From 5da8208f943041e9ba4c9cf2bec2a22cb85eb254 Mon Sep 17 00:00:00 2001
From: Soufiane Tahiri
Date: Tue, 26 Jan 2021 13:10:12 +0100
Subject: [PATCH 1/2] Update phishing_catcher.py

Fixs the Shannon Entropy based on x0rz PR
---
 bin/phishing_catcher.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/bin/phishing_catcher.py b/bin/phishing_catcher.py
index f497ddd..5da17d2 100644
--- a/bin/phishing_catcher.py
+++ b/bin/phishing_catcher.py
@@ -40,7 +40,7 @@ app_home = "{}/etc/apps/OSweep".format(os.environ['SPLUNK_HOME'])
 tp_modules = "{}/bin/_tp_modules".format(app_home)
 sys.path.insert(0, tp_modules)
 
-import entropy
+import math
 import pylev
 import tld
 import yaml
@@ -60,6 +60,12 @@ def get_modules():
         return
     return suspicious, confusables
 
+def entropy(string):
+    """Calculates the Shannon entropy of a string"""
+    prob = [ float(string.count(c)) / len(string) for c in dict.fromkeys(list(string)) ]
+    entropy = - sum([ p * math.log(p) / math.log(2.0) for p in prob ])
+    return entropy
+
 def request_module(session, filename):
     """Return a list of tags."""
     base_url = "https://raw.githubusercontent.com/x0rz/phishing_catcher/master{}"
@@ -125,7 +131,7 @@ def score_domain(provided_ioc):
     except Exception:
         domain = provided_ioc
 
-    score += int(round(entropy.shannon_entropy(domain)*50))
+    score += int(round(entropy(domain)*10))
     domain = confusables.unconfuse(domain)
     words_in_domain = re.split("\W+", domain)
 
From 450a9b7ca4d26744b9217eda9dfe94ddece1de1d Mon Sep 17 00:00:00 2001
From: Soufiane Tahiri
Date: Tue, 26 Jan 2021 21:09:56 +0100
Subject: [PATCH 2/2] Update requirements.txt

Removed entropy module.
---
 bin/requirements.txt | 1 -
 1 file changed, 1 deletion(-)

diff --git a/bin/requirements.txt b/bin/requirements.txt
index c2b703a..689313f 100644
--- a/bin/requirements.txt
+++ b/bin/requirements.txt
@@ -1,5 +1,4 @@
 bs4
-entropy
 HTMLParser
 pylev
 PySocks
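Review bot: `import math` is a standard-library import but the first hunk drops it into the third-party group (`pylev`, `tld`, `yaml`) below the `sys.path.insert(0, tp_modules)` line, where the previous `import entropy` lived because it was vendored under `_tp_modules`. A stdlib module does not need that path manipulation, so it belongs with the other stdlib imports — presumably the `os`/`sys` imports above this hunk, which are not visible here: move the line up to `import math` next to `import os`. That keeps the stdlib / third-party / local grouping readable for the next person auditing what the vendored path actually supplies.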
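Review bot: The new `entropy()` in the second hunk divides by `len(string)` inside the comprehension, so an empty string raises `ZeroDivisionError`; `score_domain` in the third hunk passes `domain` straight in, and after its `except Exception: domain = provided_ioc` fallback the value is whatever the caller supplied, so an empty or blank indicator would abort scoring instead of contributing 0. The local variable named `entropy` also shadows the function itself, and the per-character `string.count(c)` loop with the `math.log(p) / math.log(2.0)` pair reads more simply as one division and `math.log(p, 2)`. The rewrite below returns `0.0` for empty input and keeps the result in bits per character, which as far as the third hunk shows is the scale the `* 10` weighting expects; the `float()` is kept deliberately in case this file still runs under Python 2 (the `HTMLParser` requirement suggests it might — confirm).
```python
def entropy(string):
    """Return the Shannon entropy of *string* in bits per character (0.0 for "")."""
    if not string:
        return 0.0  # avoid the division by len(string) below
    length = float(len(string))
    probs = (string.count(c) / length for c in set(string))
    return -sum(p * math.log(p, 2) for p in probs)
```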
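Review bot: The entropy weight on the `score +=` line in the third hunk drops from 50 to 10 with no comment on the new magnitude, and no scoring threshold elsewhere in `score_domain` is touched by this patch; whether the removed `entropy.shannon_entropy` returned the same bits-per-character scale as the new helper is not visible here, so the resulting score distribution should be re-checked against the suspicious / likely-phishing cut-offs before this ships, since a silently lowered contribution can let high-entropy (DGA-like or random-label) domains slip under the alerting line. Suggest making the tuning explicit with a module-level constant, `ENTROPY_WEIGHT = 10  # bits-per-char Shannon entropy scaled into the score; retuned for the local entropy()`, and `score += int(round(entropy(domain) * ENTROPY_WEIGHT))`. `score_domain` starts and ends outside the hunk.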