RubyIOC 0.0.1 → 0.0.2

data/lib/RubyIOC/iocitem/service_item.rb

@@ -16,7 +16,107 @@ module RubyIOC
 			def get_type
 				"ServiceItem"
 			end
+			
+			def scan(indicator)
+				if RubyIOC::Platform.windows?
+					return search_windows_services(indicator)
+				else
+					puts "Not implemented on this platform yet"
+				end
+			end
+			
+			def search_windows_services(indicator)
+				wmi = WIN32OLE.connect("winmgmts:\\")
+				query = "Select * from Win32_Service where "
+				getLogicalDisk = false
+				
+				servicemodetypes = Hash[
+					"SERVICE_AUTO_START" => "Auto", 
+					"SERVICE_BOOT_START" => "Boot", 
+					"SERVICE_DEMAND_START" => "Manual", 
+					"SERVICE_DISABLED" => "Disabled", 
+					"SERVICE_SYSTEM_START" => "System", 
+				]
+				
+				servicestatustypes = Hash[
+					"SERVICE_CONTINUE_PENDING" => "Continue Pending", 
+					"SERVICE_PAUSE_PENDING" => "Pause Pending", 
+					"SERVICE_PAUSED" => "Paused", 
+					"SERVICE_RUNNING" => "Running", 
+					"SERVICE_START_PENDING" => "Start Pending", 
+					"SERVICE_STOP_PENDING" => "Stop Pending", 
+					"SERVICE_STOPPED" => "Stopped", 
+					#***#
+					"SERVICE_UNKNOWN" => "Unknown"
+				]
+				
+				servicetypetypes = Hash[
+					"SERVICE_KERNEL_DRIVER" => "Kernel Driver", 
+					"SERVICE_FILE_SYSTEM_DRIVER" => "File System Driver", 
+					"SERVICE_WIN32_OWN_PROCESS" => "Own Process", 
+					"SERVICE_WIN32_SHARE_PROCESS" => "Share Process", 
+					#***#
+					"SERVICE_ADAPTER" => "Adapter", 
+					"SERVICE_RECOGNIZER_DRIVER" => "Recognizer Driver", 
+					"SERVICE_WIN32_INTERACTIVE_PROCESS" => "Interactive Process"
+				]
+				
+				indicator.each { |i| 
+					case i[:search]
+					when "ServiceItem/arguments"
+					when "ServiceItem/description"
+						query += "Description like '%#{i[:content]}%' "
+					when "ServiceItem/descriptiveName"
+						query += "DisplayName = '#{i[:content]}' "
+					when "ServiceItem/serviceDLL"
+					when "ServiceItem/serviceDLLCertificateIssuer"
+					when "ServiceItem/serviceDLLCertificateSubject"
+					when "ServiceItem/serviceDLLmd5sum"
+					when "ServiceItem/serviceDLLsha1sum"
+					when "ServiceItem/serviceDLLsha256sum"
+					when "ServiceItem/serviceDLLSignatureDescription"
+					when "ServiceItem/serviceDLLSignatureVerified"
+					when "ServiceItem/serviceDLLSignatureExists"
+					when "ServiceItem/mode"
+						query += "StartMode = '#{servicemodetypes[i[:content]]}' "
+					when "ServiceItem/name"
+						query += "Name = '#{i[:content]}' "
+					when "ServiceItem/path"
+						content = i[:content].gsub("\\", "\\\\\\\\")
+						query += "PathName like '%#{[content]}%' "
+					when "ServiceItem/pathCertificateIssuer"
+					when "ServiceItem/pathCertificateSubject"
+					when "ServiceItem/pathmd5sum"
+					when "ServiceItem/pathsha1sum"
+					when "ServiceItem/pathsha256sum"
+					when "ServiceItem/pathSignatureDescription"
+					when "ServiceItem/pathSignatureExists"
+					when "ServiceItem/pathSignatureVerified"
+					when "ServiceItem/pid"
+						query += "ProcessID = #{i[:content]} "
+					when "ServiceItem/startedAs"
+						query += "StartName = '#{i[:content]}' "
+					when "ServiceItem/status"
+						query += "State = '#{servicestatustypes[i[:content]]}' "
+					when "ServiceItem/type"
+						query += "ServiceType = '#{servicetypetypes[i[:content]]}' "
+					when "ServiceItem/serviceDLLMd54Ksum"
+					when "ServiceItem/serviceDLLSha512Sum"
+					when "ServiceItem/serviceDLLSsdeep"
+					when "ServiceItem/pathMd54ksum"
+					when "ServiceItem/pathSha512sum"
+					when "ServiceItem/pathSsdeep"
+					end
+				}
+				
+				services = wmi.ExecQuery(query)
+				services.each { |s|
+					return true
+				}
+				return false
+			end
 		end
+		
 
