RubyIOC 0.0.1

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*
+*.rbc
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/

data/Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+# Specify your gem's dependencies in RubyIOC.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,7 @@
+Copyright (c) 2013 Matt Jezorek
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,7 @@
+RubyIOC is a ruby gem for use with indicators of compromise
+
+==Features==
+* Read indiicators of compromise
+* Validate indicators of compromise
+* Write indicators of compromise
+==TODO==

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new do |t|
+	t.libs << "test"
+	t.test_files = FileList['test/test*.rb']
+	t.verbose = false
+end

data/RubyIOC.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "RubyIOC/version"
+
+Gem::Specification.new do |s|
+  s.name        = "RubyIOC"
+  s.version     = RubyIOC::VERSION
+  s.authors     = ["Matt Jezorek"]
+  s.email       = ["mjezorek@gmail.com"]
+  s.homepage    = ""
+  s.summary     = %q{RubyIOC is a ruby library used for indicators of compromise}
+  s.description = %q{RubyIOC is a ruby library used for indicators of compromise}
+
+  s.rubyforge_project = "RubyIOC"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # specify any dependencies here; for example:
+  # s.add_development_dependency "rspec"
+  s.add_runtime_dependency "roxml"
+end

data/lib/RubyIOC.rb

@@ -0,0 +1,39 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+require "rexml/document"
+
+require "RubyIOC/version"
+require "RubyIOC/platform"
+require "RubyIOC/iocterm"
+require "RubyIOC/iocitem"
+require "RubyIOC/ioc"
+require "RubyIOC/scanner"
+
+=begin rdoc
+	RubyIOC is a simple gem that will allow the scanning of a system with indicators of compromise. RubyIOC will not tell you if the machine
+	is compromised or not but it will give you a score and what indicators have been found. Ideally you will want to see 0% and 0 found indicators.
+	However you may come back with 1% ond 2 indicators out of 200. It will also provide you a reference to the found indicators. From here you
+	can investigate whatever machine you wish to investigate. 
+
+	Please note that when you use this software you are running on possibly compromised machiens, any credentials you use to facilitate the scan 
+	should be considered compromised
+=end
+
+
+class String
+  def to_bool
+    return true   if self == true   || self =~ (/(true|t|yes|y|1)$/i)
+    return false  if self == false  || self.blank? || self =~ (/(false|f|no|n|0)$/i)
+    raise ArgumentError.new("invalid value for Boolean: \"#{self}\"")
+  end
+end

data/lib/RubyIOC/ioc.rb

@@ -0,0 +1,58 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+=begin rdoc
+=end
+require "roxml"
+
+module RubyIOC
+
+	class IndicatorItem
+		include ROXML
+		xml_name 'IndicatorItem'
+		xml_reader :id, :from => "@id"
+		xml_reader :condition, :from => "@condition"
+		xml_reader :context, :from => "Context"
+		xml_reader :content, :from => "Content"
+		xml_reader :document, :from => "@document", :in => "Context"
+		xml_reader :search, :from => "@search", :in => "Context"
+		xml_reader :context_type, :from => "@type", :in => "Context"
+		xml_reader :content_type, :from => "@type", :in => "Content"
+
+	end
+
+	class Indicator
+		include ROXML
+		xml_name 'Indicator'
+		xml_reader :id, :from => "@id"
+		xml_reader :operator, :from => "@operator"
+		xml_reader :indicator_item, :as => [RubyIOC::IndicatorItem]
+		xml_reader :indicators, :as => [RubyIOC::Indicator]
+	end
+
+	class IOC
+		include ROXML
+=begin rdoc
+		This class is to create the IOC XML file so that we can read it in and process it easily
+=end
+		xml_reader :id, :from => "@id"
+		xml_reader :last_modified, :from => "@last-modified"
+		xml_reader :short_description
+		xml_reader :description
+		xml_reader :keywords
+		xml_reader :authored_by
+		xml_reader :authored_date
+		xml_reader :links
+		xml_reader :indicators, :as => [RubyIOC::Indicator], :in => "definition"
+	end
+end

data/lib/RubyIOC/iocitem.rb

@@ -0,0 +1,59 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+module RubyIOC
+	module IOCItem
+		class IOCItemFactory
+
+			def initialize
+				IOCItemFactory.load
+			end
+			
+			def get_type
+				""
+			end
+
+			def create
+				nil
+			end
+
+			@@factories = []
+
+			def IOCItemFactory.add_factory(factory)
+				@@factories.push(factory)
+			end
+
+			def IOCItemFactory.factories
+				@@factories
+			end
+
+			def IOCItemFactory.item_for(type)
+				@@factories.each { |itemfactory|
+					itf = itemfactory.new
+					if itf.get_type == type
+						return itf.create
+					end
+				}
+				nil
+			end
+
+			def IOCItemFactory.load
+				directory = File.expand_path(File.dirname(__FILE__)) + "/iocitem"
+				Dir.open(directory).each { |fn|
+					next unless (fn =~ /[.]rb$/)
+					require "#{directory}/#{fn}"
+				}
+			end
+		end
+	end
+end
+RubyIOC::IOCItem::IOCItemFactory.load

