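def __init__(self, ioc_xml):
    """Wrap a parsed OpenIOC element tree and fill in any required child nodes.

    Args:
        ioc_xml: lxml element for the IOC root. It is deep-copied twice:
            ``working_xml`` is the tree this object edits, ``orig_xml`` is the
            untouched copy kept for comparison. ``attributes`` aliases the
            working root's attribute map.

    Raises:
        ValueError: if the root's default namespace is neither the OpenIOC 1.0
            (Mandiant 2010) nor the OpenIOC 1.1 namespace. Previously an
            unknown namespace silently produced an object whose metadata
            fields were ``-1`` (``str.find`` on the placeholder string) and
            whose ``version`` attribute was never set.
        KeyError: if the root declares no default namespace (``nsmap[None]``).

    NOTE(review): this constructor trusts ``ioc_xml`` as already parsed. Any
    hardening against external entities / entity expansion for IOC files from
    untrusted sources belongs at the call site that builds the tree (lxml
    parser options), not here.
    """
    self.working_xml = copy.deepcopy(ioc_xml)
    self.orig_xml = copy.deepcopy(ioc_xml)
    self.attributes = self.working_xml.attrib

    def ensure(parent, tag, make_node):
        # Return parent's <tag> child, appending a freshly built one when absent.
        # The second find() mirrors the original code: it returns the node as
        # lxml stores it rather than the object make_node() handed back.
        node = parent.find(tag)
        if node is None:
            parent.append(make_node())
            node = parent.find(tag)
        return node

    namespace = self.working_xml.nsmap[None]
    if namespace == "http://schemas.mandiant.com/2010/ioc":
        self.version = "1.0"
        # OpenIOC 1.0 keeps the descriptive metadata directly under the root
        # and has no <parameters> section.
        metadata_root = self.working_xml
        self.criteria = ensure(
            self.working_xml, 'definition',
            lambda: ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
        self.parameters = None
    elif namespace == "http://openioc.org/schemas/OpenIOC_1.1":
        self.version = "1.1"
        # OpenIOC 1.1 groups the metadata under <metadata>; build a placeholder
        # block (all fields "*Missing*") when the document has none.
        metadata_root = ensure(
            self.working_xml, 'metadata',
            lambda: ioc_et.make_metadata_node(name="*Missing*", author="*Missing*",
                                              description="*Missing*",
                                              links=ioc_et.make_links_node()))
        self.criteria = ensure(
            self.working_xml, 'criteria',
            lambda: ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
        self.parameters = ensure(self.working_xml, 'parameters',
                                 ioc_et.make_parameters_node)
    else:
        raise ValueError("unsupported OpenIOC namespace: %r" % (namespace,))

    # Descriptive fields live under metadata_root in both schema versions.
    self.name = ensure(metadata_root, 'short_description',
                       lambda: ioc_et.make_short_description_node("*Missing*"))
    self.desc = ensure(metadata_root, 'description',
                       lambda: ioc_et.make_description_node("*Missing*"))
    self.author = ensure(metadata_root, 'authored_by',
                         lambda: ioc_et.make_authored_by_node("*Missing*"))
    self.created = ensure(metadata_root, 'authored_date',
                          ioc_et.make_authored_date_node)
    self.links = ensure(metadata_root, 'links', ioc_et.make_links_node)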
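def make_ioc(self, name=None, description='Automatically generated IOC', author='IOC_api', links=None, keywords=None, id=None):
    '''
    Build the skeleton of an OpenIOC 1.1 document with an empty top-level OR.

    The caller then attaches IndicatorItem/Indicator nodes to the returned
    top-level OR. This does not need to be called when the IOC class is used
    to create an IOC.

    input
        name: string, name of the IOC
        description: string, description of the IOC
        author: string, author name/email address
        links: list of tuples. Each tuple should be in the form (rel, href, value).
        keywords: string, normally space-delimited keywords. Accepted for API
            compatibility but NOT written into the document by this function.
        id: GUID for the IOC. Should not be specified under normal
            circumstances (a fresh one is generated). The parameter name
            shadows the builtin but is kept so existing callers still work.

    returns a tuple of FOUR lxml Element objects:
        (root, metadata_node, top_level_indicator, parameters_node)
        root              - the entire IOC
        metadata_node     - the <metadata> element
        top_level_indicator - the top-level OR, for adding further nodes
        parameters_node   - the <parameters> element
    '''
    # NOTE(review): add_ioc calls make_IOC_root(version=...); confirm that the
    # first positional parameter of make_IOC_root really is the id.
    root = ioc_et.make_IOC_root(id)
    # Pass the metadata by keyword: the other call sites in this file
    # (IOC.__init__, add_ioc) use name/author/description/links by name, and
    # the positional order (name, description, author, ...) used before could
    # swap author and description if the helper's order differs.
    root.append(ioc_et.make_metadata_node(name=name, author=author,
                                          description=description, links=links))
    metadata_node = root.find('metadata')
    # Use the qualified helper, as every other call in this file does; the
    # bare name make_Indicator_node would need its own import to resolve.
    top_level_indicator = ioc_et.make_Indicator_node('OR')
    parameters_node = ioc_et.make_parameters_node()
    root.append(ioc_et.make_criteria_node(top_level_indicator))
    root.append(parameters_node)
    ioc_et.set_root_lastmodified(root)
    return (root, metadata_node, top_level_indicator, parameters_node)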
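def make_ioc(self, name = None, description = 'Automatically generated IOC', author = 'IOC_api', links = None, keywords = None, id = None):
    '''
    Generate every part of an OpenIOC 1.1 document except the indicator
    definitions, leaving an empty top-level OR for the caller to populate.
    Not needed when the IOC class is used to create an IOC.

    input
        name: string, name of the IOC
        description: string, description of the IOC
        author: string, author name/email address
        links: list of tuples. Each tuple should be in the form (rel, href, value).
        keywords: string, normally space-delimited keywords. Currently unused:
            it is accepted but never written into the document.
        id: GUID for the IOC; should not be specified under normal
            circumstances. The name shadows the builtin and is kept only for
            caller compatibility.

    returns a tuple of four lxml Element objects (the old docstring said
    three): root, the <metadata> node, the top-level OR indicator, and the
    <parameters> node.
    '''
    # NOTE(review): add_ioc invokes make_IOC_root(version=...); verify that a
    # positional first argument is interpreted as the id, not the version.
    root = ioc_et.make_IOC_root(id)
    # Keyword arguments guard against a positional author/description swap;
    # IOC.__init__ and add_ioc pass these fields by name too.
    metadata = ioc_et.make_metadata_node(name=name, author=author,
                                         description=description, links=links)
    root.append(metadata)
    metadata_node = root.find('metadata')
    # Qualified through ioc_et like every other helper call in this file.
    top_level_indicator = ioc_et.make_Indicator_node('OR')
    criteria_node = ioc_et.make_criteria_node(top_level_indicator)
    parameters_node = ioc_et.make_parameters_node()
    root.append(criteria_node)
    root.append(parameters_node)
    ioc_et.set_root_lastmodified(root)
    return (root, metadata_node, top_level_indicator, parameters_node)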
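def add_ioc(self, author, version):
    """Create a new, empty IOC in memory and register it under a fresh path.

    Args:
        author: string written into the authored_by / metadata author field.
            Previously the 1.1 branch ignored this argument and hard-coded
            "PyIOCe"; both branches now honour it, matching the 1.0 branch.
        version: "1.0" or "1.1". Any other value still produces a bare root
            with no children (unchanged behaviour); callers should validate
            the version before calling.

    Returns:
        The full path (``self.working_dir`` joined with ``<id>.ioc``) under
        which the new IOC object is stored in ``self.iocs``. Nothing is
        written to disk here.
    """
    new_ioc_xml = ioc_et.make_IOC_root(version=version)
    # The file name is derived from the root's id attribute. This is safe for
    # os.path.join only if make_IOC_root generates that id itself (no
    # user-controlled path components) -- presumably a GUID; verify.
    ioc_file = new_ioc_xml.attrib['id'] + ".ioc"
    full_path = os.path.join(self.working_dir, ioc_file)
    if version == "1.0":
        # OpenIOC 1.0: metadata fields sit directly under the root.
        new_ioc_xml.append(ioc_et.make_short_description_node(name="*New IOC*"))
        new_ioc_xml.append(ioc_et.make_description_node(text="PyIOCe Generated IOC"))
        new_ioc_xml.append(ioc_et.make_authored_by_node(author=author))
        new_ioc_xml.append(ioc_et.make_authored_date_node())
        new_ioc_xml.append(ioc_et.make_links_node())
        new_ioc_xml.append(ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
    elif version == "1.1":
        # OpenIOC 1.1: metadata grouped under <metadata>, plus criteria and
        # parameters sections.
        new_ioc_xml.append(ioc_et.make_metadata_node(name="*New IOC*",
                                                     author=author,
                                                     description="PyIOCe Generated IOC"))
        new_ioc_xml.append(ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
        new_ioc_xml.append(ioc_et.make_parameters_node())
    self.iocs[full_path] = IOC(new_ioc_xml)
    # A placeholder orig_xml (not a real IOC tree) marks this entry as
    # newly created rather than loaded from an existing file.
    self.iocs[full_path].orig_xml = et.Element('New')
    return full_path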