InQuest / iocextract

Defanged Indicator of Compromise (IOC) Extractor.
https://inquest.readthedocs.io/projects/iocextract/
GNU General Public License v2.0

IPv4 extraction doesn't recognize netstat command input #31

Closed deadbits closed 1 year ago

deadbits commented 5 years ago

iocextract doesn't seem to recognize any IPv4 addresses from netstat output since they all end with .<port number> or the protocol. For example, 10.1.1.117.4222 and 10.1.1.117.https. It pulls out IPv6 addresses just fine, though.

This would be a super useful addition to have when triaging host events from a DFIR standpoint :)

Any suggested workaround or is there a possible patch that would cover this?

battleoverflow commented 1 year ago

Hi, @deadbits!

This feature is now included in the development branch. It currently extracts HTTP, HTTPS, and FTP a bit differently than its numeric counterparts, but should still extract it all in some way. Once I've pushed a new version to PyPI, I'll post another comment here.

Here's a quick example with the library:

import iocextract

def extract_url_list():
    # Defanged netstat-style entries: an IPv4 address followed by a port number or service name
    url_list = [
        "10[.]1[.]1[.]117[.]4222",
        "10[.]1[.]1[.]117[.]https",
        "10[.]1[.]1[.]117[.]http",
        "10[.]10[.]1[.]117[.]ftp",
        "10[.]10[.]1[.]117"
    ]

    # Extract the IPv4 from each entry; refang=True turns "[.]" back into "."
    for url in url_list:
        print(list(iocextract.extract_ipv4s(url, refang=True)))

extract_url_list()

Still working on improving the CLI to work accordingly for IPv4s specifically, but for now, you could use something like this to return the same result:

iocextract --input info.txt --extract-urls --refang --rm_scheme

NOTE: The info.txt file contains the same values from the list in the library example.
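For readers who want to see what handling netstat-style addresses actually involves, here is an added, self-contained example (not code from the iocextract project or from either poster). It uses its own regular expression rather than iocextract's internals, accepts plain and defanged dots, splits off the trailing `.port` / `.service` suffix that netstat appends, and offers a normalization step that rewrites such entries to bare IPv4 addresses so the text can be handed to any ordinary extractor. The netstat output below is constructed, with documentation-range addresses standing in for real foreign hosts.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape BSD/macOS `netstat -an` prints, where the address
# columns join the IP and the port (or service name) with a dot. One foreign address
# is defanged with "[.]" to show that the defanged form is handled too.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.1.1.117.4222        10.1.1.50.52110        ESTABLISHED
tcp4       0      0  10.1.1.117.https       198.51.100[.]7.443     ESTABLISHED
tcp4       0      0  10.10.1.117.ftp        203.0.113.9.51000      TIME_WAIT
udp4       0      0  *.mdns                 *.*
"""

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"   # 0-255 without leading zeros
DOT = r"(?:\.|\[\.\]|\(\.\)|\{\.\})"              # plain dot or a common defanged dot

# An IPv4 address, optionally followed by a dot-joined port number or lowercase
# service name exactly as netstat prints it. Lookarounds stop the pattern from
# latching onto the tail of a longer dotted token.
NETSTAT_IPV4 = re.compile(
    rf"""
    (?<![\w.])                                      # not glued to a preceding word char or dot
    ( {OCTET} (?: {DOT} {OCTET} ){{3}} )            # group 1: the IPv4 address
    (?: {DOT} ( \d{{1,5}} | [a-z][a-z0-9-]* ) )?    # group 2: optional port or service suffix
    (?![\w.])                                       # not followed by more address-like text
    """,
    re.VERBOSE,
)


def refang(text: str) -> str:
    """Turn defanged dots ([.], (.), {.}) back into real dots."""
    return re.sub(DOT, ".", text)


def extract_netstat_ipv4s(text: str, refang_output: bool = True) -> List[Tuple[str, Optional[str]]]:
    """Return (ip, port_or_service) pairs for every netstat-style address in text.

    The second element is None when the address carries no suffix.
    """
    found: List[Tuple[str, Optional[str]]] = []
    for match in NETSTAT_IPV4.finditer(text):
        ip, suffix = match.group(1), match.group(2)
        found.append((refang(ip) if refang_output else ip, suffix))
    return found


def unique_ipv4s(text: str) -> List[str]:
    """Deduplicated, refanged addresses in first-seen order (what a triage list wants)."""
    seen, ordered = set(), []
    for ip, _ in extract_netstat_ipv4s(text):
        if ip not in seen:
            seen.add(ip)
            ordered.append(ip)
    return ordered


def strip_netstat_suffixes(text: str) -> str:
    """Rewrite `a.b.c.d.port` / `a.b.c.d.service` to `a.b.c.d`, leaving defanging intact.

    Use this as a preprocessing step when the downstream extractor (for example
    iocextract.extract_ipv4s) does not understand the netstat suffix itself.
    """
    return NETSTAT_IPV4.sub(lambda m: m.group(1), text)


if __name__ == "__main__":
    for ip, service in extract_netstat_ipv4s(SAMPLE_NETSTAT):
        print(f"{ip:16} {service or '-'}")
```

The port/service suffix is kept rather than discarded because, during triage, the pairing of an address with `https` versus an unusual high port is often the detail worth following up on; `unique_ipv4s` gives the flat list when only the indicators are needed.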

battleoverflow commented 1 year ago

New version is now available on PyPI: https://pypi.org/project/iocextract/1.14.0/