pcap-ioc

Python tool to extract potential IOCs from a pcap file using pyshark

List of IOCs extracted :

• IP addresses from IP packets
• Domains and IP addresses from DNS requests
• Domains, url, and user-agents from HTTP requests
• Domains from HTTPs X509 certificates

Install

pip install pcap_ioc

Use

• As a library

  from pcap_ioc import Pcap
  
  
  
  p = Pcap('FILE.pcap')
  
  for i in p.indicators:
  
      print(i)

   

   

• CLI tool
  To query MISP servers, you need to create a file ~/.misp with one entry for every MISP server for instance :

  [server1]
  
  url: https://misp1.example.org/
  
  key: KEYHERE
  
  default: true
  
  
  
  [server2]
  
  url: https://misp2.example.org/
  
  key: KEYHERE

   

  Then you can query one of these server with pcap_ioc misp -s misp2 file.pcap

Copyright (c) 2019 Tek

Source: https://github.com/Nothing2Hide/