ioc-extractor
IOC (Indicator of Compromise) extractor
Last updated 15 days ago by ninoseki .
$ cnpm install ioc-extractor 

IOC extractor


IOC extractor is an npm package for extracting common IOCs (Indicators of Compromise) from a block of text.

Note: the package is highly influenced by cacador.

Installation

npm install ioc-extractor

Usage

As a CLI

$ echo "1.1.1.1 8.8.8.8 example.com" | ioc-extractor
{"asns":[],"btcs":[],"cves":[],"domains":["example.com"],"emails":[],"gaPubIDs":[],"gaTrackIDs":[],"ipv4s":["1.1.1.1","8.8.8.8"],"ipv6s":[],"macAddresses":[],"md5s":[],"sha1s":[],"sha256s":[],"sha512s":[],"ssdeeps":[],"urls":[],"xmrs":[]}

# Using with jq
$ echo "1.1.1.1 8.8.8.8 example.com " | ioc-extractor | jq
{
  "asns": [],
  "btcs": [],
  "cves": [],
  "domains": [
    "example.com"
  ],
  "emails": [],
  "gaPubIDs": [],
  "gaTrackIDs": [],
  "ipv4s": [
    "1.1.1.1",
    "8.8.8.8"
  ],
  "ipv6s": [],
  "macAddresses": [],
  "md5s": [],
  "sha1s": [],
  "sha256s": [],
  "sha512s": [],
  "ssdeeps": [],
  "urls": [],
  "xmrs": []
}

As a library

var iocExtractor = require("ioc-extractor")

const input = '1.1.1[.]1 google(.)com f6f8179ac71eaabff12b8c024342109b';
const ioc = iocExtractor.getIOC(input);
console.log(ioc.md5s);
// => ['f6f8179ac71eaabff12b8c024342109b']
console.log(ioc.ipv4s);
// => ['1.1.1.1']
console.log(ioc.domains);
// => ['google.com']

console.log(JSON.stringify(ioc))
// => {"asns":[],"btcs":[],"cves":[],"domains":["google.com"],"emails":[],"gaPubIDs":[],"gaTrackIDs":[],"ipv4s":["1.1.1.1"],"ipv6s":[],"macAddresses":[],"md5s":["f6f8179ac71eaabff12b8c024342109b"],"sha1s":[],"sha256s":[],"sha512s":[],"ssdeeps":[],"urls":[],"xmrs":[]}

See docs for more details.

Details

This package supports the following IOCs:

  • Hashes: md5, sha1, sha256, sha512, ssdeep
  • Networks: domain, email, ipv4, ipv6, url, asn
  • Hardware: mac address
  • Utilities: cve (CVE ID)
  • Cryptocurrencies: btc (BTC address), xmr (XMR address)
  • Trackers: gaTrackID (Google Analytics tracking ID), gaPubID (Google AdSense Publisher ID)

For network IOCs, the following defang/refang techniques are supported:

Technique          Defanged                                   Refanged
[.]   => .         1.1.1[.]1                                  1.1.1.1
(.)   => .         1.1.1(.)1                                  1.1.1.1
{.}   => .         1.1.1{.}1                                  1.1.1.1
\.    => .         example\.com                               example.com
[/]   => /         http://example.com[/]path                  http://example.com/path
[:]   => :         http[:]//example.com                       http://example.com
hxxp  => http      hxxps://google.com                         https://google.com
[at]  => @         test[at]example.com                        test@example.com
[@]   => @         test[@]example.com                         test@example.com
(@)   => @         test(@)example.com                         test@example.com
{@}   => @         test{@}example.com                         test@example.com
[dot] => .         test@example[dot]com                       test@example.com
(dot) => .         test@example(dot)com                       test@example.com
{dot} => .         test@example{dot}com                       test@example.com
Partial            1.1.1[.1                                   1.1.1.1
Any combination    hxxps[:]//test\.example[.)com[/]path       https://test.example.com/path

STIX2 support

This package provides partial support for the STIX2 format.

$ echo "1.1.1.1 8.8.8.8 example.com" | ioc-extractor --stix2 | jq
{
  "spec_version": "2.0",
  "type": "bundle",
  "objects": [
    {
      "type": "indicator",
      "id": "indicator--e0dc210b-fc7e-4dcc-8a5e-a220b32bd070",
      "created": "2019-09-07T12:40:13.104Z",
      "modified": "2019-09-07T12:40:13.104Z",
      "labels": [
        "malicious-activity"
      ],
      "pattern": "[ipv4-addr:value = '1.1.1.1']",
      "valid_from": "2019-09-07T12:40:13.104Z"
    },
    {
      "type": "indicator",
      "id": "indicator--f77971ea-37de-4ddb-a147-613fec3401b3",
      "created": "2019-09-07T12:40:13.104Z",
      "modified": "2019-09-07T12:40:13.104Z",
      "labels": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'google.com']",
      "valid_from": "2019-09-07T12:40:13.104Z"
    },
    {
      "type": "indicator",
      "id": "indicator--0461539a-dc75-4cd1-ab74-24d964c8609c",
      "created": "2019-09-07T12:40:13.104Z",
      "modified": "2019-09-07T12:40:13.104Z",
      "labels": [
        "malicious-activity"
      ],
      "pattern": "[file:hashes.md5 = 'f6f8179ac71eaabff12b8c024342109b']",
      "valid_from": "2019-09-07T12:40:13.104Z"
    }
  ]
}

The following indicator patterns are supported.

  • ipv4-addr
  • ipv6-addr
  • domain-name
  • url
  • email-addr
  • file:hashes.{md5|sha1|sha256|sha512}

Alternatives
