MAEC to YAML

Kirillov, Ivan A.

All,

Just wanted to let you know that we’ve recently added an experimental script to generate YAML output from input MAEC XML documents:

https://github.com/MAECProject/python-maec/blob/report_summary/scripts/maec_to_yaml.py

This script supports outputting the full, raw MAEC document, as well as a simplified and more human-readable version which prunes some XML-specific structures and tries to dereference all referenced entities as appropriate. An example chunk of the latter is below.

While on the subject of producing more human-readable MAEC output, we’re also planning on releasing a greatly revised and updated version of the MAEC to HTML XSL transform in the near future.

Regards,

Ivan Kirillov

MAEC Project

MITRE

malware_subjects:
- malware_instance_object_attributes:
    properties:
      file_format: PE32 executable (GUI) Intel 80386, for MS Windows
      file_name: additional.exe
      file_path: /home/cboxuser/cuckoo/storage/binaries/8b035e18be2d24ef21125425a5f8e14ac9997824d3b0324156fbadf9f183119b
      hashes:
      - simple_hash_value: e2d5ef321050529f1ecf601d9f79d4a6
        type: MD5
      - simple_hash_value: f0ea1c08f4835435e8834d6b46f7fc2867afee6c
        type: SHA1
      - simple_hash_value: 8b035e18be2d24ef21125425a5f8e14ac9997824d3b0324156fbadf9f183119b
        type: SHA256
      - simple_hash_value: f5467aa1f586f5c9a52287e4393ab15c991f1788598d25178ff640d1ecf1385c2dea009a8713b90e0c1b9ec715d80e851266adc9f7a0db759639faac251af297
        type: SHA512
      - fuzzy_hash_value: 768:g2RULTrpIARQ+EwMBcf11dhf2jBpwutI1PqNtQ7aVC5rPbnot75BK:g2OrVRQTwQcN1kjy1PqNpVsbo5TK
        type: SSDEEP
      size_in_bytes: !!python/long '47616'
  findings_bundles:
    bundles:
    - collections:
        action_collections:
        - name: System Actions
          action_list:
          - name: load library
            timestamp: 2013-12-24 05:29:19.065000
            associated_objects:
            - association_type: input
              properties:
                name: kernel32.dll
          - name: get function address
            timestamp: 2013-12-24 05:29:19.065000
            associated_objects:
            - association_type: input
              properties:
                exports:
                  exported_functions:
                  - function_name: UnmapViewOfFile
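The simplified output above comes from the linked maec_to_yaml.py script. The following is an added example written for this page, not code from the python-maec project, that illustrates the two transformations the message describes: pruning XML-specific structure and dereferencing referenced entities. It walks a constructed, simplified MAEC-like XML document (the element names are modelled on the output above, but the document is an assumption and not schema-valid MAEC) using only the standard library, drops namespaces and attributes such as xsi:type, flattens plural wrapper elements into lists, inlines the object each idref points at, and writes the same block-style YAML layout with a small hand-written emitter so that PyYAML is not needed. The hash values and file name are taken from the sample above; all ids and namespace URIs are made up.

```python
import xml.etree.ElementTree as ET

NUMERIC_FIELDS = {"size_in_bytes"}  # leaf names written as plain integers

# Constructed sample input: a simplified MAEC-like document, not schema-valid MAEC.
SAMPLE_XML = """<maec:MAEC_Package xmlns:maec="urn:example:maec" xmlns:cybox="urn:example:cybox"
  xmlns:FileObj="urn:example:FileObj" xmlns:LibraryObj="urn:example:LibraryObj"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <maec:Malware_Subjects><maec:Malware_Subject id="example:subject-1">
  <maec:Malware_Instance_Object_Attributes id="example:obj-1">
   <cybox:Properties xsi:type="FileObj:FileObjectType">
    <FileObj:File_Name>additional.exe</FileObj:File_Name>
    <FileObj:Size_In_Bytes>47616</FileObj:Size_In_Bytes>
    <FileObj:Hashes><cybox:Hash><cybox:Type>MD5</cybox:Type>
     <cybox:Simple_Hash_Value>e2d5ef321050529f1ecf601d9f79d4a6</cybox:Simple_Hash_Value>
    </cybox:Hash></FileObj:Hashes>
   </cybox:Properties>
  </maec:Malware_Instance_Object_Attributes>
  <maec:Findings_Bundles><maec:Bundle id="example:bundle-1">
   <maec:Objects><cybox:Object id="example:obj-2">
    <cybox:Properties xsi:type="LibraryObj:LibraryObjectType">
     <LibraryObj:Name>kernel32.dll</LibraryObj:Name></cybox:Properties>
   </cybox:Object></maec:Objects>
   <maec:Actions><maec:Action id="example:action-1">
    <cybox:Name>load library</cybox:Name>
    <cybox:Associated_Objects>
     <cybox:Associated_Object idref="example:obj-2">
      <cybox:Association_Type>input</cybox:Association_Type></cybox:Associated_Object>
     <cybox:Associated_Object idref="example:obj-missing"/>
    </cybox:Associated_Objects>
   </maec:Action></maec:Actions>
  </maec:Bundle></maec:Findings_Bundles>
 </maec:Malware_Subject></maec:Malware_Subjects>
</maec:MAEC_Package>"""

def local_name(tag):  # '{urn:example:maec}Malware_Subjects' -> 'malware_subjects'
    return tag.rsplit("}", 1)[-1].lower()

def convert(el, index, seen=frozenset()):
    """Element -> dict/list/scalar: drop namespaces and attributes, flatten plural
    wrappers into lists, and inline the element an idref points at."""
    name = local_name(el.tag)
    kids = [(local_name(c.tag), c) for c in el]
    ref = el.get("idref")
    if not kids and ref is None:
        text = (el.text or "").strip()
        return int(text) if name in NUMERIC_FIELDS and text.isdigit() else text
    if kids and all(name in (k + "s", k + "es") for k, _ in kids):  # plural wrapper
        return [convert(c, index, seen) for _, c in kids]
    if el.get("id"):
        seen = seen | {el.get("id")}  # ids on the current path, for cycle detection
    out = {}
    for key, child in kids:
        val = convert(child, index, seen)
        if key in out:  # repeated sibling tag under a non-plural parent -> list
            out[key] = (out[key] if isinstance(out[key], list) else [out[key]]) + [val]
        else:
            out[key] = val
    if ref is not None:
        if ref in seen or ref not in index:
            out["idref"] = ref  # cyclic or dangling reference: keep the raw id
        else:  # inline the target; the element's own fields take precedence
            inlined = convert(index[ref], index, seen | {ref})
            for k, v in (inlined.items() if isinstance(inlined, dict) else []):
                out.setdefault(k, v)
    return out

def _scalar(value):
    s = str(value)
    if isinstance(value, str) and (not s or ": " in s or s.isdigit() or s[0] in "-[]{}#&*!|>'\"%@`"):
        return "'" + s.replace("'", "''") + "'"  # quote strings YAML would misread
    return s

def _emit(value, indent=0):
    pad = " " * indent
    if isinstance(value, dict):
        for key, val in value.items():
            if isinstance(val, (dict, list)) and val:
                yield f"{pad}{key}:"  # nested mappings indent by two, lists sit at the key's column
                yield from _emit(val, indent + 2 if isinstance(val, dict) else indent)
            else:
                yield f"{pad}{key}: {_scalar(val)}"
    else:
        for item in value:
            if isinstance(item, (dict, list)) and item:
                first, *rest = _emit(item, indent + 2)
                yield f"{pad}- {first.lstrip()}"
                yield from rest
            else:
                yield f"{pad}- {_scalar(item)}"

def to_dict(xml_text):
    root = ET.fromstring(xml_text)
    index = {e.get("id"): e for e in root.iter() if e.get("id")}  # idref targets
    return convert(root, index)

def to_yaml(xml_text):
    return "\n".join(_emit(to_dict(xml_text))) + "\n"
```

Running `print(to_yaml(SAMPLE_XML))` prints the pruned document, with the kernel32.dll object inlined under the action that references it. Two details matter when such output is consumed downstream. First, a dangling or cyclic idref is kept as a raw `idref` field rather than being followed, so a malformed or hostile report cannot send the converter into a loop. Second, the size is written as a plain integer, whereas the sample above carries `!!python/long '47616'`, which is PyYAML's serialisation of a Python 2 long; `yaml.safe_load()` rejects that tag with a ConstructorError, and since these reports describe malware the right response is to normalise the tag away (or have the producer emit plain scalars) rather than fall back to an unrestricted loader.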