table in the Splunk DMARC  Aggregate reports dashboard
 2025-11-30 19:43:14 -05:00
Sean Whalen
e405e8fa53 Update changelog to correct timespan threshold for DMARC report normalization 2025-11-30 16:17:07 -05:00
Sean Whalen
a72d08ceb7 Refactor configuration loading for normalize_timespan_threshold_hours 2025-11-30 16:16:32 -05:00
Sean Whalen
2785e3df34 More fixes for normalize_timespan_threshold_hours: 2025-11-30 13:56:50 -05:00
Sean Whalen
f4470a7dd2 Fix normalize_timespan_threshold_hours 2025-11-30 13:46:21 -05:00
Sean Whalen
18b9894a1f Code formatting 2025-11-30 12:40:09 -05:00
Sean Whalen
d1791a97d3 Make timespan normalization hours configurable, with a 24.0 default 2025-11-30 12:23:38 -05:00
Sean Whalen
47ca6561c1 Fix changelog version 2025-11-30 10:46:48 -05:00
Sean Whalen
a0e18206ce Bump version to 9.0.0 2025-11-29 23:01:04 -05:00
Sean Whalen
9e4ffdd54c Add interval_begin, interval_end, and normalized_timespan to the Splunk report 2025-11-29 21:32:33 -05:00
Sean Whalen
434bd49eb3 Fix normalized_timespan in CSV output for aggregate reports 2025-11-29 21:23:39 -05:00
Sean Whalen
589038d2c9 Add normalized_timespan to CSV output for aggregate reports 2025-11-29 21:17:27 -05:00
Sean Whalen
c558224671 Rename normalized_timespan to timespan_requires_normalization and include interval_begin and interval_end in CSV output 2025-11-29 21:16:30 -05:00
Sean Whalen
044aa9e9a0 Include interval_begin in splunk output for accurate timestamping 2025-11-29 20:50:13 -05:00
Sean Whalen
6270468d30 Remove unneeded fields 2025-11-29 17:13:24 -05:00
Sean Whalen
832be7cfa3 Clean up imports 2025-11-29 16:56:12 -05:00
Sean Whalen
04dd11cf54 Fix formatting 2025-11-29 16:51:57 -05:00
Sean Whalen
0b41942916 Always include interval_begin and interval_end in records 2025-11-29 16:46:03 -05:00
Sean Whalen
f14a34202f Add morse type hints 2025-11-29 16:33:40 -05:00
Sean Whalen
daa6653c29 Bump version to 8.20.0 and update changelog for new report volume normalization 2025-11-29 15:26:25 -05:00
Sean Whalen
45d1093a99 Normalize report volumes when a report timespan exceed 24 hours 2025-11-29 14:52:57 -05:00
Sean Whalen
c1a757ca29 Remove outdated launch config 2025-11-29 14:45:21 -05:00
Sean Whalen
69b9d25a99 Revert code formatting 2025-11-29 14:14:54 -05:00
Sean Whalen
94d65f979d Code formatting 2025-11-29 14:04:20 -05:00
34 changed files with 1037 additions and 1360 deletions
Expand all files Collapse all files

10
.github/workflows/docker.yml vendored
View File

@@ -24,11 +24,11 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v5
uses: actions/checkout@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@v3
with:
images: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -40,14 +40,16 @@ jobs:
type=semver,pattern={{major}}.{{minor}}
- name: Log in to the Container registry
uses: docker/login-action@v3
# https://github.com/docker/login-action/releases/tag/v2.0.0
uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v6
# https://github.com/docker/build-push-action/releases/tag/v3.0.0
uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8
with:
context: .
push: ${{ github.event_name == 'release' }}

12
.github/workflows/python-tests.yml vendored
View File

@@ -15,7 +15,7 @@ jobs:
services:
elasticsearch:
image: elasticsearch:8.19.7
image: elasticsearch:8.18.2
env:
discovery.type: single-node
cluster.name: parsedmarc-cluster
@@ -33,15 +33,15 @@ jobs:
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install system dependencies
run: |
sudo apt-get -q update
sudo apt-get -qy install libemail-outlook-message-perl
sudo apt-get update
sudo apt-get install -y libemail-outlook-message-perl
- name: Install Python dependencies
run: |
python -m pip install --upgrade pip
@@ -65,6 +65,6 @@ jobs:
run: |
hatch build
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}

16
.vscode/settings.json vendored
View File

@@ -1,14 +1,4 @@
{
"[python]": {
"editor.defaultFormatter": "charliermarsh.ruff",
"editor.formatOnSave": true,
// Let Ruff handle lint fixes + import sorting on save
"editor.codeActionsOnSave": {
"source.fixAll.ruff": "explicit",
"source.organizeImports.ruff": "explicit"
}
},
"markdownlint.config": {
"MD024": false
},
@@ -46,7 +36,6 @@
"exampleuser",
"expiringdict",
"fieldlist",
"GELF",
"genindex",
"geoip",
"geoipupdate",
@@ -76,20 +65,17 @@
"mailrelay",
"mailsuite",
"maxdepth",
"MAXHEADERS",
"maxmind",
"mbox",
"mfrom",
"michaeldavie",
"mikesiegel",
"Mimecast",
"mitigations",
"MMDB",
"modindex",
"msgconvert",
"msgraph",
"MSSP",
"multiprocess",
"Munge",
"ndjson",
"newkey",
@@ -100,7 +86,6 @@
"nosniff",
"nwettbewerb",
"opensearch",
"opensearchpy",
"parsedmarc",
"passsword",
"Postorius",
@@ -138,7 +123,6 @@
"truststore",
"Übersicht",
"uids",
"Uncategorized",
"unparasable",
"uper",
"urllib",

605
CHANGELOG.md
View File

File diff suppressed because it is too large Load Diff

31
README.md
View File

@@ -23,10 +23,11 @@ ProofPoint Email Fraud Defense, and Valimail.
## Help Wanted
This project is maintained by one developer. Please consider reviewing the open
[issues](https://github.com/domainaware/parsedmarc/issues) to see how you can
contribute code, documentation, or user support. Assistance on the pinned
issues would be particularly helpful.
This project is maintained by one developer. Please consider
reviewing the open
[issues](https://github.com/domainaware/parsedmarc/issues) to see how
you can contribute code, documentation, or user support. Assistance on
the pinned issues would be particularly helpful.
Thanks to all
[contributors](https://github.com/domainaware/parsedmarc/graphs/contributors)!
@@ -41,24 +42,6 @@ Thanks to all
- Consistent data structures
- Simple JSON and/or CSV output
- Optionally email the results
- Optionally send the results to Elasticsearch, Opensearch, and/or Splunk, for
use with premade dashboards
- Optionally send the results to Elasticsearch, Opensearch, and/or Splunk, for use
with premade dashboards
- Optionally send reports to Apache Kafka
## Python Compatibility
This project supports the following Python versions, which are either actively maintained or are the default versions
for RHEL or Debian.
| Version | Supported | Reason |
|---------|-----------|------------------------------------------------------------|
| < 3.6 | ❌ | End of Life (EOL) |
| 3.6 | ❌ | Used in RHEL 8, but not supported by project dependencies |
| 3.7 | ❌ | End of Life (EOL) |
| 3.8 | ❌ | End of Life (EOL) |
| 3.9 | ✅ | Supported until August 2026 (Debian 11); May 2032 (RHEL 9) |
| 3.10 | ✅ | Actively maintained |
| 3.11 | ✅ | Actively maintained; supported until June 2028 (Debian 12) |
| 3.12 | ✅ | Actively maintained; supported until May 2035 (RHEL 10) |
| 3.13 | ✅ | Actively maintained; supported until June 2030 (Debian 13) |
| 3.14 | ❌ | Not currently supported due to Not currently supported due to [this imapclient bug](https://github.com/mjs/imapclient/issues/618)|

3
build.sh
View File

@@ -9,11 +9,12 @@ fi
. venv/bin/activate
pip install .[build]
ruff format .
ruff check .
cd docs
make clean
make html
touch build/html/.nojekyll
if [ -d "../../parsedmarc-docs" ]; then
if [ -d "./../parsedmarc-docs" ]; then
cp -rf build/html/* ../../parsedmarc-docs/
fi
cd ..

10
docker-compose.yml
View File

@@ -1,6 +1,8 @@
version: '3.7'
services:
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:8.19.7
image: docker.elastic.co/elasticsearch/elasticsearch:8.3.1
environment:
- network.host=127.0.0.1
- http.host=0.0.0.0
@@ -12,7 +14,7 @@ services:
- xpack.security.enabled=false
- xpack.license.self_generated.type=basic
ports:
- "127.0.0.1:9200:9200"
- 127.0.0.1:9200:9200
ulimits:
memlock:
soft: -1
@@ -28,7 +30,7 @@ services:
retries: 24
opensearch:
image: opensearchproject/opensearch:2
image: opensearchproject/opensearch:2.18.0
environment:
- network.host=127.0.0.1
- http.host=0.0.0.0
@@ -39,7 +41,7 @@ services:
- bootstrap.memory_lock=true
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
ports:
- "127.0.0.1:9201:9200"
- 127.0.0.1:9201:9200
ulimits:
memlock:
soft: -1

2
docs/source/conf.py
View File

@@ -20,7 +20,7 @@ from parsedmarc import __version__
# -- Project information -----------------------------------------------------
project = "parsedmarc"
copyright = "2018 - 2025, Sean Whalen and contributors"
copyright = "2018 - 2023, Sean Whalen and contributors"
author = "Sean Whalen and contributors"
# The version info for the project you're documenting, acts as replacement for

