IOC Parser is a tool to extract indicators of compromise from security reports in PDF format. A good collection of APT-related reports with many IOCs can be found here: APTNotes.
iocp [-h] [-p INI] [-i FORMAT] [-o FORMAT] [-d] [-l LIB] FILE
- FILE: File/directory path to report(s)/Gmail account in double quotes ("username@gmail.com password")
- -p INI: Pattern file
- -i FORMAT: Input format (pdf/txt/docx/html/csv/xls/xlsx/gmail)
- -o FORMAT: Output format (csv/json/yara/netflow/misp)
- -d: Deduplicate matches
- -l LIB: Parsing library
- -e: MISP event ID
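The pattern-file, deduplication and CSV-output options above, illustrated with an added example that is not IOC Parser's own code. The INI layout, the three regexes, the helper names and the sample report text are assumptions made for the illustration, and the refanging step goes beyond what the options list describes.

```python
import configparser
import csv
import io
import re

# Hypothetical pattern file in the spirit of -p INI; not the project's patterns.
PATTERNS_INI = r"""
[IP]
pattern = \b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b
[MD5]
pattern = \b[a-fA-F0-9]{32}\b
[URL]
pattern = \bhttps?://[^\s"'<>)]+
"""

# Constructed report text with defanged and repeated indicators.
SAMPLE = """Dropper (MD5 d41d8cd98f00b204e9800998ecf8427e) beacons to 198.51.100[.]23.
Stage two comes from hxxp://update.example[.]test/payload.bin, again via 198.51.100.23.
Same dropper hash, upper case: D41D8CD98F00B204E9800998ECF8427E
"""

def load_patterns(ini_text):
    cp = configparser.ConfigParser(interpolation=None)  # regexes may contain %
    cp.read_string(ini_text)
    return {name: re.compile(cp[name]["pattern"]) for name in cp.sections()}

def refang(text):
    """Undo common defanging (hxxp, [.], (.), [:]) so the patterns match."""
    text = re.sub(r"hxxp(s?)", r"http\1", text, flags=re.I)
    return re.sub(r"[\[(]\.[\])]", ".", text).replace("[:]", ":")

def extract(text, patterns, dedup=True):
    """Return (line, type, value) rows; dedup mirrors the idea behind -d."""
    seen, rows = set(), []
    for lineno, line in enumerate(refang(text).splitlines(), 1):
        for kind, rx in patterns.items():
            for m in rx.finditer(line):
                value = m.group(0).rstrip(".,;")  # drop sentence punctuation
                key = (kind, value if kind == "URL" else value.lower())
                if dedup and key in seen:
                    continue
                seen.add(key)
                rows.append((lineno, kind, value))
    return rows

def to_csv(rows):
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()
```

Calling `to_csv(extract(SAMPLE, load_patterns(PATTERNS_INI)))` yields one CSV row per unique indicator; passing `dedup=False` keeps every occurrence with its line number.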
One of the following PDF parsing libraries:
For HTML parsing support:
- BeautifulSoup - pip install beautifulsoup4
For HTTP(S) support:
- requests - pip install requests
For XLS/XLSX support:
- xlrd - pip install xlrd
For Gmail support:
For MISP output support:
Modify misp_keys.ini with values relevant to your MISP environment to use MISP output.
Installation of PyMISPWarningLists:
- git clone https://github.com/MISP/PyMISPWarningLists.git
- git submodule update --init
- pip3 install .