RubyIOC 0.0.1 → 0.0.2

data/.gitignore

@@ -1,20 +1,20 @@
-*.gem
-.bundle
-Gemfile.lock
-pkg/*
-*.rbc
-.config
-coverage
-InstalledFiles
-lib/bundler/man
-pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp
-
-# YARD artifacts
-.yardoc
-_yardoc
+*.gem
+.bundle
+Gemfile.lock
+pkg/*
+*.rbc
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
 doc/

data/Gemfile

@@ -1,3 +1,3 @@
-source "http://rubygems.org"
-# Specify your gem's dependencies in RubyIOC.gemspec
-gemspec
+source "http://rubygems.org"
+# Specify your gem's dependencies in RubyIOC.gemspec
+gemspec

data/Rakefile

@@ -1,8 +1,8 @@
-require "bundler/gem_tasks"
-require "rake/testtask"
-
-Rake::TestTask.new do |t|
-	t.libs << "test"
-	t.test_files = FileList['test/test*.rb']
-	t.verbose = false
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new do |t|
+	t.libs << "test"
+	t.test_files = FileList['test/test*.rb']
+	t.verbose = false
 end

data/RubyIOC.gemspec

@@ -1,24 +1,24 @@
-# -*- encoding: utf-8 -*-
-$:.push File.expand_path("../lib", __FILE__)
-require "RubyIOC/version"
-
-Gem::Specification.new do |s|
-  s.name        = "RubyIOC"
-  s.version     = RubyIOC::VERSION
-  s.authors     = ["Matt Jezorek"]
-  s.email       = ["mjezorek@gmail.com"]
-  s.homepage    = ""
-  s.summary     = %q{RubyIOC is a ruby library used for indicators of compromise}
-  s.description = %q{RubyIOC is a ruby library used for indicators of compromise}
-
-  s.rubyforge_project = "RubyIOC"
-
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_paths = ["lib"]
-
-  # specify any dependencies here; for example:
-  # s.add_development_dependency "rspec"
-  s.add_runtime_dependency "roxml"
-end
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "RubyIOC/version"
+
+Gem::Specification.new do |s|
+  s.name        = "RubyIOC"
+  s.version     = RubyIOC::VERSION
+  s.authors     = ["Matt Jezorek"]
+  s.email       = ["mjezorek@gmail.com"]
+  s.homepage    = ""
+  s.summary     = %q{RubyIOC is a ruby library used for indicators of compromise}
+  s.description = %q{RubyIOC is a ruby library used for indicators of compromise}
+
+  s.rubyforge_project = "RubyIOC"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # specify any dependencies here; for example:
+  # s.add_development_dependency "rspec"
+  s.add_runtime_dependency "roxml"
+end

data/iocaware.iocterms

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<ioctermlist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" last-modified="2013-07-15T21:26:28" description="New IOC Terms File" xmlns="http://schemas.mandiant.com/2010/ioc">
+  <iocterm text="FileItem/Md54ksum" title="File MD54K" data-type="MD5Sum" display-type="md5" term-source="application/iocaware" />
+  <iocterm text="FileItem/Ssdeep" title="File SSDeep" data-type="xs:string" display-type="string" term-source="application/iocaware" />
+  <iocterm text="FileItem/Sha512sum" title="File Sha512sum" data-type="HashSum" display-type="string" term-source="application/iocaware" />
+  <iocterm text="ServiceItem/pathMd54ksum" title="Service Path MD54K" data-type="MD5Sum" display-type="md5" term-source="application/iocaware" />
+  <iocterm text="ServiceItem/pathSsdeep" title="Service Path SSDeep" data-type="xs:string" display-type="string" term-source="application/iocaware" />
+  <iocterm text="ServiceItem/pathSha512sum" title="Service Path Sha512Sum" data-type="HashSum" display-type="string" term-source="application/iocaware" />
+  <iocterm text="ServiceItem/serviceDLLMd54Ksum" title="Service DLL MD54K" data-type="MD5Sum" display-type="md5" term-source="application/iocaware" />
+  <iocterm text="ServiceItem/serviceDLLSsdeep" title="Service DLL SSDeep" data-type="xs:string" display-type="string" term-source="application/iocaware" />
+  <iocterm text="ServiceItem/serviceDLLSha512Sum" title="Service DLL Sha512Sum" data-type="HashSum" display-type="string" term-source="application/iocaware" />
+</ioctermlist>

