Last active
March 7, 2021 16:34
-
-
Save keithmccammon/d04e0e36b879e76d7ab1285ae6d87eca to your computer and use it in GitHub Desktop.
Make a Surveyor definition given a file full of indicators, one per line. Warning: This is a hack and performs no grouping. It's just a really fast means of asking Cb Response "where do these things appear?"
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| To use me: | |
| 1) Make a file full of indicators, one per line, call it indicators.txt. | |
| NOTE: This was written to handle IP addresses. Change line 40 from ipaddr to md5 if passing hashes. | |
| 2) python iocs_to_definition.py indicators.txt | |
| 3) Run Surveyor using the output definition file indicators.json | |
| """ | |
| import json | |
| import sys | |
| if __name__ == '__main__': | |
| input_file = sys.argv[1] | |
| with open(input_file, 'rb') as indicators: | |
| indicator_list = [] | |
| for indicator in indicators.readlines(): | |
| indicator_list.append(indicator.strip()) | |
| output_file = 'indicators.json' | |
| with open(output_file, 'wb') as output_file: | |
| output_file.write('{\n\t"FOO": {\n') | |
| list_len = len(indicator_list) | |
| counter = 0 | |
| for indicator in indicator_list: | |
| counter += 1 | |
| output_file.write('\t\t\t"ipaddr": ["{0}"]'.format(indicator)) | |
| if counter != list_len: | |
| output_file.write(',') | |
| output_file.write('\n') | |
| if counter == list_len: | |
| output_file.write('\t}\n}\n') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment