-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathREADME
130 lines (83 loc) · 5.74 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
****************************************************
MAEC XML -> OVAL XML Converter Script
Copyright (c) 2012 - 2014 The MITRE Corporation
****************************************************
BY USING THE MAEC TO OVAL SCRIPT, YOU SIGNIFY YOUR ACCEPTANCE OF THE TERMS AND
CONDITIONS OF USE. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT USE THE MAEC TO OVAL
SCRIPT.
For more information, please refer to the LICENSE.txt file.
#################################################################
Malware Attribute Enumeration and Characterization (MAEC™) XML -->
Open Vulnerability and Assessment Language (OVAL®) XML Generation Script
Generates OVAL 5.7 definitions/tests/objects from MAEC XML
Compatible with content produced using MAEC v4.1/Cyber Observable eXpression (CybOX™) 2.1
v0.94 BETA - extracts files and registry keys
2/24/2014
#################################################################
MAEC - https://maecproject.github.io/
CybOX - https://cyboxproject.github.io/
OVAL - https://oval.cisecurity.org/
#################################################################
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Installation Notes
This software depends on the python-cybox and python-maec libraries:
python-cybox >= 2.1.x.x and <= 2.2.x.x: https://pypi.python.org/pypi/cybox
python-maec >= 4.1.x.x and <= 4.2.x.x: https://pypi.python.org/pypi/maec
This script was created using Python 2.7.x, and so may not be compatible with 3.0.x.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Methodology
This script is still a POC, and supports the extraction of registry keys and files
from the Actions in a MAEC Package or Bundle XML document that are defined as
creating or modifying said object. E.g., the Object from the following Action
would be converted:
<maec:Action action_status="Success" id="maec-anubis_to_maec-act-1">
<cybox:Name>create file</cybox:Name>
<cybox:Associated_Objects>
<cybox:Associated_Object type="File" id="maec-anubis_to_maec-obj-2">
<cybox:Defined_Object xsi:type="FileObj:FileObjectType">
<FileObj:File_Name datatype="String">ntos.exe</FileObj:File_Name>
<FileObj:File_Path datatype="String">C:\WINDOWS\system32\</FileObj:File_Path>
</cybox:Defined_Object>
</cybox:Associated_Object>
</cybox:Associated_Objects>
</maec:Action>
This is all done in the Windows context and thus uses the corresponding OVAL
constructs.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Included Files
README: this file.
maec_to_oval.py: the MAEC XML to OVAL XML Python driver.
cybox_to_oval_processor.py: the main MAEC XML to OVAL XML converter class.
maec_oval_mappings.py: the CybOX to OVAL mappings class.
oval57.py: the OVAL 5.7 Python bindings used by the script.
LICENSE.txt: the terms of usage for this script.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Usage Notes
There are two main command line parameters for this script:
-i: the path to the input MAEC XML file
-o: the path to the output OVAL XML file
To use the script, run the following command:
python maec_to_oval.py -i <maec_xml_file> -o <oval_xml_file>
The following optional parameters are supported:
-s: Print converted and skipped MAEC Actions
-v: Verbose error printing (traceback)
For example:
python maec_to_oval.py -v -i <maec_xml_file> -o <oval_xml_file>
For the latest version of the script, please check the MAEC GitHub Repository
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
About MAEC
Malware Attribute Enumeration and Characterization (MAEC™) is a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns.
The goal of the MAEC (pronounced "mike") effort is to provide a basis for transforming malware research and response. MAEC aims to eliminate the ambiguity and inaccuracy that currently exists in malware descriptions and to reduce reliance on signatures. In this way, MAEC seeks to improve human-to-human, human-to-tool, tool-to-tool, and tool-to-human communication about malware; reduce potential duplication of malware analysis efforts by researchers; and allow for the faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances. The MAEC Language enables correlation, integration, and automation.
Please visit the MAEC website at https://maecproject.github.io/ for more information about the MAEC Language.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Getting Help
Join the public MAEC Community Email Discussion List at https://maec.mitre.org/community/discussionlist.html.
Email the MAEC Developers at [email protected].
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------