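def open_ioc(self, fn):
    '''
    Open an IOC file, or parse an XML string, and return its building blocks.

    This does not need to be called if using the IOC class to open an IOC
    file.

    input
        fn: a path to a file to open, or a string containing XML representing
            an IOC.

    returns a tuple containing FOUR elementTree Element objects
        root                - the entire IOC itself.
        metadata_node       - the <metadata> child of the root, or None when the
                              document has no such element (it is not created
                              here, so callers must check for None).
        top_level_indicator - the top level OR indicator, which allows the user
                              to add additional IndicatorItem or Indicator
                              nodes to the IOC easily.
        parameters_node     - the <parameters> element, created and appended to
                              the root if the document lacked one.

    raises
        IOCParseError if the IOC or string fails to parse.
    '''
    # NOTE(review): IOC files are often exchanged between organisations, so
    # confirm that xmlutils.read_xml_no_ns builds its parser with external
    # entity resolution and network access disabled (e.g. lxml's
    # resolve_entities=False, no_network=True); nothing here re-checks that.
    parsed_xml = xmlutils.read_xml_no_ns(fn)
    if not parsed_xml:
        raise IOCParseError('Error occured parsing XML')
    root = parsed_xml.getroot()
    # Not required to be present; returned as None when absent.
    metadata_node = root.find('metadata')
    top_level_indicator = get_top_level_indicator_node(root)
    parameters_node = root.find('parameters')
    if parameters_node is None:
        # The parameters node is not required by the schema, but we add an
        # empty one so callers can always append parameters without a None check.
        parameters_node = ioc_et.make_parameters_node()
        root.append(parameters_node)
    return (root, metadata_node, top_level_indicator, parameters_node)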
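def __init__(self, ioc_xml):
    '''
    Wrap a parsed IOC root element and normalise it for editing.

    Two deep copies of ioc_xml are kept: working_xml is the tree that gets
    edited, orig_xml is left untouched (a pristine copy for later comparison).
    The OpenIOC version is detected from the document's default namespace.
    Structural children the editor relies on (definition/criteria,
    parameters, metadata fields) are appended with "*Missing*" placeholders
    when absent, so the attributes set here are never None except
    self.parameters for version 1.0.

    input
        ioc_xml: lxml root Element of an OpenIOC 1.0 or 1.1 document.

    raises
        ValueError if the default namespace is missing or is not a supported
        OpenIOC namespace.
    '''
    self.working_xml = copy.deepcopy(ioc_xml)
    self.orig_xml = copy.deepcopy(ioc_xml)
    self.attributes = self.working_xml.attrib

    def find_or_append(parent, tag, make_node):
        # Return parent's <tag> child, creating it with make_node() when absent.
        node = parent.find(tag)
        if node is None:
            parent.append(make_node())
            node = parent.find(tag)
        return node

    # .get() instead of [None]: a document with no default namespace is
    # reported as unsupported below rather than raising a bare KeyError.
    namespace = self.working_xml.nsmap.get(None)
    if namespace == "http://schemas.mandiant.com/2010/ioc":
        self.version = "1.0"
        # In OpenIOC 1.0 the metadata children live directly under the root.
        metadata_root = self.working_xml
        self.criteria = find_or_append(
            self.working_xml, 'definition',
            lambda: ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
        # 1.0 documents have no parameters element.
        self.parameters = None
    elif namespace == "http://openioc.org/schemas/OpenIOC_1.1":
        self.version = "1.1"
        metadata_root = find_or_append(
            self.working_xml, 'metadata',
            lambda: ioc_et.make_metadata_node(name="*Missing*",
                                               author="*Missing*",
                                               description="*Missing*",
                                               links=ioc_et.make_links_node()))
        self.criteria = find_or_append(
            self.working_xml, 'criteria',
            lambda: ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
        self.parameters = find_or_append(
            self.working_xml, 'parameters', ioc_et.make_parameters_node)
    else:
        # Previously an unrecognised namespace fell through to an opaque
        # AttributeError on a placeholder string; fail explicitly instead.
        raise ValueError('Unsupported or missing OpenIOC namespace: %r' % (namespace,))

    self.name = find_or_append(
        metadata_root, 'short_description',
        lambda: ioc_et.make_short_description_node("*Missing*"))
    self.desc = find_or_append(
        metadata_root, 'description',
        lambda: ioc_et.make_description_node("*Missing*"))
    self.author = find_or_append(
        metadata_root, 'authored_by',
        lambda: ioc_et.make_authored_by_node("*Missing*"))
    self.created = find_or_append(
        metadata_root, 'authored_date', ioc_et.make_authored_date_node)
    self.links = find_or_append(
        metadata_root, 'links', ioc_et.make_links_node)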
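def make_ioc(self, name=None, description='Automatically generated IOC', author='IOC_api', links=None, keywords=None, id=None):
    '''
    Generate all parts of an IOC, but without any definition.

    It allows the caller to then add IndicatorItems/Indicator nodes to the
    top level OR statement. This does not need to be called if using the IOC
    class to create an IOC.

    input
        name: string, Name of the ioc
        description: string, description of the ioc
        author: string, author name/email address
        links: list of tuples. Each tuple should be in the form
            (rel, href, value).
        keywords: string. This is normally a space delimited string of values
            that may be used as keywords. NOTE(review): accepted but currently
            not written into the IOC (it is not passed to make_metadata_node);
            confirm whether that is intended.
        id: GUID for the IOC. This should not be specified under normal
            circumstances.

    returns a tuple containing FOUR elementTree Element objects
        root                - the entire IOC itself.
        metadata_node       - the <metadata> element just created.
        top_level_indicator - the top level OR indicator, which allows the user
                              to add additional IndicatorItem or Indicator
                              nodes to the IOC easily.
        parameters_node     - the (empty) parameters node, which allows the
                              user to quickly add/parse parameters.
    '''
    root = ioc_et.make_IOC_root(id)
    root.append(ioc_et.make_metadata_node(name, description, author, links))
    metadata_node = root.find('metadata')
    # Qualified through ioc_et like every other helper in this block, so the
    # call does not depend on a separate module-level import of the name.
    top_level_indicator = ioc_et.make_Indicator_node('OR')
    parameters_node = ioc_et.make_parameters_node()
    root.append(ioc_et.make_criteria_node(top_level_indicator))
    root.append(parameters_node)
    # Stamp the root's last-modified value so the freshly built IOC is dated.
    ioc_et.set_root_lastmodified(root)
    return (root, metadata_node, top_level_indicator, parameters_node)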
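def make_ioc(self, name=None, description='Automatically generated IOC', author='IOC_api', links=None, keywords=None, id=None):
    '''
    Build the skeleton of an IOC: root, metadata, an empty top level OR
    indicator and an empty parameters node, but no indicator definitions.

    The caller adds IndicatorItem/Indicator nodes to the returned top level
    OR statement. This does not need to be called if using the IOC class to
    create an IOC.

    input
        name: string, Name of the ioc
        description: string, description of the ioc
        author: string, author name/email address
        links: list of tuples. Each tuple should be in the form
            (rel, href, value).
        keywords: string, normally a space delimited string of values that may
            be used as keywords. NOTE(review): accepted for interface
            compatibility but not written into the IOC here (not passed to
            make_metadata_node); confirm whether that is intended.
        id: GUID for the IOC. This should not be specified under normal
            circumstances.

    returns a tuple of FOUR elementTree Element objects:
        (root, metadata_node, top_level_indicator, parameters_node)
        root is the entire IOC; metadata_node is its <metadata> child;
        top_level_indicator is the OR node to which IndicatorItem or
        Indicator nodes are added; parameters_node is the empty
        parameters element.
    '''
    root = ioc_et.make_IOC_root(id)
    root.append(ioc_et.make_metadata_node(name, description, author, links))
    metadata_node = root.find('metadata')
    # Use the ioc_et-qualified helper, consistent with the other calls here,
    # rather than relying on an unqualified module-level name.
    top_level_indicator = ioc_et.make_Indicator_node('OR')
    parameters_node = ioc_et.make_parameters_node()
    root.append(ioc_et.make_criteria_node(top_level_indicator))
    root.append(parameters_node)
    # Date the new IOC via its last-modified stamp.
    ioc_et.set_root_lastmodified(root)
    return (root, metadata_node, top_level_indicator, parameters_node)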
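def add_ioc(self, author, version):
    '''
    Create a new, empty IOC of the given OpenIOC version and register it.

    The IOC is stored in self.iocs keyed by the path it will be saved under
    (self.working_dir / <id>.ioc); nothing is written to disk here. Its
    orig_xml is replaced with a bare <New> element — presumably so the IOC
    compares as modified/unsaved against orig_xml; TODO confirm against the
    save and comparison code.

    input
        author: string written as the author of the new IOC (authored_by for
            1.0, metadata author for 1.1).
        version: "1.0" or "1.1".

    returns
        The full path string under which the new IOC is registered.

    raises
        ValueError if version is not "1.0" or "1.1".
    '''
    if version not in ("1.0", "1.1"):
        # Previously an unknown version silently produced a bodyless IOC.
        raise ValueError('Unsupported OpenIOC version: %r' % (version,))
    new_ioc_xml = ioc_et.make_IOC_root(version=version)
    # The file name comes from the id attribute set by make_IOC_root, not from
    # caller input, so no user-controlled path segment reaches working_dir here.
    ioc_file = new_ioc_xml.attrib['id'] + ".ioc"
    full_path = os.path.join(self.working_dir, ioc_file)
    if version == "1.0":
        # OpenIOC 1.0 keeps the metadata children directly under the root.
        new_ioc_xml.append(ioc_et.make_short_description_node(name="*New IOC*"))
        new_ioc_xml.append(ioc_et.make_description_node(text="PyIOCe Generated IOC"))
        new_ioc_xml.append(ioc_et.make_authored_by_node(author=author))
        new_ioc_xml.append(ioc_et.make_authored_date_node())
        new_ioc_xml.append(ioc_et.make_links_node())
        new_ioc_xml.append(ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
    else:
        # OpenIOC 1.1 wraps the metadata in a <metadata> element. The author
        # parameter is honoured here as it is on the 1.0 path (it was
        # previously overridden with a fixed string on this branch).
        new_ioc_xml.append(ioc_et.make_metadata_node(
            name="*New IOC*", author=author, description="PyIOCe Generated IOC"))
        new_ioc_xml.append(ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
        new_ioc_xml.append(ioc_et.make_parameters_node())
    self.iocs[full_path] = IOC(new_ioc_xml)
    self.iocs[full_path].orig_xml = et.Element('New')
    return full_path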