def make_IndicatorItem_node(condition, document, search, content_type, content, preserve_case=False, negate=False, context_type='mir', id=None):
    '''
    Build an IndicatorItem element -- the leaf of the IOC that carries the
    actual threat-intelligence term.

    input
        condition: match condition for the item ('is', 'contains', 'matches',
            etc). Must be one of valid_indicatoritem_conditions.
        document: String value. Type of document the encoded artifact is
            looked for in.
        search: String value. Attribute of the document type that the
            encoded value refers to.
        content_type: display type of the item, derived from the iocterm
            for the search value.
        content: string holding the data to be identified.
        preserve_case: Boolean. Whether IndicatorItem/content/text() is
            matched case-sensitively; serialised as the literal 'true'/'false'.
        negate: Boolean. Whether IndicatorItem/@condition is negated, i.e.
            @condition = 'is' & @negate = 'true' is the OpenIOC 1.0
            @condition = 'isnot'; serialised as the literal 'true'/'false'.
        context_type: string giving context to the document/search
            information. Defaults to 'mir'.
        id: string GUID for the IndicatorItem. Normally left unset so a
            fresh GUID is generated; a caller-supplied value is used as-is
            (it is not checked for GUID format or uniqueness).

    returns an elementTree Element item

    raises ValueError when condition is not in valid_indicatoritem_conditions.
    '''
    # Whitelist check: only known conditions may reach the XML as @condition.
    if condition not in valid_indicatoritem_conditions:
        raise ValueError('Invalid IndicatorItem condition [%s]' % str(condition))

    item = et.Element('IndicatorItem')
    # Attribute order matches the historical serialisation:
    # id, condition, preserve-case, negate.
    attributes = (
        ('id', id if id else ioc_et.get_guid()),
        ('condition', condition),
        ('preserve-case', 'true' if preserve_case else 'false'),
        ('negate', 'true' if negate else 'false'),
    )
    for key, value in attributes:
        item.attrib[key] = value

    # document/search/context_type and content_type/content are handed to the
    # ioc_et helpers unchecked; any validation of those values lives there.
    item.append(ioc_et.make_context_node(document, search, context_type))
    item.append(ioc_et.make_content_node(content_type, content))
    return item
def clone_ioc(self, current_ioc):
    """
    Register an in-memory copy of *current_ioc* under a fresh GUID.

    The working XML of the source IOC is deep-copied, its root @id is
    replaced with a new GUID, and the copy is wrapped in an IOC object and
    stored in self.iocs keyed by the path it would occupy inside
    self.working_dir ('<guid>.ioc'). Nothing is written to disk here;
    presumably a later save step does that -- confirm against the caller.

    input
        current_ioc: the IOC object to duplicate (its .working_xml is read).

    return: the full path string used as the key in self.iocs.
    """
    cloned_xml = copy.deepcopy(current_ioc.working_xml)
    fresh_guid = ioc_et.get_guid()
    target_path = os.path.join(self.working_dir, fresh_guid + ".ioc")
    # The clone must not share the source's id; the root @id is the only
    # identifier rewritten here (nested Indicator/IndicatorItem ids keep
    # the copied values).
    cloned_xml.attrib['id'] = fresh_guid

    clone = IOC(cloned_xml)
    self.iocs[target_path] = clone
    # set_modified/set_created presumably stamp the metadata timestamps --
    # TODO confirm in the IOC class.
    clone.set_modified()
    clone.set_created()
    # An empty 'Clone' element stands in for the original XML, apparently
    # marking that this IOC has no on-disk original; verify how callers
    # interpret orig_xml.
    clone.orig_xml = et.Element('Clone')
    return target_path
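def make_Indicator_node(operator, id=None):
    """
    Build an Indicator element, the AND/OR node of the IOC logic tree.

    input
        operator: 'AND' or 'OR' (case-insensitive; stored upper-cased).
        id: a string value used as the Indicator/@id GUID. When omitted
            (or empty) a fresh GUID is generated via ioc_et.get_guid().
            The ID should NOT be specified under normal circumstances; a
            caller-supplied value is used as-is and is not checked for
            GUID format or uniqueness.

    return: elementTree element

    raises ValueError when operator is not 'AND'/'OR'. A non-string
    operator is reported the same way instead of leaking an AttributeError
    from .upper().
    """
    # Validate before anything is built so a bad operator neither burns a
    # GUID nor leaves a half-formed node behind.
    try:
        normalized = operator.upper()
    except AttributeError:
        raise ValueError('Indicator operator must be "AND" or "OR".')
    if normalized not in ("AND", "OR"):
        raise ValueError('Indicator operator must be "AND" or "OR".')

    Indicator_node = et.Element("Indicator")
    Indicator_node.attrib["id"] = id if id else ioc_et.get_guid()
    Indicator_node.attrib["operator"] = normalized
    return Indicator_node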
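def make_Indicator_node(operator, id=None):
    '''
    Build an Indicator element, the AND/OR node of the IOC logic tree.

    input
        operator: 'AND' or 'OR' (case-insensitive; stored upper-cased).
        id: a string value used as the Indicator/@id GUID. When omitted
            (or empty) a fresh GUID is generated via ioc_et.get_guid().
            The ID should NOT be specified under normal circumstances; a
            caller-supplied value is used as-is and is not checked for
            GUID format or uniqueness.

    return: elementTree element

    raises ValueError when operator is not 'AND'/'OR'. A non-string
    operator is reported the same way instead of leaking an AttributeError
    from .upper().
    '''
    # Validate first: a rejected operator should not consume a GUID or
    # leave a half-formed node behind.
    try:
        normalized = operator.upper()
    except AttributeError:
        raise ValueError('Indicator operator must be "AND" or "OR".')
    if normalized not in ('AND', 'OR'):
        raise ValueError('Indicator operator must be "AND" or "OR".')

    Indicator_node = et.Element('Indicator')
    Indicator_node.attrib['id'] = id if id else ioc_et.get_guid()
    Indicator_node.attrib['operator'] = normalized
    return Indicator_node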
def make_IndicatorItem_node(condition, document, search, content_type, content, preserve_case=False, negate=False, context_type='mir', id=None):
    '''
    Create the IndicatorItem leaf that holds one threat-intelligence term.

    input
        condition: the item's match condition ('is', 'contains', 'matches',
            etc). Must appear in valid_indicatoritem_conditions.
        document: String value. The document type the encoded artifact is
            searched in.
        search: String value. Which attribute of that document type the
            encoded value refers to.
        content_type: display type of the item, derived from the iocterm
            for the search value.
        content: string containing the data to be identified.
        preserve_case: Boolean. Whether IndicatorItem/content/text() is
            case sensitive; written as the string 'true' or 'false'.
        negate: Boolean. Whether IndicatorItem/@condition is negated, i.e.
            @condition = 'is' & @negate = 'true' equals OpenIOC 1.0's
            @condition = 'isnot'; written as the string 'true' or 'false'.
        context_type: string giving context to the document/search
            information. Defaults to 'mir'.
        id: string GUID for the IndicatorItem. Should NOT be specified under
            normal circumstances; when falsy a GUID is generated, otherwise
            the value is used verbatim (no format or uniqueness check).

    returns an elementTree Element item

    raises ValueError if condition is not a known IndicatorItem condition.
    '''
    # Only whitelisted conditions may become @condition in the document.
    if condition not in valid_indicatoritem_conditions:
        raise ValueError('Invalid IndicatorItem condition [%s]' % str(condition))

    def as_flag(enabled):
        # OpenIOC wants the lower-case literals, not Python's True/False.
        return 'true' if enabled else 'false'

    node = et.Element('IndicatorItem')
    node.set('id', id or ioc_et.get_guid())
    node.set('condition', condition)
    node.set('preserve-case', as_flag(preserve_case))
    node.set('negate', as_flag(negate))

    # Both child nodes are built by ioc_et; document/search/content are not
    # validated here.
    context_child = ioc_et.make_context_node(document, search, context_type)
    content_child = ioc_et.make_content_node(content_type, content)
    node.append(context_child)
    node.append(content_child)
    return node