MCPcopy Index your code
hub / github.com/assafmo/xioc

github.com/assafmo/xioc @v1.1.12

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.1.12 ↗ · + Follow
22 symbols 61 edges 4 files 10 documented · 45%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

xioc

Extract indicators of compromise from text, including "escaped" ones like hxxp://banana.com, 1.1.1[.]1 and phish at malicious dot com.

CircleCI Coverage Status Go Report Card GoDoc

Installation

  • Download a precompiled binary from https://github.com/assafmo/xioc/releases
  • Or... Use go get:

bash go get -u github.com/assafmo/xioc

  • Or... Use snap install (Ubuntu):

bash snap install xioc

  • Or use Ubuntu PPA:

bash curl -SsL https://assafmo.github.io/ppa/ubuntu/KEY.gpg | sudo apt-key add - sudo curl -SsL -o /etc/apt/sources.list.d/assafmo.list https://assafmo.github.io/ppa/ubuntu/assafmo.list sudo apt update sudo apt install xioc

Features

  • Extract IOCs (indicators of compromise) from an input text:
  • IPv4
  • IPv6
  • Domain
  • URL
  • Email
  • MD5
  • SHA1
  • SHA256
  • Translate some kinds of "escaping"/"defanging" techniques:
  • (dot), [dot], (.), [.], {.} to ..
  • (at), [at], (@), [@], {@} to @.
  • hxxp, hzzzp, hxxxp, hXXp, h__p, h**p to http.
  • Command line interface
  • Go library

Command line usage

$ xioc -h
Usage of xioc:
  -o string
        Extract only specified types.
        Types must be comma seperated. E.g: xioc -o "ip4,domain,url,md5"
        Available types:
                - ip4
                - ip6
                - domain
                - url
                - email
                - md5
                - sha1
                - sha256
  -v    Print version and exit
$ REPORT="https://unit42.paloaltonetworks.com/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
$ lynx -dump "$REPORT" | xioc
sha256  5beb50d95c1e720143ca0004f5172cb8881d75f6c9f434ceaff59f34fa1fe378
domain  energy.gov.mn
email   altangadas@energy.gov.mn
sha256  10090692ff40758a08bd66f806e0f2c831b4b9742bbf3d19c250e778de638f57
# ...
$ REPORT="https://unit42.paloaltonetworks.com/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
$ lynx -dump "$REPORT" | xioc -o email,sha256
sha256  5beb50d95c1e720143ca0004f5172cb8881d75f6c9f434ceaff59f34fa1fe378
email   altangadas@energy.gov.mn
sha256  10090692ff40758a08bd66f806e0f2c831b4b9742bbf3d19c250e778de638f57
email   ganbat_g@bpo.gov.mn
# ...

Library usage

Full API:
GoDoc

package main

import (
    "fmt"

    "github.com/assafmo/xioc/xioc"
)

func main() {
    input := `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    banana.com
    hxxp://i.robot.com/robots.txt
    1.2.3.4
    1.1.1[.]1
    info at gmail dot com
    hxxps://m.twitter[dot]com/`

    fmt.Println(xioc.ExtractDomains(input)) // => [i.robot.com m.twitter.com gmail.com banana.com]
    fmt.Println(xioc.ExtractSHA256s(input)) // => [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
    fmt.Println(xioc.ExtractMD5s(input))    // => []
    fmt.Println(xioc.ExtractIPv4s(input))   // => [1.2.3.4 1.1.1.1]
    fmt.Println(xioc.ExtractURLs(input))    // => [http://i.robot.com/robots.txt https://m.twitter.com/]
    fmt.Println(xioc.ExtractEmails(input))  // => [info@gmail.com]
}

Sources

  • Test email address: http://codefool.tumblr.com/post/15288874550/list-of-valid-and-invalid-email-addresses
  • Domains can start with a number: https://serverfault.com/a/638270
  • IPv6 Examples: http://www.gestioip.net/docu/ipv6_address_examples.html
  • Fang and defang IOCs: https://github.com/ioc-fang/ioc_fanger
  • Indicator of Compromise (De)Fanging Project: https://ioc-fang.hightower.space/
  • InQuest/python-iocextract test data: https://github.com/InQuest/python-iocextract/tree/master/test_data
  • Email address can be treated as case-insensitive: https://stackoverflow.com/a/9808332

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

replaceDot
called by 4
xioc/funcs.go
dropCR
called by 3
main.go
filterOnlyValidIPs
called by 3
xioc/funcs.go
ExtractIPv4s
called by 2
xioc/funcs.go
ExtractIPv6s
called by 2
xioc/funcs.go
hasKnownTLD
called by 2
xioc/funcs.go
ExtractEmails
called by 2
xioc/funcs.go
ExtractURLs
called by 2
xioc/funcs.go

Shape

Function 21
FuncType 1

Languages

Go100%

Modules by API surface

xioc/funcs.go13 symbols
main.go5 symbols
xioc/funcs_test.go4 symbols

For agents

$ claude mcp add xioc \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact