Documentation ¶
Index ¶
- Variables
- func GetIOCsCounts(iocs []*IOC) map[Type]int
- func GetIOCsReader(ctx context.Context, reader io.Reader, getFangedIOCs bool, matches chan *IOC) error
- func PrintIOCs(iocs []*IOC, format string) string
- func PrintIOCsCSV(iocs []*IOC) string
- func PrintIOCsStats(iocs []*IOC) string
- func PrintIOCsTable(iocs []*IOC) string
- func StandardizeDefangs(iocs []*IOC)
- type IOC
- func GetIOCs(data string, getFangedIOCs bool) []*IOC
- func GetIOCsFromHTML(htmlContent *string) ([]*IOC, error)
- func GetIOCsFromRSS(ctx context.Context, url string) ([]*IOC, error)
- func GetIOCsFromURLPage(req *http.Request) ([]*IOC, error)
- func ParseIOC(ioc string) *IOC
- func SortByType(iocs []*IOC) []*IOC
- type Type
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var Types = []Type{
	Bitcoin,
	MD5,
	SHA1,
	SHA256,
	SHA512,
	Domain,
	Email,
	IPv4,
	IPv6,
	URL,
	File,
	CVE,
	CAPEC,
	CWE,
	CPE,
}
Types of all IOCs
Functions ¶
func GetIOCsCounts ¶
GetIOCsCounts, given []IOC, returns the count of each type.
func GetIOCsReader ¶
func GetIOCsReader(ctx context.Context, reader io.Reader, getFangedIOCs bool, matches chan *IOC) error
GetIOCsReader gets IOCs from reader. TODO: the output is not deterministic.
Example ¶
reader := strings.NewReader(`this is a bad url http[://]google[.]com/path`)
iocs := make(chan *IOC)
go func() {
	defer close(iocs)
	err := GetIOCsReader(context.Background(), reader, false, iocs)
	if err != nil {
		panic(err)
	}
}()
for ioc := range iocs {
	// Print IOC
	fmt.Println(ioc)
}
Output:
func PrintIOCs ¶
PrintIOCs takes IOCs and prints them according to the desired format. Format can be csv or table.
func PrintIOCsCSV ¶
PrintIOCsCSV Takes []IOC and returns them in a csv format
func PrintIOCsStats ¶
PrintIOCsStats Given iocs print the stats associated with them
func PrintIOCsTable ¶
PrintIOCsTable Takes []IOC and returns them in a csv format
func StandardizeDefangs ¶
func StandardizeDefangs(iocs []*IOC)
StandardizeDefangs will run all IOCs through a Fang() then Defang(), which will make all the IOCs of the same defanged style.
Types ¶
type IOC ¶
IOC is a struct that stores an IOC and its type.
func GetIOCs ¶
GetIOCs Return a slice of IOCs from the provided data. getFangedIOCs will also return IOCs that are fanged (ex: google.com).
Example ¶
data := `this is a bad url http[://]google[.]com/path`
iocs := GetIOCs(data, false)
iocs = SortByType(iocs)
StandardizeDefangs(iocs)
fmt.Println(iocs)
Output:
[google[.]com|Domain hxxp[://]google[.]com/path|URL]
func GetIOCsFromHTML ¶
GetIOCsFromHTML takes an HTML page as a string and extracts the IOCs.
func GetIOCsFromRSS ¶
GetIOCsFromRSS Given RSS feed url, parse articles for IOCs
func GetIOCsFromURLPage ¶
GetIOCsFromURLPage Given a url get IOCs from the _text_ of the page
func ParseIOC ¶
ParseIOC Parses a single IOC and gets its type. It will only return the highest IOC type (so if it's an email, it will return the email, not the domain in the email)
func SortByType ¶
SortByType takes a group of IOCs and sorts them by their type
func (*IOC) Defang ¶
Defang Takes an IOC and defangs it using the standard defangReplacements
Example ¶
ioc := &IOC{IOC: "google.com", Type: Domain}
ioc = ioc.Defang()
fmt.Println(ioc)
ioc = ioc.Fang()
fmt.Println(ioc)
Output:
google[.]com|Domain
google.com|Domain
func (*IOC) Fang ¶
Fang Takes an IOC and removes the defanging stuff from it (converts to a fanged IOC). Ex: john[AT]gmail[dot]com -> john@gmail.com
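The fang-then-defang normalization described under StandardizeDefangs, Defang and Fang, as an added stand-alone example that is not the package's own code. The replacement rules, the helper names fang, defang and standardize, and the sample feed are assumptions constructed here, and the de-duplication step goes beyond what StandardizeDefangs is documented to do.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed replacement rules, constructed for this example; the package's
// own defangReplacements table is not shown on this page.
var (
	fangScheme = regexp.MustCompile(`(?i)^h(?:xx|tt)p(s?)(?:\[://\]|://)`)
	fangDot    = regexp.MustCompile(`(?i)\[\.\]|\(\.\)|\[dot\]|\(dot\)`)
	fangAt     = regexp.MustCompile(`(?i)\[at\]|\(at\)|\[@\]`)
	liveScheme = regexp.MustCompile(`(?i)^http(s?)://`)
)

// fang converts any of the defang styles above back to the live form.
func fang(s string) string {
	s = fangScheme.ReplaceAllString(s, "http${1}://")
	s = fangDot.ReplaceAllString(s, ".")
	return fangAt.ReplaceAllString(s, "@")
}

// defang rewrites a live indicator into one canonical defanged style.
func defang(s string) string {
	s = liveScheme.ReplaceAllString(s, "hxxp${1}[://]")
	s = strings.ReplaceAll(s, ".", "[.]")
	return strings.ReplaceAll(s, "@", "[AT]")
}

// standardize fangs then defangs each indicator so mixed styles collapse
// to one form, then drops the duplicates that this exposes.
func standardize(iocs []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range iocs {
		if c := defang(fang(s)); !seen[c] {
			seen[c] = true
			out = append(out, c)
		}
	}
	return out
}

func main() {
	// Constructed sample: a URL, a domain and an address, each in two styles.
	feed := []string{"http[://]google[.]com/path", "hxxp://google(.)com/path",
		"google[dot]com", "google[.]com", "john[AT]gmail[dot]com", "john(at)gmail[.]com"}
	fmt.Println(strings.Join(standardize(feed), "\n"))
}
```

Fanging first is what makes the result stable: calling defang directly on an already defanged value would bracket its dots a second time.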