I need to find links in an HTML email
I'm not exactly sure how to approach this. I have an IOC that is an image in an HTML-based email with a height=0 and width=0. I think I need to write a Lua parser. I'm not up to speed with this. Is there anyone that can help?
Sample message segment:
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"></head>
<img src="hxxp://www.badsite.com/directory/image.png" width="0" height="0">
Institute for Defense Analyses
There are a couple of standard parsers that come close to what you want, but not exactly.
The phishing_lua parser will register the host portion of links found in email messages - including img src. Optionally it will also register the path components (directory, filename, extension).
The HTML_threat parser will register the existence of most hidden elements (iframe, div, span, etc.). But not img. Perhaps it could, but there would be a lot of noise since that's a tactic commonly used by tracking, advertising, etc.
As a custom parser, if the HTML will always look exactly like that, you could simply use that exact string as your token and then register meta when the token matches - creating a signature, essentially. Something as simple as this would work:
local badImg = nw.createParser("badImg", "badImg")
badImg:setKeys({nwlanguagekey.create("ioc")})
function badImg:onImg(token, first, last)
    nw.createMeta(self.keys.ioc, "bad image")
end
badImg:setCallbacks({['<img src="hxxp://www.badsite.com/directory/image.png" width="0" height="0">'] = badImg.onImg})
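As an added example (not the answerer's code above), the same custom-parser approach generalized so it fires on any img tag whose width and height are both 0, regardless of the src URL, and records the host from the src as well. It assumes the standard NetWitness Lua parser API (nw.createParser, setKeys, setCallbacks, nw.getPayload, payload:find/tostring, nw.createMeta) and that the token callback receives the token's stream positions.

```lua
-- Added example, not from the original post: a NetWitness-style Lua parser
-- that detects any <img ...> with width="0" and height="0" in an HTML email.
-- Assumes the standard nw / nwlanguagekey / nwtypes parser API.
local hiddenImg = nw.createParser("hiddenImg", "Zero-size image in HTML email")

hiddenImg:setKeys({
    nwlanguagekey.create("ioc", nwtypes.Text),
    nwlanguagekey.create("alias.host", nwtypes.Text),
})

-- Pull the host portion out of an src value. "hxxp" is accepted as well so
-- defanged samples match. Returns nil when no host can be found.
function hiddenImg.extractHost(src)
    return string.match(src, "^h[xt][xt]ps?://([^/:%?\"']+)")
end

-- Decide whether a single <img ...> tag is a zero-size image.
function hiddenImg.isHiddenImg(tag)
    local lower = string.lower(tag)
    local w = string.match(lower, 'width%s*=%s*["\']?(%d+)')
    local h = string.match(lower, 'height%s*=%s*["\']?(%d+)')
    return w == "0" and h == "0"
end

-- Callback for the "<img" token: read the rest of the tag from the payload,
-- then register meta only when the tag is zero-sized.
function hiddenImg:onImg(token, first, last)
    -- Assumption: a tag is rarely longer than 1 KiB past the token.
    local payload = nw.getPayload(first, last + 1024)
    if not payload then return end
    local tagEnd = payload:find(">", 1, -1)
    if not tagEnd then return end
    local tag = payload:tostring(1, tagEnd)
    if not hiddenImg.isHiddenImg(tag) then return end
    nw.createMeta(self.keys.ioc, "hidden image")
    local src = string.match(tag, 'src%s*=%s*["\']([^"\']+)')
    local host = src and hiddenImg.extractHost(src)
    if host then
        nw.createMeta(self.keys["alias.host"], host)
    end
end

hiddenImg:setCallbacks({
    ["<img"] = hiddenImg.onImg,
})
```

Because tracking pixels use the same trick, expect the ioc key to be noisy; the alias.host value is what lets you separate a known-bad host from ordinary marketing beacons.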