RubyIOC 0.0.1

data/lib/RubyIOC/scanner.rb

@@ -0,0 +1,110 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+require "rubygems"
+require "active_support"
+require "yaml"
+require "pp"
+module RubyIOC
+	class Scanner
+		def initialize(iocXML)
+			@ioc = RubyIOC::IOC.from_xml(iocXML)
+		end
+
+		def scan
+			results = []
+			indicators = []
+			@ioc.indicators.each { |i| 
+				results << process_indicators(i, results)
+			}
+			puts results.to_yaml
+		end
+
+		def get_all_results(items, results)
+			items.each { | a | 
+				a.each_pair { |k,v| 
+					results << v['result']
+				}
+			}
+			return results
+		end
+
+		def get_result(operator, results) 
+			result = false
+			# setup what indicators we want
+			indicators = results['indicators']
+			if indicators.empty? 
+				indicators = get_all_results(results['items'], [])
+			end
+			case operator
+			when "OR"
+				result = false
+				indicators.each { |ind |
+					if ind == true
+						result = true
+					end
+				}
+			when "AND"
+				result = true
+				indicators.each { |ind|
+					if ind == false
+						result = false
+					end
+				}
+			else 
+				puts "You have me an invalid operator"
+			end
+			return result
+		end
+
+		def process_indicators(i, results)
+			res = {}
+			search_item = []
+			res[i.id] = {}
+			res[i.id]['items'] = []
+			res[i.id]['operator'] = i.operator
+			res[i.id]['indicators'] = []
+			if i.operator === "AND"
+				i.indicator_item.each { | inditem |
+					tmp = {}
+					tmp[:document] = inditem.document
+					tmp[:search] = inditem.search
+					tmp[:condition] = inditem.condition
+					tmp[:content_type] = inditem.content_type
+					tmp[:content] = inditem.content
+					tmp[:context_type] = inditem.context_type
+					search_item << tmp
+				}
+				res[i.id]['indicators'] << RubyIOC::IOCItem::IOCItemFactory.item_for(search_item[0][:document]).scan(search_item)
+				puts res[i.id]['indicators'].inspect
+			else 
+				i.indicator_item.each { | inditem |
+					tmp = {}
+					tmp[:document] = inditem.document
+					tmp[:search] = inditem.search
+					tmp[:condition] = inditem.condition
+					tmp[:content_type] = inditem.content_type
+					tmp[:content] = inditem.content
+					tmp[:context_type] = inditem.context_type
+					search_item << tmp
+					res[i.id]['indicators'] << RubyIOC::IOCItem::IOCItemFactory.item_for(inditem.document).scan(search_item)
+				}
+			end
+			i.indicators.each { |ii |
+				process_indicators(ii, res[i.id]['items'])
+			}
+			res[i.id]['result'] = get_result(i.operator, res[i.id])
+			results << res
+		end
+
+	end
+end

data/lib/RubyIOC/version.rb

@@ -0,0 +1,15 @@
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+module RubyIOC
+  VERSION = "0.0.1"
+end

