iocparser

scrapes IOCs from plaintext


License
MIT
Install
pip install iocparser==1.0.14

Documentation

IOC-parser

IOC-Parser is a script that extracts the IOCs from a given (text-based) file and outputs them in .csv format. Used as a module, it returns a list of instances, each with an IOC value and an IOC type.

Installation

  • as a module: pip install iocparser
  • as a stand-alone script: git clone https://github.com/renzejongman/iocparser

Usage

./iocparser.py -s [source-file] -o [outputfile.csv]

Use in a custom script

from iocparser import IOCParser
textObj = IOCParser("text")
results = textObj.parse()

Classes

  • .IOC(kind, value)
    Instances of this very simple class are generated by the IOCParser class and returned as a list.
    kind = "IP", "uri", "md5", "sha1", "sha256", "CVE", "email" or "file"
    value = the value of the IOC

  • .IOCParser(text) This class takes a text as input, extracts all the IOCs and returns them as a list of instances of the IOC-class.
    text = the raw text (as a variable) to be parsed.

Other files

  • extensions: the file extensions needed to detect filenames (and not mistake them for URIs)
  • tlds: the Top Level Domains (TLDs) needed to recognise URIs (and not mistake them for files)
    Feel free to edit those files, but make sure there are no empty lines in either of them, or the script will break.
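
An added example (not iocparser's own code) of the disambiguation these two files support: a dotted token is classed as a file or a URI by its final suffix, and a list file is checked for the empty lines warned about above. The function names, the sample list contents and the choice to test extensions before TLDs are assumptions made for illustration.

```python
import re

# Constructed stand-ins for the contents of the 'extensions' and 'tlds' files.
# The blank lines are deliberate: they are what the README warns about.
SAMPLE_EXTENSIONS = "exe\ndll\n\ndocx\n"
SAMPLE_TLDS = "com\nnet\norg\n\n"

# Candidate tokens: dotted names that end in an alphanumeric suffix.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*(?:\.[A-Za-z0-9_-]+)+")


def blank_line_numbers(raw):
    """Return 1-based numbers of empty or whitespace-only lines in a list file."""
    return [n for n, line in enumerate(raw.splitlines(), 1) if not line.strip()]


def load_suffixes(raw):
    """Return a list file as a set of lowercase suffixes, blank lines dropped."""
    return {line.strip().lstrip(".").lower()
            for line in raw.splitlines() if line.strip()}


def classify(text, extensions_raw=SAMPLE_EXTENSIONS, tlds_raw=SAMPLE_TLDS):
    """Return sorted (kind, value) pairs, choosing 'file' or 'uri' by suffix."""
    extensions = load_suffixes(extensions_raw)
    tlds = load_suffixes(tlds_raw)
    found = set()
    for token in TOKEN_RE.findall(text):
        suffix = token.rsplit(".", 1)[-1].lower()
        if suffix in extensions:  # assumption: extensions are tested before TLDs
            found.add(("file", token))
        elif suffix in tlds:
            found.add(("uri", token))
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample report text.
    report = "The loader dropper.exe fetched stage2.dll from update.example.net today."
    print("blank lines in extensions list:", blank_line_numbers(SAMPLE_EXTENSIONS))
    for kind, value in classify(report):
        print(kind, value)
```

Running blank_line_numbers over the real extensions and tlds files after editing them gives the line numbers to fix before the parser is run.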