From 6fb8589cb3f7aeb1c4ccab96dbc987ec07cc863d Mon Sep 17 00:00:00 2001
From: Alessandro Riva
Date: Sat, 19 Oct 2024 15:47:05 +0200
Subject: [PATCH] Add domain regex to extract-ioc

---
 cmd/extract_ioc.go | 48 ++++++++++++++++++++----------------------
 internal/util/regex.go | 1 +
 internal/util/util.go | 20 ++++++++++++++++++
 3 files changed, 44 insertions(+), 25 deletions(-)
 create mode 100644 internal/util/util.go

diff --git a/cmd/extract_ioc.go b/cmd/extract_ioc.go
index bd97e9d..4f16cfa 100644
--- a/cmd/extract_ioc.go
+++ b/cmd/extract_ioc.go
@@ -17,10 +17,11 @@ import (
 )
 
 type iocOutput struct {
- URLs []string `json:"urls"`
- IPs []string `json:"ips"`
- Emails []string `json:"emails"`
- Hashes []string `json:"hashes"`
+ URLs []string `json:"urls"`
+ IPs []string `json:"ips"`
+ Emails []string `json:"emails"`
+ Domains []string `json:"domains"`
+ Hashes []string `json:"hashes"`
 }
 
 var extractIocCmd = &cobra.Command{
@@ -48,18 +49,20 @@ func extractIOCs(filePath string, asJSON bool) {
 }
 
 // Find all IOCs
- uniqueURLs := removeDuplicates(util.URLRegex.FindAllString(string(data), -1))
- uniqueIPs := removeDuplicates(util.IPRegex.FindAllString(string(data), -1))
- uniqueEmails := removeDuplicates(util.EmailRegex.FindAllString(string(data), -1))
- uniqueHashes := removeDuplicates(util.SHA256Regex.FindAllString(string(data), -1))
+ uniqueURLs := util.RemoveDuplicates(util.URLRegex.FindAllString(string(data), -1))
+ uniqueIPs := util.RemoveDuplicates(util.IPRegex.FindAllString(string(data), -1))
+ uniqueEmails := util.RemoveDuplicates(util.EmailRegex.FindAllString(string(data), -1))
+ uniqueDomains := util.RemoveDuplicates(util.DomainRegex.FindAllString(string(data), -1))
+ uniqueHashes := util.RemoveDuplicates(util.SHA256Regex.FindAllString(string(data), -1))
 
 if asJSON {
 // Prepare data for JSON output
 iocData := iocOutput{
- URLs: uniqueURLs,
- IPs: uniqueIPs,
- Emails: uniqueEmails,
- Hashes: uniqueHashes,
+ URLs: uniqueURLs,
+ IPs: uniqueIPs,
+ Emails: uniqueEmails,
+ Domains: uniqueDomains,
+ Hashes: uniqueHashes,
 }
 
 // Marshal to JSON and print
@@ -100,6 +103,14 @@ func extractIOCs(filePath string, asJSON bool) {
 }
 }
 
+ // Print Domains
+ if len(uniqueDomains) > 0 {
+ color.Green("\nDomains:")
+ for _, email := range uniqueDomains {
+ fmt.Println(email)
+ }
+ }
+
 // Print SHA256 Hashes
 if len(uniqueHashes) > 0 {
 color.Green("\nSHA256 Hashes:")
@@ -109,16 +120,3 @@ func extractIOCs(filePath string, asJSON bool) {
 }
 }
 }
-
-// Helper function to remove duplicate IOCs
-func removeDuplicates(items []string) []string {
- uniqueItems := make(map[string]bool)
- result := []string{}
- for _, item := range items {
- if !uniqueItems[item] {
- uniqueItems[item] = true
- result = append(result, item)
- }
- }
- return result
-}
diff --git a/internal/util/regex.go b/internal/util/regex.go
index 75f01aa..cba4722 100644
--- a/internal/util/regex.go
+++ b/internal/util/regex.go
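Review bot: The five new `uniqueURLs` … `uniqueHashes` lines each call `string(data)` again, and every such conversion copies the whole input file, so a large input is copied five times before a single regex runs. Convert once above the block, `text := string(data)`, and pass `text` to each `FindAllString`; the result is identical. The rest of `extractIOCs`, including where `data` is read, lies outside this hunk.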
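Review bot: The loop variable in the new Domains block is named `email` (`for _, email := range uniqueDomains`), a leftover from the Emails block it was copied from, which misleads a reader about what is being printed. Rename it to `for _, domain := range uniqueDomains {` and `fmt.Println(domain)`. The enclosing `extractIOCs` continues past the end of this hunk.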
@@ -13,5 +13,6 @@ var (
 RFC1918Regex = regexp.MustCompile(`^(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$`)
 URLRegex = regexp.MustCompile(`https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()!@:%_\+.~#?&\/\/=]*)`)
 EmailRegex = regexp.MustCompile(`[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}`)
+ DomainRegex = regexp.MustCompile(`(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+(?:[a-zA-Z]{2,})|localhost)`)
 SHA256Regex = regexp.MustCompile(`\b[a-fA-F0-9]{64}\b`)
 )
diff --git a/internal/util/util.go b/internal/util/util.go
new file mode 100644
index 0000000..250c447
--- /dev/null
+++ b/internal/util/util.go
@@ -0,0 +1,20 @@
+/*
+Copyright © 2024 Alessandro Riva
+
+Licensed under the MIT License.
+See the LICENSE file for details.
+*/
+package util
+
+// Remove duplicates from a slice
+func RemoveDuplicates(items []string) []string {
+ uniqueItems := make(map[string]bool)
+ result := []string{}
+ for _, item := range items {
+ if !uniqueItems[item] {
+ uniqueItems[item] = true
+ result = append(result, item)
+ }
+ }
+ return result
+}
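Review bot: The new `DomainRegex` has no boundary anchors, unlike the neighbouring `SHA256Regex`, so it matches inside larger tokens: `foo_bar.com` yields `bar.com` and `mylocalhost` yields `localhost`, both of which then show up as extracted IOCs. Wrapping it as `\b(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}|localhost)\b` removes the partial-token matches; tokens such as `report.pdf` will still match because an alphabetic file extension is indistinguishable from a TLD here, which deserves a comment on the variable. It is also worth stating in a comment that the host of every URL and email matched by `URLRegex`/`EmailRegex` will be reported again under domains, since that appears to be intended but is not obvious to a reader of the output.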
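Review bot: The doc comment on the exported `RemoveDuplicates` does not follow the Go convention of beginning with the identifier; `// RemoveDuplicates returns items with later duplicates dropped, preserving first-occurrence order.` reads correctly in godoc. A one-line comment that `result := []string{}` is deliberately non-nil would also help, because a nil slice would marshal as `null` rather than `[]` in the JSON output of extract_ioc.go, and that looks like the reason for the choice. Using `map[string]struct{}` instead of `map[string]bool` avoids storing a value per key, but that is optional.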