18
docs/source/index.md
View File

@@ -45,24 +45,6 @@ and Valimail.
with premade dashboards
- Optionally send reports to Apache Kafka
## Python Compatibility
This project supports the following Python versions, which are either actively maintained or are the default versions
for RHEL or Debian.
| Version | Supported | Reason |
|---------|-----------|------------------------------------------------------------|
| < 3.6 | ❌ | End of Life (EOL) |
| 3.6 | ❌ | Used in RHEL 8, but not supported by project dependencies |
| 3.7 | ❌ | End of Life (EOL) |
| 3.8 | ❌ | End of Life (EOL) |
| 3.9 | ✅ | Supported until August 2026 (Debian 11); May 2032 (RHEL 9) |
| 3.10 | ✅ | Actively maintained |
| 3.11 | ✅ | Actively maintained; supported until June 2028 (Debian 12) |
| 3.12 | ✅ | Actively maintained; supported until May 2035 (RHEL 10) |
| 3.13 | ✅ | Actively maintained; supported until June 2030 (Debian 13) |
| 3.14 | ❌ | Not currently supported due to [this imapclient bug](https://github.com/mjs/imapclient/issues/618)|
```{toctree}
:caption: 'Contents'
:maxdepth: 2

2
docs/source/installation.md
View File

@@ -199,7 +199,7 @@ sudo apt-get install libemail-outlook-message-perl
[geoipupdate releases page on github]: https://github.com/maxmind/geoipupdate/releases
[ip to country lite database]: https://db-ip.com/db/download/ip-to-country-lite
[license keys]: https://www.maxmind.com/en/accounts/current/license-key
[maxmind geoipupdate page]: https://dev.maxmind.com/geoip/updating-databases/
[maxmind geoipupdate page]: https://dev.maxmind.com/geoip/geoipupdate/
[maxmind geolite2 country database]: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
[registering for a free geolite2 account]: https://www.maxmind.com/en/geolite2/signup
[to comply with various privacy regulations]: https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/

6
docs/source/usage.md
View File

@@ -172,7 +172,7 @@ The full set of configuration options are:
IDLE response or the number of seconds until the next
mail check (Default: `30`)
- `since` - str: Search for messages since certain time. (Examples: `5m|3h|2d|1w`)
Acceptable units - {"m":"minutes", "h":"hours", "d":"days", "w":"weeks"}.
Acceptable units - {"m":"minutes", "h":"hours", "d":"days", "w":"weeks"}).
Defaults to `1d` if incorrect value is provided.
- `imap`
- `host` - str: The IMAP server hostname or IP address
@@ -257,7 +257,7 @@ The full set of configuration options are:
:::
- `user` - str: Basic auth username
- `password` - str: Basic auth password
- `api_key` - str: API key
- `apiKey` - str: API key
- `ssl` - bool: Use an encrypted SSL/TLS connection
(Default: `True`)
- `timeout` - float: Timeout in seconds (Default: 60)
@@ -280,7 +280,7 @@ The full set of configuration options are:
:::
- `user` - str: Basic auth username
- `password` - str: Basic auth password
- `api_key` - str: API key
- `apiKey` - str: API key
- `ssl` - bool: Use an encrypted SSL/TLS connection
(Default: `True`)
- `timeout` - float: Timeout in seconds (Default: 60)

48
kibana/export.ndjson
View File

File diff suppressed because one or more lines are too long

721
parsedmarc/__init__.py
View File

File diff suppressed because it is too large Load Diff

54
parsedmarc/cli.py
View File

@@ -10,6 +10,7 @@ from glob import glob
import logging
import math
import yaml
from collections import OrderedDict
import json
from ssl import CERT_NONE, create_default_context
from multiprocessing import Pipe, Process
@@ -592,7 +593,7 @@ def _main():
elasticsearch_monthly_indexes=False,
elasticsearch_username=None,
elasticsearch_password=None,
elasticsearch_api_key=None,
elasticsearch_apiKey=None,
opensearch_hosts=None,
opensearch_timeout=60,
opensearch_number_of_shards=1,
@@ -604,7 +605,7 @@ def _main():
opensearch_monthly_indexes=False,
opensearch_username=None,
opensearch_password=None,
opensearch_api_key=None,
opensearch_apiKey=None,
kafka_hosts=None,
kafka_username=None,
kafka_password=None,
@@ -728,11 +729,11 @@ def _main():
)
exit(-1)
if "save_aggregate" in general_config:
opts.save_aggregate = general_config.getboolean("save_aggregate")
opts.save_aggregate = general_config["save_aggregate"]
if "save_forensic" in general_config:
opts.save_forensic = general_config.getboolean("save_forensic")
opts.save_forensic = general_config["save_forensic"]
if "save_smtp_tls" in general_config:
opts.save_smtp_tls = general_config.getboolean("save_smtp_tls")
opts.save_smtp_tls = general_config["save_smtp_tls"]
if "debug" in general_config:
opts.debug = general_config.getboolean("debug")
if "verbose" in general_config:
@@ -803,9 +804,8 @@ def _main():
if "ssl" in imap_config:
opts.imap_ssl = imap_config.getboolean("ssl")
if "skip_certificate_verification" in imap_config:
opts.imap_skip_certificate_verification = imap_config.getboolean(
"skip_certificate_verification"
)
imap_verify = imap_config.getboolean("skip_certificate_verification")
opts.imap_skip_certificate_verification = imap_verify
if "user" in imap_config:
opts.imap_user = imap_config["user"]
else:
@@ -981,12 +981,8 @@ def _main():
opts.elasticsearch_username = elasticsearch_config["user"]
if "password" in elasticsearch_config:
opts.elasticsearch_password = elasticsearch_config["password"]
# Until 8.20
if "apiKey" in elasticsearch_config:
opts.elasticsearch_apiKey = elasticsearch_config["apiKey"]
# Since 8.20
if "api_key" in elasticsearch_config:
opts.elasticsearch_apiKey = elasticsearch_config["api_key"]
if "opensearch" in config:
opensearch_config = config["opensearch"]
@@ -1021,12 +1017,8 @@ def _main():
opts.opensearch_username = opensearch_config["user"]
if "password" in opensearch_config:
opts.opensearch_password = opensearch_config["password"]
# Until 8.20
if "apiKey" in opensearch_config:
opts.opensearch_apiKey = opensearch_config["apiKey"]
# Since 8.20
if "api_key" in opensearch_config:
opts.opensearch_apiKey = opensearch_config["api_key"]
if "splunk_hec" in config.sections():
hec_config = config["splunk_hec"]
@@ -1183,9 +1175,7 @@ def _main():
)
opts.gmail_api_scopes = _str_to_list(opts.gmail_api_scopes)
if "oauth2_port" in gmail_api_config:
opts.gmail_api_oauth2_port = gmail_api_config.getint(
"oauth2_port", 8080
)
opts.gmail_api_oauth2_port = gmail_api_config.get("oauth2_port", 8080)
if "maildir" in config.sections():
maildir_api_config = config["maildir"]
@@ -1287,11 +1277,11 @@ def _main():
es_smtp_tls_index = "{0}{1}".format(prefix, es_smtp_tls_index)
elastic.set_hosts(
opts.elasticsearch_hosts,
use_ssl=opts.elasticsearch_ssl,
ssl_cert_path=opts.elasticsearch_ssl_cert_path,
username=opts.elasticsearch_username,
password=opts.elasticsearch_password,
api_key=opts.elasticsearch_api_key,
opts.elasticsearch_ssl,
opts.elasticsearch_ssl_cert_path,
opts.elasticsearch_username,
opts.elasticsearch_password,
opts.elasticsearch_apiKey,
timeout=opts.elasticsearch_timeout,
)
elastic.migrate_indexes(
@@ -1319,11 +1309,11 @@ def _main():
os_smtp_tls_index = "{0}{1}".format(prefix, os_smtp_tls_index)
opensearch.set_hosts(
opts.opensearch_hosts,
use_ssl=opts.opensearch_ssl,
ssl_cert_path=opts.opensearch_ssl_cert_path,
username=opts.opensearch_username,
password=opts.opensearch_password,
api_key=opts.opensearch_api_key,
opts.opensearch_ssl,
opts.opensearch_ssl_cert_path,
opts.opensearch_username,
opts.opensearch_password,
opts.opensearch_apiKey,
timeout=opts.opensearch_timeout,
)
opensearch.migrate_indexes(
@@ -1480,7 +1470,7 @@ def _main():
pbar.update(counter - pbar.n)
for result in results:
if isinstance(result[0], ParserError) or result[0] is None:
if type(result[0]) is ParserError:
logger.error("Failed to parse {0} - {1}".format(result[1], result[0]))
else:
if result[0]["report_type"] == "aggregate":
@@ -1531,7 +1521,7 @@ def _main():
if opts.imap_skip_certificate_verification:
logger.debug("Skipping IMAP certificate verification")
verify = False
if not opts.imap_ssl:
if opts.imap_ssl is False:
ssl = False
mailbox_connection = IMAPConnection(
@@ -1633,7 +1623,7 @@ def _main():
logger.exception("Mailbox Error")
exit(1)
results = dict(
results = OrderedDict(
[
("aggregate_reports", aggregate_reports),
("forensic_reports", forensic_reports),

3
parsedmarc/constants.py
View File

@@ -1,3 +1,2 @@
__version__ = "9.0.5"
__version__ = "9.0.0"
USER_AGENT = f"parsedmarc/{__version__}"

225
parsedmarc/elastic.py
View File

@@ -1,9 +1,6 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Optional, Union, Any
from collections import OrderedDict
from elasticsearch_dsl.search import Q
from elasticsearch_dsl import (
@@ -92,15 +89,15 @@ class _AggregateReportDoc(Document):
dkim_results = Nested(_DKIMResult)
spf_results = Nested(_SPFResult)
def add_policy_override(self, type_: str, comment: str):
def add_policy_override(self, type_, comment):
self.policy_overrides.append(_PolicyOverride(type=type_, comment=comment))
def add_dkim_result(self, domain: str, selector: str, result: _DKIMResult):
def add_dkim_result(self, domain, selector, result):
self.dkim_results.append(
_DKIMResult(domain=domain, selector=selector, result=result)
)
