iocextract

Defanged Indicator of Compromise (IOC) Extractor.

Results 19 iocextract issues

Hey, I was looking to use this for decoding some base64 strings inside json and it did not seem to find the following when using refang. ``` }, "data": {...

The url is: `https://www.mysite.com/endpoint?param=abc--~C` the trailing `>` is always stripped off the url even though it is part of it. When I extract_iocs I get: `https://www.mysite.com/endpoint?param=abc--~C

Things that look like timestamps, and things like `1:6:0`, are getting through. If we can't improve the regex to catch these, maybe add a filter on the iterator?

bug

It seems that refang'ing urls with a scheme not listed in line: https://github.com/InQuest/python-iocextract/blob/4da913206d8e94a6a3b137c011c89e9707cb3966/iocextract.py#L626 replaces it with 'http': https://github.com/InQuest/python-iocextract/blob/4da913206d8e94a6a3b137c011c89e9707cb3966/iocextract.py#L631. Maybe a hard-coded conversion mapping could be used, e.g.: ```python refang_schemes =...

iocextract doesn't seem to recognize any IPv4 addresses from netstat output since they all end with `.` or the protocol. For example, `10.1.1.117.4222` and `10.1.1.117.https`. It pulls out IPv6 addresses...

It'd be great to be able to provide a directory path to iocextract and have it iterate over all files, extracting IOCs from each as it goes. For example, i...

enhancement

`text = "I found this IP: 192.168.0.1 on 23:00:00"` In this text 192.168.0.1 and 23:00:00 both were found as an IP `extract_ips`

My IOC is `https://example[.]com/k265/aHR0cHM6Ly91NzAwNy5zY29y` `iocextract.extract_urls(IOC, refang=True)` Getting error:

```
File "/usr/local/lib/python3.11/dist-packages/iocextract.py", line 522, in extract_encoded_urls
    url = base64.b64decode(url).decode("utf-8", "replace")
          ^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/base64.py", line 88, in b64decode
    return binascii.a2b_base64(s, strict_mode=validate)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
binascii.Error:...
```