data/lib/RubyIOC.rb

@@ -1,39 +1,39 @@
-# Copyright (c) 2013 Matt Jezorek
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
-# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
-# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-# IN THE SOFTWARE.
-require "rexml/document"
-
-require "RubyIOC/version"
-require "RubyIOC/platform"
-require "RubyIOC/iocterm"
-require "RubyIOC/iocitem"
-require "RubyIOC/ioc"
-require "RubyIOC/scanner"
-
-=begin rdoc
-	RubyIOC is a simple gem that will allow the scanning of a system with indicators of compromise. RubyIOC will not tell you if the machine
-	is compromised or not but it will give you a score and what indicators have been found. Ideally you will want to see 0% and 0 found indicators.
-	However you may come back with 1% ond 2 indicators out of 200. It will also provide you a reference to the found indicators. From here you
-	can investigate whatever machine you wish to investigate. 
-
-	Please note that when you use this software you are running on possibly compromised machiens, any credentials you use to facilitate the scan 
-	should be considered compromised
-=end
-
-
-class String
-  def to_bool
-    return true   if self == true   || self =~ (/(true|t|yes|y|1)$/i)
-    return false  if self == false  || self.blank? || self =~ (/(false|f|no|n|0)$/i)
-    raise ArgumentError.new("invalid value for Boolean: \"#{self}\"")
-  end
+# Copyright (c) 2013 Matt Jezorek
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), 
+# to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+require "rexml/document"
+
+require "RubyIOC/version"
+require "RubyIOC/platform"
+require "RubyIOC/iocterm"
+require "RubyIOC/iocitem"
+require "RubyIOC/ioc"
+require "RubyIOC/scanner"
+
+=begin rdoc
+	RubyIOC is a simple gem that will allow the scanning of a system with indicators of compromise. RubyIOC will not tell you if the machine
+	is compromised or not but it will give you a score and what indicators have been found. Ideally you will want to see 0% and 0 found indicators.
+	However you may come back with 1% ond 2 indicators out of 200. It will also provide you a reference to the found indicators. From here you
+	can investigate whatever machine you wish to investigate. 
+
+	Please note that when you use this software you are running on possibly compromised machiens, any credentials you use to facilitate the scan 
+	should be considered compromised
+=end
+
+
+class String
+  def to_bool
+    return true   if self == true   || self =~ (/(true|t|yes|y|1)$/i)
+    return false  if self == false  || self.blank? || self =~ (/(false|f|no|n|0)$/i)
+    raise ArgumentError.new("invalid value for Boolean: \"#{self}\"")
+  end
 end

data/lib/RubyIOC/iocitem/arp_entry_item.rb

@@ -16,6 +16,89 @@ module RubyIOC
 			def get_type
 				"ArpEntryItem"
 			end
+
+			def scan(indicator)
+				if RubyIOC::Platform.windows?
+					return search_windows_arp(indicator)
+				elseif Ruby::Platform::mac?
+					return search_mac_arp(indicator)
+				else
+					puts "Not implemented on this platform yet"
+				end
+			end
+
+			def search_windows_arp(indicator)
+				arp = get_arp_cache
+
+				arp.each_line do |line|
+					indicator.each { |i|
+						content = i[:content]
+
+						case i[:search]
+						when "ArpEntryItem/PhysicalAddress", "ArpEntryItem/CacheType", "ArpEntryItem/IPv4Address"
+							if !(line.downcase.include? "interface") && (line.downcase.gsub("-", ":").include? content.downcase)
+								return true
+							end
+						when "ArpEntryItem/Interface"
+							if (line.downcase.include? "interface") && (line.downcase.include? content.downcase)
+								return true
+							end
+						end
+					}
+				end
+				#puts arp
+				#puts arp.to_yaml
+				return false
+			end
+			
+			def search_mac_arp(indicator)
+				arp = get_arp_cache
+				arp.each_line do |line|
+					fields = line.split(' ')
+					ip = fields[1].gsub('(', '').gsub(')', '')
+					physical = fields[3].downcase
+					iface = fields[5].downcase
+
+					indicator.each { |i|
+						content = i[:content].downcase
+
+						case i[:search]
+						when "ArpEntryItem/PhysicalAddress"
+							octets = physical.split(':')
+							i = 0
+							while i < octets.length do
+								if octets[i].length == 1 then
+									octets[i] = '0' + octets[i]
+								end
+								i += 1
+							end
+							physical = octets.join(':')
+
+							if physical == content then
+								return true
+							end
+						when "ArpEntryItem/CacheType"
+						when "ArpEntryItem/IPv4Address"
+							if ip == content then
+								return true
+							end
+						when "ArpEntryItem/Interface"
+							if iface == content then
+								return true
+							end
+						end
+					}
+				end
+				#puts arp
+				#puts arp.to_yaml
+				return false
+			end
+
+			def get_arp_cache
+				arp_cache =`arp -a`
+
+				return arp_cache
+			end
 		end
 