data/test/find_windows.ioc

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="c32ab7b5-49c8-40cc-8a12-ef5c3ba91311" last-modified="2011-10-28T19:28:20" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>FIND WINDOWS</short_description>
+  <description>This is a sample IOC that will hit on a number different artifacts present on a Windows computer. This IOC is used to test or illustrate the use of an IOC.</description>
+  <keywords />
+  <authored_by>Mandiant</authored_by>
+  <authored_date>0001-01-01T00:00:00</authored_date>
+  <links />
+  <definition>
+    <Indicator operator="OR" id="2e693207-ae90-4f9b-8a31-67f31f1d263c">
+      <IndicatorItem id="5ebfad1c-6f1a-472b-ae58-6fdfede0f4e7" condition="contains">
+        <Context document="FileItem" search="FileItem/FullPath" type="mir" />
+        <Content type="string">\kernel32.dll</Content>
+      </IndicatorItem>
+      <IndicatorItem id="5b79c908-9d4d-4536-8699-9538af1576e8" condition="is">
+        <Context document="FileItem" search="FileItem/FileName" type="mir" />
+        <Content type="string">win.ini</Content>
+      </IndicatorItem>
+      <IndicatorItem id="d1e188e1-fae6-488d-ba2f-a900abb21f14" condition="contains">
+        <Context document="FileItem" search="FileItem/FileExtension" type="mir" />
+        <Content type="string">evt</Content>
+      </IndicatorItem>
+      <IndicatorItem id="78af913e-a007-4f8a-864f-b543dd7a6d09" condition="is">
+        <Context document="ProcessItem" search="ProcessItem/name" type="mir" />
+        <Content type="string">explorer.exe</Content>
+      </IndicatorItem>
+      <IndicatorItem id="9aaa6f73-5bd5-4dbe-b36f-73ee2e74655d" condition="is">
+        <Context document="EventLogItem" search="EventLogItem/EID" type="mir" />
+        <Content type="int">6009</Content>
+      </IndicatorItem>
+      <IndicatorItem id="16db1a80-af40-45fc-9db6-484bf372213b" condition="is">
+        <Context document="UserItem" search="UserItem/Username" type="mir" />
+        <Content type="string">Administrator</Content>
+      </IndicatorItem>
+      <IndicatorItem id="9a87eb7e-2b26-40a1-a8f6-7afa7d546aeb" condition="is">
+        <Context document="ServiceItem" search="ServiceItem/name" type="mir" />
+        <Content type="string">TrkWks</Content>
+      </IndicatorItem>
+      <IndicatorItem id="0f605238-d7e1-4c5b-970c-071e50b82c22" condition="contains">
+        <Context document="RegistryItem" search="RegistryItem/Path" type="mir" />
+        <Content type="string">\DosDevices\C:</Content>
+      </IndicatorItem>
+      <IndicatorItem id="e0b70fd0-38ac-4da2-a0eb-a9a9bb90e78f" condition="is">
+        <Context document="PortItem" search="PortItem/localPort" type="mir" />
+        <Content type="string">445</Content>
+      </IndicatorItem>
+      <IndicatorItem id="faed6244-b531-46e1-9be9-baf19fc977b7" condition="is">
+        <Context document="VolumeItem" search="VolumeItem/DriveLetter" type="mir" />
+        <Content type="string">C</Content>
+      </IndicatorItem>
+      <IndicatorItem id="2e463fa6-fe0e-403c-9fa9-894bd42f8a82" condition="is">
+        <Context document="DiskItem" search="DiskItem/DiskName" type="mir" />
+        <Content type="string">\\.\PhysicalDrive0</Content>
+      </IndicatorItem>
+      <IndicatorItem id="a7fdaf04-51dc-4c7e-a1e1-d4baf40e863d" condition="is">
+        <Context document="HookItem" search="HookItem/HookedModule" type="mir" />
+        <Content type="string">disk.sys</Content>
+      </IndicatorItem>
+      <IndicatorItem id="f23f9121-9618-43c0-860b-d0f7122e23de" condition="is">
+        <Context document="DriverItem" search="DriverItem/DriverName" type="mir" />
+        <Content type="string">disk.sys</Content>
+      </IndicatorItem>
+      <Indicator operator="AND" id="990fbe29-6af6-45cb-b07e-6d13c5a30617">
+        <IndicatorItem id="de7c6347-34d8-4a16-b559-38d9f4e6aabb" condition="is">
+          <Context document="FileItem" search="FileItem/FileName" type="mir" />
+          <Content type="string">sens.dll</Content>
+        </IndicatorItem>
+        <IndicatorItem id="96b8856c-f865-4805-93ed-aa8780b87617" condition="is">
+          <Context document="FileItem" search="FileItem/PEInfo/DigitalSignature/SignatureExists" type="mir" />
+          <Content type="string">true</Content>
+        </IndicatorItem>
+      </Indicator>
+    </Indicator>
+  </definition>
+</ioc>

data/test/test_dns_entry_item.ioc

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="efce87c7-f78f-4e32-8f3f-b470d1ec693f" last-modified="2013-01-07T01:29:04" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>*New Unsaved Indicator*</short_description>
+  <authored_date>2013-01-07T01:25:50</authored_date>
+  <links />
+  <definition>
+    <Indicator operator="OR" id="336a594b-3302-4ac8-9512-4f329d660515">
+      <IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
+          <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir" />
+          <Content type="string">www.google.com</Content>
+        </IndicatorItem>
+    </Indicator>
+  </definition>
+</ioc>

data/test/test_iocitem_factory.rb

@@ -0,0 +1,17 @@
+require "test/unit"
+require "RubyIOC"
+
+class TestIocItemFactory < Test::Unit::TestCase
+	def test_factories_exist
+		assert_not_nil RubyIOC::IOCItem::IOCItemFactory.factories
+		assert_not_equal RubyIOC::IOCItem::IOCItemFactory.factories.size, 0
+	end
+
+	#def test_factories_can_be_retrieved
+	#	RubyIOC::IOCItem::IOCItemFactory.factories.each { |f|
+	#	 type = f.new.get_type
+	#	 assert_not_nil RubyIOC::IOCItem::IOCItemFactory.item_for(type)
+	#	 assert_equal RubyIOC::IOCItem::IOCItemFactory.item_for(type).get_type, type
+	#	}
+	#end
+end

