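def export_openioc():
    '''
    Export the tagged items in OpenIOC 1.1 format.

    Prompts the user (``askdirectory``) for the directory the IOC should be
    written to.  Every highlighted range of each tag in the module-level
    ``tags`` list is read back out of the ``text`` widget, de-fanged
    (``[.]`` -> ``.`` and ``[@]`` -> ``@``), de-duplicated per tag and
    turned into one OpenIOC IndicatorItem:

        md5    -> FileItem/Md5sum          (value upper-cased first)
        ipv4   -> PortItem/remoteIP
        domain -> DnsEntryItem/RecordName
        url    -> Network/URI              ('contains' condition)
        email  -> Email/From               ('contains' condition)

    Email tags default to 'Email/From' address, implying that the email
    address found is the source address of an email.  This may not be
    accurate in all cases -- review the generated IOC before deploying it.

    Caveats a consumer of the IOC should know:
      * only ``[.]`` and ``[@]`` are de-fanged; other conventions such as
        ``hxxp://`` or ``(.)`` are exported verbatim and will not match
        live artifacts;
      * de-duplication is exact-match and per tag, so ``Foo.com`` and
        ``foo.com`` yield two indicators;
      * the URI/email items use the ``contains`` condition, so very short
        values can over-match.

    Changes from the previous revision: the unknown-tag warning is printed
    once per tag rather than once per highlighted range, ``print`` is
    called as a function (works on both Python 2 and 3), and per-tag
    de-duplication uses a set instead of a list.

    Returns:
        True.  Nothing is written when the user cancels the directory
        prompt or when no tagged items were found.
    '''

    def make_indicator_item(document, search, content, condition='contains',
                            negate=False, preserve_case=False):
        '''Build a string-typed IndicatorItem for ``document``/``search``.'''
        return ioc_api.make_IndicatorItem_node(
            condition, document, search, 'string', content,
            negate=negate, preserve_case=preserve_case, context_type=None)

    def make_network_uri(uri, condition='contains', negate=False,
                         preserve_case=False):
        '''Network/URI indicator matched with ``condition`` on the URI string.'''
        return make_indicator_item('Network', 'Network/URI', uri,
                                   condition, negate, preserve_case)

    def make_email_from(from_address, condition='contains', negate=False,
                        preserve_case=False):
        '''Email/From indicator -- assumes the address is the *sender*.'''
        return make_indicator_item('Email', 'Email/From', from_address,
                                   condition, negate, preserve_case)

    # Tag name -> IndicatorItem factory.  Anything not listed here is
    # reported and skipped rather than silently dropped.
    builders = {
        'md5': ioc_common.make_fileitem_md5sum,
        'ipv4': ioc_common.make_portitem_remoteip,
        'domain': ioc_common.make_dnsentryitem_recordname,
        'url': make_network_uri,
        'email': make_email_from,
    }

    output_directory = askdirectory(title="Save IOC To")
    if output_directory:
        indicator_nodes = []
        for tag in tags:
            make_node = builders.get(tag)
            if make_node is None:
                print('Unknown tag encountered [%s]' % str(tag))
                continue

            seen = set()  # per-tag exact-match de-duplication
            ranges = text.tag_ranges(tag)
            # tag_ranges() returns a flat (start1, stop1, start2, stop2, ...)
            # sequence; pair the entries up instead of toggling a sentinel.
            # An orphaned trailing start (odd length) is ignored, as before.
            for start, stop in zip(ranges[0::2], ranges[1::2]):
                # De-fang the common '[.]' / '[@]' obfuscations of IP
                # addresses, domain names and email addresses so the
                # indicator matches the real artifact.
                value = text.get(start, stop).replace('[.]', '.').replace('[@]', '@')
                if tag == 'md5':
                    # Normalise hash case so mixed-case copies collapse into
                    # one indicator.
                    value = value.upper()
                if value in seen:
                    continue
                seen.add(value)
                indicator_nodes.append(make_node(value))

        if indicator_nodes:
            ioc_obj = ioc_api.IOC(name="IOC Extractor",
                                  description="IOC generated with IOCExtractor")
            for indicator in indicator_nodes:
                ioc_obj.top_level_indicator.append(indicator)
            # NOTE(review): the output file name is chosen by ioc_api, not by
            # this function -- check it cannot overwrite an existing IOC in
            # the selected directory.
            ioc_obj.write_ioc_to_file(output_directory)
    # NOTE(review): indentation was lost in the source listing; ``return True``
    # is placed at function level here (so True is also returned when the
    # user cancels the prompt) -- confirm against the upstream file.
    return True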
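def export_openioc():
    '''
    Export the tagged items in OpenIOC 1.1 format.

    Prompts the user (``askdirectory``) for the directory the IOC should be
    written to.  Every highlighted range of each tag in the module-level
    ``tags`` list is read back out of the ``text`` widget, de-fanged
    (``[.]`` -> ``.`` and ``[@]`` -> ``@``), de-duplicated per tag and
    turned into one OpenIOC IndicatorItem:

        md5    -> FileItem/Md5sum          (value upper-cased first)
        ipv4   -> PortItem/remoteIP
        domain -> DnsEntryItem/RecordName
        url    -> Network/URI              ('contains' condition)
        email  -> Email/From               ('contains' condition)

    Email tags default to 'Email/From' address, implying that the email
    address found is the source address of an email.  This may not be
    accurate in all cases -- review the generated IOC before deploying it.

    Caveats a consumer of the IOC should know:
      * only ``[.]`` and ``[@]`` are de-fanged; other conventions such as
        ``hxxp://`` or ``(.)`` are exported verbatim and will not match
        live artifacts;
      * de-duplication is exact-match and per tag, so ``Foo.com`` and
        ``foo.com`` yield two indicators;
      * the URI/email items use the ``contains`` condition, so very short
        values can over-match.

    Changes from the previous revision: the unknown-tag warning is printed
    once per tag rather than once per highlighted range, and per-tag
    de-duplication uses a set instead of a list.

    Returns:
        True.  Nothing is written when the user cancels the directory
        prompt or when no tagged items were found.
    '''

    def make_indicator_item(document, search, content, condition='contains',
                            negate=False, preserve_case=False):
        '''Build a string-typed IndicatorItem for ``document``/``search``.'''
        return ioc_api.make_IndicatorItem_node(
            condition, document, search, 'string', content,
            negate=negate, preserve_case=preserve_case, context_type=None)

    def make_network_uri(uri, condition='contains', negate=False,
                         preserve_case=False):
        '''Network/URI indicator matched with ``condition`` on the URI string.'''
        return make_indicator_item('Network', 'Network/URI', uri,
                                   condition, negate, preserve_case)

    def make_email_from(from_address, condition='contains', negate=False,
                        preserve_case=False):
        '''Email/From indicator -- assumes the address is the *sender*.'''
        return make_indicator_item('Email', 'Email/From', from_address,
                                   condition, negate, preserve_case)

    # Tag name -> IndicatorItem factory.  Anything not listed here is
    # reported and skipped rather than silently dropped.
    builders = {
        'md5': ioc_common.make_fileitem_md5sum,
        'ipv4': ioc_common.make_portitem_remoteip,
        'domain': ioc_common.make_dnsentryitem_recordname,
        'url': make_network_uri,
        'email': make_email_from,
    }

    output_directory = askdirectory(title="Save IOC To")
    if output_directory:
        indicator_nodes = []
        for tag in tags:
            make_node = builders.get(tag)
            if make_node is None:
                print('Unknown tag encountered [%s]' % str(tag))
                continue

            seen = set()  # per-tag exact-match de-duplication
            ranges = text.tag_ranges(tag)
            # tag_ranges() returns a flat (start1, stop1, start2, stop2, ...)
            # sequence; pair the entries up instead of toggling a sentinel.
            # An orphaned trailing start (odd length) is ignored, as before.
            for start, stop in zip(ranges[0::2], ranges[1::2]):
                # De-fang the common '[.]' / '[@]' obfuscations of IP
                # addresses, domain names and email addresses so the
                # indicator matches the real artifact.
                value = text.get(start, stop).replace('[.]', '.').replace('[@]', '@')
                if tag == 'md5':
                    # Normalise hash case so mixed-case copies collapse into
                    # one indicator.
                    value = value.upper()
                if value in seen:
                    continue
                seen.add(value)
                indicator_nodes.append(make_node(value))

        if indicator_nodes:
            ioc_obj = ioc_api.IOC(name="IOC Extractor",
                                  description="IOC generated with IOCExtractor")
            for indicator in indicator_nodes:
                ioc_obj.top_level_indicator.append(indicator)
            # NOTE(review): the output file name is chosen by ioc_api, not by
            # this function -- check it cannot overwrite an existing IOC in
            # the selected directory.
            ioc_obj.write_ioc_to_file(output_directory)
    # NOTE(review): indentation was lost in the source listing; ``return True``
    # is placed at function level here (so True is also returned when the
    # user cancels the prompt) -- confirm against the upstream file.
    return True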