def add_spf_result(self, domain: str, scope: str, result: _SPFResult):
def add_spf_result(self, domain, scope, result):
self.spf_results.append(_SPFResult(domain=domain, scope=scope, result=result))
def save(self, **kwargs):
@@ -136,21 +133,21 @@ class _ForensicSampleDoc(InnerDoc):
body = Text()
attachments = Nested(_EmailAttachmentDoc)
def add_to(self, display_name: str, address: str):
def add_to(self, display_name, address):
self.to.append(_EmailAddressDoc(display_name=display_name, address=address))
def add_reply_to(self, display_name: str, address: str):
def add_reply_to(self, display_name, address):
self.reply_to.append(
_EmailAddressDoc(display_name=display_name, address=address)
)
def add_cc(self, display_name: str, address: str):
def add_cc(self, display_name, address):
self.cc.append(_EmailAddressDoc(display_name=display_name, address=address))
def add_bcc(self, display_name: str, address: str):
def add_bcc(self, display_name, address):
self.bcc.append(_EmailAddressDoc(display_name=display_name, address=address))
def add_attachment(self, filename: str, content_type: str, sha256: str):
def add_attachment(self, filename, content_type, sha256):
self.attachments.append(
_EmailAttachmentDoc(
filename=filename, content_type=content_type, sha256=sha256
@@ -202,15 +199,15 @@ class _SMTPTLSPolicyDoc(InnerDoc):
def add_failure_details(
self,
result_type: Optional[str] = None,
ip_address: Optional[str] = None,
receiving_ip: Optional[str] = None,
receiving_mx_helo: Optional[str] = None,
failed_session_count: Optional[int] = None,
sending_mta_ip: Optional[str] = None,
receiving_mx_hostname: Optional[str] = None,
additional_information_uri: Optional[str] = None,
failure_reason_code: Union[str, int, None] = None,
result_type,
ip_address,
receiving_ip,
receiving_mx_helo,
failed_session_count,
sending_mta_ip=None,
receiving_mx_hostname=None,
additional_information_uri=None,
failure_reason_code=None,
):
_details = _SMTPTLSFailureDetailsDoc(
result_type=result_type,
@@ -240,14 +237,13 @@ class _SMTPTLSReportDoc(Document):
def add_policy(
self,
policy_type: str,
policy_domain: str,
successful_session_count: int,
failed_session_count: int,
*,
policy_string: Optional[str] = None,
mx_host_patterns: Optional[list[str]] = None,
failure_details: Optional[str] = None,
policy_type,
policy_domain,
successful_session_count,
failed_session_count,
policy_string=None,
mx_host_patterns=None,
failure_details=None,
):
self.policies.append(
policy_type=policy_type,
@@ -265,25 +261,24 @@ class AlreadySaved(ValueError):
def set_hosts(
hosts: Union[str, list[str]],
*,
use_ssl: Optional[bool] = False,
ssl_cert_path: Optional[str] = None,
username: Optional[str] = None,
password: Optional[str] = None,
api_key: Optional[str] = None,
timeout: Optional[float] = 60.0,
hosts,
use_ssl=False,
ssl_cert_path=None,
username=None,
password=None,
apiKey=None,
timeout=60.0,
):
"""
Sets the Elasticsearch hosts to use
Args:
hosts (Union[str, list[str]]): A single hostname or URL, or list of hostnames or URLs
use_ssl (bool): Use an HTTPS connection to the server
hosts (str): A single hostname or URL, or list of hostnames or URLs
use_ssl (bool): Use a HTTPS connection to the server
ssl_cert_path (str): Path to the certificate chain
username (str): The username to use for authentication
password (str): The password to use for authentication
api_key (str): The Base64 encoded API key to use for authentication
apiKey (str): The Base64 encoded API key to use for authentication
timeout (float): Timeout in seconds
"""
if not isinstance(hosts, list):
@@ -296,14 +291,14 @@ def set_hosts(
conn_params["ca_certs"] = ssl_cert_path
else:
conn_params["verify_certs"] = False
if username and password:
if username:
conn_params["http_auth"] = username + ":" + password
if api_key:
conn_params["api_key"] = api_key
if apiKey:
conn_params["api_key"] = apiKey
connections.create_connection(**conn_params)
def create_indexes(names: list[str], settings: Optional[dict[str, Any]] = None):
def create_indexes(names, settings=None):
"""
Create Elasticsearch indexes
@@ -326,10 +321,7 @@ def create_indexes(names: list[str], settings: Optional[dict[str, Any]] = None):
raise ElasticsearchError("Elasticsearch error: {0}".format(e.__str__()))
def migrate_indexes(
aggregate_indexes: Optional[list[str]] = None,
forensic_indexes: Optional[list[str]] = None,
):
def migrate_indexes(aggregate_indexes=None, forensic_indexes=None):
"""
Updates index mappings
@@ -376,18 +368,18 @@ def migrate_indexes(
def save_aggregate_report_to_elasticsearch(
aggregate_report: dict[str, Any],
index_suffix: Optional[str] = None,
index_prefix: Optional[str] = None,
monthly_indexes: Optional[bool] = False,
number_of_shards: Optional[int] = 1,
number_of_replicas: Optional[int] = 0,
aggregate_report,
index_suffix=None,
index_prefix=None,
monthly_indexes=False,
number_of_shards=1,
number_of_replicas=0,
):
"""
Saves a parsed DMARC aggregate report to Elasticsearch
Args:
aggregate_report (dict): A parsed forensic report
aggregate_report (OrderedDict): A parsed forensic report
index_suffix (str): The suffix of the name of the index to save to
index_prefix (str): The prefix of the name of the index to save to
monthly_indexes (bool): Use monthly indexes instead of daily indexes
@@ -403,51 +395,7 @@ def save_aggregate_report_to_elasticsearch(
org_name = metadata["org_name"]
report_id = metadata["report_id"]
domain = aggregate_report["policy_published"]["domain"]
begin_date = human_timestamp_to_datetime(metadata["begin_date"], to_utc=True)
end_date = human_timestamp_to_datetime(metadata["end_date"], to_utc=True)
if monthly_indexes:
index_date = begin_date.strftime("%Y-%m")
else:
index_date = begin_date.strftime("%Y-%m-%d")
org_name_query = Q(dict(match_phrase=dict(org_name=org_name)))
report_id_query = Q(dict(match_phrase=dict(report_id=report_id)))
domain_query = Q(dict(match_phrase={"published_policy.domain": domain}))
begin_date_query = Q(dict(match=dict(date_begin=begin_date)))
end_date_query = Q(dict(match=dict(date_end=end_date)))
if index_suffix is not None:
search_index = "dmarc_aggregate_{0}*".format(index_suffix)
else:
search_index = "dmarc_aggregate*"
if index_prefix is not None:
search_index = "{0}{1}".format(index_prefix, search_index)
search = Search(index=search_index)
query = org_name_query & report_id_query & domain_query
query = query & begin_date_query & end_date_query
search.query = query
try:
existing = search.execute()
except Exception as error_:
begin_date_human = begin_date.strftime("%Y-%m-%d %H:%M:%SZ")
end_date_human = end_date.strftime("%Y-%m-%d %H:%M:%SZ")
raise ElasticsearchError(
"Elasticsearch's search for existing report \
error: {}".format(error_.__str__())
)
if len(existing) > 0:
raise AlreadySaved(
"An aggregate report ID {0} from {1} about {2} "
"with a date range of {3} UTC to {4} UTC already "
"exists in "
"Elasticsearch".format(
report_id, org_name, domain, begin_date_human, end_date_human
)
)
published_policy = _PublishedPolicy(
domain=aggregate_report["policy_published"]["domain"],
adkim=aggregate_report["policy_published"]["adkim"],
@@ -461,8 +409,8 @@ def save_aggregate_report_to_elasticsearch(
for record in aggregate_report["records"]:
begin_date = human_timestamp_to_datetime(record["interval_begin"], to_utc=True)
end_date = human_timestamp_to_datetime(record["interval_end"], to_utc=True)
normalized_timespan = record["normalized_timespan"]
begin_date_human = begin_date.strftime("%Y-%m-%d %H:%M:%SZ")
end_date_human = end_date.strftime("%Y-%m-%d %H:%M:%SZ")
if monthly_indexes:
index_date = begin_date.strftime("%Y-%m")
else:
@@ -470,6 +418,41 @@ def save_aggregate_report_to_elasticsearch(
aggregate_report["begin_date"] = begin_date
aggregate_report["end_date"] = end_date
date_range = [aggregate_report["begin_date"], aggregate_report["end_date"]]
org_name_query = Q(dict(match_phrase=dict(org_name=org_name)))
report_id_query = Q(dict(match_phrase=dict(report_id=report_id)))
domain_query = Q(dict(match_phrase={"published_policy.domain": domain}))
begin_date_query = Q(dict(match=dict(date_begin=begin_date)))
end_date_query = Q(dict(match=dict(date_end=end_date)))
if index_suffix is not None:
search_index = "dmarc_aggregate_{0}*".format(index_suffix)
else:
search_index = "dmarc_aggregate*"
if index_prefix is not None:
search_index = "{0}{1}".format(index_prefix, search_index)
search = Search(index=search_index)
query = org_name_query & report_id_query & domain_query
query = query & begin_date_query & end_date_query
search.query = query
try:
existing = search.execute()
except Exception as error_:
raise ElasticsearchError(
"Elasticsearch's search for existing report \
error: {}".format(error_.__str__())
)
if len(existing) > 0:
raise AlreadySaved(
"An aggregate report ID {0} from {1} about {2} "
"with a date range of {3} UTC to {4} UTC already "
"exists in "
"Elasticsearch".format(
report_id, org_name, domain, begin_date_human, end_date_human
)
)
agg_doc = _AggregateReportDoc(
xml_schema=aggregate_report["xml_schema"],
org_name=metadata["org_name"],
@@ -477,9 +460,9 @@ def save_aggregate_report_to_elasticsearch(
org_extra_contact_info=metadata["org_extra_contact_info"],
report_id=metadata["report_id"],
date_range=date_range,
date_begin=begin_date,
date_end=end_date,
normalized_timespan=normalized_timespan,
date_begin=aggregate_report["begin_date"],
date_end=aggregate_report["end_date"],
normalized_timespan=record["normalized_timespan"],
errors=metadata["errors"],
published_policy=published_policy,
source_ip_address=record["source"]["ip_address"],
@@ -538,18 +521,18 @@ def save_aggregate_report_to_elasticsearch(
def save_forensic_report_to_elasticsearch(
forensic_report: dict[str, Any],
index_suffix: Optional[Any] = None,
index_prefix: Optional[str] = None,
monthly_indexes: Optional[bool] = False,
number_of_shards: int = 1,
number_of_replicas: int = 0,
forensic_report,
index_suffix=None,
index_prefix=None,
monthly_indexes=False,
number_of_shards=1,
number_of_replicas=0,
):
"""
Saves a parsed DMARC forensic report to Elasticsearch
Args:
forensic_report (dict): A parsed forensic report
forensic_report (OrderedDict): A parsed forensic report
index_suffix (str): The suffix of the name of the index to save to
index_prefix (str): The prefix of the name of the index to save to
monthly_indexes (bool): Use monthly indexes instead of daily
@@ -569,7 +552,7 @@ def save_forensic_report_to_elasticsearch(
sample_date = forensic_report["parsed_sample"]["date"]
sample_date = human_timestamp_to_datetime(sample_date)
original_headers = forensic_report["parsed_sample"]["headers"]
headers = dict()
headers = OrderedDict()
for original_header in original_headers:
headers[original_header.lower()] = original_headers[original_header]
@@ -705,18 +688,18 @@ def save_forensic_report_to_elasticsearch(
def save_smtp_tls_report_to_elasticsearch(
report: dict[str, Any],
index_suffix: Optional[str] = None,
index_prefix: Optional[str] = None,
monthly_indexes: Optional[bool] = False,
number_of_shards: Optional[int] = 1,
number_of_replicas: Optional[int] = 0,
report,
index_suffix=None,
index_prefix=None,
monthly_indexes=False,
number_of_shards=1,
number_of_replicas=0,
):
"""
Saves a parsed SMTP TLS report to Elasticsearch
Args:
report (dict): A parsed SMTP TLS report
report (OrderedDict): A parsed SMTP TLS report
index_suffix (str): The suffix of the name of the index to save to
index_prefix (str): The prefix of the name of the index to save to
monthly_indexes (bool): Use monthly indexes instead of daily indexes
@@ -802,7 +785,7 @@ def save_smtp_tls_report_to_elasticsearch(
policy_doc = _SMTPTLSPolicyDoc(
policy_domain=policy["policy_domain"],
policy_type=policy["policy_type"],
successful_session_count=policy["successful_session_count"],
succesful_session_count=policy["successful_session_count"],
failed_session_count=policy["failed_session_count"],
policy_string=policy_strings,
mx_host_patterns=mx_host_patterns,

14
parsedmarc/gelf.py
View File

@@ -1,9 +1,5 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Any
import logging
import logging.handlers
import json
@@ -52,9 +48,7 @@ class GelfClient(object):
)
self.logger.addHandler(self.handler)
def save_aggregate_report_to_gelf(
self, aggregate_reports: list[dict[str, Any]]
):
def save_aggregate_report_to_gelf(self, aggregate_reports):
rows = parsed_aggregate_reports_to_csv_rows(aggregate_reports)
for row in rows:
log_context_data.parsedmarc = row
@@ -62,14 +56,12 @@ class GelfClient(object):
log_context_data.parsedmarc = None
def save_forensic_report_to_gelf(
self, forensic_reports: list[dict[str, Any]]
):
def save_forensic_report_to_gelf(self, forensic_reports):
rows = parsed_forensic_reports_to_csv_rows(forensic_reports)
for row in rows:
self.logger.info(json.dumps(row))
def save_smtp_tls_report_to_gelf(self, smtp_tls_reports: dict[str, Any]):
def save_smtp_tls_report_to_gelf(self, smtp_tls_reports):
rows = parsed_smtp_tls_reports_to_csv_rows(smtp_tls_reports)
for row in rows:
self.logger.info(json.dumps(row))

44
parsedmarc/kafkaclient.py
View File

@@ -1,15 +1,11 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Any, Optional, Union
from ssl import SSLContext
import json
from ssl import create_default_context
from kafka import KafkaProducer
from kafka.errors import NoBrokersAvailable, UnknownTopicOrPartitionError
from collections import OrderedDict
from parsedmarc.utils import human_timestamp_to_datetime
from parsedmarc import __version__
@@ -22,13 +18,7 @@ class KafkaError(RuntimeError):
class KafkaClient(object):
def __init__(
self,
kafka_hosts: list[str],
*,
ssl: Optional[bool] = False,
username: Optional[str] = None,
password: Optional[str] = None,
ssl_context: Optional[SSLContext] = None,
self, kafka_hosts, ssl=False, username=None, password=None, ssl_context=None
):
"""
Initializes the Kafka client
@@ -38,7 +28,7 @@ class KafkaClient(object):
ssl (bool): Use a SSL/TLS connection
username (str): An optional username
password (str): An optional password
ssl_context (SSLContext): SSL context options
ssl_context: SSL context options
Notes:
``use_ssl=True`` is implied when a username or password are
@@ -65,7 +55,7 @@ class KafkaClient(object):
raise KafkaError("No Kafka brokers available")
@staticmethod
def strip_metadata(report: dict[str, Any]):
def strip_metadata(report):
"""
Duplicates org_name, org_email and report_id into JSON root
and removes report_metadata key to bring it more inline
@@ -79,7 +69,7 @@ class KafkaClient(object):
return report
@staticmethod
def generate_date_range(report: dict[str, Any]):
def generate_daterange(report):
"""
Creates a date_range timestamp with format YYYY-MM-DD-T-HH:MM:SS
based on begin and end dates for easier parsing in Kibana.
@@ -96,11 +86,7 @@ class KafkaClient(object):
logger.debug("date_range is {}".format(date_range))
return date_range
def save_aggregate_reports_to_kafka(
self,
aggregate_reports: Union[dict[str, Any], list[dict[str, Any]]],
aggregate_topic: str,
):
def save_aggregate_reports_to_kafka(self, aggregate_reports, aggregate_topic):
"""
Saves aggregate DMARC reports to Kafka
@@ -110,14 +96,16 @@ class KafkaClient(object):
aggregate_topic (str): The name of the Kafka topic
"""
if isinstance(aggregate_reports, dict):
if isinstance(aggregate_reports, dict) or isinstance(
aggregate_reports, OrderedDict
):
aggregate_reports = [aggregate_reports]
if len(aggregate_reports) < 1:
return
for report in aggregate_reports:
report["date_range"] = self.generate_date_range(report)
report["date_range"] = self.generate_daterange(report)
report = self.strip_metadata(report)
for slice in report["records"]:
@@ -141,11 +129,7 @@ class KafkaClient(object):
except Exception as e:
raise KafkaError("Kafka error: {0}".format(e.__str__()))
def save_forensic_reports_to_kafka(
self,
forensic_reports: Union[dict[str, Any], list[dict[str, Any]]],
forensic_topic: str,
):
def save_forensic_reports_to_kafka(self, forensic_reports, forensic_topic):
"""
Saves forensic DMARC reports to Kafka, sends individual
records (slices) since Kafka requires messages to be <= 1MB
@@ -175,11 +159,7 @@ class KafkaClient(object):
except Exception as e:
raise KafkaError("Kafka error: {0}".format(e.__str__()))
def save_smtp_tls_reports_to_kafka(
self,
smtp_tls_reports: Union[list[dict[str, Any]], dict[str, Any]],
smtp_tls_topic: str,
):
def save_smtp_tls_reports_to_kafka(self, smtp_tls_reports, smtp_tls_topic):
"""
Saves SMTP TLS reports to Kafka, sends individual
records (slices) since Kafka requires messages to be <= 1MB

18
parsedmarc/loganalytics.py
View File

@@ -1,9 +1,4 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Any
from parsedmarc.log import logger
from azure.core.exceptions import HttpResponseError
from azure.identity import ClientSecretCredential
@@ -107,12 +102,7 @@ class LogAnalyticsClient(object):
"Invalid configuration. " + "One or more required settings are missing."
)
def publish_json(
self,
results,
logs_client: LogsIngestionClient,
dcr_stream: str,
):
def publish_json(self, results, logs_client: LogsIngestionClient, dcr_stream: str):
"""
Background function to publish given
DMARC report to specific Data Collection Rule.
@@ -131,11 +121,7 @@ class LogAnalyticsClient(object):
raise LogAnalyticsException("Upload failed: {error}".format(error=e))
def publish_results(
self,
results: dict[str, dict[str, Any]],
save_aggregate: bool,
save_forensic: bool,
save_smtp_tls: bool,
self, results, save_aggregate: bool, save_forensic: bool, save_smtp_tls: bool
):
"""
Function to publish DMARC and/or SMTP TLS reports to Log Analytics

5
parsedmarc/mail/gmail.py
View File

@@ -1,7 +1,3 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from base64 import urlsafe_b64decode
from functools import lru_cache
from pathlib import Path
@@ -156,4 +152,3 @@ class GmailConnection(MailboxConnection):
for label in labels:
if label_name == label["id"] or label_name == label["name"]:
return label["id"]
return ""

4
parsedmarc/mail/graph.py
View File

@@ -1,7 +1,3 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from enum import Enum
from functools import lru_cache
from pathlib import Path

29
