maecproject / gfi-sandbox-to-maec Goto Github PK
View Code? Open in Web Editor NEWGenerate MAEC XML from GFI Sandbox XML output
License: BSD 3-Clause "New" or "Revised" License
gfi-sandbox-to-maec's Introduction
****************************************************
GFI Sandbox XML -> MAEC XML Converter Script
Copyright (c) 2015 - The MITRE Corporation
****************************************************
BY USING THE GFI SANDBOX TO MAEC SCRIPT, YOU SIGNIFY YOUR ACCEPTANCE OF THE TERMS AND
CONDITIONS OF USE. IF YOU DO NOT AGREE TO THESE TERMS, DO NOT USE THE SCRIPT.
For more information, please refer to the LICENSE.txt file.
#########################################################################################################
Generates MAEC Output from a GFI Sandbox v4 XML file
Compatible with Malware Attribute Enumeration and Characterization (MAEC™) Schema v4.1 and
Cyber Observable eXpression (CybOX™) 2.1
v0.24 - BETA
Updated 10/13/2014
##########################################################################################################
MAEC - https://maecproject.github.io/
ThreatTrack (GFI) Sandbox - http://www.threattracksecurity.com/enterprise-security/sandbox-software.aspx
CybOX - https://cyboxproject.github.io/
##########################################################################################################
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Included Files
README: this file.
gfisandbox_to_maec.py: the GFI Sandbox XML to MAEC XML Python converter script.
gfi_sandbox.py: the GFI Sandbox Python bindings which the script imports.
gfi_parser.py: the GFI parser class.
\gfi: the GFI parser classes which the script imports.
LICENSE.txt: the terms of use for this script.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Dependencies
This code has been developed and tested under Python 2.7.x and so may not
be compatible with Python 3.x.
There are three dependencies for this script:
1) The Python lxml library >= v3.2.x, http://lxml.de/
1) The python-maec library >= v4.1.0.0, https://pypi.python.org/pypi/maec
2) The python-cybox library >= v2.1.0.0, https://pypi.python.org/pypi/cybox
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Usage Notes
The command-line syntax for the script is:
python gfisandbox_to_maec.py <special argument> <gfisandbox file OR directory>
<maec output file OR directory>
Special arguments are as follows (all are optional):
-v or --verbose : verbose error mode (prints tracebacks of any errors during execution).
-dd or --deduplicate : deduplicate the MAEC output (Objects only).
-n or --normalize : normalize the MAEC output (Objects only).
-dr or --dereference : dereference the MAEC output (Objects only).
Thus, a sample command-line would look like:
python gfisandbox_to_maec.py -dd -n gfi_out.xml gfi_maec_out.xml
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
About MAEC
Malware Attribute Enumeration and Characterization (MAEC™) is a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns.
The goal of the MAEC (pronounced "mike") effort is to provide a basis for transforming malware research and response. MAEC aims to eliminate the ambiguity and inaccuracy that currently exists in malware descriptions and to reduce reliance on signatures. In this way, MAEC seeks to improve human-to-human, human-to-tool, tool-to-tool, and tool-to-human communication about malware; reduce potential duplication of malware analysis efforts by researchers; and allow for the faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances. The MAEC Language enables correlation, integration, and automation.
Please visit the MAEC website at https://maecproject.github.io/ for more information about the MAEC Language.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Getting Help
Join the public MAEC Community Email Discussion List at https://maec.mitre.org/community/discussionlist.html.
Email the MAEC Developers at [email protected].
--------------------------------------------------------------------------------
-------------------------------------------------------------------------------
gfi-sandbox-to-maec's People
Contributors
Stargazers
Watchers
gfi-sandbox-to-maec's Issues
Update ID generation based on latest python-maec updates
Based on the latest python-maec updates, we'll need to update the following places to use "id_" instead of "id":
https://github.com/MAECProject/gfi-sandbox-to-maec/blob/master/gfi_parser.py#L202
https://github.com/MAECProject/gfi-sandbox-to-maec/blob/master/gfi_parser.py#L254
Not compatible with python 3.3.5
Greetings,
The syntax of these scripts as well as the implementation of StringIO is not compatible with Python 3.3.5. print must use print() - except Exception, err: is no longer valid and StringIO is no longer a module, you should import io and use io.StringIO
Sample error lines
File "/usr/lib/python3.3/site-packages/maec-4.1.0.5-py3.3.egg/maec/init.py", line 7, in
ImportError: No module named 'StringIO'
File "gfisandbox_to_maec.py", line 54
except Exception, err:
^
SyntaxError: invalid syntax
File "gfisandbox_to_maec.py", line 52
print "Wrote to " + outpath
^
SyntaxError: invalid syntax
Best,
Greg
Add Used Options as XML Comment
We should add the options used in the execution of the script (e.g. deduplication, dereferencing, etc.) as an XML comment at the top of the MAEC output document.
Add Deduplicator Support
We should the option to natively deduplicate the output MAEC Package, probably disabled by default?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.