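    def __init__(self, ioc_xml):
        """Wrap an OpenIOC document and make every node the editor needs reachable.

        Two private copies of *ioc_xml* are taken: ``working_xml`` is the one
        that gets edited (and completed below); ``orig_xml`` is left untouched,
        presumably so callers can compare against it for unsaved changes
        (confirm against the save path).

        The root's default namespace selects the schema version:
        ``http://schemas.mandiant.com/2010/ioc`` is OpenIOC 1.0 (metadata lives
        directly under the root, indicators under ``definition``, no
        ``parameters``); ``http://openioc.org/schemas/OpenIOC_1.1`` is OpenIOC
        1.1 (metadata under ``metadata``, indicators under ``criteria``, plus a
        ``parameters`` node).  Any node a file lacks is created through
        ``ioc_et`` with ``*Missing*`` placeholders, so ``name``, ``desc``,
        ``author``, ``created``, ``links`` and ``criteria`` are always real
        elements afterwards.

        Args:
            ioc_xml: root element of a parsed OpenIOC document (lxml-style:
                needs ``.nsmap``, ``.attrib``, ``.find`` and ``.append``).

        Raises:
            ValueError: if the root has no default namespace, or one that is
                neither supported schema.  (The previous code fell through
                with a bogus string as ``metadata_root``, leaving ``version``
                and ``criteria`` unset and ``name`` etc. holding ``-1``.)
        """
        self.working_xml = copy.deepcopy(ioc_xml)
        self.orig_xml = copy.deepcopy(ioc_xml)
        self.attributes = self.working_xml.attrib

        def _ensure(parent, tag, make_node):
            # Return parent/<tag>, creating it via make_node() when absent.
            # `is None` rather than `== None`: find() returns None or an element.
            node = parent.find(tag)
            if node is None:
                parent.append(make_node())
                node = parent.find(tag)
            return node

        # .get() instead of [None]: a root without a default namespace should
        # reach the explicit ValueError below, not die with a bare KeyError.
        namespace = self.working_xml.nsmap.get(None)

        if namespace == "http://schemas.mandiant.com/2010/ioc":
            self.version = "1.0"
            metadata_root = self.working_xml
            self.criteria = _ensure(
                self.working_xml, 'definition',
                lambda: ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
            # OpenIOC 1.0 has no <parameters> block.
            self.parameters = None
        elif namespace == "http://openioc.org/schemas/OpenIOC_1.1":
            self.version = "1.1"
            metadata_root = _ensure(
                self.working_xml, 'metadata',
                lambda: ioc_et.make_metadata_node(
                    name="*Missing*", author="*Missing*",
                    description="*Missing*", links=ioc_et.make_links_node()))
            self.criteria = _ensure(
                self.working_xml, 'criteria',
                lambda: ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
            self.parameters = _ensure(
                self.working_xml, 'parameters', ioc_et.make_parameters_node)
        else:
            raise ValueError(
                "unsupported OpenIOC namespace: %r (expected OpenIOC 1.0 or 1.1)"
                % (namespace,))

        # Metadata children; same "find or create with placeholder" treatment.
        self.name = _ensure(
            metadata_root, 'short_description',
            lambda: ioc_et.make_short_description_node("*Missing*"))
        self.desc = _ensure(
            metadata_root, 'description',
            lambda: ioc_et.make_description_node("*Missing*"))
        self.author = _ensure(
            metadata_root, 'authored_by',
            lambda: ioc_et.make_authored_by_node("*Missing*"))
        self.created = _ensure(
            metadata_root, 'authored_date', ioc_et.make_authored_date_node)
        self.links = _ensure(
            metadata_root, 'links', ioc_et.make_links_node)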
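 def add_link(self, rel, value, href=None):
     '''
     Add a <link> metadata element to the IOC.

     The link is appended under metadata/links; when the IOC has no <links>
     container yet, one is created first.

     input
         rel:    The link/@rel value (the type of link)
         value:  The link/text() value (the content of the link)
         href:   A URI or URL used as the href for the link.  Defaults to None

     returns True
     '''
     links_node = self.metadata.find('links')
     if links_node is None:
         # First link on this IOC: create the <links> container.
         links_node = ioc_et.make_links_node()
         self.metadata.append(links_node)
     links_node.append(ioc_et.make_link_node(rel, value, href))
     return True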
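 def add_link(self, rel, value, href=None):
     '''
     Add a <link> metadata element to the IOC.

     The link is appended under metadata/links; when the IOC has no <links>
     container yet, one is created first.

     input
         rel:    The link/@rel value (the type of link)
         value:  The link/text() value (the content of the link)
         href:   A URI or URL used as the href for the link.  Defaults to None

     returns True
     '''
     links_node = self.metadata.find('links')
     if links_node is None:
         # First link on this IOC: create the <links> container.
         links_node = ioc_et.make_links_node()
         self.metadata.append(links_node)
     link_node = ioc_et.make_link_node(rel, value, href)
     links_node.append(link_node)
     return True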
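    def add_ioc(self, author, version):
        """Create a new, empty IOC document and register it with this manager.

        A fresh root is built with ``ioc_et.make_IOC_root`` for the requested
        schema *version*, filled with placeholder metadata and an empty ``OR``
        indicator tree, wrapped in :class:`IOC` and stored in ``self.iocs``
        under the path it will be saved to.

        Args:
            author: author recorded in the new IOC's metadata (1.0
                ``authored_by`` node / 1.1 ``metadata`` author).
            version: ``"1.0"`` or ``"1.1"``.

        Returns:
            The full path (``working_dir/<id>.ioc``) the new IOC is keyed by.

        Raises:
            ValueError: for any other *version*.  Previously an unknown
                version silently produced a bare root with no metadata or
                criteria, which the IOC wrapper then had to patch up.
        """
        if version not in ("1.0", "1.1"):
            raise ValueError("unsupported OpenIOC version: %r" % (version,))

        new_ioc_xml = ioc_et.make_IOC_root(version=version)

        # The file name derives from the @id that make_IOC_root assigns (the
        # only input here is `version`, nothing caller-supplied), so it is
        # joined into working_dir as is.  Should ids ever be taken from parsed
        # input instead, they would need sanitising before building a path.
        ioc_file = new_ioc_xml.attrib['id'] + ".ioc"
        full_path = os.path.join(self.working_dir, ioc_file)

        if version == "1.0":
            # 1.0: metadata hangs directly off the root; indicators under <definition>.
            new_ioc_xml.append(ioc_et.make_short_description_node(name="*New IOC*"))
            new_ioc_xml.append(ioc_et.make_description_node(text="PyIOCe Generated IOC"))
            new_ioc_xml.append(ioc_et.make_authored_by_node(author=author))
            new_ioc_xml.append(ioc_et.make_authored_date_node())
            new_ioc_xml.append(ioc_et.make_links_node())
            new_ioc_xml.append(ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
        else:
            # 1.1: a <metadata> block, indicators under <criteria>, plus <parameters>.
            # The caller's `author` is honoured here as in the 1.0 branch; the
            # old 1.1 branch hard-coded "PyIOCe" and dropped the argument.
            new_ioc_xml.append(ioc_et.make_metadata_node(
                name="*New IOC*", author=author, description="PyIOCe Generated IOC"))
            new_ioc_xml.append(ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
            new_ioc_xml.append(ioc_et.make_parameters_node())

        self.iocs[full_path] = IOC(new_ioc_xml)
        # A throwaway <New/> replaces the wrapper's copy of the original, so
        # the new IOC never matches anything on disk — presumably how it is
        # flagged as unsaved; confirm against the save/compare logic.
        self.iocs[full_path].orig_xml = et.Element('New')

        return full_path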