Removing Brackets in IOC IP/URL

I am working on a threat hunting workflow that will pull down IOCs from different locations (e.g. GitHub, the Rapid7 blog, etc.) and I was wondering what the best way is to handle the brackets that are added to IP addresses and domains. For example, 192.168.13.13 would be posted as 192.168.13[.]13 and somerandom.site.com would be posted as somerandom.site[.]com.

I have not found a plug-in that would allow me to easily do this and I was wondering how others were doing this. Is this going to need a script or regex black magic created in a snippet?

Thanks,
Sean

I created a loop that runs the following python script called desanitizer-script:

def run(params={}):
    # Replace the defanging "[.]" token so the address is usable again
    sanitized_address = params.get('uri', '')
    return {"address": sanitized_address.replace('[.]', '.')}

The input for the function is defined as:

{"uri": "{{["desanitize-uri-loop-main"].[$item]}}"}

I add the script output to an array created for the loop’s output:

{{["desanitizer-script"].[address]}}

To address the possibility of an error, I include the following for "Only include if...":

{{["desanitizer-script"].[$success]}}
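The script above only handles the `[.]` token. Published IOC feeds use a few other defanging conventions as well, so here is an added example (my own code, not the script from this thread or anything shipped with the plugin) that refangs the common forms, keeps the same `run(params)` interface as the thread's script, and classifies the result so the workflow can route IPs, domains and URLs to different lookups. The conventions it assumes are `[.]`, `(.)`, `{.}`, `[dot]`, `hxxp`/`hxxps`, `[:]` and `[@]`; the sample IOC lines are constructed for the example.

```python
import ipaddress
import re

# Added example, not the thread's script. Assumed defanging conventions:
# "[.]", "(.)", "{.}", "[dot]" for dots; "hxxp(s)://" for the scheme;
# "[:]" for the port separator; "[@]" for the userinfo separator.
_DOT_TOKENS = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.IGNORECASE)
_SCHEME_TOKEN = re.compile(r"^hxxp(s?)://", re.IGNORECASE)
_DOMAIN = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Return the usable form of a defanged IP, domain or URL string."""
    s = ioc.strip()
    s = _DOT_TOKENS.sub(".", s)
    s = s.replace("[:]", ":").replace("[@]", "@")
    # "hxxps://" -> "https://", case-insensitive on the hxxp part
    s = _SCHEME_TOKEN.sub(lambda m: "http" + m.group(1).lower() + "://", s)
    return s


def classify(value: str) -> str:
    """Label a refanged value as ipv4, ipv6, url, domain or unknown."""
    try:
        return "ipv4" if ipaddress.ip_address(value).version == 4 else "ipv6"
    except ValueError:
        pass
    if re.match(r"^https?://", value, re.IGNORECASE):
        return "url"
    if _DOMAIN.fullmatch(value):
        return "domain"
    return "unknown"


def run(params=None):
    """Same contract as the thread's desanitizer-script: {'uri': ...} in, {'address': ...} out."""
    params = params or {}
    return {"address": refang(params.get("uri", ""))}


def refang_feed(lines):
    """Refang a list of feed lines, skipping blanks, and tag each with its type."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        value = refang(line)
        out.append({"raw": line.strip(), "address": value, "type": classify(value)})
    return out


# Constructed sample feed lines in the styles the thread describes
SAMPLE_FEED = [
    "192.168.13[.]13",
    "somerandom.site[.]com",
    "hXXps://evil[.]example[.]com[:]8443/login",
    "",
    "not an ioc at all",
]

if __name__ == "__main__":
    for entry in refang_feed(SAMPLE_FEED):
        print(f"{entry['type']:8} {entry['address']}   (from {entry['raw']})")
```

The `type` field is what makes this worth doing inside the loop: an entry tagged `unknown` can be dropped or sent to a review queue instead of being passed to an enrichment step that expects a valid address.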

You can also loop through the IOCs and use the String operations plugin to do the replacements if you don’t want to use the Python plugin.


Oh, that is nice! I think I will switch over to that instead, as it can be used in the cloud and not on my orchestrator.

Thanks for telling me about this!

While both of our posts work, I am marking yours as the solution since it is easier to use and requires less work on the back end.