parsedmarc/mail/imap.py
View File

@@ -1,9 +1,3 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Optional
from time import sleep
from imapclient.exceptions import IMAPClientError
@@ -17,15 +11,14 @@ from parsedmarc.mail.mailbox_connection import MailboxConnection
class IMAPConnection(MailboxConnection):
def __init__(
self,
host: Optional[str] = None,
*,
user: Optional[str] = None,
password: Optional[str] = None,
port: Optional[str] = None,
ssl: Optional[bool] = True,
verify: Optional[bool] = True,
timeout: Optional[int] = 30,
max_retries: Optional[int] = 4,
host=None,
user=None,
password=None,
port=None,
ssl=True,
verify=True,
timeout=30,
max_retries=4,
):
self._username = user
self._password = password
@@ -52,13 +45,13 @@ class IMAPConnection(MailboxConnection):
else:
return self._client.search()
def fetch_message(self, message_id: int):
def fetch_message(self, message_id):
return self._client.fetch_message(message_id, parse=False)
def delete_message(self, message_id: int):
def delete_message(self, message_id: str):
self._client.delete_messages([message_id])
def move_message(self, message_id: int, folder_name: str):
def move_message(self, message_id: str, folder_name: str):
self._client.move_messages([message_id], folder_name)
def keepalive(self):

7
parsedmarc/mail/mailbox_connection.py
View File

@@ -1,8 +1,5 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from abc import ABC
from typing import List
class MailboxConnection(ABC):
@@ -13,7 +10,7 @@ class MailboxConnection(ABC):
def create_folder(self, folder_name: str):
raise NotImplementedError
def fetch_messages(self, reports_folder: str, **kwargs) -> list[str]:
def fetch_messages(self, reports_folder: str, **kwargs) -> List[str]:
raise NotImplementedError
def fetch_message(self, message_id) -> str:

12
parsedmarc/mail/maildir.py
View File

@@ -1,9 +1,3 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Optional
from time import sleep
from parsedmarc.log import logger
@@ -15,8 +9,8 @@ import os
class MaildirConnection(MailboxConnection):
def __init__(
self,
maildir_path: Optional[bool] = None,
maildir_create: Optional[bool] = False,
maildir_path=None,
maildir_create=False,
):
self._maildir_path = maildir_path
self._maildir_create = maildir_create
@@ -42,7 +36,7 @@ class MaildirConnection(MailboxConnection):
def fetch_messages(self, reports_folder: str, **kwargs):
return self._client.keys()
def fetch_message(self, message_id: str):
def fetch_message(self, message_id):
return self._client.get(message_id).as_string()
def delete_message(self, message_id: str):

224
parsedmarc/opensearch.py
View File

@@ -1,9 +1,6 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Optional, Union, Any
from collections import OrderedDict
from opensearchpy import (
Q,
@@ -92,15 +89,15 @@ class _AggregateReportDoc(Document):
dkim_results = Nested(_DKIMResult)
spf_results = Nested(_SPFResult)
def add_policy_override(self, type_: str, comment: str):
def add_policy_override(self, type_, comment):
self.policy_overrides.append(_PolicyOverride(type=type_, comment=comment))
def add_dkim_result(self, domain: str, selector: str, result: _DKIMResult):
def add_dkim_result(self, domain, selector, result):
self.dkim_results.append(
_DKIMResult(domain=domain, selector=selector, result=result)
)
def add_spf_result(self, domain: str, scope: str, result: _SPFResult):
def add_spf_result(self, domain, scope, result):
self.spf_results.append(_SPFResult(domain=domain, scope=scope, result=result))
def save(self, **kwargs):
@@ -136,21 +133,21 @@ class _ForensicSampleDoc(InnerDoc):
body = Text()
attachments = Nested(_EmailAttachmentDoc)
def add_to(self, display_name: str, address: str):
def add_to(self, display_name, address):
self.to.append(_EmailAddressDoc(display_name=display_name, address=address))
def add_reply_to(self, display_name: str, address: str):
def add_reply_to(self, display_name, address):
self.reply_to.append(
_EmailAddressDoc(display_name=display_name, address=address)
)
def add_cc(self, display_name: str, address: str):
def add_cc(self, display_name, address):
self.cc.append(_EmailAddressDoc(display_name=display_name, address=address))
def add_bcc(self, display_name: str, address: str):
def add_bcc(self, display_name, address):
self.bcc.append(_EmailAddressDoc(display_name=display_name, address=address))
def add_attachment(self, filename: str, content_type: str, sha256: str):
def add_attachment(self, filename, content_type, sha256):
self.attachments.append(
_EmailAttachmentDoc(
filename=filename, content_type=content_type, sha256=sha256
@@ -202,15 +199,15 @@ class _SMTPTLSPolicyDoc(InnerDoc):
def add_failure_details(
self,
result_type: Optional[str] = None,
ip_address: Optional[str] = None,
receiving_ip: Optional[str] = None,
receiving_mx_helo: Optional[str] = None,
failed_session_count: Optional[int] = None,
sending_mta_ip: Optional[str] = None,
receiving_mx_hostname: Optional[str] = None,
additional_information_uri: Optional[str] = None,
failure_reason_code: Union[str, int, None] = None,
result_type,
ip_address,
receiving_ip,
receiving_mx_helo,
failed_session_count,
sending_mta_ip=None,
receiving_mx_hostname=None,
additional_information_uri=None,
failure_reason_code=None,
):
_details = _SMTPTLSFailureDetailsDoc(
result_type=result_type,
@@ -240,14 +237,13 @@ class _SMTPTLSReportDoc(Document):
def add_policy(
self,
policy_type: str,
policy_domain: str,
successful_session_count: int,
failed_session_count: int,
*,
policy_string: Optional[str] = None,
mx_host_patterns: Optional[list[str]] = None,
failure_details: Optional[str] = None,
policy_type,
policy_domain,
successful_session_count,
failed_session_count,
policy_string=None,
mx_host_patterns=None,
failure_details=None,
):
self.policies.append(
policy_type=policy_type,
@@ -265,25 +261,24 @@ class AlreadySaved(ValueError):
def set_hosts(
hosts: Union[str, list[str]],
*,
use_ssl: Optional[bool] = False,
ssl_cert_path: Optional[str] = None,
username: Optional[str] = None,
password: Optional[str] = None,
api_key: Optional[str] = None,
timeout: Optional[float] = 60.0,
hosts,
use_ssl=False,
ssl_cert_path=None,
username=None,
password=None,
apiKey=None,
timeout=60.0,
):
"""
Sets the OpenSearch hosts to use
Args:
hosts (str|list[str]): A single hostname or URL, or list of hostnames or URLs
hosts (str|list): A hostname or URL, or list of hostnames or URLs
use_ssl (bool): Use an HTTPS connection to the server
ssl_cert_path (str): Path to the certificate chain
username (str): The username to use for authentication
password (str): The password to use for authentication
api_key (str): The Base64 encoded API key to use for authentication
apiKey (str): The Base64 encoded API key to use for authentication
timeout (float): Timeout in seconds
"""
if not isinstance(hosts, list):
@@ -296,14 +291,14 @@ def set_hosts(
conn_params["ca_certs"] = ssl_cert_path
else:
conn_params["verify_certs"] = False
if username and password:
if username:
conn_params["http_auth"] = username + ":" + password
if api_key:
conn_params["api_key"] = api_key
if apiKey:
conn_params["api_key"] = apiKey
connections.create_connection(**conn_params)
def create_indexes(names: list[str], settings: Optional[dict[str, Any]] = None):
def create_indexes(names, settings=None):
"""
Create OpenSearch indexes
@@ -326,10 +321,7 @@ def create_indexes(names: list[str], settings: Optional[dict[str, Any]] = None):
raise OpenSearchError("OpenSearch error: {0}".format(e.__str__()))
def migrate_indexes(
aggregate_indexes: Optional[list[str]] = None,
forensic_indexes: Optional[list[str]] = None,
):
def migrate_indexes(aggregate_indexes=None, forensic_indexes=None):
"""
Updates index mappings
@@ -376,18 +368,18 @@ def migrate_indexes(
def save_aggregate_report_to_opensearch(
aggregate_report: dict[str, Any],
index_suffix: Optional[str] = None,
index_prefix: Optional[str] = None,
monthly_indexes: Optional[bool] = False,
number_of_shards: Optional[int] = 1,
number_of_replicas: Optional[int] = 0,
aggregate_report,
index_suffix=None,
index_prefix=None,
monthly_indexes=False,
number_of_shards=1,
number_of_replicas=0,
):
"""
Saves a parsed DMARC aggregate report to OpenSearch
Args:
aggregate_report (dict): A parsed forensic report
aggregate_report (OrderedDict): A parsed forensic report
index_suffix (str): The suffix of the name of the index to save to
index_prefix (str): The prefix of the name of the index to save to
monthly_indexes (bool): Use monthly indexes instead of daily indexes
@@ -403,51 +395,7 @@ def save_aggregate_report_to_opensearch(
org_name = metadata["org_name"]
report_id = metadata["report_id"]
domain = aggregate_report["policy_published"]["domain"]
begin_date = human_timestamp_to_datetime(metadata["begin_date"], to_utc=True)
end_date = human_timestamp_to_datetime(metadata["end_date"], to_utc=True)
if monthly_indexes:
index_date = begin_date.strftime("%Y-%m")
else:
index_date = begin_date.strftime("%Y-%m-%d")
org_name_query = Q(dict(match_phrase=dict(org_name=org_name)))
report_id_query = Q(dict(match_phrase=dict(report_id=report_id)))
