Closed deadbits closed 1 year ago
Hi, @deadbits!
This feature is now included in the development branch. It currently extracts HTTP, HTTPS, and FTP a bit differently than its numeric counterparts, but should still extract it all in some way. Once I've pushed a new version to PyPI, I'll post another comment here.
Here's a quick example with the library:
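```python
import iocextract


def extract_url_list():
    # Defanged netstat-style values: IPv4 followed by a port or protocol name
    url_list = [
        "10[.]1[.]1[.]117[.]4222",
        "10[.]1[.]1[.]117[.]https",
        "10[.]1[.]1[.]117[.]http",
        "10[.]10[.]1[.]117[.]ftp",
        "10[.]10[.]1[.]117"
    ]
    for url in url_list:
        # refang=True turns "[.]" back into "." before the result is returned
        print(list(iocextract.extract_ipv4s(url, refang=True)))


extract_url_list()
```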
Still working on improving the CLI to work accordingly for IPv4s specifically, but for now, you could use something like this to return the same result:
```
iocextract --input info.txt --extract-urls --refang --rm_scheme
```
NOTE: The `info.txt` file contains the same values from the list in the library example.
New version is now available on PyPI: https://pypi.org/project/iocextract/1.14.0/
iocextract doesn't seem to recognize any IPv4 addresses from netstat output since they all end with `.<port number>` or the protocol. For example, `10.1.1.117.4222` and `10.1.1.117.https`. It pulls out IPv6 addresses just fine, though.
This would be a super useful addition to have when triaging host events from a DFIR standpoint :)
Any suggested workaround or is there a possible patch that would cover this?
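An added example, not part of the original thread and not iocextract's own code: one workaround for the netstat form described in the issue is to split the trailing `.<port>` or `.<service>` suffix off each token and validate the remaining four octets. The function names and sample lines are constructed for illustration, and only the Python standard library is used.

```python
import ipaddress
import re

# Constructed sample lines using the address.port / address.service form
# described in the issue.
SAMPLE_NETSTAT = """\
tcp4  0  0  10.1.1.117.4222    10.1.1.20.https    ESTABLISHED
tcp4  0  0  10.1.1.117.52344   10.10.1.117.ftp    ESTABLISHED
tcp6  0  0  fe80::1%lo0.8021   *.*                LISTEN
udp4  0  0  *.5353             *.*
tcp4  0  0  10.1.1.300.80      10.1.1.5.http      CLOSE_WAIT
"""

# Four dotted octets, then ".<port>" or ".<service name>". The lookarounds stop
# the pattern from matching inside a longer dotted token.
ENDPOINT_RE = re.compile(
    r"(?<![\w.])((?:\d{1,3}\.){3}\d{1,3})\.(\d{1,5}|[A-Za-z][\w-]*)(?![\w.])"
)


def split_endpoint(token):
    """Return (ip, port_or_service) for 'a.b.c.d.suffix', else None."""
    match = ENDPOINT_RE.fullmatch(token)
    if not match:
        return None  # bare IPv4s and wildcards are out of scope here
    ip, suffix = match.groups()
    try:
        ipaddress.IPv4Address(ip)  # rejects octets > 255
    except ValueError:
        return None
    if suffix.isdigit() and int(suffix) > 65535:
        return None  # not a valid TCP/UDP port
    return ip, suffix


def extract_endpoints(text):
    """Return every valid (ip, port_or_service) pair found in netstat text."""
    results = []
    for match in ENDPOINT_RE.finditer(text):
        endpoint = split_endpoint(match.group(0))
        if endpoint:
            results.append(endpoint)
    return results


if __name__ == "__main__":
    for ip, suffix in extract_endpoints(SAMPLE_NETSTAT):
        print(ip, suffix)
```

The recovered addresses can then be passed to whatever IOC tooling is already in use, with the port or service kept alongside for triage context.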