Introducing: IoCSweep

So, this blog has been about two years in the making before finally pulling the trigger on publishing my first couple of scripts and actually talking about them. Until I get around to rewriting my first GitHub contribution, we’ll be talking about my second project. Today, we talk about IoCSweep!

The main reason I’ve decided to publish this now is because of a course I attended by the SANS Institute called “Automating Information Security with Python”. Previously named “Python for Penetration Testers”, and created by Mark Baggett, the course teaches you both the fundamentals of programming in Python and how to reclaim some of that time you’d otherwise spend manually conducting tasks critical to your organization’s security program.

The Problem

Most security professionals don’t have the convenience or ability to retain continuous PCAP indefinitely, and my environment is no different. One thing that is feasible, though, is to retain certain periods of PCAP and process it over time looking for new indicators of compromise. Bro can do this, as can a handful of other IDSs out there. Why recreate the wheel?

Because I can, and it works for us.

But seriously, one good use case is scanning through old PCAP data for known IPs or hostnames, to help give you an idea of when the initial compromise happened. This is simply one tool for the toolbox, but it has the potential to find good leads in an incident handling context.

The Solution

The solution is simple!

python3 iocsweep.py -d -i iocs.txt captured.pcap

The script then iterates through the capture packet by packet looking for two things: any DNS queries, which are written to the log file, and any IPs listed in your iocs.txt file, which are annotated in the log so you know whether they appeared anywhere in the captured traffic.
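To make the packet-by-packet idea concrete, here is a small stand-alone sketch of the same sweep, written for this post as an added example. It is not the IoCSweep code from GitHub and does not reproduce its command-line options or log format; it uses only the Python standard library, assumes classic little-endian pcap files with Ethernet frames, and builds its own three-packet capture and IoC list in memory (constructed test data, not real traffic) so it can be run anywhere without a capture file. The hostname matching goes slightly beyond the IP-only check described above, covering the "known IPs or hostnames" use case from The Problem section.

```python
"""Minimal IoC sweep over a pcap: log DNS query names, flag IoC IPs and hostnames.

Standard library only. Assumes classic pcap (magic 0xa1b2c3d4, little-endian)
with Ethernet link type, IPv4, and DNS queries over UDP/53.
"""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap header with microsecond timestamps
LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Yield each raw frame from pcap bytes (global header + per-packet records)."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_qname(dns, off):
    """Decode the label sequence at `off` in a DNS message into a dotted name."""
    labels = []
    while off < len(dns):
        length = dns[off]
        if length == 0 or length & 0xC0:  # end of name, or a compression pointer (not expected in a query)
            break
        labels.append(dns[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return ".".join(labels)


def parse_frame(frame):
    """Return (src_ip, dst_ip, qname) for an IPv4 frame; qname is None unless it is a DNS query."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    qname = None
    if proto == 17:  # UDP
        udp = frame[14 + ihl:]
        _sport, dport = struct.unpack("!HH", udp[:4])
        dns = udp[8:]
        if dport == 53 and len(dns) > 12 and not struct.unpack("!H", dns[2:4])[0] & 0x8000:
            qname = decode_qname(dns, 12)  # QR bit clear: a query, question starts after the 12-byte header
    return src, dst, qname


def load_iocs(text):
    """Parse an iocs.txt-style list: one IP or hostname per line, '#' comments and blanks ignored."""
    return {line.strip() for line in text.splitlines() if line.strip() and not line.startswith("#")}


def sweep(pcap_bytes, iocs):
    """Walk the capture packet by packet; return (dns query names in order, Counter of IoC hits)."""
    dns_queries, hits = [], Counter()
    for frame in read_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, qname = parsed
        if qname is not None:
            dns_queries.append(qname)
            if qname in iocs:
                hits[qname] += 1
        for ip in (src, dst):
            if ip in iocs:
                hits[ip] += 1
    return dns_queries, hits


# --- constructed sample capture (test data, not real traffic) ---------------
def build_ipv4_frame(src_ip, dst_ip, proto, payload):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + payload  # zeroed MACs, EtherType IPv4


def build_dns_query_frame(src_ip, dst_ip, qname):
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    return build_ipv4_frame(src_ip, dst_ip, 17, udp)


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([
    build_dns_query_frame("10.0.0.5", "10.0.0.1", "example.com"),
    build_dns_query_frame("10.0.0.5", "10.0.0.1", "bad-domain.example"),
    build_ipv4_frame("10.0.0.5", "203.0.113.9", 6, b"\x00" * 20),  # a TCP frame to an IoC address
])
SAMPLE_IOCS = "# constructed IoC list\n203.0.113.9\nbad-domain.example\n"

if __name__ == "__main__":
    queries, hits = sweep(SAMPLE_PCAP, load_iocs(SAMPLE_IOCS))
    for name in queries:
        print("DNS query:", name)
    for ioc, count in hits.items():
        print(f"IoC hit: {ioc} seen {count} time(s)")
```

To run it over a real capture, replace SAMPLE_PCAP with the bytes of your .pcap file and SAMPLE_IOCS with the contents of iocs.txt; pcapng files, VLAN-tagged frames, IPv6 and DNS over TCP are deliberately out of scope here and would need extra parsing.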

The Future

So, this tool was clearly written very specifically for my particular usage scenario, but shared so I could mention that I got the GPYC certification (is anyone still reading? That’s a funny). I’m not exactly sure where to go from here, or what others might need. If you have requests, feel free to fork the project, or submit an issue on GitHub. As I figure that particular platform out, I’ll be sure to refine the page and description!
