Пример #1
0
 def open_ioc(self, fn):
     '''
     Opens an IOC file, or XML string.  Returns the root element, top level
     indicator element, and parameters element.  If the IOC or string fails
     to parse, an IOCParseError is raised.
     
     This does not need to be called if using the IOC class to open an IOC 
     file.
     
     input
         fn: This is a path to a file to open, or a string containing XML 
             representing an IOC.
     
     returns
         a tuple containing three elementTree Element objects
         The first element, the root, contains the entire IOC itself.
         The second element, the top level OR indicator, allows the user to add
             additional IndicatorItem or Indicator nodes to the IOC easily.
         The third element, the parameters node, allows the user to quickly
             parse the parameters.    
     '''
     parsed_xml = xmlutils.read_xml_no_ns(fn)
     if not parsed_xml:
         raise IOCParseError('Error occured parsing XML')
     root = parsed_xml.getroot()
     metadata_node = root.find('metadata')
     top_level_indicator = get_top_level_indicator_node(root)
     parameters_node = root.find('parameters')
     if parameters_node is None:
         # parameters node is not required by schema; but we add it if it is not present
         parameters_node = ioc_et.make_parameters_node()
         root.append(parameters_node)
     return (root, metadata_node, top_level_indicator, parameters_node)
Пример #2
0
 def open_ioc(self, fn):
     '''
     Opens an IOC file, or XML string.  Returns the root element, top level
     indicator element, and parameters element.  If the IOC or string fails
     to parse, an IOCParseError is raised.
     
     This does not need to be called if using the IOC class to open an IOC 
     file.
     
     input
         fn: This is a path to a file to open, or a string containing XML 
             representing an IOC.
     
     returns
         a tuple containing three elementTree Element objects
         The first element, the root, contains the entire IOC itself.
         The second element, the top level OR indicator, allows the user to add
             additional IndicatorItem or Indicator nodes to the IOC easily.
         The third element, the parameters node, allows the user to quickly
             parse the parameters.    
     '''
     parsed_xml = xmlutils.read_xml_no_ns(fn)
     if not parsed_xml:
         raise IOCParseError('Error occured parsing XML')
     root = parsed_xml.getroot()
     metadata_node = root.find('metadata')
     top_level_indicator = get_top_level_indicator_node(root)
     parameters_node = root.find('parameters')
     if parameters_node is None:
         # parameters node is not required by schema; but we add it if it is not present
         parameters_node = ioc_et.make_parameters_node()
         root.append(parameters_node)
     return (root, metadata_node, top_level_indicator, parameters_node)
Пример #3
0
    def __init__(self, ioc_xml):
        self.working_xml = copy.deepcopy(ioc_xml)
        self.orig_xml = copy.deepcopy(ioc_xml)

        self.attributes = self.working_xml.attrib
        metadata_root = "TEST"

        if self.working_xml.nsmap[None] == "http://schemas.mandiant.com/2010/ioc":
            self.version = "1.0"
            metadata_root = self.working_xml

            self.criteria = self.working_xml.find('definition')
            if self.criteria == None:
                self.working_xml.append(ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
                self.criteria = self.working_xml.find('definition')

            self.parameters = None

        elif self.working_xml.nsmap[None] == "http://openioc.org/schemas/OpenIOC_1.1":
            self.version = "1.1"
            metadata_root = self.working_xml.find('metadata')
            if metadata_root == None:
                self.working_xml.append(ioc_et.make_metadata_node(name = "*Missing*", author = "*Missing*", description = "*Missing*", links=ioc_et.make_links_node()))
                metadata_root = self.working_xml.find('metadata')
            
            self.criteria = self.working_xml.find('criteria')
            if self.criteria == None:
                self.working_xml.append(ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
                self.criteria = self.working_xml.find('criteria')

            self.parameters = self.working_xml.find('parameters')
            if self.parameters == None:
                self.working_xml.append(ioc_et.make_parameters_node())
                self.parameters = self.working_xml.find('parameters')

        self.name = metadata_root.find('short_description')
        if self.name == None:
            metadata_root.append(ioc_et.make_short_description_node("*Missing*"))
            self.name = metadata_root.find('short_description')

        self.desc = metadata_root.find('description')
        if self.desc == None:
            metadata_root.append(ioc_et.make_description_node("*Missing*"))
            self.desc = metadata_root.find('description')

        self.author = metadata_root.find('authored_by')
        if self.author == None:
            metadata_root.append(ioc_et.make_authored_by_node("*Missing*"))
            self.author = metadata_root.find('authored_by')

        self.created = metadata_root.find('authored_date')
        if self.created == None:
            metadata_root.append(ioc_et.make_authored_date_node())
            self.created = metadata_root.find('authored_date')

        self.links = metadata_root.find('links')
        if self.links == None:
            metadata_root.append(ioc_et.make_links_node())
            self.links = metadata_root.find('links')
Пример #4
0
 def make_ioc(self,
              name=None,
              description='Automatically generated IOC',
              author='IOC_api',
              links=None,
              keywords=None,
              id=None):
     '''
     This generates all parts of an IOC, but without any definition.
     
     It allows the caller to then add IndicatorItems/Indicator nodes to the 
     top level OR statement.
     
     This does not need to be called if using the IOC class to create an IOC
     
     input
         name:   string, Name of the ioc
         description:    string, description of the iocs
         author: string, author name/email address
         links:  list of tuples.  Each tuple should be in the form 
             (rel, href, value).
         keywords:   string.  This is normally a space delimited string of
             values that may be used as keywords
         id: GUID for the IOC.  This should not be specified under normal
             circumstances.
     
     returns
         a tuple containing three elementTree Element objects
         The first element, the root, contains the entire IOC itself.
         The second element, the top level OR indicator, allows the user to add
             additional IndicatorItem or Indicator nodes to the IOC easily.
         The third element, the parameters node, allows the user to quickly
             parse the parameters.
         
     '''
     root = ioc_et.make_IOC_root(id)
     root.append(ioc_et.make_metadata_node(name, description, author,
                                           links))
     metadata_node = root.find('metadata')
     top_level_indicator = make_Indicator_node('OR')
     parameters_node = (ioc_et.make_parameters_node())
     root.append(ioc_et.make_criteria_node(top_level_indicator))
     root.append(parameters_node)
     ioc_et.set_root_lastmodified(root)
     return (root, metadata_node, top_level_indicator, parameters_node)
Пример #5
0
 def make_ioc(self,
             name = None, 
             description = 'Automatically generated IOC', 
             author = 'IOC_api', 
             links = None,
             keywords = None,
             id = None):
     '''
     This generates all parts of an IOC, but without any definition.
     
     It allows the caller to then add IndicatorItems/Indicator nodes to the 
     top level OR statement.
     
     This does not need to be called if using the IOC class to create an IOC
     
     input
         name:   string, Name of the ioc
         description:    string, description of the iocs
         author: string, author name/email address
         links:  list of tuples.  Each tuple should be in the form 
             (rel, href, value).
         keywords:   string.  This is normally a space delimited string of
             values that may be used as keywords
         id: GUID for the IOC.  This should not be specified under normal
             circumstances.
     
     returns
         a tuple containing three elementTree Element objects
         The first element, the root, contains the entire IOC itself.
         The second element, the top level OR indicator, allows the user to add
             additional IndicatorItem or Indicator nodes to the IOC easily.
         The third element, the parameters node, allows the user to quickly
             parse the parameters.
         
     '''
     root = ioc_et.make_IOC_root(id)
     root.append(ioc_et.make_metadata_node(name, description, author, links))
     metadata_node = root.find('metadata')
     top_level_indicator = make_Indicator_node('OR')
     parameters_node = (ioc_et.make_parameters_node())
     root.append(ioc_et.make_criteria_node(top_level_indicator))
     root.append(parameters_node)
     ioc_et.set_root_lastmodified(root)
     return (root, metadata_node, top_level_indicator, parameters_node)
Пример #6
0
    def add_ioc(self, author, version):
        new_ioc_xml = ioc_et.make_IOC_root(version=version)

        ioc_file = new_ioc_xml.attrib['id'] + ".ioc"
        full_path = os.path.join(self.working_dir, ioc_file)

        if version == "1.0":
            new_ioc_xml.append(ioc_et.make_short_description_node(name = "*New IOC*"))
            new_ioc_xml.append(ioc_et.make_description_node(text="PyIOCe Generated IOC"))
            new_ioc_xml.append(ioc_et.make_authored_by_node(author = author))
            new_ioc_xml.append(ioc_et.make_authored_date_node())
            new_ioc_xml.append(ioc_et.make_links_node())
            new_ioc_xml.append(ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
        elif version == "1.1":
            new_ioc_xml.append(ioc_et.make_metadata_node( name = "*New IOC*", author = "PyIOCe", description = "PyIOCe Generated IOC"))
            new_ioc_xml.append(ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
            new_ioc_xml.append(ioc_et.make_parameters_node())

        self.iocs[full_path] = IOC(new_ioc_xml)
        self.iocs[full_path].orig_xml = et.Element('New')

        return full_path