 		class ServiceItemFactory < RubyIOC::IOCItem::IOCItemFactory
 			def get_type

data/lib/RubyIOC/iocitem/user_item.rb

@@ -78,4 +78,4 @@ module RubyIOC
 
 		UserItemFactory.add_factory(UserItemFactory)
 	end
-end
+end

data/lib/RubyIOC/iocitem/volume_item.rb

@@ -16,6 +16,71 @@ module RubyIOC
 			def get_type
 				"VolumeItem"
 			end
+			
+			def scan(indicator)
+				if RubyIOC::Platform.windows?
+					return search_windows_volumes(indicator)
+				else
+					puts "Not implemented on this platform yet"
+				end
+			end
+			
+			def search_windows_volumes(indicator)
+				wmi = WIN32OLE.connect("winmgmts:\\")
+				query = ""
+				getLogicalDisk = false
+				
+				voltypes = Hash[
+					"DRIVE_UNKNOWN" => "0", 
+					"DRIVE_NO_ROOT_DIR" => "1", 
+					"DRIVE_REMOVABLE" => "2", 
+					"DRIVE_FIXED" => "3", 
+					"DRIVE_REMOTE" => "4", 
+					"DRIVE_CDROM" => "5", 
+					"DRIVE_RAMDISK" => "6"
+				]
+				
+				indicator.each { |i| 
+					case i[:search]
+					when "VolumeItem/ActualAvailableAllocationUnits"
+						query += "FreeSpace = #{i[:content]} "
+					when "VolumeItem/BytesPerSector"
+						query += "BlockSize = #{i[:content]} "
+					when "VolumeItem/CreationTime"
+						query += "InstallDate = '#{i[:content]}' "
+					when "VolumeItem/DevicePath"
+					when "VolumeItem/DriveLetter"
+						query += "DriveLetter = '#{i[:content]}' "
+					when "VolumeItem/FileSystemFlags"
+					when "VolumeItem/FileSystemName"
+						query += "FileSystem = '#{i[:content]}' "
+						getLogicalDisk = true
+					when "VolumeItem/IsMounted"
+					when "VolumeItem/Name"
+						query += "VolumeName = '#{i[:content]}' "
+						getLogicalDisk = true
+					when "VolumeItem/SectorsPerAllocationUnit"
+					when "VolumeItem/SerialNumber"
+						query += "SerialNumber = '#{i[:content]}' "
+					when "VolumeItem/TotalAllocationUnits"
+						query += "Capacity = #{i[:content]} "
+					when "VolumeItem/Type"
+						query += "DriveType = #{voltypes[i[:content]]} "
+					end
+				}
+				
+				if getLogicalDisk then
+					query = "Select * from Win32_LogicalDisk where " + query
+				else
+					query = "Select * from Win32_Volume where " + query
+				end
+
+				volumes = wmi.ExecQuery(query)
+				volumes.each { |v|
+					return true
+				}
+				return false
+			end
 		end
 
 		class VolumeItemFactory < RubyIOC::IOCItem::IOCItemFactory

data/lib/RubyIOC/platform.rb

@@ -33,7 +33,7 @@ module RubyIOC
 		end
 
 		def mac?
-			RubyIOC::Platform.is? /mac|darwin/
+			RubyIOC::Platform.is? /darwin|mac/
 		end
 
 		def bsd?
@@ -41,7 +41,7 @@ module RubyIOC
 		end
 
 		def windows?
-			RubyIOC::Platform.is? /mswin|win|mingw/			
+			RubyIOC::Platform.is? /mswin|mingw/			
 		end
 
 		def solaris?

