Skip to content

Commit

Permalink
new de-defangs
Browse files Browse the repository at this point in the history 
1. {.} => .
2. {@} => @
3. allow whitespace before and after special defangs like {.}, [@],
(at), etc.
  • Loading branch information
@assafmo
assafmo committed Jan 23, 2019
1 parent 08175ae commit 2d1614e
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 2 deletions.
4 changes: 2 additions & 2 deletions xioc/funcs.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,14 +23,14 @@ func init() {
}
}

var dot = `(\.| dot |\(dot\)|\[dot\]|\(\.\)|\[\.\])`
var dot = `(\.|\p{Z}dot\p{Z}|\p{Z}?(\(dot\)|\[dot\]|\(\.\)|\[\.\]|\{\.\})\p{Z}?)`
var dotRegex = regexp.MustCompile(`(?i)` + dot)

func replaceDot(s string) string {
return dotRegex.ReplaceAllString(s, ".")
}

var at = `(@| at |\(at\)|\[at\]|\(@\)|\[@\])`
var at = `(@|\p{Z}at\p{Z}|\p{Z}?(\(at\)|\[at\]|\(@\)|\[@\]|\{@\})\p{Z}?)`
var atRegex = regexp.MustCompile(`(?i)` + at)

func replaceAt(s string) string {
Expand Down
12 changes: 12 additions & 0 deletions xioc/tests.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -585,5 +585,17 @@
"hxxp://papaya.рф/sitemap.xml": {
"urls": ["http://papaya.рф/sitemap.xml"],
"domains": ["papaya.рф"]
},
"hxxps://revcode{.}eu/": {
"urls": ["https://revcode.eu/"],
"domains": ["revcode.eu"]
},
"research {@} fireeye DOT COM": {
"emails": ["research@fireeye.com"],
"domains": ["fireeye.com"]
},
"aminjalali_58 (at) yahoo.com intelreports (at) kaspersky [dot] com": {
"emails": ["aminjalali_58@yahoo.com", "intelreports@kaspersky.com"],
"domains": ["yahoo.com", "kaspersky.com"]
}
}

0 comments on commit 2d1614e

Please sign in to comment.