domain_query = Q(dict(match_phrase={"published_policy.domain": domain}))
begin_date_query = Q(dict(match=dict(date_begin=begin_date)))
end_date_query = Q(dict(match=dict(date_end=end_date)))
if index_suffix is not None:
search_index = "dmarc_aggregate_{0}*".format(index_suffix)
else:
search_index = "dmarc_aggregate*"
if index_prefix is not None:
search_index = "{0}{1}".format(index_prefix, search_index)
search = Search(index=search_index)
query = org_name_query & report_id_query & domain_query
query = query & begin_date_query & end_date_query
search.query = query
try:
existing = search.execute()
except Exception as error_:
begin_date_human = begin_date.strftime("%Y-%m-%d %H:%M:%SZ")
end_date_human = end_date.strftime("%Y-%m-%d %H:%M:%SZ")
raise OpenSearchError(
"OpenSearch's search for existing report \
error: {}".format(error_.__str__())
)
if len(existing) > 0:
raise AlreadySaved(
"An aggregate report ID {0} from {1} about {2} "
"with a date range of {3} UTC to {4} UTC already "
"exists in "
"OpenSearch".format(
report_id, org_name, domain, begin_date_human, end_date_human
)
)
published_policy = _PublishedPolicy(
domain=aggregate_report["policy_published"]["domain"],
adkim=aggregate_report["policy_published"]["adkim"],
@@ -461,8 +409,8 @@ def save_aggregate_report_to_opensearch(
for record in aggregate_report["records"]:
begin_date = human_timestamp_to_datetime(record["interval_begin"], to_utc=True)
end_date = human_timestamp_to_datetime(record["interval_end"], to_utc=True)
normalized_timespan = record["normalized_timespan"]
begin_date_human = begin_date.strftime("%Y-%m-%d %H:%M:%SZ")
end_date_human = end_date.strftime("%Y-%m-%d %H:%M:%SZ")
if monthly_indexes:
index_date = begin_date.strftime("%Y-%m")
else:
@@ -470,6 +418,41 @@ def save_aggregate_report_to_opensearch(
aggregate_report["begin_date"] = begin_date
aggregate_report["end_date"] = end_date
date_range = [aggregate_report["begin_date"], aggregate_report["end_date"]]
org_name_query = Q(dict(match_phrase=dict(org_name=org_name)))
report_id_query = Q(dict(match_phrase=dict(report_id=report_id)))
domain_query = Q(dict(match_phrase={"published_policy.domain": domain}))
begin_date_query = Q(dict(match=dict(date_begin=begin_date)))
end_date_query = Q(dict(match=dict(date_end=end_date)))
if index_suffix is not None:
search_index = "dmarc_aggregate_{0}*".format(index_suffix)
else:
search_index = "dmarc_aggregate*"
if index_prefix is not None:
search_index = "{0}{1}".format(index_prefix, search_index)
search = Search(index=search_index)
query = org_name_query & report_id_query & domain_query
query = query & begin_date_query & end_date_query
search.query = query
try:
existing = search.execute()
except Exception as error_:
raise OpenSearchError(
"OpenSearch's search for existing report \
error: {}".format(error_.__str__())
)
if len(existing) > 0:
raise AlreadySaved(
"An aggregate report ID {0} from {1} about {2} "
"with a date range of {3} UTC to {4} UTC already "
"exists in "
"OpenSearch".format(
report_id, org_name, domain, begin_date_human, end_date_human
)
)
agg_doc = _AggregateReportDoc(
xml_schema=aggregate_report["xml_schema"],
org_name=metadata["org_name"],
@@ -477,9 +460,8 @@ def save_aggregate_report_to_opensearch(
org_extra_contact_info=metadata["org_extra_contact_info"],
report_id=metadata["report_id"],
date_range=date_range,
date_begin=begin_date,
date_end=end_date,
normalized_timespan=normalized_timespan,
date_begin=aggregate_report["begin_date"],
date_end=aggregate_report["end_date"],
errors=metadata["errors"],
published_policy=published_policy,
source_ip_address=record["source"]["ip_address"],
@@ -538,18 +520,18 @@ def save_aggregate_report_to_opensearch(
def save_forensic_report_to_opensearch(
forensic_report: dict[str, Any],
index_suffix: Optional[str] = None,
index_prefix: Optional[str] = None,
monthly_indexes: Optional[bool] = False,
number_of_shards: int = 1,
number_of_replicas: int = 0,
forensic_report,
index_suffix=None,
index_prefix=None,
monthly_indexes=False,
number_of_shards=1,
number_of_replicas=0,
):
"""
Saves a parsed DMARC forensic report to OpenSearch
Args:
forensic_report (dict): A parsed forensic report
forensic_report (OrderedDict): A parsed forensic report
index_suffix (str): The suffix of the name of the index to save to
index_prefix (str): The prefix of the name of the index to save to
monthly_indexes (bool): Use monthly indexes instead of daily
@@ -569,7 +551,7 @@ def save_forensic_report_to_opensearch(
sample_date = forensic_report["parsed_sample"]["date"]
sample_date = human_timestamp_to_datetime(sample_date)
original_headers = forensic_report["parsed_sample"]["headers"]
headers = dict()
headers = OrderedDict()
for original_header in original_headers:
headers[original_header.lower()] = original_headers[original_header]
@@ -705,18 +687,18 @@ def save_forensic_report_to_opensearch(
def save_smtp_tls_report_to_opensearch(
report: dict[str, Any],
index_suffix: Optional[str] = None,
index_prefix: Optional[str] = None,
monthly_indexes: Optional[bool] = False,
number_of_shards: Optional[int] = 1,
number_of_replicas: Optional[int] = 0,
report,
index_suffix=None,
index_prefix=None,
monthly_indexes=False,
number_of_shards=1,
number_of_replicas=0,
):
"""
Saves a parsed SMTP TLS report to OpenSearch
Args:
report (dict): A parsed SMTP TLS report
report (OrderedDict): A parsed SMTP TLS report
index_suffix (str): The suffix of the name of the index to save to
index_prefix (str): The prefix of the name of the index to save to
monthly_indexes (bool): Use monthly indexes instead of daily indexes
@@ -726,7 +708,7 @@ def save_smtp_tls_report_to_opensearch(
Raises:
AlreadySaved
"""
logger.info("Saving SMTP TLS report to OpenSearch")
logger.info("Saving aggregate report to OpenSearch")
org_name = report["organization_name"]
report_id = report["report_id"]
begin_date = human_timestamp_to_datetime(report["begin_date"], to_utc=True)
@@ -802,7 +784,7 @@ def save_smtp_tls_report_to_opensearch(
policy_doc = _SMTPTLSPolicyDoc(
policy_domain=policy["policy_domain"],
policy_type=policy["policy_type"],
successful_session_count=policy["successful_session_count"],
succesful_session_count=policy["successful_session_count"],
failed_session_count=policy["failed_session_count"],
policy_string=policy_strings,
mx_host_patterns=mx_host_patterns,

8
parsedmarc/resources/maps/base_reverse_dns_map.csv
View File

@@ -132,7 +132,6 @@ asu-vei.ru,ASU-VEI,Industrial
atextelecom.com.br,ATEX Telecom,ISP
atmailcloud.com,atmail,Email Provider
ats.ca,ATS Healthcare,Healthcare
att.net,AT&T,ISP
atw.ne.jp,ATW,Web Host
au-net.ne.jp,KDDI,ISP
au.com,au,ISP
@@ -243,7 +242,6 @@ carandainet.com.br,CN Internet,ISP
cardhealth.com,Cardinal Health,Healthcare
cardinal.com,Cardinal Health,Healthcare
cardinalhealth.com,Cardinal Health,Healthcare
cardinalscriptnet.com,Cardinal Health,Healthcare
carecentrix.com,CareCentrix,Healthcare
carleton.edu,Carlton College,Education
carrierzone.com,carrierzone,Email Security
@@ -699,7 +697,6 @@ hdsupply-email.com,HD Supply,Retail
healthall.com,UC Health,Healthcare
healthcaresupplypros.com,Healthcare Supply Pros,Healthcare
healthproductsforyou.com,Health Products For You,Healthcare
healthtouch.com,Cardinal Health,Healthcare
helloserver6.com,1st Source Web,Marketing
helpforcb.com,InterServer,Web Host
helpscout.net,Help Scout,SaaS
@@ -756,8 +753,6 @@ hostwindsdns.com,Hostwinds,Web Host
hotnet.net.il,Hot Net Internet Services,ISP
hp.com,HP,Technology
hringdu.is,Hringdu,ISP
hslda.net,Home School Legal Defense Association (HSLDA),Education
hslda.org,Home School Legal Defense Association (HSLDA),Education
hspherefilter.com,"DynamicNet, Inc. (DNI)",Web Host
htc.net,HTC,ISP
htmlservices.it,HTMLServices.it,MSP
@@ -768,7 +763,6 @@ hughston.com,Hughston Clinic,Healthcare
hvvc.us,Hivelocity,Web Host
i2ts.ne.jp,i2ts,Web Host
i4i.com,i4i,Technology
ibindley.com,Cardinal Health,Healthcare
ice.co.cr,Grupo ICE,Industrial
icehosting.nl,IceHosting,Web Host
icewarpcloud.in,IceWrap,Email Provider
@@ -838,7 +832,6 @@ ip-5-196-151.eu,OVH,Web Host
ip-51-161-36.net,OVH,Web Host
ip-51-195-53.eu,OVH,Web Host
ip-51-254-53.eu,OVH,Web Host
ip-51-38-67.eu,OVH,Web Host
ip-51-77-42.eu,OVH,Web Host
ip-51-83-140.eu,OVH,Web Host
ip-51-89-240.eu,OVH,Web Host
@@ -1224,7 +1217,6 @@ nettoday.co.th,Net Today,Web Host
netventure.pl,Netventure,MSP
netvigator.com,HKT,ISP
netvision.net.il,013 Netvision,ISP
network-tech.com,Network Technologies International (NTI),SaaS
network.kz,network.kz,ISP
network80.com,Network80,Web Host
neubox.net,Neubox,Web Host
1 base_reverse_dns name type
132 atextelecom.com.br ATEX Telecom ISP
133 atmailcloud.com atmail Email Provider
134 ats.ca ATS Healthcare Healthcare
att.net AT&T ISP
135 atw.ne.jp ATW Web Host
136 au-net.ne.jp KDDI ISP
137 au.com au ISP
242 cardhealth.com Cardinal Health Healthcare
243 cardinal.com Cardinal Health Healthcare
244 cardinalhealth.com Cardinal Health Healthcare
cardinalscriptnet.com Cardinal Health Healthcare
245 carecentrix.com CareCentrix Healthcare
246 carleton.edu Carlton College Education
