Feature Request/Suggestion add document filename IOC type #5

Open
johnmccash opened this Issue Nov 21, 2012 · 2 comments


@johnmccash

It would be useful to highlight filenames ending in various document type extensions, as well as dlls, exes, sys files, etc.

Owner

Highlighting file names or paths would definitely be useful. But it’s been hard to develop a regular expression that can reliably distinguish file names from surrounding text since file names can be so flexible. A permissive regular expression highlights a lot of strings that aren’t really files, and a restrictive regular expression misses a lot of files. We’d love to hear any suggestions on implementation, but so far the success rate for parsing file names has just been too low to include the functionality.

How about just including filenames that have common image, document or executable extensions (.gif, .jpg, .bmp, .txt, .text, .pdf, .xls, .xlsx, .doc, .docx, .exe, .dll, .sys, .scr, .bat) and using whitespace as beginning & ending delimiters? I agree it’s not going to catch all instances, or the whole filename in many cases, but I think it will be quite useful anyway. You could even include a feature to turn it off, if some find it objectionable.
Thoughts?
John

From: Stephen Brannon [mailto:notifications@github.com]
Sent: Tuesday, November 27, 2012 12:01 PM
To: stephenbrannon/IOCextractor
Cc: McCash John-GKJN37
Subject: Re: [IOCextractor] Feature Request/Suggestion add document filename IOC type (#5)
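
John's suggestion above (whitespace-delimited tokens ending in a fixed list of image, document and executable extensions, with an opt-out switch), worked through as an added example. This is not IOCextractor's own code: the regex, the function names `extract_filenames` and `permissive_tokens`, and the sample text are all assumptions of this example, and the sample is constructed rather than taken from a real report. Running the restrictive pattern and a permissive "anything with a dot in it" pattern over the same input shows the over-matching the maintainer describes.

```python
import re

# Extension list from the suggestion in this thread, longest first so that
# "docx" is tried before "doc" and "xlsx" before "xls".
DOC_EXTENSIONS = sorted(
    ("gif", "jpg", "bmp", "txt", "text", "pdf", "xls", "xlsx",
     "doc", "docx", "exe", "dll", "sys", "scr", "bat"),
    key=len, reverse=True,
)

# Restrictive pattern: a whitespace-delimited token whose last dot-suffix is a
# known extension. An opening bracket or quote before the name and sentence
# punctuation after it are tolerated but excluded from the capture, so the
# token "(notes.txt)." yields "notes.txt". A token such as "foo.exe.bak" is
# rejected because non-punctuation follows the extension.
FILENAME_RE = re.compile(
    r"(?<!\S)"                            # token starts after whitespace / at start
    r"[(\[\"']*"                          # optional opening bracket or quote
    r"([^\s(\[\"']+\.(?:" + "|".join(DOC_EXTENSIONS) + r"))"
    r"(?=[.,;:!?)\]\"']*(?:\s|$))",       # only punctuation may follow the extension
    re.IGNORECASE,
)

# Permissive counterpart for comparison: any whitespace-delimited token with a
# dot inside it. This is the style of pattern that over-matches on IPs,
# version numbers and abbreviations.
PERMISSIVE_RE = re.compile(r"(?<!\S)\S+\.\S+")


def extract_filenames(text, enabled=True):
    """Return candidate file names in order of appearance.

    enabled=False is the opt-out suggested in the thread for users who find
    the highlighting noisy.
    """
    if not enabled:
        return []
    return [m.group(1) for m in FILENAME_RE.finditer(text)]


def permissive_tokens(text):
    """Every dotted token the permissive pattern would highlight."""
    return PERMISSIVE_RE.findall(text)


# Constructed sample text (hypothetical; not from a real report).
SAMPLE = (
    "The dropper payload.exe wrote C:\\Windows\\System32\\evil.dll "
    "and a lure (Invoice_2012.docx).\n"
    "It beaconed to 192.168.1.10 with loader v1.2.3, e.g. via update.scr; "
    "notes.txt has details.\n"
    "Tokens like foo.exe.bak and a bare .doc should not be reported.\n"
)

if __name__ == "__main__":
    print("restrictive:", extract_filenames(SAMPLE))
    print("permissive :", permissive_tokens(SAMPLE))
```

On the sample the restrictive pattern returns only the five real names while the permissive one also reports the IP address, the version string and "e.g.", which is exactly the trade-off the maintainer raises. Full Windows paths and names with trailing punctuation are handled, but a name containing spaces is still split at the whitespace, as John acknowledges.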
