RubyIOC 0.0.1 → 0.0.2

data/test/test_port_item.ioc

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="9cbcf8e7-eded-4804-8bfe-51b8af0a4657" last-modified="2013-08-04T03:43:14" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>*PortItem Entry Test IOC*</short_description>
+  <authored_by>IOCAware</authored_by>
+  <authored_date>2013-08-02T04:10:39</authored_date>
+  <links />
+  <definition>
+    <Indicator operator="OR" id="6d0f71b6-bff6-4870-8762-5f355df147e9">
+      <IndicatorItem id="f9a767af-82ee-440c-a7f5-c28665d0a1c6" condition="is">
+        <Context document="PortItem" search="PortItem/CreationTime" type="mir" />
+        <Content type="date" />
+      </IndicatorItem>
+      <IndicatorItem id="90d19f3b-c144-4772-ac2d-9467e1176d85" condition="contains">
+        <Context document="PortItem" search="PortItem/localIP" type="mir" />
+        <Content type="string">0.0.0.0</Content>
+      </IndicatorItem>
+      <IndicatorItem id="7d7257a7-357e-4093-9310-995b7850525a" condition="is">
+        <Context document="PortItem" search="PortItem/localPort" type="mir" />
+        <Content type="int">2968</Content>
+      </IndicatorItem>
+      <IndicatorItem id="6e0d0aa9-3181-4d03-901f-b777b0c96ed3" condition="contains">
+        <Context document="PortItem" search="PortItem/path" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="16aec65b-30f5-4504-8b4a-d7edd6d04725" condition="is">
+        <Context document="PortItem" search="PortItem/pid" type="mir" />
+        <Content type="int">584460</Content>
+      </IndicatorItem>
+      <IndicatorItem id="5cb46c09-10f5-4456-826a-1edb1fc78173" condition="contains">
+        <Context document="PortItem" search="PortItem/process" type="mir" />
+        <Content type="string">EEventManager.exe</Content>
+      </IndicatorItem>
+      <IndicatorItem id="d4f3b040-ea8d-460a-9c95-fc2a0966e060" condition="contains">
+        <Context document="PortItem" search="PortItem/protocol" type="mir" />
+        <Content type="string">TCP</Content>
+      </IndicatorItem>
+      <IndicatorItem id="6331786b-a690-41df-aea4-61071945b10d" condition="contains">
+        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
+        <Content type="IP">0.0.0.0</Content>
+      </IndicatorItem>
+      <IndicatorItem id="de2df8fd-ed8d-4c04-8f83-b3a907866d1d" condition="is">
+        <Context document="PortItem" search="PortItem/remotePort" type="mir" />
+        <Content type="int">0</Content>
+      </IndicatorItem>
+      <IndicatorItem id="de709789-31bd-4ff1-899e-11e16ae8cb55" condition="contains">
+        <Context document="PortItem" search="PortItem/state" type="mir" />
+        <Content type="string">LISTENING</Content>
+      </IndicatorItem>
+    </Indicator>
+  </definition>
+</ioc>

data/test/test_scan.rb

@@ -3,14 +3,39 @@ require "RubyIOC"
 
 class TestScan < Test::Unit::TestCase
 	def test_scan
-	#	find_windows_ioc = File.expand_path(File.dirname(__FILE__)) + "/find_windows.ioc"
-	#	test_user_item = File.expand_path(File.dirname(__FILE__)) + "/test_user_item.ioc"
-		#RubyIOC::Scanner.new(File.read(test_user_item)).scan
-	#	puts RubyIOC::Scanner.new(File.read(test_user_item)).scan
+		find_windows_ioc = File.expand_path(File.dirname(__FILE__)) + "/find_windows.ioc"
+		test_user_item = File.expand_path(File.dirname(__FILE__)) + "/test_user_item.ioc"
+		RubyIOC::Scanner.new(File.read(test_user_item)).scan
+		#puts RubyIOC::Scanner.new(File.read(test_user_item)).scan
 	end
 
