2323 inquestlabs [options] yara hexcase <instring>
2424 inquestlabs [options] yara uint <instring> [--offset=<offset>] [--hex]
2525 inquestlabs [options] yara widere <regex> [(--big-endian|--little-endian)]
26+ inquestlabs [options] yara cidr <ipv4>
2627 inquestlabs [options] lookup ip <ioc>
2728 inquestlabs [options] lookup domain <ioc>
2829 inquestlabs [options] report <ioc>
8384
8485# extract version from installed package metadata
8586__application_name__ = "inquestlabs"
86- __version__ = "1.2.3 "
87+ __version__ = "1.2.4 "
8788# __version__ = version(__application_name__)
8889__full_version__ = f"{ __application_name__ } { __version__ } "
8990
@@ -144,7 +145,7 @@ def __init__ (self, api_key=None, config=None, proxies=None, base_url=None, retr
144145 self .api_key = api_key
145146 self .base_url = base_url
146147 self .config_file = config
147- self .retries = retries
148+ self .retries = retries
148149 self .proxies = proxies
149150 self .verify_ssl = verify_ssl
150151 self .verbosity = verbose
@@ -214,7 +215,7 @@ def __init__ (self, api_key=None, config=None, proxies=None, base_url=None, retr
214215 self .__VERBOSE ("api_key_source=%s" % self .api_key_source , INFO )
215216
216217 ####################################################################################################################
217- def API (self , api , data = None , path = None , method = "GET" , raw = False ):
218+ def API (self , api , data = None , path = None , method = "GET" , raw = False , params = None ):
218219 """
219220 Internal API wrapper.
220221
@@ -228,6 +229,8 @@ def API (self, api, data=None, path=None, method="GET", raw=False):
228229 :param method: API method, one of "GET" or "POST".
229230 :type raw: bool
230231 :param raw: Default behavior is to expect JSON encoded content, raise this flag to expect raw data.
232+ :type method: str
233+ :param method: Set a parameter for the request.
231234
232235 :rtype: dict | str
233236 :return: Response dictionary or string if 'raw' flag is raised.
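Review bot: The two added docstring lines describe `method` a second time instead of the new `params` argument, so `method` now has two conflicting entries and `params` has none. They should read `:type params: dict` and `:param params: Query-string parameters to send with the request.` Since a later hunk passes the dict through as the `params` entry of the request arguments, the values presumably end up in the URL, where proxies and access logs can record them, and the docstring could say so. The docstring of `API` starts and ends outside this hunk.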
@@ -258,6 +261,7 @@ def API (self, api, data=None, path=None, method="GET", raw=False):
258261 "headers" : headers ,
259262 "proxies" : self .proxies ,
260263 "verify" : self .verify_ssl ,
264+ "params" : params
261265 }
262266
263267 # make attempts to dance with the API endpoint, use a jittered exponential back-off delay.
@@ -1243,6 +1247,23 @@ def yara_uint (self, magic, offset=0, is_hex=False):
12431247
12441248 return self .API ("/yara/trigger" , dict (trigger = magic , offset = offset , is_hex = is_hex ))
12451249
1250+ ####################################################################################################################
1251+ def cidr_to_regex (self , data ):
1252+ """
1253+ Produce a regular expression from a IPv4 CIDR notation in a form suitable for usage as a YARA string.
1254+
1255+ :type regex: str
1256+ :param regex: Regular expression to convert.
1257+
1258+ :rtype: str
1259+ :return: Regex string suitable for YARA.
1260+ """
1261+
1262+ # dance with the API and return results.
1263+ return self .API ("/yara/cidr2regex" , params = {
1264+ "cidr" : data
1265+ })
1266+
12461267########################################################################################################################
12471268########################################################################################################################
12481269########################################################################################################################
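Review bot: In `cidr_to_regex` the docstring documents a parameter `regex` ("Regular expression to convert") that does not exist; the argument is `data` and it carries an IPv4 CIDR, so the entries should be `:type data: str` and `:param data: IPv4 network in CIDR notation.` The value, which arrives unchanged from the command line in the `main` hunk, is sent to `/yara/cidr2regex` without any local check. Parsing it first with `ipaddress.IPv4Network(data, strict=False)` (needs `import ipaddress`) and raising `inquestlabs_exception` on `ValueError` would reject malformed input or an IPv6 network before a request is made and before any returned pattern is put into a YARA rule. The neighbouring methods are named `yara_uint` and `yara_widere`, so `yara_cidr` would match the existing convention better than `cidr_to_regex`.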
@@ -1414,6 +1435,10 @@ def main ():
14141435 elif args ['widere' ]:
14151436 print (labs .yara_widere (args ['<regex>' ], endian ))
14161437
1438+ # inquestlabs [options] yara cidr <ipv4>
1439+ elif args ['cidr' ]:
1440+ print (labs .cidr_to_regex (args ['<ipv4>' ]))
1441+
14171442 # huh?
14181443 else :
14191444 raise inquestlabs_exception ("yara argument parsing fail." )