Created July 25, 2022 16:24
Save lopes/219675b42fdc31722936b26b1898febd to your computer and use it in GitHub Desktop.
Finds Indicators of Compromise (IoCs) in text files.
```python
#!/usr/bin/env python3
'''
Finds Indicators of Compromise (IoCs) in text files.

Usage:
    $ iocfinder.py file.txt

Based on:
    1. https://github.com/stephenbrannon/IOCextractor
    2. https://github.com/PaloAltoNetworks/ioc-parser

Todo:
    1. Allow whitelists
    2. Separate regexes from code
    3. Create more patterns, such as IPv6 and SHA{1,256}
    4. Perform more tests (multiline, another charset...)
    5. Make output more friendly
    6. Create help
    7. Allow commands - to find specific patterns, for instance
'''
from sys import argv, exit
from re import compile, IGNORECASE

# Each pattern is compiled once, not once per line as before.
patterns = {
    'hash_md5': compile(r'\b[a-f0-9]{32}\b', IGNORECASE),
    'url': compile(r'\b([a-z]{3,}://[\S]{3,})\b', IGNORECASE),
    'email': compile(r'\b([a-z][_a-z0-9-.]+@[a-z0-9-]+\.[a-z]+)\b', IGNORECASE),
    'ipv4': compile(r'\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b')
}

if len(argv) != 2:
    exit(f'Usage: {argv[0]} file.txt')

with open(argv[1], 'r') as f:
    for line in f:
        for name, p in patterns.items():
            # Report every match on the line (search() stopped at the first),
            # labelled with its pattern name instead of the raw match object.
            for m in p.finditer(line):
                print(f'{name}: {m.group(0)}')
```
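An added example, not the gist's code, that picks up items from its todo list (whitelists, SHA-1/SHA-256, IPv6): it refangs defanged indicators before matching, validates IP candidates with the standard `ipaddress` module so that impossible octets and clock times are dropped, and skips an allowlist of your own hosts. The sample text and the allowlist entry are constructed.

```python
import re
from ipaddress import ip_address

# Compiled once; \b keeps a 32-hex prefix of a SHA-256 from matching as MD5.
PATTERNS = {
    'sha256': re.compile(r'\b[0-9a-f]{64}\b', re.I),
    'sha1': re.compile(r'\b[0-9a-f]{40}\b', re.I),
    'md5': re.compile(r'\b[0-9a-f]{32}\b', re.I),
    'url': re.compile(r'\b[a-z][a-z0-9+.-]*://\S{3,}', re.I),
    'email': re.compile(r'\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b', re.I),
    'ipv4': re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'),
    # Loose on purpose: candidates are validated with ipaddress below.
    'ipv6': re.compile(r'(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}', re.I),
}

def refang(text):
    """Undo common defanging (hxxp://, [.], (.)) found in analyst notes."""
    text = re.sub(r'hxxp', 'http', text, flags=re.I)
    return re.sub(r'[\[(]\.[\])]', '.', text)

def find_iocs(text, allowlist=frozenset()):
    """Return {ioc_type: sorted indicators}. IP candidates must parse with
    ipaddress (drops 999.1.1.1 and clock times such as 12:30:45); exact,
    lower-cased matches of allowlist entries (your own hosts) are skipped."""
    text = refang(text)
    found = {}
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if name.startswith('ip'):
                try:
                    ip_address(value)
                except ValueError:
                    continue
            if value.lower() in allowlist:
                continue
            found.setdefault(name, set()).add(value)
    return {k: sorted(v) for k, v in found.items()}

# Constructed sample: a defanged note, a timestamp that looks like IPv6 to a
# naive regex, an impossible IPv4, and one of "our" hosts to allowlist.
SAMPLE = """2022-07-25 12:30:45 beacon to hxxp://evil[.]example/c2 from 203.0.113.7
dropper md5 d41d8cd98f00b204e9800998ecf8427e sent by ops@evil[.]example
bogus 999.1.1.1 ignored; ipv6 peer 2001:db8::1; our host 192.0.2.10"""

if __name__ == '__main__':
    for kind, values in find_iocs(SAMPLE, allowlist={'192.0.2.10'}).items():
        print(kind, values)
```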