#!/usr/bin/env python
"""
OpenIOC2CIF.py
Author: Keith Gilbert - www.digital4rensics.com - @digital4rensics
Version: 1.0
Date: December, 2012
This script takes a file in the OpenIOC format (.ioc) and parses the indicators CIF can handle.
It returns a .tsv file that can be processed as a CIF feed.
"""
import sys
from BeautifulSoup import BeautifulStoneSoup
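def populate(file):
    """Parse an OpenIOC (XML) document into a BeautifulStoneSoup tree.

    Args:
        file: Path of the .ioc file to read. (The parameter name shadows
            the ``file`` builtin; it is kept for backward compatibility
            with existing callers.)

    Returns:
        The BeautifulStoneSoup tree built from the file's text.

    Raises:
        IOError: if the file cannot be opened or read.
    """
    # ``with`` closes the handle even if parsing raises; the original
    # left the open file to the garbage collector.
    with open(file) as handle:
        text = handle.read()
    return BeautifulStoneSoup(text)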
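# OpenIOC Context "search" attribute -> CIF indicator type, checked in this
# order so the first matching context wins (mirrors the original elif chain).
_CONTEXT_TYPES = (
    ("Network/DNS", "Domain"),
    ("PortItem/remoteIP", "IPv4"),
    ("UrlHistoryItem/URL", "URL"),
    ("FileItem/Md5sum", "MD5"),
    ("FileItem/FileName", "Filename"),
)


def _clean(value):
    """Collapse whitespace in a field taken from the IOC file.

    Indicator values and the description come from an external document;
    an embedded tab or newline would otherwise split or inject rows in the
    TSV feed that CIF ingests.
    """
    return " ".join(value.split())


def _indicator_type(element):
    """Return the CIF type for an IndicatorItem, or None if unsupported."""
    for search, ioc_type in _CONTEXT_TYPES:
        # BeautifulSoup tags are compared against None rather than relying
        # on truthiness, which depends on the tag having child contents.
        if element.find("context", {"search": search}) is not None:
            return ioc_type
    return None


def main():
    """Convert the OpenIOC file named on the command line into a CIF feed.

    Reads ``sys.argv[1]`` and writes ``<input>_Feed.tsv`` with a header row
    (Indicator, Type, Description) followed by one tab-separated row per
    supported indicator. Exits with a message (non-zero status) when no
    input path is given or the output file cannot be created.
    """
    if len(sys.argv) < 2:
        sys.exit("usage: OpenIOC2CIF.py <file.ioc>")
    ioc = sys.argv[1]
    # Parse before creating the output so a bad input does not leave an
    # empty feed file behind.
    xml = populate(ioc)
    desc_node = xml.find('short_description')
    desc = _clean(desc_node.text) if desc_node is not None else ""
    try:
        output = open(ioc + "_Feed.tsv", "w")
    except IOError as exc:
        # The original printed a message and carried on, then failed with
        # an unbound ``output``; fail explicitly instead.
        sys.exit("Could not create file: %s" % exc)
    with output:
        output.write("Indicator\tType\tDescription\n")
        for element in xml.findAll('indicatoritem'):
            ioc_type = _indicator_type(element)
            if ioc_type is None:
                continue
            row = "\t".join((_clean(element.text), ioc_type, desc))
            output.write(row + "\n")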
if __name__ == "__main__":
    # Run the conversion only when executed as a script, not on import.
    main()