Tuesday, February 12, 2013

Automating OpenIOC with Splunk

This year a colleague of mine, @trakzon, and I talked about integrating MIR, OpenIOC and other network data sources such as BRO and Palo Alto Network Firewalls logs with Splunk at MIRCon. We never got around to publishing the code until now.   Here is the code to automate the searching of OpenIOC format IOCs through Splunk’s API:

As always we welcome feedback and features. 

Tuesday, February 5, 2013

Auto-Generating OpenIOCs

Wow, it has been two years since last post, and this post will not be mind blowing. For the past couple of years I have been busy building an incident response team and SOC so I have not had a lot of time write much worth posting. I finally got some free time this last week and created a quick and dirty script to create OpenIOC format IOCs from unstructured data. This was a pain point in my teams day to day operations since we use OpenIOC format IOCs for just about every part of our automation to look for known indicators, be in in Splunk or MIR. The script is not complicated but saves a ton of time when you have to import a long list of IOCs (MD5’s, IP’s or domain names). To execute the script all you need is a basic install of python, no other libraries. I’ll walk through an example of its use below. First step is to find a source for IOCs. In a perfect world all IOCs would be in a structured format already but most of the time they are not. In this example I will be creating IOC’s from a a FireEye blog post. If you want to play along here is the site: http://blog.fireeye.com/research/2013/02/operation-beebus.html Just copy the contents the blog post to a file. Once you have the contents copied over execute the script as below, “blobofIOCs” is the copied content:

This will create an OpenIOC format IOC in the same directory:

From here you aren’t done it does most of the work but you have to edit some of the property files and check for BAD IOCs. You can load the IOC up in Mandiant IOC editor located here:

When parsed it will look similar to the figure below:

“ioc_creator.py” will generate domain, IP, MD5 hash, registry and file path IOCs. Be sure to change the name, add groups, and change the description as it defaults to BulkImport . The IOC will still load into MIR if you don’t change this but you want to change this data for context if it ever hits. The IOC also has some bad auto-generated IOCs. The “File Full Path contains “\Windows,” which is a bad IOC, as well as the single registry path contains.  Delete these BAD IOCs out. “ioc_creator.py” defaults IOC term logic to the following for each IOC term type:
  • FileItem/FullPath – contains
  •  RegistryPath – contains
  • Network/DNS – contains
  • PortItem/remoteIP – is
  • FileItem/Md5sum - is
The auto-generation will catch some very high false positive IOCs so make sure to use IOC lint and double check what has been auto-generated for you.  In the end my IOC was cleaned up to look like the following figure:

Please let me know of any bugs or features needed. The script can be found here: