2018-03-15 16:40:59 +00:00
|
|
|
#!/usr/bin/env python
|
2018-03-17 16:12:08 +00:00
|
|
|
'''
|
|
|
|
|
esm2markdown - McAfee ESM correlation rule XML export to markdown converter
|
|
|
|
|
Copyright (C) 2018 Michael Clemens
|
|
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
|
|
|
any later version.
|
|
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with this program; if not, write to the Free Software Foundation,
|
|
|
|
|
Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
|
'''
|
|
|
|
|
|
2018-03-15 16:40:59 +00:00
|
|
|
import sys
|
|
|
|
|
from lxml import etree
|
|
|
|
|
|
2018-03-17 15:45:15 +00:00
|
|
|
style="**"
|
2018-03-17 18:56:05 +00:00
|
|
|
level1="* "
|
|
|
|
|
level2=" - "
|
|
|
|
|
level3=" - "
|
|
|
|
|
|
|
|
|
|
def line(level,key,value):
|
|
|
|
|
|
|
|
|
|
lvl = ""
|
|
|
|
|
output = ""
|
|
|
|
|
valout = ""
|
|
|
|
|
if level == 1:
|
|
|
|
|
lvl = level1
|
|
|
|
|
elif level == 2:
|
|
|
|
|
lvl = level2
|
|
|
|
|
elif level == 3:
|
|
|
|
|
lvl = level3
|
|
|
|
|
else:
|
|
|
|
|
lvl = ""
|
2018-03-17 19:56:08 +00:00
|
|
|
if key:
|
|
|
|
|
if value == "N/A":
|
|
|
|
|
output = lvl + style + key + style + "\n"
|
|
|
|
|
elif value:
|
|
|
|
|
output = lvl + style + key + style + " " + value + "\n"
|
|
|
|
|
else:
|
|
|
|
|
output = ""
|
2018-03-17 18:56:05 +00:00
|
|
|
return output
|
2018-03-15 16:40:59 +00:00
|
|
|
|
2018-03-17 19:56:08 +00:00
|
|
|
|
2018-03-15 16:40:59 +00:00
|
|
|
def main(xmlfile,outfile):
|
|
|
|
|
|
|
|
|
|
file = open(outfile,"w")
|
|
|
|
|
root = etree.parse(xmlfile)
|
|
|
|
|
|
|
|
|
|
for rule in root.getiterator('rule'):
|
2018-03-17 12:39:55 +00:00
|
|
|
# Get CDATA
|
2018-03-15 16:40:59 +00:00
|
|
|
text = rule.findtext('text')
|
|
|
|
|
cdata = etree.fromstring(text)
|
2018-03-17 12:39:55 +00:00
|
|
|
# Print rule name as header
|
2018-03-16 17:33:10 +00:00
|
|
|
message = "# " + rule.findtext('message')
|
2018-03-15 16:40:59 +00:00
|
|
|
file.write(message + "\n")
|
2018-03-17 12:39:55 +00:00
|
|
|
# Print rule description
|
2018-03-16 17:33:10 +00:00
|
|
|
description = rule.findtext('description')
|
2018-03-15 16:40:59 +00:00
|
|
|
file.write("## Description\n")
|
|
|
|
|
file.write(description +"\n")
|
2018-03-17 12:39:55 +00:00
|
|
|
# Print general rule information (ID, Normalization, Severity, all Tags, Group By)
|
2018-03-15 16:40:59 +00:00
|
|
|
file.write("## General Information\n")
|
2018-03-17 18:56:05 +00:00
|
|
|
file.write(line(1,"Rule ID:",rule.findtext('id')))
|
|
|
|
|
file.write(line(1,"Normalization ID:",rule.findtext('normid')))
|
|
|
|
|
file.write(line(1,"Severity:",rule.findtext('severity')))
|
2018-03-17 12:39:55 +00:00
|
|
|
for tags in rule.getiterator('tag'):
|
2018-03-17 18:56:05 +00:00
|
|
|
file.write(line(1,"Tag:",tags.text))
|
2018-03-17 15:07:35 +00:00
|
|
|
for rs in cdata.getiterator('ruleset'):
|
2018-03-17 18:56:05 +00:00
|
|
|
file.write(line(1,"Group By:",rs.get('correlationField')))
|
2018-03-15 16:40:59 +00:00
|
|
|
file.write("## Correlation Details\n")
|
2018-03-17 20:04:49 +00:00
|
|
|
parameters = 0
|
2018-03-17 12:39:55 +00:00
|
|
|
# Print rule parameters
|
2018-03-17 14:53:05 +00:00
|
|
|
for param in cdata.getiterator('param'):
|
2018-03-17 20:04:49 +00:00
|
|
|
if parameters == 0:
|
|
|
|
|
file.write("### Parameters\n")
|
|
|
|
|
parameters = 1
|
2018-03-17 19:56:08 +00:00
