Add domain regex to extract-ioc

alex27riva · Oct 19, 2024 · 6fb8589 · 6fb8589
1 parent 5bf0032
commit 6fb8589
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 25 deletions.
diff --git a/cmd/extract_ioc.go b/cmd/extract_ioc.go
@@ -17,10 +17,11 @@ import (
 )
 
 type iocOutput struct {
-	URLs   []string `json:"urls"`
-	IPs    []string `json:"ips"`
-	Emails []string `json:"emails"`
-	Hashes []string `json:"hashes"`
+	URLs    []string `json:"urls"`
+	IPs     []string `json:"ips"`
+	Emails  []string `json:"emails"`
+	Domains []string `json:"domains"`
+	Hashes  []string `json:"hashes"`
 }
 
 var extractIocCmd = &cobra.Command{
@@ -48,18 +49,20 @@ func extractIOCs(filePath string, asJSON bool) {
 	}
 
 	// Find all IOCs
-	uniqueURLs := removeDuplicates(util.URLRegex.FindAllString(string(data), -1))
-	uniqueIPs := removeDuplicates(util.IPRegex.FindAllString(string(data), -1))
-	uniqueEmails := removeDuplicates(util.EmailRegex.FindAllString(string(data), -1))
-	uniqueHashes := removeDuplicates(util.SHA256Regex.FindAllString(string(data), -1))
+	uniqueURLs := util.RemoveDuplicates(util.URLRegex.FindAllString(string(data), -1))
+	uniqueIPs := util.RemoveDuplicates(util.IPRegex.FindAllString(string(data), -1))
+	uniqueEmails := util.RemoveDuplicates(util.EmailRegex.FindAllString(string(data), -1))
+	uniqueDomains := util.RemoveDuplicates(util.DomainRegex.FindAllString(string(data), -1))
+	uniqueHashes := util.RemoveDuplicates(util.SHA256Regex.FindAllString(string(data), -1))
 
 	if asJSON {
 		// Prepare data for JSON output
 		iocData := iocOutput{
-			URLs:   uniqueURLs,
-			IPs:    uniqueIPs,
-			Emails: uniqueEmails,
-			Hashes: uniqueHashes,
+			URLs:    uniqueURLs,
+			IPs:     uniqueIPs,
+			Emails:  uniqueEmails,
+			Domains: uniqueDomains,
+			Hashes:  uniqueHashes,
 		}
 
 		// Marshal to JSON and print
@@ -100,6 +103,14 @@ func extractIOCs(filePath string, asJSON bool) {
 			}
 		}
 
+		// Print Domains
+		if len(uniqueDomains) > 0 {
+			color.Green("\nDomains:")
+			for _, email := range uniqueDomains {
+				fmt.Println(email)
+			}
+		}
+
 		// Print SHA256 Hashes
 		if len(uniqueHashes) > 0 {
 			color.Green("\nSHA256 Hashes:")
@@ -109,16 +120,3 @@ func extractIOCs(filePath string, asJSON bool) {
 		}
 	}
 }
-
-// Helper function to remove duplicate IOCs
-func removeDuplicates(items []string) []string {
-	uniqueItems := make(map[string]bool)
-	result := []string{}
-	for _, item := range items {
-		if !uniqueItems[item] {
-			uniqueItems[item] = true
-			result = append(result, item)
-		}
-	}
-	return result
-}
diff --git a/internal/util/regex.go b/internal/util/regex.go
@@ -13,5 +13,6 @@ var (
 	RFC1918Regex = regexp.MustCompile(`^(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})$`)
 	URLRegex     = regexp.MustCompile(`https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()!@:%_\+.~#?&\/\/=]*)`)
 	EmailRegex   = regexp.MustCompile(`[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}`)
+	DomainRegex  = regexp.MustCompile(`(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+(?:[a-zA-Z]{2,})|localhost)`)
 	SHA256Regex  = regexp.MustCompile(`\b[a-fA-F0-9]{64}\b`)
 )
diff --git a/internal/util/util.go b/internal/util/util.go
@@ -0,0 +1,20 @@
+/*
+Copyright © 2024 Alessandro Riva
+
+Licensed under the MIT License.
+See the LICENSE file for details.
+*/
+package util
+
+// Remove duplicates from a slice
+func RemoveDuplicates(items []string) []string {
+	uniqueItems := make(map[string]bool)
+	result := []string{}
+	for _, item := range items {
+		if !uniqueItems[item] {
+			uniqueItems[item] = true
+			result = append(result, item)
+		}
+	}
+	return result
+}