Extracts web domain and IP address, implements rendering functions and tests #1944
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…d tests This PR partially resolves mandiant#1907. It extracts web domains and IP addresses, and implements rendering functions and tests. These changes likely don't require updates to the documentation, but if some users want to, they should be able to repurpose many of the extraction functions without too much trouble. Unfortunately, I'll probably be unavailable during the next few days, but this weekend, I'll ensure the PR passes the CI tests. I'll probably also add some more tests for the rendering functions. Please let me know if you have any questions or suggestions! Below is example output for the default mode: +------------------------------+ | IP addresses and web domains | |------------------------------+ | google.com | | 192.123.232.08 | | my-w3bs1te.net | | maliciooous.r4ndom-site.uhoh | | whoops.net | +------------------------------+ Here is example output for verbose and vverbose modes: +-----------------------------------------------------------+ | IP addresses and web domains | |-----------------------------------------------------------+ | google.com | | |----IP address: | | |----192.0.0.1 | | |----Functions used to communicate with google.com: | | |----InternetConnectA | | |----HttpOpenRequestA | | |----FtpGetFileA | | |----3 occurrances | | | | | 192.123.232.08 | | |----Functions used to communicate with 192.123.232.08:| | |----... | | | +-----------------------------------------------------------+
|
very cool, I'll have to take a closer look in the upcoming week at this! thanks for the suggestions. |
|
Thanks @mr-tz! I'm just working on a couple bugs so I'll lyk when it's done! |
VascoSch92
reviewed
Feb 23, 2024
| CD = Path(__file__).resolve().parent.parent.parent | ||
|
|
||
| # these constants are also defined in capa.main | ||
| # defined here to avoid a circular import |
There was a problem hiding this comment.
Perhpas define a script with all these constants inside? It is better than having repeated code
| from capa.render.result_document import ResultDocument | ||
| from capa.features.extractors.base_extractor import FeatureExtractor | ||
|
|
||
| CD = Path(__file__).resolve().parent.parent.parent |
There was a problem hiding this comment.
CD is for current directory?
| for tuple in obj: | ||
| strings.append(tuple[0]) | ||
|
|
||
| return strings |
There was a problem hiding this comment.
Return [tuple[0] for tuple in obj]
| """ | ||
| invalid_list = ["win", "exe", "dll", "med"] # add more to this list | ||
|
|
||
| for domain in invalid_list: |
There was a problem hiding this comment.
Return not string in invalid_list
| if re.search(DOMAIN_PATTERN, string): | ||
| if not invalid_domain(string): | ||
| try: | ||
| domain_counts[string] += 1 |
There was a problem hiding this comment.
domain_counts[string] = domain_counts.get(string, 0) + 1
In this way you don't use a try block. Faster and better
|
|
||
| elif is_ip_addr(string): | ||
| try: | ||
| ip_counts[string] += 1 |
|
can this be closed as superseded by #2031? |
|
@mr-tz Yes, I'll go ahead and close it! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR partially resolves #1907. It extracts web domains and IP addresses, and implements rendering functions and tests.
These changes likely don't require updates to the documentation, but if some users want to, they should be able to repurpose many of the extraction functions fairly easily.
Unfortunately, I'll probably be unavailable during the next few days, but this weekend, I'll ensure this PR passes the CI tests.
I'll probably also add some more tests for the rendering functions.
Please let me know if you have any questions or suggestions!
Below is example output for the default mode:
Here is example output for verbose and vverbose modes:
Checklist