 	def test_dns_scan
 		dns_test_ioc =  File.expand_path(File.dirname(__FILE__)) + "/test_dns_entry_item.ioc"
 		RubyIOC::Scanner.new(File.read(dns_test_ioc)).scan
 	end
+	
+	def test_arp_scan
+		arp_test_ioc =  File.expand_path(File.dirname(__FILE__)) + "/test_arp_entry_item.ioc"
+		RubyIOC::Scanner.new(File.read(arp_test_ioc)).scan
+	end
+	
+	def test_event_log
+		event_log_test_ioc =  File.expand_path(File.dirname(__FILE__)) + "/test_event_log_item.ioc"
+		RubyIOC::Scanner.new(File.read(event_log_test_ioc)).scan
+	end
+	
+	def test_port_item
+		port_item_test_ioc =  File.expand_path(File.dirname(__FILE__)) + "/test_port_item.ioc"
+		RubyIOC::Scanner.new(File.read(port_item_test_ioc)).scan
+	end
+	
+	def test_volume_item
+		volume_item_test_ioc =  File.expand_path(File.dirname(__FILE__)) + "/test_volume_item.ioc"
+		RubyIOC::Scanner.new(File.read(volume_item_test_ioc)).scan
+	end
+	
+	def test_service_item
+		service_item_test_ioc =  File.expand_path(File.dirname(__FILE__)) + "/test_service_item.ioc"
+		RubyIOC::Scanner.new(File.read(service_item_test_ioc)).scan
+	end
 end

data/test/test_service_item.ioc

@@ -0,0 +1,143 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="44cd6057-0313-4d10-9d4e-ea457de93964" last-modified="2013-08-09T19:04:15" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>*Service Entry Test IOC*</short_description>
+  <authored_by>IOCAware</authored_by>
+  <authored_date>2013-08-07T18:05:53</authored_date>
+  <links />
+  <definition>
+    <Indicator operator="OR" id="e3aa1508-a120-46bb-a015-966d2f7f53a7">
+      <IndicatorItem id="046c285e-f929-49f9-9a5e-cc0ee7d3deb0" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/arguments" type="mir" />
+        <Content type="string">/Embedding</Content>
+      </IndicatorItem>
+      <IndicatorItem id="7d8e279e-bac1-4bcd-951b-52deadc42af4" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/description" type="mir" />
+        <Content type="string">Provides content indexing</Content>
+      </IndicatorItem>
+      <IndicatorItem id="5abb6bf1-4fe1-4ae5-b94c-bb7309100d29" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir" />
+        <Content type="string">Windows Search</Content>
+      </IndicatorItem>
+      <IndicatorItem id="3a351f3d-71a7-4b98-8741-8dfe7bcabec6" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLL" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="ae6dd1b2-c84c-49bd-bd36-aead64262d68" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLCertificateIssuer" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="57758373-6472-4f9e-b1b6-43fbb04694a9" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLCertificateSubject" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="96238371-c135-4876-a87e-3385c69c48a6" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLmd5sum" type="mir" />
+        <Content type="md5" />
+      </IndicatorItem>
+      <IndicatorItem id="0e672a9f-165b-4b23-b29e-8913d366fa26" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLsha1sum" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="0cb68a9c-2cd9-4af5-83f7-acae52291970" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLsha256sum" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="6f8cfb60-a6e2-4cc6-8612-2143b3ac4017" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureDescription" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="bc465ae2-44a2-4e15-98b2-35757575840d" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureVerified" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="be4e9539-1384-472a-a824-3a2af54ef59a" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureExists" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="1c992a6c-07ba-4115-8331-c35a132b697b" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/mode" type="mir" />
+        <Content type="string">SERVICE_AUTO_START</Content>
+      </IndicatorItem>
+      <IndicatorItem id="4d0478bd-71a2-484e-83df-cacda3a3ffc6" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/name" type="mir" />
+        <Content type="string">WSearch</Content>
+      </IndicatorItem>
+      <IndicatorItem id="95bc9446-cc36-4600-ae30-94d951173cd4" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/path" type="mir" />
+        <Content type="string">C:\Windows\system32\SearchIndexer.exe</Content>
+      </IndicatorItem>
+      <IndicatorItem id="19af4a09-08da-45a0-93db-1533e3c6401f" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/pathCertificateIssuer" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="4fa46f05-4f61-40cd-b934-c78964089a1d" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/pathCertificateSubject" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="fe82a84e-527c-4ed4-a28a-503ed354a10a" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/pathmd5sum" type="mir" />
+        <Content type="md5" />
+      </IndicatorItem>
+      <IndicatorItem id="4e7af7d7-85e7-4fce-afe4-e9643a0fcafd" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/pathsha1sum" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="392d1680-61af-428b-99b6-ca457d25eb92" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/pathsha256sum" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="91496c5a-2d5d-46a7-ba29-252ed6d593f2" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/pathSignatureDescription" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="fe3d3a16-8ac5-4a80-9ecc-5a0f922e60a4" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/pathSignatureExists" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="9e46d045-6336-4950-b742-8904ec37e44b" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/pathSignatureVerified" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="1b5e0645-dc77-4c00-8f2a-6bafb44eab73" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/pid" type="mir" />
+        <Content type="int">3656</Content>
+      </IndicatorItem>
+      <IndicatorItem id="44766230-8c7c-47c0-89f8-aca65b74983c" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/startedAs" type="mir" />
+        <Content type="string">LocalSystem</Content>
+      </IndicatorItem>
+      <IndicatorItem id="09b027f9-5d61-4ea0-b7ba-bf0a63b5ac26" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/status" type="mir" />
+        <Content type="string">SERVICE_RUNNING</Content>
+      </IndicatorItem>
+      <IndicatorItem id="d8ac4411-a8c9-4808-965e-1436ec9ebc28" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/type" type="mir" />
+        <Content type="string">SERVICE_WIN32_OWN_PROCESS</Content>
+      </IndicatorItem>
+      <IndicatorItem id="f46a073c-2e04-4772-8dab-6cdd21bc5511" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLMd54Ksum" type="network" />
+        <Content type="md5" />
+      </IndicatorItem>
+      <IndicatorItem id="cba63714-3fd0-486f-b914-ddbe9a8af57d" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLSha512Sum" type="network" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="2bb62d3e-09b9-4676-afa5-a5ef7b81c045" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/serviceDLLSsdeep" type="network" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="e5f2e937-347f-4ae7-83a3-3481c92ea90e" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/pathMd54ksum" type="network" />
+        <Content type="md5" />
+      </IndicatorItem>
+      <IndicatorItem id="cdece8ce-2857-4a5a-858b-bca46513ef7d" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/pathSha512sum" type="network" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="d5ff3870-c0ea-441e-98e5-d4581c5924fd" condition="contains">
+        <Context document="ServiceItem" search="ServiceItem/pathSsdeep" type="network" />
+        <Content type="string" />
+      </IndicatorItem>
+    </Indicator>
+  </definition>
+</ioc>