247 carrierzone.com carrierzone Email Security
697 healthall.com UC Health Healthcare
698 healthcaresupplypros.com Healthcare Supply Pros Healthcare
699 healthproductsforyou.com Health Products For You Healthcare
healthtouch.com Cardinal Health Healthcare
700 helloserver6.com 1st Source Web Marketing
701 helpforcb.com InterServer Web Host
702 helpscout.net Help Scout SaaS
753 hotnet.net.il Hot Net Internet Services ISP
754 hp.com HP Technology
755 hringdu.is Hringdu ISP
hslda.net Home School Legal Defense Association (HSLDA) Education
hslda.org Home School Legal Defense Association (HSLDA) Education
756 hspherefilter.com DynamicNet, Inc. (DNI) Web Host
757 htc.net HTC ISP
758 htmlservices.it HTMLServices.it MSP
763 hvvc.us Hivelocity Web Host
764 i2ts.ne.jp i2ts Web Host
765 i4i.com i4i Technology
ibindley.com Cardinal Health Healthcare
766 ice.co.cr Grupo ICE Industrial
767 icehosting.nl IceHosting Web Host
768 icewarpcloud.in IceWrap Email Provider
832 ip-51-161-36.net OVH Web Host
833 ip-51-195-53.eu OVH Web Host
834 ip-51-254-53.eu OVH Web Host
ip-51-38-67.eu OVH Web Host
835 ip-51-77-42.eu OVH Web Host
836 ip-51-83-140.eu OVH Web Host
837 ip-51-89-240.eu OVH Web Host
1217 netventure.pl Netventure MSP
1218 netvigator.com HKT ISP
1219 netvision.net.il 013 Netvision ISP
network-tech.com Network Technologies International (NTI) SaaS
1220 network.kz network.kz ISP
1221 network80.com Network80 Web Host
1222 neubox.net Neubox Web Host

2
parsedmarc/resources/maps/find_unknown_base_reverse_dns.py
View File

@@ -13,6 +13,8 @@ def _main():
csv_headers = ["source_name", "message_count"]
output_rows = []
known_unknown_domains = []
psl_overrides = []
known_domains = []

28
parsedmarc/s3.py
View File

@@ -1,9 +1,5 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Any
import json
import boto3
@@ -12,16 +8,16 @@ from parsedmarc.utils import human_timestamp_to_datetime
class S3Client(object):
"""A client for interacting with Amazon S3"""
"""A client for a Amazon S3"""
def __init__(
self,
bucket_name: str,
bucket_path: str,
region_name: str,
endpoint_url: str,
access_key_id: str,
secret_access_key: str,
bucket_name,
bucket_path,
region_name,
endpoint_url,
access_key_id,
secret_access_key,
):
"""
Initializes the S3Client
@@ -51,18 +47,18 @@ class S3Client(object):
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
)
self.bucket: Any = self.s3.Bucket(self.bucket_name)
self.bucket = self.s3.Bucket(self.bucket_name)
def save_aggregate_report_to_s3(self, report: dict[str, Any]):
def save_aggregate_report_to_s3(self, report):
self.save_report_to_s3(report, "aggregate")
def save_forensic_report_to_s3(self, report: dict[str, Any]):
def save_forensic_report_to_s3(self, report):
self.save_report_to_s3(report, "forensic")
def save_smtp_tls_report_to_s3(self, report: dict[str, Any]):
def save_smtp_tls_report_to_s3(self, report):
self.save_report_to_s3(report, "smtp_tls")
def save_report_to_s3(self, report: dict[str, Any], report_type: str):
def save_report_to_s3(self, report, report_type):
if report_type == "smtp_tls":
report_date = report["begin_date"]
report_id = report["report_id"]

39
parsedmarc/splunk.py
View File

@@ -1,10 +1,3 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Any, Union
from urllib.parse import urlparse
import socket
import json
@@ -30,13 +23,7 @@ class HECClient(object):
# http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTinput#services.2Fcollector
def __init__(
self,
url: str,
access_token: str,
index: str,
source: str = "parsedmarc",
verify=True,
timeout=60,
self, url, access_token, index, source="parsedmarc", verify=True, timeout=60
):
"""
Initializes the HECClient
@@ -50,9 +37,9 @@ class HECClient(object):
timeout (float): Number of seconds to wait for the server to send
data before giving up
"""
parsed_url = urlparse(url)
url = urlparse(url)
self.url = "{0}://{1}/services/collector/event/1.0".format(
parsed_url.scheme, parsed_url.netloc
url.scheme, url.netloc
)
self.access_token = access_token.lstrip("Splunk ")
self.index = index
@@ -61,19 +48,14 @@ class HECClient(object):
self.session = requests.Session()
self.timeout = timeout
self.session.verify = verify
self._common_data: dict[str, Union[str, int, float, dict]] = dict(
host=self.host, source=self.source, index=self.index
)
self._common_data = dict(host=self.host, source=self.source, index=self.index)
self.session.headers = {
"User-Agent": USER_AGENT,
"Authorization": "Splunk {0}".format(self.access_token),
}
def save_aggregate_reports_to_splunk(
self,
aggregate_reports: Union[list[dict[str, Any]], dict[str, Any]],
):
def save_aggregate_reports_to_splunk(self, aggregate_reports):
"""
Saves aggregate DMARC reports to Splunk
@@ -93,7 +75,7 @@ class HECClient(object):
json_str = ""
for report in aggregate_reports:
for record in report["records"]:
new_report: dict[str, Union[str, int, float, dict]] = dict()
new_report = dict()
for metadata in report["report_metadata"]:
new_report[metadata] = report["report_metadata"][metadata]
new_report["interval_begin"] = record["interval_begin"]
@@ -136,10 +118,7 @@ class HECClient(object):
if response["code"] != 0:
raise SplunkError(response["text"])
def save_forensic_reports_to_splunk(
self,
forensic_reports: Union[list[dict[str, Any]], dict[str, Any]],
):
def save_forensic_reports_to_splunk(self, forensic_reports):
"""
Saves forensic DMARC reports to Splunk
@@ -173,9 +152,7 @@ class HECClient(object):
if response["code"] != 0:
raise SplunkError(response["text"])
def save_smtp_tls_reports_to_splunk(
self, reports: Union[list[dict[str, Any]], dict[str, Any]]
):
def save_smtp_tls_reports_to_splunk(self, reports):
"""
Saves aggregate DMARC reports to Splunk

21
parsedmarc/syslog.py
View File

@@ -1,14 +1,7 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
import logging
import logging.handlers
from typing import Any
import json
from parsedmarc import (
@@ -21,7 +14,7 @@ from parsedmarc import (
class SyslogClient(object):
"""A client for Syslog"""
def __init__(self, server_name: str, server_port: int):
def __init__(self, server_name, server_port):
"""
Initializes the SyslogClient
Args:
@@ -35,23 +28,17 @@ class SyslogClient(object):
log_handler = logging.handlers.SysLogHandler(address=(server_name, server_port))
self.logger.addHandler(log_handler)
def save_aggregate_report_to_syslog(
self, aggregate_reports: list[dict[str, Any]]
):
def save_aggregate_report_to_syslog(self, aggregate_reports):
rows = parsed_aggregate_reports_to_csv_rows(aggregate_reports)
for row in rows:
self.logger.info(json.dumps(row))
def save_forensic_report_to_syslog(
self, forensic_reports: list[dict[str, Any]]
):
def save_forensic_report_to_syslog(self, forensic_reports):
rows = parsed_forensic_reports_to_csv_rows(forensic_reports)
for row in rows:
self.logger.info(json.dumps(row))
def save_smtp_tls_report_to_syslog(
self, smtp_tls_reports: list[dict[str, Any]]
):
def save_smtp_tls_report_to_syslog(self, smtp_tls_reports):
rows = parsed_smtp_tls_reports_to_csv_rows(smtp_tls_reports)
for row in rows:
self.logger.info(json.dumps(row))

131
parsedmarc/utils.py
View File

@@ -1,17 +1,11 @@
# -*- coding: utf-8 -*-
"""Utility functions that might be useful for other projects"""
from __future__ import annotations
from typing import Optional, Union, TypedDict, Any
import logging
import os
from datetime import datetime
from datetime import timezone
from datetime import timedelta
from expiringdict import ExpiringDict
from collections import OrderedDict
import tempfile
import subprocess
import shutil
@@ -66,20 +60,12 @@ class DownloadError(RuntimeError):
"""Raised when an error occurs when downloading a file"""
class EmailAddress(TypedDict):
"""Parsed email address information"""
display_name: Optional[str]
address: str
local: Optional[str]
domain: Optional[str]
def decode_base64(data: str) -> bytes:
def decode_base64(data):
"""
Decodes a base64 string, with padding being optional
Args:
data (str): A base64 encoded string
data: A base64 encoded string
Returns:
bytes: The decoded bytes
@@ -92,7 +78,7 @@ def decode_base64(data: str) -> bytes:
return base64.b64decode(data)
def get_base_domain(domain: str) -> str:
def get_base_domain(domain):
"""
Gets the base domain name for the given domain
@@ -116,14 +102,7 @@ def get_base_domain(domain: str) -> str:
return publicsuffix
def query_dns(
domain: str,
record_type: str,
*,
cache: Optional[ExpiringDict] = None,
nameservers: list[str] = None,
timeout: int = 2.0,
) -> list[str]:
def query_dns(domain, record_type, cache=None, nameservers=None, timeout=2.0):
"""
Queries DNS
@@ -184,13 +163,7 @@ def query_dns(
return records
def get_reverse_dns(
ip_address,
*,
cache: Optional[ExpiringDict] = None,
nameservers: list[str] = None,
timeout: int = 2.0,
) -> str:
def get_reverse_dns(ip_address, cache=None, nameservers=None, timeout=2.0):
"""
Resolves an IP address to a hostname using a reverse DNS query
@@ -218,7 +191,7 @@ def get_reverse_dns(
return hostname
def timestamp_to_datetime(timestamp: int) -> datetime:
def timestamp_to_datetime(timestamp):