data/test/test_scan.rb

@@ -0,0 +1,16 @@
+require "test/unit"
+require "RubyIOC"
+
+class TestScan < Test::Unit::TestCase
+	def test_scan
+	#	find_windows_ioc = File.expand_path(File.dirname(__FILE__)) + "/find_windows.ioc"
+	#	test_user_item = File.expand_path(File.dirname(__FILE__)) + "/test_user_item.ioc"
+		#RubyIOC::Scanner.new(File.read(test_user_item)).scan
+	#	puts RubyIOC::Scanner.new(File.read(test_user_item)).scan
+	end
+
+	def test_dns_scan
+		dns_test_ioc =  File.expand_path(File.dirname(__FILE__)) + "/test_dns_entry_item.ioc"
+		RubyIOC::Scanner.new(File.read(dns_test_ioc)).scan
+	end
+end

data/test/test_user_item.ioc

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="efce87c7-f78f-4e32-8f3f-b470d1ec693f" last-modified="2013-01-07T01:29:04" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>*New Unsaved Indicator*</short_description>
+  <authored_date>2013-01-07T01:25:50</authored_date>
+  <links />
+  <definition>
+    <Indicator operator="OR" id="336a594b-3302-4ac8-9512-4f329d660515">
+      <Indicator operator="AND" id="336a594b-3302-4ac8-9512-4f329d660515">
+        <IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
+          <Context document="UserItem" search="UserItem/username" type="mir" />
+          <Content type="string">Guest</Content>
+        </IndicatorItem>
+        <IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
+         <Context document="UserItem" search="UserItem/fullname" type="mir" />
+          <Content type="string"></Content>
+        </IndicatorItem>
+        <IndicatorItem id="ff27c0d0-08db-4223-afa1-cc6269fb2b25" condition="contains">
+          <Context document="UserItem" search="UserItem/disabled" type="mir" />
+          <Content type="string">true</Content>
+        </IndicatorItem>
+      </Indicator>
+      <IndicatorItem id="1d1ca6f3-6bf9-4c8a-812e-3e9879f5ad29" condition="contains">
+          <Context document="UserItem" search="UserItem/username" type="mir" />
+          <Content type="string">Guest</Content>
+        </IndicatorItem>
+    </Indicator>
+  </definition>
+</ioc>

data/test/zeus.ioc

@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="6d2a1b03-b216-4cd8-9a9e-8827af6ebf93" last-modified="2011-10-28T19:28:20" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <short_description>Zeus</short_description>
+  <description>Finds Zeus variants, twexts, sdra64, ntos</description>
+  <keywords />
+  <authored_by>Mandiant</authored_by>
+  <authored_date>0001-01-01T00:00:00</authored_date>
+  <links />
+  <definition>
+    <Indicator operator="OR" id="9c8df971-32a8-4ede-8a3a-c5cb2c1439c6">
+      <Indicator operator="AND" id="0781258f-6960-4da5-97a0-ec35fb403cac">
+        <IndicatorItem id="50455b63-35bf-4efa-9f06-aeba2980f80a" condition="contains">
+          <Context document="ProcessItem" search="ProcessItem/name" type="mir" />
+          <Content type="string">winlogon.exe</Content>
+        </IndicatorItem>
+        <IndicatorItem id="b05d9b40-0528-461f-9721-e31d5651abdc" condition="contains">
+          <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir" />
+          <Content type="string">File</Content>
+        </IndicatorItem>
+        <Indicator operator="OR" id="67505775-6577-43b2-bccd-74603223180a">
+          <IndicatorItem id="c5ae706f-c032-4da7-8acd-4523f1dae9f6" condition="contains">
+            <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" />
+            <Content type="string">system32\sdra64.exe</Content>
+          </IndicatorItem>
+          <IndicatorItem id="25ff12a7-665b-4e45-8b0f-6e5ca7b95801" condition="contains">
+            <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" />
+            <Content type="string">system32\twain_32\user.ds</Content>
+          </IndicatorItem>
+          <IndicatorItem id="fea11706-9ebe-469b-b30a-4047cfb7436b" condition="contains">
+            <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir" />
+            <Content type="string">\WINDOWS\system32\twext.exe</Content>
+          </IndicatorItem>
+          <IndicatorItem id="94ac992c-8d6d-441f-bfc4-5235f9b09af8" condition="contains">
+            <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" />
+            <Content type="string">system32\twain32\local.ds</Content>
+          </IndicatorItem>
+          <IndicatorItem id="bc12f44e-7d93-47ea-9cc9-86a2beeaa04c" condition="contains">
+            <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" />
+            <Content type="string">system32\twext.exe</Content>
+          </IndicatorItem>
+          <IndicatorItem id="1c3f8902-d4e2-443a-a407-15be3951bef9" condition="contains">
+            <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" />
+            <Content type="string">system32\lowsec\user.ds</Content>
+          </IndicatorItem>
+          <IndicatorItem id="7fab12d1-67ed-4149-b46a-ec50fc622bee" condition="contains">
+            <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" />
+            <Content type="string">system32\lowsec\local.ds</Content>
+          </IndicatorItem>
+        </Indicator>
+      </Indicator>
+      <Indicator operator="AND" id="9f7a5703-8a26-45cf-b801-1c13f0f15d40">
+        <IndicatorItem id="cf77d82f-0ac9-4c81-af0b-d634f71525b5" condition="contains">
+          <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Type" type="mir" />
+          <Content type="string">Mutant</Content>
+        </IndicatorItem>
+        <Indicator operator="OR" id="83f72cf7-6399-4620-b735-d08ce23ba517">
+          <IndicatorItem id="a1250d55-cd63-46cd-9436-e1741f5f42c7" condition="contains">
+            <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" />
+            <Content type="string">__SYSTEM__</Content>
+          </IndicatorItem>
+          <IndicatorItem id="e033b865-95ba-44ab-baa5-3b1e8e5f348c" condition="contains">
+            <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" />
+            <Content type="string">_AVIRA_</Content>
+          </IndicatorItem>
+        </Indicator>
+      </Indicator>
+    </Indicator>
+  </definition>
+</ioc>

