Python: converting multiple YAML documents to JSON

特帕罗特

I am currently trying to convert some YAML to JSON using Python and am having trouble getting the JSON formatted correctly. My YAML file contains multiple documents that look like this:

title: Windows Shell Spawning Suspicious Program
status: experimental
description: Detects a suspicious child process of a Windows shell
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth
date: 20018/04/06
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        ParentImage:
            - '*\mshta.exe'
            - '*\powershell.exe'
            - '*\cmd.exe'
            - '*\rundll32.exe'
            - '*\cscript.exe'
            - '*\wscript.exe'
            - '*\wmiprvse.exe'
        Image:
            - '*\schtasks.exe'
            - '*\nslookup.exe'
            - '*\certutil.exe'
            - '*\bitsadmin.exe'
            - '*\mshta.exe'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Administrative scripts
level: medium
...

What I want to do for each document is extract detection, fields, falsepositives and level and put them into the JSON document as separate arrays. My first attempt was pretty bad and just lumped the groups from every document together into lists:

import json
import yaml  # PyYAML

yaml_file = 'input.yaml'   # input and output paths (assumed names; not given in the post)
json_file = 'output.json'

data = {}
data['indicator'] = {}
data['indicator']['detection'] = []
data['indicator']['fields'] = []
data['indicator']['false positives'] = []
data['indicator']['level'] = []
with open(yaml_file, 'r') as yaml_in, open(json_file, 'a') as definition:
    loadyaml = yaml.safe_load_all(yaml_in)
    for item in loadyaml:
        # .items() works on Python 2 and 3 (.iteritems() is Python 2 only)
        for header, subsections in item.items():
            if header == 'detection':
                data['indicator']['detection'].append(subsections)
            elif header == 'fields':
                data['indicator']['fields'].append(subsections)
            elif header == 'falsepositives':  # key as it is spelled in the YAML
                data['indicator']['false positives'].append(subsections)
            elif header == 'level':
                data['indicator']['level'].append(subsections)

    json.dump(data, definition, indent=4)

I would like each document to be entered into my JSON document as a separate indicator, with its detection, fields, false positives and level grouped together, but my Python skills are failing me.

Any insight on this would be much appreciated!

安通

You can get the output you want by iterating over .load_all() with a smaller program:

import sys
import ruamel.yaml
import json

yaml = ruamel.yaml.YAML(typ='safe')
ind = dict()
data = dict(indicator=ind)
# load_all() yields one mapping per YAML document in the stream
for d in yaml.load_all(open('input.yaml')):
    for k in ('detection', 'fields', 'falsepositives', 'level'):
        # create the list on first use, then append this document's value
        ind.setdefault(k, []).append(d[k])

json.dump(data, sys.stdout, indent=2)

If you have a file input.yaml:

---
title: Windows Shell Spawning Suspicious Program
status: experimental
description: Detects a suspicious child process of a Windows shell
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth
date: 20018/04/06
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        ParentImage:
            - '*\mshta.exe'
            - '*\powershell.exe'
            - '*\cmd.exe'
            - '*\rundll32.exe'
            - '*\cscript.exe'
            - '*\wscript.exe'
            - '*\wmiprvse.exe'
        Image:
            - '*\schtasks.exe'
            - '*\nslookup.exe'
            - '*\certutil.exe'
            - '*\bitsadmin.exe'
            - '*\mshta.exe'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Administrative scripts
level: medium
...
---
title: Bash starting just what is asked
status: stabel
description: No negative side effects
references:
    - https://nblue24.github.io/posts/2019/04/01/DownloadBed.html
author: Axel Roth
date: 2019/04/01
logsource:
    product: linux
    service: good
detection:
    selection:
        EventID: 42
        ParentImage:
            - '*/bash'
            - '*/ash'
        Image:
            - systemctl
            - init
    condition: selection
fields:
    - Shell
    - ParentShell
falsepositives:
    - root programs
level: high
...

your output will be:

{
  "indicator": {
    "detection": [
      {
        "selection": {
          "EventID": 1,
          "ParentImage": [
            "*\\mshta.exe",
            "*\\powershell.exe",
            "*\\cmd.exe",
            "*\\rundll32.exe",
            "*\\cscript.exe",
            "*\\wscript.exe",
            "*\\wmiprvse.exe"
          ],
          "Image": [
            "*\\schtasks.exe",
            "*\\nslookup.exe",
            "*\\certutil.exe",
            "*\\bitsadmin.exe",
            "*\\mshta.exe"
          ]
        },
        "condition": "selection"
      },
      {
        "selection": {
          "EventID": 42,
          "ParentImage": [
            "*/bash",
            "*/ash"
          ],
          "Image": [
            "systemctl",
            "init"
          ]
        },
        "condition": "selection"
      }
    ],
    "fields": [
      [
        "CommandLine",
        "ParentCommandLine"
      ],
      [
        "Shell",
        "ParentShell"
      ]
    ],
    "falsepositives": [
      [
        "Administrative scripts"
      ],
      [
        "root programs"
      ]
    ],
    "level": [
      "medium",
      "high"
    ]
  }
}

This works on both Python 2 and 3.
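The answer above collects the four keys into parallel lists across all documents. The asker actually wanted one indicator per document with its own detection, fields, false positives and level kept together, and the answer's d[k] raises KeyError as soon as a rule omits one of the keys. The following added example (not code from the question or the answer) does that per-document grouping with PyYAML, tolerates missing keys and skips empty documents; the sample rules, the key name 'indicators' and the function names are constructed for this example.

```python
import json
try:
    import yaml  # PyYAML; not in the standard library
    HAVE_YAML = True
except ImportError:  # group_indicators() still works on already-parsed dicts
    HAVE_YAML = False
# Constructed sample: two abbreviated Sigma-style rules; the second has no 'fields'.
SAMPLE_RULES = """\
---
title: Windows Shell Spawning Suspicious Program
detection:
    selection:
        EventID: 1
        Image:
            - '*\\certutil.exe'
    condition: selection
fields:
    - CommandLine
falsepositives:
    - Administrative scripts
level: medium
...
---
title: Rule without a fields section
detection:
    selection:
        EventID: 42
    condition: selection
falsepositives:
    - root programs
level: high
...
"""
WANTED = ("detection", "fields", "falsepositives", "level")

def group_indicators(docs):
    """One indicator per document; missing keys become None, empty docs are skipped."""
    indicators = []
    for doc in docs:
        if isinstance(doc, dict):
            indicators.append({"title": doc.get("title"),
                               **{k: doc.get(k) for k in WANTED}})
    return {"indicators": indicators}

def convert(yaml_text):
    """Parse a multi-document YAML string into the JSON-ready structure."""
    if not HAVE_YAML:
        raise RuntimeError("PyYAML is required to parse YAML input")
    return group_indicators(yaml.safe_load_all(yaml_text))
```

Run it with `print(json.dumps(convert(SAMPLE_RULES), indent=2))` to see each rule emitted as its own object under "indicators".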