data/lib/RubyIOC/scanner.rb

@@ -26,7 +26,7 @@ module RubyIOC
 			@ioc.indicators.each { |i| 
 				results << process_indicators(i, results)
 			}
-			puts results.to_yaml
+			return results
 		end
 
 		def get_all_results(items, results)
@@ -68,42 +68,29 @@ module RubyIOC
 
 		def process_indicators(i, results)
 			res = {}
-			search_item = []
 			res[i.id] = {}
 			res[i.id]['items'] = []
 			res[i.id]['operator'] = i.operator
 			res[i.id]['indicators'] = []
-			if i.operator === "AND"
-				i.indicator_item.each { | inditem |
-					tmp = {}
-					tmp[:document] = inditem.document
-					tmp[:search] = inditem.search
-					tmp[:condition] = inditem.condition
-					tmp[:content_type] = inditem.content_type
-					tmp[:content] = inditem.content
-					tmp[:context_type] = inditem.context_type
-					search_item << tmp
-				}
-				res[i.id]['indicators'] << RubyIOC::IOCItem::IOCItemFactory.item_for(search_item[0][:document]).scan(search_item)
-				puts res[i.id]['indicators'].inspect
-			else 
-				i.indicator_item.each { | inditem |
-					tmp = {}
-					tmp[:document] = inditem.document
-					tmp[:search] = inditem.search
-					tmp[:condition] = inditem.condition
-					tmp[:content_type] = inditem.content_type
-					tmp[:content] = inditem.content
-					tmp[:context_type] = inditem.context_type
-					search_item << tmp
-					res[i.id]['indicators'] << RubyIOC::IOCItem::IOCItemFactory.item_for(inditem.document).scan(search_item)
-				}
-			end
+			i.indicator_item.each { | inditem |
+				search_item = []
+				tmp = {}
+				tmp[:document] = inditem.document
+				tmp[:search] = inditem.search
+				tmp[:condition] = inditem.condition
+				tmp[:content_type] = inditem.content_type
+				tmp[:content] = inditem.content
+				tmp[:context_type] = inditem.context_type
+				search_item << tmp
+				res[i.id]['indicators'] << RubyIOC::IOCItem::IOCItemFactory.item_for(inditem.document).scan(search_item)
+			}
+
 			i.indicators.each { |ii |
 				process_indicators(ii, res[i.id]['items'])
 			}
 			res[i.id]['result'] = get_result(i.operator, res[i.id])
 			results << res
+			return results
 		end
 
 	end

data/lib/RubyIOC/version.rb

@@ -1,15 +1,15 @@
-# Copyright (c) 2013 Matt Jezorek
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
-# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
-# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-# IN THE SOFTWARE.
-module RubyIOC
-  VERSION = "0.0.1"
-end
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+module RubyIOC
+  VERSION = "0.0.2"
+end

