## EyeON: Eye on Operational Networks
### a firmware inventory/threat analysis tool


In [None]:
from eyeon import observe
from pprint import pprint

### Objects
EyeON consists of two parts: an `observe` call and a `parse` call. `observe` works on a single file and returns a suite of identifying metrics. `parse` calls `observe` recursively, returning an observation for each file in a directory. Both can be run either through a library import or as a CLI command.

In [None]:
obs = observe.Observe("./tests/binaries/Wintap/Wintap.exe")


### Data Standard
Depending on the file type, e.g. PE or ELF, different observations will be collected.
For instance, PE files typically contain more metadata and carry signature information. The cells below first show some high-level characteristics, then dig into the certificates more thoroughly.

In [None]:
print("authentihash:", obs.authentihash)
print("filename:", obs.filename)
print("file magic:", obs.magic)
print("signature_validation:", obs.signatures[0]["verification"])

In [None]:
pprint(obs.metadata)

In [None]:
for sig in obs.signatures:
    print("digest algorithm:", sig["digest_algorithm"])
    print("digest value:", sig["sha1"])
    print("signers:", sig["signers"])
    print("cert validation:", sig["verification"])
    for cert in sig["certs"]:
        pprint(cert)
        break
    break

A command-line component is also installed with the `eyeon` library. It provides two subcommands: `eyeon observe` and `eyeon parse`.
`observe` generates output for a single file, whereas `parse` scans a directory.

It can be called as below (note that a leading `!` executes a terminal command from the notebook):

In [None]:
! eyeon --help

In [None]:
! eyeon observe --output-dir ./outputs ./tests/binaries/Wintap/Wintap.exe
! jq . ./outputs/Wintap.*
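
Once observations exist as JSON, a firmware inventory can be triaged by signature status. The following is an added example, not part of EyeON or the original notebook: `load_observations` and `triage` are hypothetical helpers, the records are constructed, the JSON keys are assumed to match the attributes shown above (`filename`, `magic`, `signatures`, `verification`), and the passing value `"OK"` and the `.json` suffix are assumptions to adjust to your output.

```python
import json
from pathlib import Path

# Constructed sample observations; keys mirror the attributes shown above.
# Assumption: a passing signature check is reported as the string "OK".
# "BAD_DIGEST" is a constructed failure value, not taken from EyeON output.
SAMPLE = [
    {"filename": "Wintap.exe", "magic": "PE32 executable",
     "signatures": [{"verification": "OK", "signers": "CN=Constructed Signer"}]},
    {"filename": "updater.exe", "magic": "PE32 executable",
     "signatures": [{"verification": "OK", "signers": "CN=Constructed Signer"},
                    {"verification": "BAD_DIGEST", "signers": "CN=Other"}]},
    {"filename": "helper.dll", "magic": "PE32+ executable (DLL)", "signatures": []},
    {"filename": "libdemo.so", "magic": "ELF 64-bit LSB shared object"},
]


def load_observations(output_dir):
    """Read every JSON file in an output directory (.json suffix is assumed)."""
    paths = sorted(Path(output_dir).glob("*.json"))
    return [json.loads(p.read_text()) for p in paths]


def triage(records, ok_value="OK"):
    """Sort observations into verified / failed / unsigned by signature status."""
    report = {"verified": [], "failed": [], "unsigned": []}
    for rec in records:
        name = rec.get("filename", "<unknown>")
        # Non-PE records (e.g. ELF) may carry no signature list at all, so
        # indexing signatures[0] directly would fail on them.
        sigs = rec.get("signatures") or []
        bad = [s.get("verification") for s in sigs
               if s.get("verification") != ok_value]
        if not sigs:
            report["unsigned"].append(name)
        elif bad:
            # One failing signature is enough to flag the file for review.
            report["failed"].append((name, bad))
        else:
            report["verified"].append(name)
    return report


if __name__ == "__main__":
    for status, items in triage(SAMPLE).items():
        print(status, items)
```

To run it on real output, pass `load_observations("./outputs")` to `triage` in place of `SAMPLE`.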