 		class ArpEntryItemFactory < RubyIOC::IOCItem::IOCItemFactory
@@ -30,4 +113,6 @@ module RubyIOC
 
 		ArpEntryItemFactory.add_factory(ArpEntryItemFactory)
 	end
-end
+end
+
+

data/lib/RubyIOC/iocitem/dns_entry_item.rb

@@ -26,18 +26,16 @@ module RubyIOC
 			end
 
 			def search_windows_dns(indicator)
-				dns = get_windows_dns_cache
-				puts dns.to_yaml
-				return false
-			end
-
-			def get_windows_dns_cache
-				dns = []
-				dns_cache =`ipconfig /displaydns`
+				dns_cache = get_windows_dns_cache
+				
 				blocks = dns_cache.split(/\n\n/)
+				
 				blocks.each do | block |
-					#puts block
+					noblanklines = block.gsub(/^$\n/, '').downcase
+					host = noblanklines.lines.first
+					
 					temp = {}
+					temp[:host] = host
 					temp[:record_name] = block.match(/\s*Record Name.*:\s(?<record>.*)/).to_a[1]
 					temp[:record_type] = block.match(/\s*Record Type.*:\s(?<record>.*)/).to_a[1]
 					temp[:time_to_live] = block.match(/\s*Time To Live.*:\s(?<record>.*)/).to_a[1]
@@ -45,9 +43,47 @@ module RubyIOC
 					temp[:section] = block.match(/\s*Section.*:\s(?<record>.*)/).to_a[1]
 					temp[:a_record] = block.match(/\s*A \(Host\) Record.*:\s(?<record>.*)/).to_a[1]
 					temp[:cname] = block.match(/\s*CNAME Record.*:\s(?<record>.*)/).to_a[1]
-					dns << temp
+					#puts temp
+					indicator.each { |i|
+						content = i[:content].downcase
+						
+						case i[:search]
+						when "DnsEntryItem/Host"
+							if !temp[:host].nil? and temp[:host].downcase.strip == content then
+								return true
+							end
+						when "DnsEntryItem/RecordName"
+							if !temp[:record_name].nil? and temp[:record_name].downcase.strip == content then
+								return true
+							end
+						when "DnsEntryItem/RecordType"
+							if !temp[:record_type].nil? and temp[:record_type].downcase.strip == content then
+								return true
+							end
+						when "DnsEntryItem/TimeToLive"
+							if !temp[:time_to_live].nil? and temp[:time_to_live].downcase.strip == content then
+								return true
+							end
+						when "DnsEntryItem/Flags"
+						when "DnsEntryItem/DataLength"
+							if !temp[:data_length].nil? and temp[:data_length].downcase.strip == content then
+								return true
+							end
+						when "DnsEntryItem/RecordData/Host"
+						when "DnsEntryItem/RecordData/IPv4Address"
+							if !temp[:a_record].nil? and temp[:a_record].downcase.strip == content then
+								return true
+							end
+						end
+					}
 				end
-				return dns
+				
+				return false
+			end
+
+			def get_windows_dns_cache
+				dns_cache =`ipconfig /displaydns`
+				return dns_cache
 			end
 		end
 