data/test/test_arp_entry_item.ioc

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="868b1eaa-7d68-4634-9572-a0d442e71814" last-modified="2013-08-04T03:44:46" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>*ARP Entry Test IOC*</short_description>
+  <authored_by>IOCAware</authored_by>
+  <authored_date>2013-06-17T18:00:55</authored_date>
+  <links />
+  <definition>
+    <Indicator operator="OR" id="063979a1-df60-48c8-b514-5d226f192322">
+      <Indicator operator="AND" id="ea7f3691-a790-4295-93ce-58ef7ccdcebb">
+        <IndicatorItem id="7cc9932d-64e5-478e-ae28-b676ce033fa1" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/IPv4Address" type="mir" />
+          <Content type="IP">192.168.1.1</Content>
+        </IndicatorItem>
+        <IndicatorItem id="8f2280f7-ad34-4718-8f7c-32ba28c71f5c" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/PhysicalAddress" type="mir" />
+          <Content type="string">f0:d1:a9:08:6a:60</Content>
+        </IndicatorItem>
+        <IndicatorItem id="17c2ad4f-3f8f-43fa-8aee-e19df4afbae9" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/Interface" type="mir" />
+          <Content type="IP">en1</Content>
+        </IndicatorItem>
+      </Indicator>
+      <Indicator operator="AND" id="8757b126-6b67-47f6-b77a-8158c0a71116">
+        <IndicatorItem id="ba09a245-63b0-4657-9402-f8ecb13693a6" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/Interface" type="mir" />
+          <Content type="IP">eth0</Content>
+        </IndicatorItem>
+        <IndicatorItem id="4269d1ab-0b04-4a67-8946-9ca23d6257e0" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/IPv4Address" type="mir" />
+          <Content type="IP">192.168.1.1</Content>
+        </IndicatorItem>
+        <IndicatorItem id="7c19b193-86be-455f-8be0-13075cb08b04" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/PhysicalAddress" type="mir" />
+          <Content type="string">f0:d1:a9:08:6a:60</Content>
+        </IndicatorItem>
+      </Indicator>
+      <Indicator operator="AND" id="c2a54d35-2c29-4526-8177-db9829985bb6">
+        <IndicatorItem id="6776d766-9ef9-445c-8e94-f1da9364a8f9" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/Interface" type="mir" />
+          <Content type="IP">0xc</Content>
+        </IndicatorItem>
+        <IndicatorItem id="656d1f71-8bde-4ed0-8a6f-7667d523aedb" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/CacheType" type="mir" />
+          <Content type="string">Dynamic</Content>
+        </IndicatorItem>
+        <IndicatorItem id="d4533bab-5a5d-4869-9a31-3da0b4a82e45" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/IPv4Address" type="mir" />
+          <Content type="IP">192.168.237.2</Content>
+        </IndicatorItem>
+        <IndicatorItem id="ab9d4e19-d472-4ec3-a63e-f1e9606daed3" condition="contains">
+          <Context document="ArpEntryItem" search="ArpEntryItem/PhysicalAddress" type="mir" />
+          <Content type="string">00:50:56:ff:ad:9a</Content>
+        </IndicatorItem>
+      </Indicator>
+    </Indicator>
+  </definition>
+</ioc>

data/test/test_dns_entry_item.ioc

@@ -1,14 +1,35 @@
 <?xml version="1.0" encoding="us-ascii"?>
-<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="efce87c7-f78f-4e32-8f3f-b470d1ec693f" last-modified="2013-01-07T01:29:04" xmlns="http://schemas.mandiant.com/2010/ioc">
-  <short_description>*New Unsaved Indicator*</short_description>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="efce87c7-f78f-4e32-8f3f-b470d1ec693f" last-modified="2013-08-04T03:43:19" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>*DNS Entry Test IOC*</short_description>
+  <authored_by>IOCAware</authored_by>
   <authored_date>2013-01-07T01:25:50</authored_date>
   <links />
   <definition>
     <Indicator operator="OR" id="336a594b-3302-4ac8-9512-4f329d660515">
       <IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
-          <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir" />
-          <Content type="string">www.google.com</Content>
-        </IndicatorItem>
+        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir" />
+        <Content type="string">www.yahoo.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="03ff5739-b4e8-47ba-9731-cc05399e3bb1" condition="is">
+        <Context document="DnsEntryItem" search="DnsEntryItem/DataLength" type="mir" />
+        <Content type="int">8</Content>
+      </IndicatorItem>
+      <IndicatorItem id="82b571d3-9432-4cf2-af87-f9d1926cebf5" condition="contains">
+        <Context document="DnsEntryItem" search="DnsEntryItem/RecordName" type="mir" />
+        <Content type="string">www.yahoo.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="5263a013-3877-4038-a441-e7fae573820f" condition="contains">
+        <Context document="DnsEntryItem" search="DnsEntryItem/RecordType" type="mir" />
+        <Content type="string">5</Content>
+      </IndicatorItem>
+      <IndicatorItem id="1d8e01c5-9840-4244-97d9-72c3ea50e61a" condition="contains">
+        <Context document="DnsEntryItem" search="DnsEntryItem/TimeToLive" type="mir" />
+        <Content type="string">2</Content>
+      </IndicatorItem>
+      <IndicatorItem id="cf3a83a1-aac3-4730-9efb-302e919f841f" condition="contains">
+        <Context document="DnsEntryItem" search="DnsEntryItem/RecordData/IPv4Address" type="mir" />
+        <Content type="IP">192.168.237.128</Content>
+      </IndicatorItem>
     </Indicator>
   </definition>
 </ioc>