data/lib/RubyIOC/iocitem/arp_entry_item.rb

@@ -0,0 +1,33 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+module RubyIOC
+	module IOCItem
+		class ArpEntryItem < RubyIOC::IOCTerm
+			def get_type
+				"ArpEntryItem"
+			end
+		end
+
+		class ArpEntryItemFactory < RubyIOC::IOCItem::IOCItemFactory
+			def get_type
+				"ArpEntryItem"
+			end
+
+			def create
+				ArpEntryItem.new
+			end
+		end
+
+		ArpEntryItemFactory.add_factory(ArpEntryItemFactory)
+	end
+end

data/lib/RubyIOC/iocitem/cookie_history_item.rb

@@ -0,0 +1,33 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+module RubyIOC
+	module IOCItem
+		class CookieHistoryItem < RubyIOC::IOCTerm
+			def get_type
+				"CookieHistoryItem"
+			end
+		end
+
+		class CookieHistoryItemFactory < RubyIOC::IOCItem::IOCItemFactory
+			def get_type
+				"CookieHistoryItem"
+			end
+
+			def create
+				CookieHistoryItem.new
+			end
+		end
+
+		CookieHistoryItemFactory.add_factory(CookieHistoryItemFactory)
+	end
+end

data/lib/RubyIOC/iocitem/disk_item.rb

@@ -0,0 +1,33 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+module RubyIOC
+	module IOCItem
+		class DiskItem < RubyIOC::IOCTerm
+			def get_type
+				"DiskItem"
+			end
+		end
+
+		class DiskItemFactory < RubyIOC::IOCItem::IOCItemFactory
+			def get_type
+				"DiskItem"
+			end
+
+			def create
+				DiskItem.new
+			end
+		end
+
+		DiskItemFactory.add_factory(DiskItemFactory)
+	end
+end

data/lib/RubyIOC/iocitem/dns_entry_item.rb

@@ -0,0 +1,66 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+module RubyIOC
+	module IOCItem
+		class DnsEntryItem < RubyIOC::IOCTerm
+			def get_type
+				"DnsEntryItem"
+			end
+
+			def scan(indicator)
+				if RubyIOC::Platform.windows?
+					return search_windows_dns(indicator)
+				else
+					puts "Not implemented on this platform yet"
+				end
+			end
+
+			def search_windows_dns(indicator)
+				dns = get_windows_dns_cache
+				puts dns.to_yaml
+				return false
+			end
+
+			def get_windows_dns_cache
+				dns = []
+				dns_cache =`ipconfig /displaydns`
+				blocks = dns_cache.split(/\n\n/)
+				blocks.each do | block |
+					#puts block
+					temp = {}
+					temp[:record_name] = block.match(/\s*Record Name.*:\s(?<record>.*)/).to_a[1]
+					temp[:record_type] = block.match(/\s*Record Type.*:\s(?<record>.*)/).to_a[1]
+					temp[:time_to_live] = block.match(/\s*Time To Live.*:\s(?<record>.*)/).to_a[1]
+					temp[:data_length] = block.match(/\s*Data Length.*:\s(?<record>.*)/).to_a[1]
+					temp[:section] = block.match(/\s*Section.*:\s(?<record>.*)/).to_a[1]
+					temp[:a_record] = block.match(/\s*A \(Host\) Record.*:\s(?<record>.*)/).to_a[1]
+					temp[:cname] = block.match(/\s*CNAME Record.*:\s(?<record>.*)/).to_a[1]
+					dns << temp
+				end
+				return dns
+			end
+		end
+
+		class DnsEntryItemFactory < RubyIOC::IOCItem::IOCItemFactory
+			def get_type
+				"DnsEntryItem"
+			end
+
+			def create
+				DnsEntryItem.new
+			end
+		end
+
+		DnsEntryItemFactory.add_factory(DnsEntryItemFactory)
+	end
+end

data/lib/RubyIOC/iocitem/driver_item.rb

@@ -0,0 +1,33 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+module RubyIOC
+	module IOCItem
+		class DriverItem < RubyIOC::IOCTerm
+			def get_type
+				"DriverItem"
+			end
+		end
+
+		class DriverItemFactory < RubyIOC::IOCItem::IOCItemFactory
+			def get_type
+				"DriverItem"
+			end
+
+			def create
+				DriverItem.new
+			end
+		end
+
+		DriverItemFactory.add_factory(DriverItemFactory)
+	end
+end