Sun, 13 Oct 2013

Quick dump of an .ioc file via python

The OpenIOC initiative from Mandiant is a great way to share actionable intel about indicators of compromise. Mandiant has some tools to create and search for entries in an .ioc file, but poking around the internets I've not seen much traction or tooling for the format, especially from the open source community.

Let's change that, shall we? Here's a quick python script to get some feet wet and dump an .ioc file's IndicatorItems:

#!/usr/bin/python
import sys
import lxml.objectify

# Parse the .ioc file named on the command line into an objectify tree.
ioco = lxml.objectify.parse(sys.argv[1])
root = ioco.getroot()
print("%s: %s" % (root.short_description, root.description))
# xpath() rather than findall(): local-name() is an XPath function that
# ElementPath does not support, and it lets us ignore the OpenIOC namespace.
for ii in root.xpath("//*[local-name()='IndicatorItem']"):
    # parent Indicator's operator (AND/OR), the search term, and the value
    print('\t%s\t%s\t%s' % (ii.getparent().attrib.get("operator"), ii.Context.attrib.get("search"), ii.Content))

Using lxml and its objectify module, it's pretty easy to get a Pythonic representation of any .ioc file and dump it to stdout. Give it a shot with these sample .ioc files from forensicartifacts and openioc.
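The flat dump above only shows each item's immediate parent operator, so the nested AND/OR logic of an indicator is lost. As an added example (not part of the original post), here is a walker that keeps that structure; it uses the standard library's ElementTree instead of lxml so it runs with no extra dependencies, and the embedded .ioc document is a constructed sample with placeholder values.

```python
import xml.etree.ElementTree as ET

# Constructed OpenIOC 1.0 sample; placeholder values, not real indicators.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Example IOC</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">PLACEHOLDER-MD5</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="b" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">example.dll</Content>
        </IndicatorItem>
        <IndicatorItem id="c" condition="is">
          <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
          <Content type="int">4096</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

def indicator_tree(node):
    """Return (operator, children); leaves are (condition, search, content)."""
    children = []
    for child in node:
        tag = child.tag.split("}")[-1]  # drop the {namespace} prefix
        if tag == "Indicator":
            children.append(indicator_tree(child))  # nested AND/OR block
        elif tag == "IndicatorItem":
            ctx = child.find("ioc:Context", NS)
            content = child.find("ioc:Content", NS)
            children.append((child.get("condition"), ctx.get("search"), content.text))
    return (node.get("operator"), children)

def parse_ioc(xml_text):
    """Return (short_description, logic tree) for an OpenIOC 1.0 document."""
    root = ET.fromstring(xml_text)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return root.findtext("ioc:short_description", namespaces=NS), indicator_tree(top)

if __name__ == "__main__":
    print(parse_ioc(SAMPLE_IOC))
```

To run it against a real file, pass `open(path).read()` to `parse_ioc` instead of the constructed sample.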

One small step for open source ioc tools?

Posted at: Sun, 13 Oct 2013 | category: /itsec