#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Report statistics about the artifact collection."""
from __future__ import print_function
from __future__ import unicode_literals
import sys
import time
from artifacts import definitions
from artifacts import reader
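class ArtifactStatistics(object):
  """Generates and prints statistics about artifact definitions.

  Counters are filled by BuildStats() and rendered as Markdown tables by the
  Print*() methods. All output is written to stdout.
  """

  def __init__(self):
    """Initializes artifact statistics with every counter at zero."""
    super(ArtifactStatistics, self).__init__()
    # Number of artifact definitions per label (definitions without a
    # 'labels' attribute are not counted).
    self.label_counts = {}
    # Number of sources per supported operating system string.
    self.os_counts = {}
    # Total number of paths across FILE and DIRECTORY sources.
    self.path_count = 0
    # Total number of registry keys plus registry key/value pairs.
    self.reg_key_count = 0
    # Number of sources per source type indicator.
    self.source_type_counts = {}
    # Total number of sources (not definitions) seen.
    self.total_count = 0

  def _ResetCounts(self):
    """Resets every counter so that statistics can be rebuilt from scratch."""
    self.label_counts = {}
    self.os_counts = {}
    self.path_count = 0
    self.reg_key_count = 0
    self.source_type_counts = {}
    self.total_count = 0

  def _PrintDictAsTable(self, src_dict):
    """Prints a dictionary of counts as a three-row Markdown table.

    Row one holds the keys in sorted order, row two the centred column
    alignment markers, row three the corresponding values. An empty line
    follows the table.

    Args:
      src_dict (dict[str, object]): counts keyed by name; the values are
          rendered with str().
    """
    keys = sorted(src_dict)
    print('|' + ''.join(' {0:s} |'.format(key) for key in keys))
    print('|' + ' :---: |' * len(keys))
    print('|' + ''.join(' {0!s} |'.format(src_dict[key]) for key in keys))
    print('')

  def PrintOSTable(self):
    """Prints a table of source counts by supported operating system."""
    print('**Artifacts by OS**\n')
    self._PrintDictAsTable(self.os_counts)

  def PrintLabelTable(self):
    """Prints a table of artifact definition counts by label."""
    print('**Artifacts by label**\n')
    self._PrintDictAsTable(self.label_counts)

  def PrintSourceTypeTable(self):
    """Prints a table of source counts by source type indicator."""
    print('**Artifacts by type**\n')
    self._PrintDictAsTable(self.source_type_counts)

  def PrintSummaryTable(self):
    """Prints the summary table (paths, registry keys, total sources).

    The blank line before the table lets Markdown renderers recognise it as a
    table; its first row doubles as the header. Note that the row labelled
    'Total artifacts' reports the number of sources, as counted by
    BuildStats().
    """
    print("""
As of {0:s} the repository contains:

| **File paths covered** | **{1:d}** |
| :------------------ | ------: |
| **Registry keys covered** | **{2:d}** |
| **Total artifacts** | **{3:d}** |
""".format(
        time.strftime('%Y-%m-%d'), self.path_count, self.reg_key_count,
        self.total_count))

  def _CountSource(self, source):
    """Updates the per-source counters for a single artifact source.

    Args:
      source: artifact source with a type_indicator and supported_os, plus
          keys, key_value_pairs or paths depending on the type.
    """
    self.total_count += 1
    source_type = source.type_indicator
    self.source_type_counts[source_type] = (
        self.source_type_counts.get(source_type, 0) + 1)
    if source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY:
      self.reg_key_count += len(source.keys)
    elif source_type == definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE:
      # Each key/value pair names one registry key.
      self.reg_key_count += len(source.key_value_pairs)
    elif source_type in (definitions.TYPE_INDICATOR_FILE,
                         definitions.TYPE_INDICATOR_DIRECTORY):
      self.path_count += len(source.paths)
    for os_name in source.supported_os:
      self.os_counts[os_name] = self.os_counts.get(os_name, 0) + 1

  def BuildStats(self, path='data'):
    """Builds the statistics from the artifact definitions in a directory.

    All counters are reset first, so repeated calls do not accumulate.

    Args:
      path (str): directory containing the YAML artifact definition files.
          Defaults to 'data', the repository's definitions directory.
    """
    # NOTE(review): parsing is delegated to reader.YamlArtifactsReader. The
    # repository's own data directory is trusted input; if this is ever
    # pointed at third-party definition files, confirm the reader uses a
    # safe YAML loader (yaml.safe_load) rather than yaml.load.
    self._ResetCounts()
    artifact_reader = reader.YamlArtifactsReader()
    for artifact_definition in artifact_reader.ReadDirectory(path):
      # Labels are optional; definitions without the attribute are skipped.
      for label in getattr(artifact_definition, 'labels', ()):
        self.label_counts[label] = self.label_counts.get(label, 0) + 1
      for source in artifact_definition.sources:
        self._CountSource(source)

  def PrintStats(self, path='data'):
    """Builds the statistics and prints them in Markdown format.

    Args:
      path (str): directory containing the YAML artifact definition files.
    """
    self.BuildStats(path)
    self.PrintSummaryTable()
    self.PrintSourceTypeTable()
    self.PrintOSTable()
    self.PrintLabelTable()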
def Main():
  """The main program function.

  Builds the artifact statistics and prints them to stdout.

  Returns:
    bool: True if successful or False if not.
  """
  ArtifactStatistics().PrintStats()
  return True
if __name__ == '__main__':
  # Exit status 0 on success, 1 on failure, as reported by Main().
  sys.exit(0 if Main() else 1)