updates to scot4-inbox

Author: toddbruner

Dockerfile

@@ -0,0 +1,21 @@
+# Start with debian:bookworm image with scot4 perl installed
+FROM ghcr.io/sandialabs/scot4-perl-builder@sha256:6a92390d96baf3c1ad73fcdf9af5047a36e880c5ce026c91cff98d0064e2e67f
+
+# Create necessary directories 
+RUN mkdir -p /opt/scot4-inbox && mkdir -p /var/log/scot
+
+# Copy over required files
+COPY . /opt/scot4-inbox
+
+# create user/group for scotinbox
+RUN groupadd scotinbox && \
+    useradd -c "Scot Inbox User" -g "scotinbox" -d /opt/scot4-inbox -M -s /bin/bash scotinbox && \
+    chown -R scotinbox:scotinbox /opt/scot4-inbox && \
+    chown -R scotinbox:scotinbox /var/log/scot
+    
+# start container as scotinbox user
+USER scotinbox
+
+# airflow will handle start, but if not
+ENTRYPOINT ["/opt/scot4-inbox/bin/inbox.pl"]
+CMD ["-?"]

LICENSE

@@ -1,2 +1,10 @@
 # scot4-inbox
-SCOT4 Inbox Processor
+
+
+# Inbox (IMAP/MSGRAPH) processor for SCOT4
+
+Creates a container to run the SCOT4 inbox processor.  The processor will read IMAP inboxes and Microsoft Graph API inboxes and insert the contents of those messages into SCOT alerts, events, or dispatches.
+
+This is a convenient way to input data from detection systems, threat intel feeds, and analysts directly into SCOT.
+
+For more information and instructions, consult the main SCOT4 documentaton Repository.

README.md

@@ -0,0 +1,74 @@
+#!/opt/perl/bin/perl
+
+use lib '/opt/scot4-inbox/lib';
+use lib '../lib';
+use Mojo::Base -strict, -signatures;
+use Scot::Inbox::Processor;
+use Getopt::Long qw(GetOptions);
+
+my $pidfile = "/tmp/scot.inboxdelete.pid";
+
+if ( -s $pidfile ) {
+    die "$pidfile exists. Kill running $0 and delete $pidfile to continue";
+}
+
+open(my $fh, ">", $pidfile) or die "Unable to write to $pidfile!";
+print $fh "$$";
+close($fh);
+
+END {
+    system("rm -f $pidfile");
+}
+
+# option defaults
+my $configfile  = "../etc/inbox.conf";
+my $test        = 0;
+my $secrets     = "../etc/secrets.conf";
+my $msv         = 1;
+my $nomsv       = 0;
+my $msvlog      = "/opt/scot4-inbox/var/log/msv.log";
+
+my $default_note    = <<EOF;
+        note: default config  is $configfile
+              default secrets is $secrets
+              default msvlog  is $msvlog
+
+EOF
+
+GetOptions(
+    'config=s'  => \$configfile,
+    'test'      => \$test,
+    'secrets=s' => \$secrets,
+    'msv'       => \$nomsv,
+    'msvlog'    => \$msvlog,
+) or die <<EOF;
+
+Invalid Option!
+    
+    usage: $0
+        [--test]                          overwrites peeking to true
+        [--config=/path/to/inbox.conf]    use this file as the configuration file
+        [--secrets=/path/to/secrets.conf] use this file for secret storage
+        [--msv]                           do not filter msv data
+        [--msvlog=/path/to/log]           where to log msv hits
+
+        $default_note
+EOF
+
+if ($nomsv) {
+    $msv = 0;
+}
+
+my $opts    = {
+    configfile  => $configfile,
+    test        => $test,
+    secrets     => $secrets,
+    msv         => $msv,
+    msvlog      => $msvlog,
+    delete_before   => time() - (2 * 365 * 24 * 3600)
+};
+
+Scot::Inbox::Processor->new($opts)->delete();
+
+
+

bin/delete.pl

@@ -0,0 +1,73 @@
+#!/opt/perl/bin/perl
+
+use lib '/opt/scot4-inbox/lib';
+use lib '../lib';
+use Mojo::Base -strict, -signatures;
+use Scot::Inbox::Processor;
+use Getopt::Long qw(GetOptions);
+
+my $pidfile = "/tmp/scot.inbox.pid";
+
+if ( -s $pidfile ) {
+    die "$pidfile exists. Kill running $0 and delete $pidfile to continue";
+}
+
+open(my $fh, ">", $pidfile) or die "Unable to write to $pidfile!";
+print $fh "$$";
+close($fh);
+
+END {
+    system("rm -f $pidfile");
+}
+
+# option defaults
+my $configfile  = "../etc/inbox.conf";
+my $test        = 0;
+my $secrets     = "../etc/secrets.conf";
+my $msv         = 1;
+my $nomsv       = 0;
+my $msvlog      = "/opt/scot4-inbox/var/log/msv.log";
+
+my $default_note    = <<EOF;
+        note: default config  is $configfile
+              default secrets is $secrets
+              default msvlog  is $msvlog
+
+EOF
+
+GetOptions(
+    'config=s'  => \$configfile,
+    'test'      => \$test,
+    'secrets=s' => \$secrets,
+    'msv'       => \$nomsv,
+    'msvlog'    => \$msvlog,
+) or die <<EOF;
+
+Invalid Option!
+    
+    usage: $0
+        [--test]                          overwrites peeking to true
+        [--config=/path/to/inbox.conf]    use this file as the configuration file
+        [--secrets=/path/to/secrets.conf] use this file for secret storage
+        [--msv]                           do not filter msv data
+        [--msvlog=/path/to/log]           where to log msv hits
+
+        $default_note
+EOF
+
+if ($nomsv) {
+    $msv = 0;
+}
+
+my $opts    = {
+    configfile  => $configfile,
+    test        => $test,
+    secrets     => $secrets,
+    msv         => $msv,
+    msvlog      => $msvlog,
+};
+
+Scot::Inbox::Processor->new($opts)->run();
+
+
+