Tool to extract indicators of compromise from security reports in PDF format
Python
Fork status: this branch is 2 commits ahead, 5 commits behind armbues:master.
Latest commit c0ab390 Mar 5, 2016 @threatminer Added PDF decryption
Repository contents (file, last commit message, date):

  • whitelists/
  • .gitignore: Revert "Fixed error 'IOC_Parser' object has no attribute 'dedup_store'" (Mar 30, 2015)
  • LICENSE: Initial commit (Jan 31, 2015)
  • README.md
  • __init__.py: Added __init__.py (Jul 8, 2015)
  • iocp.py
  • output.py: Syntax & typos (Aug 10, 2015)
  • patterns.ini: Handling defanged IOCs (Sep 18, 2015)
  • requirements.txt: Adds requirements.txt for PIP install (Aug 3, 2015)
  • whitelist.py: Didn't allow underscore in path to whitelist folder (Jun 30, 2015)

README.md

ioc-parser

IOC Parser is a tool to extract indicators of compromise from security reports in PDF format (plain-text and HTML input is also supported; see Usage). A good collection of APT-related reports with many IOCs can be found here: APTNotes.

Usage

iocp.py [-h] [-p INI] [-i FORMAT] [-o FORMAT] [-d] [-l LIB] FILE

  • FILE: file or directory path to the report(s)
  • -p INI: pattern file (regular expressions for each IOC type)
  • -i FORMAT: input format (pdf, txt or html)
  • -o FORMAT: output format (csv, json or yara)
  • -d: deduplicate matches
  • -l LIB: PDF parsing library to use
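The following is an added, self-contained example of the extraction workflow the usage above describes; it is not ioc-parser's own code. It loads regexes from an INI-style pattern file (the names and regexes are this example's, not the contents of the project's patterns.ini), refangs defanged indicators such as `hxxp://` and `[.]` before matching, drops whitelisted hits, optionally deduplicates, and renders the result as CSV, JSON or a YARA rule. The whitelist entries and the sample report are constructed for this example: the addresses come from RFC 5737 documentation space and the digests are those of the empty string.

```python
"""Added example (not ioc-parser's own code): pattern-driven IOC extraction
with refanging, whitelisting, deduplication and CSV/JSON/YARA output."""
import configparser
import csv
import io
import json
import re

# Constructed pattern file in the spirit of patterns.ini: one regex per IOC type.
# These names and regexes are assumptions for this example, not the project's file.
PATTERNS_INI = r"""
[patterns]
IP = \b(?:\d{1,3}\.){3}\d{1,3}\b
Host = \b[a-z0-9][a-z0-9.-]*\.(?:com|net|org|info|io|ru)\b
MD5 = \b[a-f0-9]{32}\b
SHA256 = \b[a-f0-9]{64}\b
URL = \bhttps?://[^\s"'<>]+
"""

# Constructed whitelist: a match is discarded if it satisfies any regex for its type.
WHITELIST = {
    "IP": [r"^127\.", r"^10\."],
    "Host": [r"(^|\.)example\.com$"],
}

# Constructed sample report. RFC 5737 addresses and empty-string digests: no real IOCs.
SAMPLE_REPORT = """
The dropper beacons to hxxp://malware-c2[.]example[.]net/gate.php and to
203[.]0[.]113[.]42 over TCP/443. A second sample contacted 203.0.113.42 again.
Hashes: d41d8cd98f00b204e9800998ecf8427e (MD5),
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (SHA256).
Internal host 10.0.0.5, localhost 127.0.0.1 and the analyst's own site
www.example.com should not be reported.
"""

# Common defanging conventions, undone before matching so that the same regex
# catches "hxxp://evil[.]test" and "http://evil.test".
DEFANG_RULES = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[(:|://)\]"), r"\1"),
]


def refang(text):
    """Rewrite defanged indicators back into their matchable form."""
    for pattern, replacement in DEFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def load_patterns(ini_text):
    """Parse an INI [patterns] section into {name: compiled regex}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep "SHA256", do not lowercase option names
    cp.read_string(ini_text)
    return {name: re.compile(rx, re.IGNORECASE) for name, rx in cp["patterns"].items()}


def extract_iocs(text, patterns, whitelist=None, dedup=True):
    """Return [(type, value), ...] ordered by pattern-file order, then position in text."""
    compiled_wl = {k: [re.compile(w, re.IGNORECASE) for w in v]
                   for k, v in (whitelist or {}).items()}
    text = refang(text)
    results, seen = [], set()
    for name, rx in patterns.items():
        for match in rx.finditer(text):
            value = match.group(0)
            if any(w.search(value) for w in compiled_wl.get(name, [])):
                continue  # benign / analyst-owned indicator
            key = (name, value.lower())  # case-insensitive dedup (hashes, hostnames)
            if dedup and key in seen:
                continue
            seen.add(key)
            results.append((name, value))
    return results


def to_csv(matches):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "value"])
    writer.writerows(matches)
    return buf.getvalue()


def to_json(matches):
    return json.dumps([{"type": t, "value": v} for t, v in matches], indent=2)


def to_yara(matches, rule_name="report_iocs"):
    """Emit one YARA string per indicator; backslashes and quotes are escaped."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, (name, value) in enumerate(matches):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        ${name.lower()}_{i} = "{escaped}"')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT, load_patterns(PATTERNS_INI), WHITELIST)
    print(to_csv(found))
    print(to_json(found))
    print(to_yara(found))
```

Refanging runs before matching rather than being baked into every regex, so a single pattern file serves both fanged and defanged reports; the whitelist is applied per IOC type, since an address that is noise as an IP (a private range) says nothing about a hostname with the same digits in it.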

Requirements

One of the following PDF parsing libraries:

For HTML parsing support:

For HTTP(S) support: