# ioc-hunter
IOC Hunter finds indicators of compromise (IOC). The parse_iocs function can extract IOCs from text.
The type_ioc function can determine the IOC type of a string that you pass in.
The IOCs that are recognized are:
- ssdeep
- sha256
- sha1
- md5
- email
- ipv4_public
- ipv4_private
- ipv6_public
- ipv6_private
- filename
- domain
- url
## Parse IOCs
The parse_iocs function parses IOCs in the list above from text. There is an option
to defang the IOCs that are passed back as well as an option to provide a whitelist regex.
This will also return IOCs labeled as ``unknown`` when text is found to be suspicious, but doesn't
match any of the IOC types.
```python
from ioc_hunter import parse_iocs

text = "Your text goes here"
whitelist = r".*internaldomain\.com.*"
iocs = parse_iocs(text, defang=False, whitelist_regex=whitelist)
```
```
parse_iocs

Params:
    text – A string to parse.
    defang – If True, defang any IOCs we can (see DEFANGABLE). If False, return IOCs in their fanged state.
    whitelist_regex – Any IOC matching this regex will be ignored.
    iocs_to_parse – A list of IOC types to look for (see IOC_TYPES_SEARCH_ORDER for options).
    whitelist_domains – A list or CSV of domains to exclude from results. Excludes domains and URLs that match.
    whitelist_ip_cidr_ranges – A list or CSV of CIDR ranges to exclude from results. Excludes IPs and URLs that match.
Returns:
    A dictionary with the IOC type as the key and a list of IOCs as each value.
```
## Type IOC
The type_ioc function takes in text and determines if that text matches any of the IOC types.
If it does not match any, it will return ``unknown``.

```python
from ioc_hunter import type_ioc

suspected_ioc = "mydomain.com"
ioc_type = type_ioc(suspected_ioc)
```
```
type_ioc

Params:
    ioc – The IOC to classify.
    types_to_find – A list of types you want to look for.
Returns:
    The type of the IOC as a string (see IOC_TYPES_SEARCH_ORDER for options).
```
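The two functions above are documented only by their signatures, so the following is an added, self-contained stand-in that shows the mechanics behind both `parse_iocs` and `type_ioc` on a constructed sample. It is not ioc-hunter's own code: the regex table, the search order, the `DEFANGABLE` set, the defanging convention (`http` to `hxxp`, `.` to `[.]`, `@` to `[@]`) and the sample text are all assumptions made for this example, and it covers fewer IOC types than the library (no ssdeep or IPv6). It does reproduce the three README options worth understanding as a defender: a whitelist regex, a domain whitelist that also covers URL hosts, and a CIDR whitelist that also covers URLs with IP hosts.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed search order, specific types first, so a URL is not also reported as the
# domain it contains. The real library exposes its own IOC_TYPES_SEARCH_ORDER.
IOC_PATTERNS = [
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[a-f0-9]{40}\b", re.I)),
    ("md5", re.compile(r"\b[a-f0-9]{32}\b", re.I)),
    # URL must not end in sentence punctuation; accepts already-defanged hxxp too.
    ("url", re.compile(r"\bh(?:tt|xx)ps?://[^\s\"'<>]*[^\s\"'<>.,;:]", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("filename", re.compile(r"\b[\w-]+\.(?:exe|dll|docx?|pdf|ps1|zip)\b", re.I)),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]
DEFANGABLE = {"url", "email", "ipv4_public", "ipv4_private", "domain"}  # assumed set


def _as_list(value):
    """Accept a list or a comma-separated string, as the README's parameters do."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def type_ioc(ioc, types_to_find=None):
    """Classify one string; return 'unknown' when nothing (or nothing requested) matches."""
    for name, pattern in IOC_PATTERNS:
        if not pattern.fullmatch(ioc):
            continue
        if name == "ipv4":
            try:
                addr = ipaddress.ip_address(ioc)
            except ValueError:
                return "unknown"  # 999.1.1.1 looks like an address but is not one
            name = "ipv4_private" if addr.is_private else "ipv4_public"
        if types_to_find is None or name in types_to_find:
            return name
    return "unknown"


def defang_ioc(ioc):
    """Make an IOC non-clickable (assumed convention): http->hxxp, '.'->'[.]', '@'->'[@]'."""
    return re.sub(r"^http", "hxxp", ioc, flags=re.I).replace(".", "[.]").replace("@", "[@]")


def _host_of(ioc, ioc_type):
    """Host used for the domain and CIDR whitelists; URLs contribute their hostname."""
    if ioc_type == "url":
        return (urlsplit(ioc).hostname or "").lower()
    if ioc_type in ("domain", "ipv4_public", "ipv4_private"):
        return ioc.lower()
    return None


def _whitelisted(ioc, ioc_type, whitelist_regex, domains, networks):
    if whitelist_regex and re.search(whitelist_regex, ioc):
        return True
    host = _host_of(ioc, ioc_type)
    if host is None:
        return False
    if any(host == d or host.endswith("." + d) for d in domains):
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in networks)
    except ValueError:  # host is a name, not an address
        return False


def parse_iocs(text, defang=False, whitelist_regex=None, iocs_to_parse=None,
               whitelist_domains=None, whitelist_ip_cidr_ranges=None):
    """Extract IOCs from text into {type: [ioc, ...]}, honouring the README's options."""
    domains = [d.lower() for d in _as_list(whitelist_domains)]
    networks = [ipaddress.ip_network(c, strict=False) for c in _as_list(whitelist_ip_cidr_ranges)]
    taken = []  # character spans already claimed by a more specific type
    results = {}
    for _name, pattern in IOC_PATTERNS:
        for m in pattern.finditer(text):
            if any(m.start() < end and m.end() > start for start, end in taken):
                continue
            taken.append(m.span())
            ioc = m.group(0)
            ioc_type = type_ioc(ioc)  # resolves ipv4 -> public/private, rejects bogus addresses
            if ioc_type == "unknown" or (iocs_to_parse and ioc_type not in iocs_to_parse):
                continue
            if _whitelisted(ioc, ioc_type, whitelist_regex, domains, networks):
                continue
            value = defang_ioc(ioc) if defang and ioc_type in DEFANGABLE else ioc
            bucket = results.setdefault(ioc_type, [])
            if value not in bucket:
                bucket.append(value)
    return results


# Constructed alert text; every name, address and hash here is made up for the example.
SAMPLE_TEXT = """
Host 10.20.30.40 fetched http://evil-updates.example/payload.exe and http://static.corp-cdn.example/app.js.
DNS for the session went to 8.8.8.8; attachment invoice.docx had md5 d41d8cd98f00b204e9800998ecf8427e.
Beacon to c2.badsite.example; ticket raised by soc@internaldomain.com; junk token 999.1.1.1.
"""


def demo(defang=False):
    """Run parse_iocs over the constructed sample with all three whitelist mechanisms."""
    return parse_iocs(
        SAMPLE_TEXT,
        defang=defang,
        whitelist_regex=r".*internaldomain\.com.*",  # same regex the README shows
        whitelist_domains="corp-cdn.example",        # CSV form; also drops the CDN URL
        whitelist_ip_cidr_ranges=["8.8.8.0/24"],     # list form; drops the resolver address
    )


if __name__ == "__main__":
    for ioc_type, values in demo(defang=True).items():
        print(ioc_type, values)
```

Running it reports the md5, the `evil-updates.example` URL, the private host address, the attachment filename and the beacon domain, while the CDN URL, the resolver address, the SOC mailbox and the malformed `999.1.1.1` token are all dropped; with `defang=True` only the types in `DEFANGABLE` are rewritten, so hashes and filenames come back untouched. The span bookkeeping in `parse_iocs` is the part worth copying: once the URL regex claims a match, the domain and filename regexes are prevented from reporting the host and path it contains a second time.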
Raw data
{
"_id": null,
"home_page": "https://github.com/swimlane/ioc-hunter",
"name": "ioc-hunter",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": null,
"keywords": null,
"author": "Swimlane",
"author_email": "info@swimlane.com",
"download_url": "https://files.pythonhosted.org/packages/82/70/d4773ceb590b791d56f3ae705afa52940ceb42403c67ce19bcbf0fd1590b/ioc_hunter-1.4.1.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": null,
"summary": "Extract IOCs from text.",
"version": "1.4.1",
"project_urls": {
"Bug Tracker": "https://github.com/swimlane/ioc-hunter/issues",
"Homepage": "https://github.com/swimlane/ioc-hunter"
},
"split_keywords": [],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "7033855ed1d029cd915ce0742671f4b50d0a2daec1fad8566004a10beb255317",
"md5": "1d84b6c3a5424dc4338e88aabd07a419",
"sha256": "73df97c6ad94f7420b3a00811c5e9f81a5d16dc13fc74f513e0463b260ecaed4"
},
"downloads": -1,
"filename": "ioc_hunter-1.4.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "1d84b6c3a5424dc4338e88aabd07a419",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.7",
"size": 3589875,
"upload_time": "2025-02-03T09:12:34",
"upload_time_iso_8601": "2025-02-03T09:12:34.519952Z",
"url": "https://files.pythonhosted.org/packages/70/33/855ed1d029cd915ce0742671f4b50d0a2daec1fad8566004a10beb255317/ioc_hunter-1.4.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "8270d4773ceb590b791d56f3ae705afa52940ceb42403c67ce19bcbf0fd1590b",
"md5": "d7cbfc15964b6924a1a13d34a5922d79",
"sha256": "ddcefa5d7fce269d58d9874704232dc505a9d594661c1f6cfea5d7c67e8e8807"
},
"downloads": -1,
"filename": "ioc_hunter-1.4.1.tar.gz",
"has_sig": false,
"md5_digest": "d7cbfc15964b6924a1a13d34a5922d79",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7",
"size": 3593295,
"upload_time": "2025-02-03T09:12:37",
"upload_time_iso_8601": "2025-02-03T09:12:37.018380Z",
"url": "https://files.pythonhosted.org/packages/82/70/d4773ceb590b791d56f3ae705afa52940ceb42403c67ce19bcbf0fd1590b/ioc_hunter-1.4.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-02-03 09:12:37",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "swimlane",
"github_project": "ioc-hunter",
"github_not_found": true,
"lcname": "ioc-hunter"
}