metadata

@@ -0,0 +1,103 @@
+--- !ruby/object:Gem::Specification
+name: RubyIOC
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Matt Jezorek
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-02-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: roxml
+  requirement: &14073948 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *14073948
+description: RubyIOC is a ruby library used for indicators of compromise
+email:
+- mjezorek@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- RubyIOC.gemspec
+- lib/RubyIOC.rb
+- lib/RubyIOC/ioc.rb
+- lib/RubyIOC/iocitem.rb
+- lib/RubyIOC/iocitem/arp_entry_item.rb
+- lib/RubyIOC/iocitem/cookie_history_item.rb
+- lib/RubyIOC/iocitem/disk_item.rb
+- lib/RubyIOC/iocitem/dns_entry_item.rb
+- lib/RubyIOC/iocitem/driver_item.rb
+- lib/RubyIOC/iocitem/event_log_item.rb
+- lib/RubyIOC/iocitem/file_download_history_item.rb
+- lib/RubyIOC/iocitem/file_item.rb
+- lib/RubyIOC/iocitem/form_history_item.rb
+- lib/RubyIOC/iocitem/hash_item.rb
+- lib/RubyIOC/iocitem/hook_item.rb
+- lib/RubyIOC/iocitem/module_item.rb
+- lib/RubyIOC/iocitem/persistence_item.rb
+- lib/RubyIOC/iocitem/port_item.rb
+- lib/RubyIOC/iocitem/prefetch_item.rb
+- lib/RubyIOC/iocitem/process_item.rb
+- lib/RubyIOC/iocitem/registry_hive_item.rb
+- lib/RubyIOC/iocitem/registry_item.rb
+- lib/RubyIOC/iocitem/route_entry_item.rb
+- lib/RubyIOC/iocitem/service_item.rb
+- lib/RubyIOC/iocitem/string_match_item.rb
+- lib/RubyIOC/iocitem/system_info_item.rb
+- lib/RubyIOC/iocitem/system_restore_item.rb
+- lib/RubyIOC/iocitem/task_item.rb
+- lib/RubyIOC/iocitem/timeline_item.rb
+- lib/RubyIOC/iocitem/url_history_item.rb
+- lib/RubyIOC/iocitem/user_item.rb
+- lib/RubyIOC/iocitem/volume_item.rb
+- lib/RubyIOC/iocterm.rb
+- lib/RubyIOC/platform.rb
+- lib/RubyIOC/scanner.rb
+- lib/RubyIOC/version.rb
+- test/find_windows.ioc
+- test/test_dns_entry_item.ioc
+- test/test_iocitem_factory.rb
+- test/test_scan.rb
+- test/test_user_item.ioc
+- test/zeus.ioc
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: RubyIOC
+rubygems_version: 1.8.16
+signing_key: 
+specification_version: 3
+summary: RubyIOC is a ruby library used for indicators of compromise
+test_files: []