|
1 | 1 | # run_comparator script |
2 | | -# v0.1 |
| 2 | +# v0.11 |
3 | 3 | # Runs the MAEC Comparator against a list or folder of MAEC files |
4 | 4 | import pprint |
5 | 5 | import sys |
6 | 6 | import os |
7 | 7 | import maec |
8 | 8 | from maec.bundle.bundle import Bundle |
9 | | -from maec.package.package import Package |
10 | 9 | USAGE_TEXT = """ |
11 | | -MAEC Run Comparator Script v0.1 BETA |
| 10 | +MAEC Run Comparator Script v0.11 BETA |
12 | 11 | *Performs Object->Object comparison of 2 or more input MAEC documents |
13 | 12 | *Prints common/unique Objects between MAEC Bundles |
14 | 13 |
|
|
17 | 16 |
|
18 | 17 | # Process a set of MAEC binding objects and extract the Bundles as appropriate |
19 | 18 | def process_maec_file(filename, bundle_list): |
20 | | - binding_objects = maec.parse_xml_instance(filename) |
21 | | - if binding_objects and binding_objects[0]: |
22 | | - package_obj = Package.from_obj(binding_objects[0]) |
| 19 | + parsed_objects = maec.parse_xml_instance(filename) |
| 20 | + if parsed_objects and parsed_objects[0]: |
| 21 | + package_obj = parsed_objects[0][1] |
23 | 22 | if package_obj.malware_subjects: |
24 | 23 | for malware_subject in package_obj.malware_subjects: |
25 | 24 | for bundle in malware_subject.get_all_bundles(): |
26 | 25 | bundle_list.append(bundle) |
27 | | - elif binding_objects and binding_objects[1]: |
28 | | - bundle_list.append(Bundle.from_obj(binding_objects[1])) |
| 26 | + elif parsed_objects and parsed_objects[1]: |
| 27 | + bundle_list.append(parsed_objects[1][1]) |
29 | 28 |
|
30 | 29 | def main(): |
31 | 30 | infilenames = [] |
@@ -61,8 +60,9 @@ def main(): |
61 | 60 |
|
62 | 61 | # Matching properties dictionary |
63 | 62 | match_on_dictionary = {'FileObjectType': ['file_path'], |
64 | | - 'WindowsRegistryKeyObjectType': ['hive', 'values.name/data'], |
65 | | - 'WindowsMutexObjectType': ['name']} |
| 63 | + 'WindowsRegistryKeyObjectType': ['hive', 'key'], |
| 64 | + 'WindowsMutexObjectType': ['name'], |
| 65 | + 'WindowsProcessObjectType': ['name']} |
66 | 66 | # Perform the comparison and get the results |
67 | 67 | comparison_results = Bundle.compare(bundle_list, match_on = match_on_dictionary, case_sensitive = False) |
68 | 68 | # Pretty print the common and unique Objects |
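Review bot: The `elif parsed_objects and parsed_objects[1]` branch of process_maec_file assumes the list returned by `maec.parse_xml_instance` has at least two entries, and both branches then index `[1]` of that entry without any shape check; a parser result with a single entry, or an entry that is not a pair, raises IndexError/TypeError here instead of the file being skipped. A guard such as `elif len(parsed_objects) > 1 and parsed_objects[1]:` keeps the fallback safe, and a one-line comment stating the expected layout, e.g. `# parse_xml_instance() is taken to return (binding, api_object) pairs as [package, bundle] -- confirm against maec`, would document the convention that replaces the removed Package.from_obj/Bundle.from_obj calls. The return structure of the parser is not visible in this hunk, so the exact check may need adjusting. In the second hunk, changing the registry match keys from `'values.name/data'` to `'hive', 'key'` widens what counts as a matching registry object (values are no longer compared); the "Matching properties dictionary" comment could state that registry keys are now matched on hive and key path only, and that WindowsProcessObjectType matches on name alone. main starts inside the first hunk and continues past the end of the second.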
|