data/test/test_user_item.ioc

@@ -1,28 +1,29 @@
 <?xml version="1.0" encoding="us-ascii"?>
-<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="efce87c7-f78f-4e32-8f3f-b470d1ec693f" last-modified="2013-01-07T01:29:04" xmlns="http://schemas.mandiant.com/2010/ioc">
-  <short_description>*New Unsaved Indicator*</short_description>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="efce87c7-f78f-4e32-8f3f-b470d1ec693f" last-modified="2013-08-04T03:44:46" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>*User Item Test IOC*</short_description>
+  <authored_by>IOCAware</authored_by>
   <authored_date>2013-01-07T01:25:50</authored_date>
   <links />
   <definition>
     <Indicator operator="OR" id="336a594b-3302-4ac8-9512-4f329d660515">
+      <IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
+        <Context document="UserItem" search="UserItem/username" type="mir" />
+        <Content type="string">Guest</Content>
+      </IndicatorItem>
       <Indicator operator="AND" id="336a594b-3302-4ac8-9512-4f329d660515">
         <IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
           <Context document="UserItem" search="UserItem/username" type="mir" />
           <Content type="string">Guest</Content>
         </IndicatorItem>
         <IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
-         <Context document="UserItem" search="UserItem/fullname" type="mir" />
-          <Content type="string"></Content>
+          <Context document="UserItem" search="UserItem/fullname" type="mir" />
+          <Content type="string" />
         </IndicatorItem>
         <IndicatorItem id="ff27c0d0-08db-4223-afa1-cc6269fb2b25" condition="contains">
           <Context document="UserItem" search="UserItem/disabled" type="mir" />
           <Content type="string">true</Content>
         </IndicatorItem>
       </Indicator>
-      <IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
-          <Context document="UserItem" search="UserItem/username" type="mir" />
-          <Content type="string">Guest</Content>
-        </IndicatorItem>
     </Indicator>
   </definition>
 </ioc>

