🚀 Feature Proposal

Improve the usage information for --file and --stdin.

Motivation

As @mcdonnnj pointed out in #7:

I do think the usage for --file and --stdin could be improved, because reading just the usage it was unclear to me that you could use those options to provide hashes.

Example

It would reduce the sort of confusion that generated #7.

Pitch

Eschew obfuscation!

🐛 Bug Report

Tagging @felddy and @dav3r

yavin | FAILED! => {

    "changed": true,

    "msg": "non-zero return code",

    "rc": 1,

    "stderr": "Shared connection to yavin closed.\r\n",

    "stderr_lines": [

        "Shared connection to yavin closed."

    ],

    "stdout": "Traceback (most recent call last):\r\n  File \"/home/gollam/.ansible/tmp/ansible-tmp-1593119061.2345998-36805-301601859236/ioc_scanner.py\", line 130, in <module>\r\n    sys.exit(main())\r\n  File \"/home/gollam/.ansible/tmp/ansible-tmp-1593119061.2345998-36805-301601859236/ioc_scanner.py\", line 102, in main\r\n    hashes = hash_file(file)\r\n  File \"/home/gollam/.ansible/tmp/ansible-tmp-1593119061.2345998-36805-301601859236/ioc_scanner.py\", line 48, in hash_file\r\n    hash_md5 = hashlib.md5()  # nosec\r\nValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips\r\n",

    "stdout_lines": [

        "Traceback (most recent call last):",

        "  File \"/home/gollam/.ansible/tmp/ansible-tmp-1593119061.2345998-36805-301601859236/ioc_scanner.py\", line 130, in <module>",

        "    sys.exit(main())",

        "  File \"/home/gollam/.ansible/tmp/ansible-tmp-1593119061.2345998-36805-301601859236/ioc_scanner.py\", line 102, in main",

        "    hashes = hash_file(file)",

        "  File \"/home/gollam/.ansible/tmp/ansible-tmp-1593119061.2345998-36805-301601859236/ioc_scanner.py\", line 48, in hash_file",

        "    hash_md5 = hashlib.md5()  # nosec",

        "ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips"

    ]

}

To Reproduce

Steps to reproduce the behavior:

Run the following:
ansible -i hosts-file all -m script -e "--file md5sums.txt" -a ./src/ioc_scan/ioc_scanner.py --become

Expected behavior

Expect no errors

Any helpful log output

Workaround:

Edit this line in ioc_scanner.py

hash_md5 = hashlib.md5(usedforsecurity=False) # nosec

🚀 Feature Proposal

Add the ability to scan for other hash types besides MD5, such as SHA-1 and SHA-256.

Motivation

When we are asked to scan for Indicators of Compromise (IOCs), we occasionally are given SHA-1 and SHA-256 hashes, in addition to MD5 hashes.

Example

Sample IOC hashes:

SHA256: b509f8545501588ecd828f970d91afc7c4aa6e238e838bd6a08ee2cd920fbe98
SHA-1:  31B54AEBDAF5FBC73A66AC41CCB35943CC9B7F72
SHA-1:  50973A3FC57D70C7911F7A952356188B9939E56B
SHA-1:  244EB62B9AC30934098CA4204447440D6FC4E259
SHA-1:  5C8F83CC4FF57E7C67925DF4D9DAABE5D0CC07E2

Pitch

It will give us more comprehensive scanning capabilities.

🚀 Feature Proposal

Instead of having the list of hashes located in ioc_scanner.py block, we would ideally be able to point to a text file (as is done with the hosts-file).

Motivation

Don't have to edit a python file each time you want to look for a new hash

Pitch

Because it currently is somewhat cumbersome. and could be improved :)

💥 Regression Report

Our APB runs on this repository keep erroring out because of some failed tests. See this APB run, for example.

Last working version

Looks like this was the last build that succeeded.

To Reproduce

• Check out the repo from scratch
• Install Python dependencies
• Run tests

Expected behavior

All tests should pass.

🐛 Bug Report

The given instructions in the README do not correctly run ioc_scanner.py using Ansible.

To Reproduce

Attempt to run ioc_scanner.py against a target with Ansible per the README's instructions.

Expected behavior

Running Ansible based on the example command works.

Any helpful log output

Traceback (most recent call last):
  File "/Users/redmind/.pyenv/versions/ioc-scanner/lib/python3.8/site-packages/ansible/executor/task_executor.py", line 158, in run
    res = self._execute()
  File "/Users/redmind/.pyenv/versions/ioc-scanner/lib/python3.8/site-packages/ansible/executor/task_executor.py", line 663, in _execute
    result = self._handler.run(task_vars=variables)
  File "/Users/redmind/.pyenv/versions/ioc-scanner/lib/python3.8/site-packages/ansible/plugins/action/script.py", line 80, in run
    source = parts[0]
IndexError: list index out of range
i-062eeafa99a01da3c | FAILED! => {
    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}

🚀 Feature Proposal

There was some miscommunication in #7 with respect to command line arguments for this project. The way this library is written has the CLI side in ioc_scan_cli.py provide command line options, and then call the functionality in ioc_scanner.py appropriately. This is fine when using this package as installed with pip. However, when using Ansible to run the script on a remote host as we show in the README, it bypasses this design. If we want to support the idea of using ioc_scanner.py to scan using Ansible, then it would be helpful to use the standard argparse library to add support for a --file option in ioc_scanner.py.

Motivation

If we are going to continue to support the example Ansible method of using a part of this package, then it would beneficial to provide the bare minimum functionality of accepting the --file switch as provided by the library as a whole.

Example

ansible --inventory=hosts-file cool-servers --module-name=script \
--args="src/ioc_scan/ioc_scanner.py" --extra-vars="--file md5sums.txt" \
--become --ask-become-pass --user="ian.kilmister"

Pitch

It aligns with an example usage of a part of this library, and helps alleviate annoyances like that seen in #7