data/lib/RubyIOC/iocitem/event_log_item.rb

@@ -10,12 +10,61 @@
 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 # IN THE SOFTWARE.
+
+if RubyIOC::Platform.windows?
+	require "win32ole"
+end
+
 module RubyIOC
 	module IOCItem
 		class EventLogItem < RubyIOC::IOCTerm
 			def get_type
 				"EventLogItem"
 			end
+		
+			def scan(indicator)
+				if RubyIOC::Platform.windows?
+					return search_windows_events(indicator)
+				else
+					puts "Not implemented on this platform yet"
+				end
+			end
+			
+			def search_windows_events(indicator)
+				wmi = WIN32OLE.connect("winmgmts:{impersonationLevel=impersonate,(Security)}!\\")
+				query = "Select * from Win32_NTLogEvent where "
+				
+				indicator.each { |i| 
+					case i[:search]
+					when "EventLogItem/category"
+						query += "CategoryString = '#{i[:content]}' "
+					when "EventLogItem/categoryNum"
+						query += "Category = #{i[:content]} "
+					when "EventLogItem/genTime"
+					when "EventLogItem/EID"
+						query += "EventIdentifier = #{i[:content]} "
+					when "EventLogItem/log"
+						query += "LogFile = '#{i[:content]}' "
+					when "EventLogItem/machine"
+						query += "ComputerName = '#{i[:content]}' "
+					when "EventLogItem/message"
+						query += "Message like '%#{i[:content]}%' "
+					when "EventLogItem/source"
+						query += "SourceName = '#{i[:content]}' "
+					when "EventLogItem/type"
+						query += "Type = '#{i[:content]}' "
+					when "EventLogItem/user"
+						query += "User like '%#{i[:content]}%' "
+					when "EventLogItem/writeTime"
+					end
+				}
+
+				events = wmi.ExecQuery(query)
+				events.each { |e|
+					return true
+				}
+				return false
+			end
 		end
 
 		class EventLogItemFactory < RubyIOC::IOCItem::IOCItemFactory

data/lib/RubyIOC/iocitem/port_item.rb

@@ -16,6 +16,123 @@ module RubyIOC
 			def get_type
 				"PortItem"
 			end
+			
+			def scan(indicator)
+				if RubyIOC::Platform.windows?
+					return search_windows_netstat(indicator)
+				else
+					puts "Not implemented on this platform yet"
+				end
+			end
+
+			def search_windows_netstat(indicator)
+				netstat = get_windows_netstat
+				
+				blocks = netstat.split(/\n/)
+				i = 1
+				
+				entries = []
+				entry = ""
+				blocks.each do | block |
+					if i<5 then
+						i+=1
+						next
+					end
+					
+					line = block.strip.gsub(/[ ]{2,}/, " ")
+					localip = ""
+					localport = ""
+					pid = ""
+					process = ""
+					protocol = ""
+					remoteip = ""
+					remoteport = ""
+					state = ""
+					
+					if line.match(/^TCP/) or line.match(/^UDP/) then
+						nsentry = line.downcase.split(' ')
+						protocol = nsentry[0]
+						if nsentry[1].match(/\[/) then
+							localip = nsentry[1].split(']:')[0].gsub(/\[/, '')
+							localport = nsentry[1].split(']:')[1]
+						else
+							localip = nsentry[1].split(':')[0]
+							localport = nsentry[1].split(':')[1]
+						end
+						if nsentry[2].match(/\[/) then
+							remoteip = nsentry[2].split(']:')[0].gsub(/\[/, '')
+							remoteport = nsentry[2].split(']:')[1]
+						else
+							remoteip = nsentry[2].split(':')[0]
+							remoteport = nsentry[2].split(':')[1]
+						end
+						if nsentry.length < 5 then
+							pid = nsentry[3]
+						else
+							state = nsentry[3]
+							pid = nsentry[4]
+						end
+						
+						indicator.each { |i|
+							content = i[:content].downcase
+							
+							case i[:search]
+							when "PortItem/CreationTime"
+							when "PortItem/localIP"
+								if content == localip then
+									return true
+								end
+							when "PortItem/localPort"
+								if content == localport then
+									return true
+								end
+							when "PortItem/path"
+							when "PortItem/pid"
+								if content == pid then
+									return true
+								end
+							when "PortItem/protocol"
+								if content == protocol then
+									return true
+								end
+							when "PortItem/remoteIP"
+								if content == remoteip then
+									return true
+								end
+							when "PortItem/remotePort"
+								if content == remoteport then
+									return true
+								end
+							when "PortItem/state"
+								if content == state then
+									return true
+								end
+							end
+						}
+					else
+						if line.match(/^\[/)
+							process = line.downcase.gsub("[", "").gsub("]", "")
+							
+							indicator.each { |i|
+								content = i[:content].downcase
+								case i[:search]
+								when "PortItem/process"
+									if content == process then
+										return true
+									end
+								end
+							}
+						end
+					end
+				end
+				
+				return false
+			end
+
+			def get_windows_netstat
+				netstat = `netstat -anbo`
+				return netstat
+			end
 		end
 
 		class PortItemFactory < RubyIOC::IOCItem::IOCItemFactory