|
|
|
file.write(line(1,param.get('name'),"N/A"))
|
|
|
|
|
file.write(line(2,"Description:",param.get('description')))
|
|
|
|
|
file.write(line(2,"Default Value:",param.get('defaultvalue')))
|
2018-03-17 15:15:45 +00:00
|
|
|
# Print trigger information (Sequence, Timeout, Time Unit, Threshold)
|
2018-03-17 20:04:49 +00:00
|
|
|
triggers = 0
|
2018-03-17 14:53:05 +00:00
|
|
|
for trigger in cdata.getiterator('trigger'):
|
2018-03-17 20:04:49 +00:00
|
|
|
if triggers == 0:
|
|
|
|
|
file.write("### Triggers\n")
|
|
|
|
|
triggers = 1
|
2018-03-17 19:56:08 +00:00
|
|
|
file.write(line(1,trigger.get('name'),"N/A"))
|
|
|
|
|
file.write(line(2,"Timeout:",trigger.get('timeout')))
|
|
|
|
|
file.write(line(2,"Time Units:",trigger.get('timeUnit')))
|
|
|
|
|
file.write(line(2,"Threshold:",trigger.get('threshold')))
|
|
|
|
|
file.write(line(2,"Sequence:",trigger.get('ordered')))
|
2018-03-15 16:40:59 +00:00
|
|
|
file.write("### Rules\n")
|
2018-03-17 12:39:55 +00:00
|
|
|
# Parse CDATA element and print correlation rule match blocks
|
2018-03-15 16:40:59 +00:00
|
|
|
for r in cdata.getiterator('rule'):
|
2018-03-17 15:45:15 +00:00
|
|
|
o = ""
|
|
|
|
|
v = ""
|
|
|
|
|
t = ""
|
2018-03-17 14:53:05 +00:00
|
|
|
file.write("#### " + r.get('name') + "\n")
|
2018-03-15 16:40:59 +00:00
|
|
|
for e in r.iter():
|
2018-03-17 15:07:35 +00:00
|
|
|
if str(e.tag) == 'activate':
|
2018-03-17 19:56:08 +00:00
|
|
|
file.write(line(1,"Activate:",e.get('type')))
|
2018-03-17 15:07:35 +00:00
|
|
|
if str(e.tag) == 'action':
|
2018-03-17 19:56:08 +00:00
|
|
|
file.write(line(1,"Action","N/A"))
|
|
|
|
|
file.write(line(2,"Type:",e.get('type')))
|
|
|
|
|
file.write(line(2,"Trigger:",e.get('trigger')))
|
2018-03-15 16:40:59 +00:00
|
|
|
if str(e.tag) == 'match':
|
2018-03-17 19:56:08 +00:00
|
|
|
file.write(line(1,"Match","N/A"))
|
|
|
|
|
file.write(line(2,"Count:",e.get('count')))
|
|
|
|
|
file.write(line(2,"Match Type:",e.get('matchType')))
|
2018-03-15 16:40:59 +00:00
|
|
|
if str(e.tag) == 'matchFilter':
|
2018-03-17 19:56:08 +00:00
|
|
|
file.write(line(1,"Match Filter","N/A"))
|
|
|
|
|
file.write(line(2,"Logical Element Type:",e.get('type')))
|
2018-03-15 16:40:59 +00:00
|
|
|
if str(e.tag) == 'singleFilterComponent':
|
2018-03-17 19:56:08 +00:00
|
|
|
t = e.get('type')
|
2018-03-15 16:40:59 +00:00
|
|
|
if str(e.tag) == 'filterData':
|
|
|
|
|
if (e.get('name') == "operator"):
|
2018-03-17 15:45:15 +00:00
|
|
|
o = e.get('value')
|
2018-03-16 17:33:10 +00:00
|
|
|
if (e.get('name') == "value"):
|
2018-03-17 15:45:15 +00:00
|
|
|
v = e.get('value')
|
|
|
|
|
if o and v and t:
|
2018-03-17 19:56:08 +00:00
|
|
|
file.write(line(2,"Filter Component","N/A"))
|
2018-03-17 18:56:05 +00:00
|
|
|
file.write(line(3,"Condition:","'" + t + "' " + o + " '" + v + "'"))
|
2018-03-17 19:56:08 +00:00
|
|
|
v = ""
|
|
|
|
|
o = ""
|
|
|
|
|
file.write("******\n")
|
2018-03-15 16:40:59 +00:00
|
|
|
file.close()
|
|
|
|
|
|
|
|
|
|
if __name__=="__main__":
|
|
|
|
|
if len(sys.argv) != 3:
|
|
|
|
|
print('Invalid Numbers of Arguments. Script will be terminated.')
|
|
|
|
|
print('Usage: python esm2markdown <rule xml file> <markdown output file>')
|
|
|
|
|
print('Example: python esm2markdown RuleExport_2018_03_01_12_36_37.xml documentation.mk')
|
|
|
|
|
else:
|
|
|
|
|
main(sys.argv[1],sys.argv[2]);
|