"""
Converts a UNIX/DMARC timestamp to a Python ``datetime`` object
@@ -231,7 +204,7 @@ def timestamp_to_datetime(timestamp: int) -> datetime:
return datetime.fromtimestamp(int(timestamp))
def timestamp_to_human(timestamp: int) -> str:
def timestamp_to_human(timestamp):
"""
Converts a UNIX/DMARC timestamp to a human-readable string
@@ -244,9 +217,7 @@ def timestamp_to_human(timestamp: int) -> str:
return timestamp_to_datetime(timestamp).strftime("%Y-%m-%d %H:%M:%S")
def human_timestamp_to_datetime(
human_timestamp: str, *, to_utc: Optional[bool] = False
) -> datetime:
def human_timestamp_to_datetime(human_timestamp, to_utc=False):
"""
Converts a human-readable timestamp into a Python ``datetime`` object
@@ -265,7 +236,7 @@ def human_timestamp_to_datetime(
return dt.astimezone(timezone.utc) if to_utc else dt
def human_timestamp_to_unix_timestamp(human_timestamp: str) -> int:
def human_timestamp_to_unix_timestamp(human_timestamp):
"""
Converts a human-readable timestamp into a UNIX timestamp
@@ -279,7 +250,7 @@ def human_timestamp_to_unix_timestamp(human_timestamp: str) -> int:
return human_timestamp_to_datetime(human_timestamp).timestamp()
def get_ip_address_country(ip_address: str, *, db_path: Optional[str] = None) -> str:
def get_ip_address_country(ip_address, db_path=None):
"""
Returns the ISO code for the country associated
with the given IPv4 or IPv6 address
@@ -306,7 +277,7 @@ def get_ip_address_country(ip_address: str, *, db_path: Optional[str] = None) ->
]
if db_path is not None:
if not os.path.isfile(db_path):
if os.path.isfile(db_path) is False:
db_path = None
logger.warning(
f"No file exists at {db_path}. Falling back to an "
@@ -342,14 +313,13 @@ def get_ip_address_country(ip_address: str, *, db_path: Optional[str] = None) ->
def get_service_from_reverse_dns_base_domain(
base_domain: str,
*,
always_use_local_file: Optional[bool] = False,
local_file_path: Optional[str] = None,
url: Optional[str] = None,
offline: Optional[bool] = False,
reverse_dns_map: Optional[dict[str, Any]] = None,
) -> dict[str, Any]:
base_domain,
always_use_local_file=False,
local_file_path=None,
url=None,
offline=False,
reverse_dns_map=None,
):
"""
Returns the service name of a given base domain name from reverse DNS.
@@ -418,18 +388,17 @@ def get_service_from_reverse_dns_base_domain(
def get_ip_address_info(
ip_address: str,
*,
ip_db_path: Optional[str] = None,
reverse_dns_map_path: Optional[str] = None,
always_use_local_files: Optional[bool] = False,
reverse_dns_map_url: Optional[str] = None,
cache: Optional[ExpiringDict] = None,
reverse_dns_map: Optional[dict[str, Any]] = None,
offline: Optional[bool] = False,
nameservers: Optional[list[str]] = None,
timeout: Optional[float] = 2.0,
) -> dict[str, Any]:
ip_address,
ip_db_path=None,
reverse_dns_map_path=None,
always_use_local_files=False,
reverse_dns_map_url=None,
cache=None,
reverse_dns_map=None,
offline=False,
nameservers=None,
timeout=2.0,
):
"""
Returns reverse DNS and country information for the given IP address
@@ -447,7 +416,7 @@ def get_ip_address_info(
timeout (float): Sets the DNS timeout in seconds
Returns:
dict: ``ip_address``, ``reverse_dns``, ``country``
OrderedDict: ``ip_address``, ``reverse_dns``
"""
ip_address = ip_address.lower()
@@ -456,7 +425,7 @@ def get_ip_address_info(
if info:
logger.debug(f"IP address {ip_address} was found in cache")
return info
info = dict()
info = OrderedDict()
info["ip_address"] = ip_address
if offline:
reverse_dns = None
@@ -494,7 +463,7 @@ def get_ip_address_info(
return info
def parse_email_address(original_address: str) -> EmailAddress:
def parse_email_address(original_address):
if original_address[0] == "":
display_name = None
else:
@@ -507,15 +476,17 @@ def parse_email_address(original_address: str) -> EmailAddress:
local = address_parts[0].lower()
domain = address_parts[-1].lower()
return {
"display_name": display_name,
"address": address,
"local": local,
"domain": domain,
}
return OrderedDict(
[
("display_name", display_name),
("address", address),
("local", local),
("domain", domain),
]
)
def get_filename_safe_string(string: str) -> str:
def get_filename_safe_string(string):
"""
Converts a string to a string that is safe for a filename
@@ -537,7 +508,7 @@ def get_filename_safe_string(string: str) -> str:
return string
def is_mbox(path: str) -> bool:
def is_mbox(path):
"""
Checks if the given content is an MBOX mailbox file
@@ -558,7 +529,7 @@ def is_mbox(path: str) -> bool:
return _is_mbox
def is_outlook_msg(content: Union[bytes, Any]) -> bool:
def is_outlook_msg(content):
"""
Checks if the given content is an Outlook msg OLE/MSG file
@@ -573,7 +544,7 @@ def is_outlook_msg(content: Union[bytes, Any]) -> bool:
)
def convert_outlook_msg(msg_bytes: bytes) -> str:
def convert_outlook_msg(msg_bytes):
"""
Uses the ``msgconvert`` Perl utility to convert an Outlook MS file to
standard RFC 822 format
@@ -591,14 +562,13 @@ def convert_outlook_msg(msg_bytes: bytes) -> str:
os.chdir(tmp_dir)
with open("sample.msg", "wb") as msg_file:
msg_file.write(msg_bytes)
rfc822_bytes: bytes
try:
subprocess.check_call(
["msgconvert", "sample.msg"], stdout=null_file, stderr=null_file
)
eml_path = "sample.eml"
with open(eml_path, "rb") as eml_file:
rfc822_bytes = eml_file.read()
rfc822 = eml_file.read()
except FileNotFoundError:
raise EmailParserError(
"Failed to convert Outlook MSG: msgconvert utility not found"
@@ -607,12 +577,10 @@ def convert_outlook_msg(msg_bytes: bytes) -> str:
os.chdir(orig_dir)
shutil.rmtree(tmp_dir)
return rfc822_bytes.decode("utf-8", errors="replace")
return rfc822
def parse_email(
data: Union[bytes, str], *, strip_attachment_payloads: Optional[bool] = False
) -> dict[str, Any]:
def parse_email(data, strip_attachment_payloads=False):
"""
A simplified email parser
@@ -627,8 +595,7 @@ def parse_email(
if isinstance(data, bytes):
if is_outlook_msg(data):
data = convert_outlook_msg(data)
else:
data = data.decode("utf-8", errors="replace")
data = data.decode("utf-8", errors="replace")
parsed_email = mailparser.parse_from_string(data)
headers = json.loads(parsed_email.headers_json).copy()
parsed_email = json.loads(parsed_email.mail_json).copy()

24
parsedmarc/webhook.py
View File

@@ -1,9 +1,3 @@
# -*- coding: utf-8 -*-
from __future__ import annotations
from typing import Any, Optional, Union
import requests
from parsedmarc import logger
@@ -13,13 +7,7 @@ from parsedmarc.constants import USER_AGENT
class WebhookClient(object):
"""A client for webhooks"""
def __init__(
self,
aggregate_url: str,
forensic_url: str,
smtp_tls_url: str,
timeout: Optional[int] = 60,
):
def __init__(self, aggregate_url, forensic_url, smtp_tls_url, timeout=60):
"""
Initializes the WebhookClient
Args:
@@ -38,27 +26,25 @@ class WebhookClient(object):
"Content-Type": "application/json",
}
def save_forensic_report_to_webhook(self, report: str):
def save_forensic_report_to_webhook(self, report):
try:
self._send_to_webhook(self.forensic_url, report)
except Exception as error_:
logger.error("Webhook Error: {0}".format(error_.__str__()))
def save_smtp_tls_report_to_webhook(self, report: str):
def save_smtp_tls_report_to_webhook(self, report):
try:
self._send_to_webhook(self.smtp_tls_url, report)
except Exception as error_:
logger.error("Webhook Error: {0}".format(error_.__str__()))
def save_aggregate_report_to_webhook(self, report: str):
def save_aggregate_report_to_webhook(self, report):
try:
self._send_to_webhook(self.aggregate_url, report)
except Exception as error_:
logger.error("Webhook Error: {0}".format(error_.__str__()))
def _send_to_webhook(
self, webhook_url: str, payload: Union[bytes, str, dict[str, Any]]
):
def _send_to_webhook(self, webhook_url, payload):
try:
self.session.post(webhook_url, data=payload, timeout=self.timeout)
except Exception as error_:

16
pyproject.toml
View File

@@ -2,7 +2,6 @@
requires = [
"hatchling>=1.27.0",
]
requires_python = ">=3.9,<3.14"
build-backend = "hatchling.build"
[project]
@@ -29,7 +28,6 @@ classifiers = [
"Operating System :: OS Independent",
"Programming Language :: Python :: 3"
]
requires-python = ">=3.9, <3.14"
dependencies = [
"azure-identity>=1.8.0",
"azure-monitor-ingestion>=1.0.0",
@@ -88,11 +86,11 @@ include = [
[tool.hatch.build]
exclude = [
"base_reverse_dns.csv",
"find_bad_utf8.py",
"find_unknown_base_reverse_dns.py",
"unknown_base_reverse_dns.csv",
"sortmaps.py",
"README.md",
"*.bak"
"base_reverse_dns.csv",
"find_bad_utf8.py",
"find_unknown_base_reverse_dns.py",
"unknown_base_reverse_dns.csv",
"sortmaps.py",
"README.md",
"*.bak"
]

5
tests.py
View File

@@ -1,6 +1,3 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from __future__ import absolute_import, print_function, unicode_literals
import os
@@ -77,7 +74,7 @@ class Test(unittest.TestCase):
print()
file = "samples/extract_report/nice-input.xml"
print("Testing {0}: ".format(file), end="")
xmlout = parsedmarc.extract_report_from_file_path(file)
xmlout = parsedmarc.extract_report(file)
xmlin_file = open("samples/extract_report/nice-input.xml")
xmlin = xmlin_file.read()
xmlin_file.close()