data/test/test_event_log_item.ioc

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="5a36460c-a57c-4cfd-9731-f3494af1fd19" last-modified="2013-08-04T03:43:19" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>*EventLog Entry Test IOC*</short_description>
+  <authored_by>IOCAware</authored_by>
+  <authored_date>2013-08-01T15:25:30</authored_date>
+  <links />
+  <definition>
+    <Indicator operator="OR" id="8909fba8-d368-4dfb-80e9-3c5bc1414d18">
+      <IndicatorItem id="2011b44a-3ae5-4913-b3e5-9de81449cdcb" condition="contains">
+        <Context document="EventLogItem" search="EventLogItem/category" type="mir" />
+        <Content type="string">Startup of the UMDF reflector</Content>
+      </IndicatorItem>
+      <IndicatorItem id="a60acc9e-677f-4e3f-853c-fa4d3a55d800" condition="contains">
+        <Context document="EventLogItem" search="EventLogItem/categoryNum" type="mir" />
+        <Content type="string">101</Content>
+      </IndicatorItem>
+      <IndicatorItem id="23a5f59d-8aa0-4301-a4e0-f2dbcad956ab" condition="is">
+        <Context document="EventLogItem" search="EventLogItem/genTime" type="mir" />
+        <Content type="date">20121120204608.735041-000</Content>
+      </IndicatorItem>
+      <IndicatorItem id="38c618d6-8699-46d6-b9dc-c772911b21c8" condition="is">
+        <Context document="EventLogItem" search="EventLogItem/EID" type="mir" />
+        <Content type="int">5615</Content>
+      </IndicatorItem>
+      <IndicatorItem id="eb983742-4953-4c76-94fb-5b2c699acd94" condition="contains">
+        <Context document="EventLogItem" search="EventLogItem/log" type="mir" />
+        <Content type="string">System</Content>
+      </IndicatorItem>
+      <IndicatorItem id="a567613d-f99f-4030-b232-47dd49fd0c16" condition="contains">
+        <Context document="EventLogItem" search="EventLogItem/machine" type="mir" />
+        <Content type="string">Win8</Content>
+      </IndicatorItem>
+      <IndicatorItem id="3b5758ac-d356-4912-921f-99744e9a8716" condition="contains">
+        <Context document="EventLogItem" search="EventLogItem/message" type="mir" />
+        <Content type="string">P1: 7.8.9200.16465</Content>
+      </IndicatorItem>
+      <IndicatorItem id="89ba60af-ab43-47dd-aa22-46dbbe9c8c19" condition="contains">
+        <Context document="EventLogItem" search="EventLogItem/source" type="mir" />
+        <Content type="string">MsiInstaller</Content>
+      </IndicatorItem>
+      <IndicatorItem id="f4618c66-92f1-468e-bee9-288404469100" condition="contains">
+        <Context document="EventLogItem" search="EventLogItem/type" type="mir" />
+        <Content type="string">Error</Content>
+      </IndicatorItem>
+      <IndicatorItem id="77ae9c7e-c1cf-4ebd-8abc-c9156351249f" condition="contains">
+        <Context document="EventLogItem" search="EventLogItem/user" type="mir" />
+        <Content type="string">SYSTEM</Content>
+      </IndicatorItem>
+      <IndicatorItem id="55b298ba-7fa2-4faf-9853-c9ae4c2964fb" condition="is">
+        <Context document="EventLogItem" search="EventLogItem/writeTime" type="mir" />
+        <Content type="date">20121228232521.930418-000</Content>
+      </IndicatorItem>
+    </Indicator>
+  </definition>
+</ioc>