assafmo/xioc

Extract indicators of compromise from text, including "escaped" ones.
Extract indicators of compromise from text, including "escaped" ones like `hxxp://banana.com`, `1.1.1[.]1` and `phish at malicious dot com`.
Download a precompiled binary from https://github.com/assafmo/xioc/releases

Or... Use `go get`:

```sh
go get -u github.com/assafmo/xioc
```

Or... Use snap install (Ubuntu):

```sh
snap install xioc
```

Or use Ubuntu PPA:

```sh
curl -SsL https://assafmo.github.io/ppa/ubuntu/KEY.gpg | sudo apt-key add -
sudo curl -SsL -o /etc/apt/sources.list.d/assafmo.list https://assafmo.github.io/ppa/ubuntu/assafmo.list
sudo apt update
sudo apt install xioc
```
- Extract IOCs (indicators of compromise) from an input text:
  - IPv4
  - IPv6
  - Domain
  - URL
  - MD5
  - SHA1
  - SHA256
- Translate some kinds of "escaping"/"defanging" techniques:
  - `(dot)`, `[dot]`, `(.)`, `[.]`, `{.}` to `.`
  - `(at)`, `[at]`, `(@)`, `[@]`, `{@}` to `@`
  - `hxxp`, `hzzzp`, `hxxxp`, `hXXp`, `h__p`, `h**p` to `http`
- Command line interface
- Go library
```
$ xioc -h
Usage of xioc:
  -o string
    	Extract only specified types. Types must be comma seperated. E.g: xioc -o "ip4,domain,url,md5"
    	Available types:
    	- ip4
    	- ip6
    	- domain
    	- url
    	- email
    	- md5
    	- sha1
    	- sha256
  -v	Print version and exit
```

```sh
$ REPORT="https://unit42.paloaltonetworks.com/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
$ lynx -dump "$REPORT" | xioc
sha256 5beb50d95c1e720143ca0004f5172cb8881d75f6c9f434ceaff59f34fa1fe378
domain energy.gov.mn
email altangadas@energy.gov.mn
sha256 10090692ff40758a08bd66f806e0f2c831b4b9742bbf3d19c250e778de638f57
# ...
```

```sh
$ REPORT="https://unit42.paloaltonetworks.com/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
$ lynx -dump "$REPORT" | xioc -o email,sha256
sha256 5beb50d95c1e720143ca0004f5172cb8881d75f6c9f434ceaff59f34fa1fe378
email altangadas@energy.gov.mn
sha256 10090692ff40758a08bd66f806e0f2c831b4b9742bbf3d19c250e778de638f57
email ganbat_g@bpo.gov.mn
# ...
```
```go
package main

import (
	"fmt"

	"github.com/assafmo/xioc/xioc"
)

func main() {
	input := `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
banana.com
hxxp://i.robot.com/robots.txt
1.2.3.4
1.1.1[.]1
info at gmail dot com
hxxps://m.twitter[dot]com/`

	fmt.Println(xioc.ExtractDomains(input))
	// => [i.robot.com m.twitter.com gmail.com banana.com]

	fmt.Println(xioc.ExtractSHA256s(input))
	// => [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]

	fmt.Println(xioc.ExtractMD5s(input))
	// => []

	fmt.Println(xioc.ExtractIPv4s(input))
	// => [1.2.3.4 1.1.1.1]

	fmt.Println(xioc.ExtractURLs(input))
	// => [http://i.robot.com/robots.txt https://m.twitter.com/]

	fmt.Println(xioc.ExtractEmails(input))
	// => [info@gmail.com]
}
```
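To show what the "defanging" translations listed above and the extractors in the library example actually involve, here is an added, self-contained Go example. It is not xioc's own code: the regexes, the function names (`Refang`, `ExtractDomains`, and so on), the word-form handling of `at`/`dot`, and the tiny TLD allowlist are all assumptions made for this demo. The sample input is a constructed copy of the README's example text. The point a practitioner should take from it is that refanging must happen before extraction, and that the bare-word forms (`info at gmail dot com`) are ambiguous in free text, so they are only applied when a dotted host follows.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sample is a constructed input mirroring the README's library example.
const Sample = `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
banana.com
hxxp://i.robot.com/robots.txt
1.2.3.4
1.1.1[.]1
info at gmail dot com
hxxps://m.twitter[dot]com/`

var (
	// Bracketed dot/at forms from the feature list; replaced unconditionally.
	bracketDot = regexp.MustCompile(`(?i)\s*(?:\(dot\)|\[dot\]|\(\.\)|\[\.\]|\{\.\})\s*`)
	bracketAt  = regexp.MustCompile(`(?i)\s*(?:\(at\)|\[at\]|\(@\)|\[@\]|\{@\})\s*`)
	// Bare-word forms ("info at gmail dot com"). "dot" is only joined between word
	// characters; "at" only when a dotted host follows, to limit false refangs in prose.
	wordDot = regexp.MustCompile(`(?i)(\w)\s+dot\s+(\w)`)
	wordAt  = regexp.MustCompile(`(?i)([\w.+-])\s+at\s+([\w-]+\.[\w.-]+)`)
	// hxxp, hxxxp, hzzzp, hXXp (case-insensitive), h__p, h**p, with optional "s".
	scheme = regexp.MustCompile(`(?i)\bh(?:xx|xxx|zzz|__|\*\*)p(s?)://`)

	ipv4Re   = regexp.MustCompile(`\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b`)
	sha256Re = regexp.MustCompile(`\b[a-fA-F0-9]{64}\b`)
	md5Re    = regexp.MustCompile(`\b[a-fA-F0-9]{32}\b`)
	urlRe    = regexp.MustCompile(`(?i)\bhttps?://[^\s<>"']+`)
	emailRe  = regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b`)
	domainRe = regexp.MustCompile(`(?i)\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b`)
)

// knownTLDs is a constructed allowlist for this demo; a real extractor should load
// the IANA TLD list or the Public Suffix List instead. It is what keeps a path
// component such as "robots.txt" from being reported as a domain.
var knownTLDs = map[string]bool{"com": true, "net": true, "org": true, "gov": true, "mn": true}

// Refang undoes the defanging forms before any extraction runs.
func Refang(s string) string {
	s = bracketDot.ReplaceAllString(s, ".")
	s = bracketAt.ReplaceAllString(s, "@")
	s = wordDot.ReplaceAllString(s, "$1.$2")
	s = wordAt.ReplaceAllString(s, "$1@$2")
	s = scheme.ReplaceAllString(s, "http$1://")
	return s
}

// uniq keeps first-seen order while dropping duplicates.
func uniq(in []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range in {
		if !seen[m] {
			seen[m] = true
			out = append(out, m)
		}
	}
	return out
}

func extract(re *regexp.Regexp, s string) []string { return uniq(re.FindAllString(Refang(s), -1)) }

func ExtractIPv4s(s string) []string   { return extract(ipv4Re, s) }
func ExtractSHA256s(s string) []string { return extract(sha256Re, s) }
func ExtractMD5s(s string) []string    { return extract(md5Re, s) }
func ExtractURLs(s string) []string    { return extract(urlRe, s) }
func ExtractEmails(s string) []string  { return extract(emailRe, s) }

// ExtractDomains lowercases candidates and filters them through the TLD allowlist.
func ExtractDomains(s string) []string {
	var out []string
	for _, d := range domainRe.FindAllString(Refang(s), -1) {
		d = strings.ToLower(d)
		if knownTLDs[d[strings.LastIndex(d, ".")+1:]] {
			out = append(out, d)
		}
	}
	return uniq(out)
}

func main() {
	fmt.Println(ExtractDomains(Sample)) // [banana.com i.robot.com gmail.com m.twitter.com]
	fmt.Println(ExtractSHA256s(Sample)) // [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
	fmt.Println(ExtractMD5s(Sample))    // []
	fmt.Println(ExtractIPv4s(Sample))   // [1.2.3.4 1.1.1.1]
	fmt.Println(ExtractURLs(Sample))    // [http://i.robot.com/robots.txt https://m.twitter.com/]
	fmt.Println(ExtractEmails(Sample))  // [info@gmail.com]
}
```

The domain output is in order of appearance rather than the order the library prints, and the hash extractors rely on `\b` so that a 64-hex SHA256 is never also reported as two MD5s. If you adapt this for real reports, replace the allowlist with a full TLD list and keep the refang step first; extracting before refanging silently drops every defanged indicator.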
- Test email addresses: http://codefool.tumblr.com/post/15288874550/list-of-valid-and-invalid-email-addresses
- Domains can start with a number: https://serverfault.com/a/638270
- IPv6 examples: http://www.gestioip.net/docu/ipv6_address_examples.html
- Fang and defang IOCs: https://github.com/ioc-fang/ioc_fanger
- Indicator of Compromise (De)Fanging Project: https://ioc-fang.hightower.space/
- InQuest/python-iocextract test data: https://github.com/InQuest/python-iocextract/tree/master/test_data
- Email addresses can be treated as case-insensitive: https://stackoverflow.com/a/9808332