data/test/test_volume_item.ioc

@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="6d598961-1ab6-49db-b230-de5ed2ba42f7" last-modified="2013-08-04T16:11:08" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>*Volume Item Test IOC*</short_description>
+  <authored_by>IOCAware</authored_by>
+  <authored_date>2013-08-04T04:01:57</authored_date>
+  <links />
+  <definition>
+    <Indicator operator="OR" id="3c503fa2-26d5-4b02-b612-60cf62208fd9">
+      <IndicatorItem id="e52f0363-e22b-46df-b724-4dde0c99d2e6" condition="is">
+        <Context document="VolumeItem" search="VolumeItem/ActualAvailableAllocationUnits" type="mir" />
+        <Content type="int">27948756992</Content>
+      </IndicatorItem>
+      <IndicatorItem id="52071826-283a-420a-a89b-87d06879740f" condition="is">
+        <Context document="VolumeItem" search="VolumeItem/BytesPerSector" type="mir" />
+        <Content type="int">4096</Content>
+      </IndicatorItem>
+      <IndicatorItem id="562b90eb-0642-4c9d-8d89-25f4060c8f79" condition="is">
+        <Context document="VolumeItem" search="VolumeItem/CreationTime" type="mir" />
+        <Content type="date" />
+      </IndicatorItem>
+      <IndicatorItem id="22613831-5260-4e5d-96c6-168e416b5e64" condition="contains">
+        <Context document="VolumeItem" search="VolumeItem/DevicePath" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="5218a43b-99ac-476d-9207-612ee7afa179" condition="is">
+        <Context document="VolumeItem" search="VolumeItem/DriveLetter" type="mir" />
+        <Content type="string">E:</Content>
+      </IndicatorItem>
+      <IndicatorItem id="2b182820-076d-48a9-85be-0aaec9c42362" condition="contains">
+        <Context document="VolumeItem" search="VolumeItem/FileSystemFlags" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="f27c2ba3-5b79-4ce6-b48c-655b89ea2f17" condition="is">
+        <Context document="VolumeItem" search="VolumeItem/FileSystemName" type="mir" />
+        <Content type="string">NTFS</Content>
+      </IndicatorItem>
+      <IndicatorItem id="eb3c817c-9374-4e85-a911-001257f29f00" condition="is">
+        <Context document="VolumeItem" search="VolumeItem/IsMounted" type="mir" />
+        <Content type="string">true</Content>
+      </IndicatorItem>
+      <IndicatorItem id="b9b7606e-9c9b-49ba-8105-6f2e1748e4d6" condition="contains">
+        <Context document="VolumeItem" search="VolumeItem/Name" type="mir" />
+        <Content type="string">Installs</Content>
+      </IndicatorItem>
+      <IndicatorItem id="635cf2ce-bf20-4198-9007-da73bd899b75" condition="contains">
+        <Context document="VolumeItem" search="VolumeItem/SectorsPerAllocationUnit" type="mir" />
+        <Content type="string" />
+      </IndicatorItem>
+      <IndicatorItem id="a7617aee-9e7a-4755-bdc2-05ba4202d6fd" condition="is">
+        <Context document="VolumeItem" search="VolumeItem/SerialNumber" type="mir" />
+        <Content type="string">2119600036</Content>
+      </IndicatorItem>
+      <IndicatorItem id="c48ffe07-4570-4899-aa62-e7097256209d" condition="is">
+        <Context document="VolumeItem" search="VolumeItem/TotalAllocationUnits" type="mir" />
+        <Content type="string">212696297472</Content>
+      </IndicatorItem>
+      <IndicatorItem id="e58e0fa5-943e-4f28-a22e-20f2c23e2ed4" condition="contains">
+        <Context document="VolumeItem" search="VolumeItem/Type" type="mir" />
+        <Content type="string">DRIVE_FIXED</Content>
+      </IndicatorItem>
+    </Indicator>
+  </definition>
+</ioc>

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: RubyIOC
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-12 00:00:00.000000000 Z
+date: 2013-09-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: roxml
-  requirement: &14073948 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,7 +21,12 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *14073948
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: RubyIOC is a ruby library used for indicators of compromise
 email:
 - mjezorek@gmail.com
@@ -35,6 +40,7 @@ files:
 - README.md
 - Rakefile
 - RubyIOC.gemspec
+- iocaware.iocterms
 - lib/RubyIOC.rb
 - lib/RubyIOC/ioc.rb
 - lib/RubyIOC/iocitem.rb
@@ -71,10 +77,15 @@ files:
 - lib/RubyIOC/scanner.rb
 - lib/RubyIOC/version.rb
 - test/find_windows.ioc
+- test/test_arp_entry_item.ioc
 - test/test_dns_entry_item.ioc
+- test/test_event_log_item.ioc
 - test/test_iocitem_factory.rb
+- test/test_port_item.ioc
 - test/test_scan.rb
+- test/test_service_item.ioc
 - test/test_user_item.ioc
+- test/test_volume_item.ioc
 - test/zeus.ioc
 homepage: ''
 licenses: []
@@ -96,7 +107,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: RubyIOC
-rubygems_version: 1.8.16
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: RubyIOC is a ruby library used for indicators of compromise