From cea31283af33368946f8882d8f28782b12a9b1fb Mon Sep 17 00:00:00 2001
From: Kevin Hardy-Cooper
Date: Tue, 14 Sep 2021 15:35:24 -0400
Subject: [PATCH] Only check domain if uri doesn't contain an IP

---
 jsjaws.py | 20 +++++++++++---------
 test/test_jsjaws.py | 1 +
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/jsjaws.py b/jsjaws.py
index 14663c01..1fcc1fd3 100755
--- a/jsjaws.py
+++ b/jsjaws.py
@@ -505,15 +505,17 @@ def _extract_iocs_from_text_blob(self, blob: str, result_section: ResultSection,
 ioc_extracted = True
 result_section.add_tag("network.dynamic.domain", safe_domain)
 for uri in uris:
- try:
- if not any(protocol in uri for protocol in ["http", "ftp", "icmp", "ssh"]):
- tld = get_tld(f"http://{uri}", fail_silently=True)
- else:
- tld = get_tld(uri, fail_silently=True)
- except ValueError:
- continue
- if tld is None or f".{tld}" == file_ext:
- continue
+ # If there is a domain in the uri, then do
+ if not any(ip in uri for ip in ips):
+ try:
+ if not any(protocol in uri for protocol in ["http", "ftp", "icmp", "ssh"]):
+ tld = get_tld(f"http://{uri}", fail_silently=True)
+ else:
+ tld = get_tld(uri, fail_silently=True)
+ except ValueError:
+ continue
+ if tld is None or f".{tld}" == file_ext:
+ continue
 safe_uri = safe_str(uri)
 ioc_extracted = True
 result_section.add_tag("network.dynamic.uri", safe_uri)
diff --git a/test/test_jsjaws.py b/test/test_jsjaws.py
index 92e53e12..029750c3 100755
--- a/test/test_jsjaws.py
+++ b/test/test_jsjaws.py
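Review bot: The guard added at `if not any(ip in uri for ip in ips):` is a substring test over the whole URI, so a domain-hosted URI whose path or query merely contains one of the extracted addresses (constructed example: `evil.ca/1.1.1.1/bad.exe`) bypasses the TLD and `file_ext` filtering and gets tagged unconditionally, which is the opposite of what the commit title describes. Deciding on the host component is more precise: build the scheme-prefixed candidate once (the `get_tld` branches already do this), take its host with `urllib.parse.urlsplit(...).hostname`, and test it with `ipaddress.ip_address`, which also removes the dependence on whatever `ips` (defined before this hunk) happened to capture; both names would need a file-level import. The comment `# If there is a domain in the uri, then do` is truncated; `# IP-hosted URIs have no TLD to validate; only domain-hosted URIs go through the get_tld/file_ext filter` states the intent. `_extract_iocs_from_text_blob` starts before this hunk (its signature appears only in the @@ header) and continues after it.
```python
        for uri in uris:
            # get_tld() needs a scheme; reuse the same candidate for host extraction
            candidate = uri if any(protocol in uri for protocol in ["http", "ftp", "icmp", "ssh"]) else f"http://{uri}"
            try:
                ipaddress.ip_address(urlsplit(candidate).hostname or "")
                host_is_ip = True
            except ValueError:
                host_is_ip = False
            # IP-hosted URIs have no TLD to validate; only domain-hosted URIs go through the filter
            if not host_is_ip:
                try:
                    tld = get_tld(candidate, fail_silently=True)
                except ValueError:
                    continue
                if tld is None or f".{tld}" == file_ext:
                    continue
            # … unchanged: safe_uri / ioc_extracted / add_tag …
```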
@@ -481,6 +481,7 @@ def test_extract_supplementary(jsjaws_class_instance):
 ("evil.ca/some/thing/bad.exe", "", {"network.dynamic.domain": ["evil.ca"], "network.dynamic.uri": ["evil.ca/some/thing/bad.exe"], "network.dynamic.uri_path": ["/some/thing/bad.exe"]}),
 ("wscript.shell", "", {}),
 ("blah.ca", ".ca", {}),
+ ("http://1.1.1.1/blah.exe", "", {'network.dynamic.ip': ['1.1.1.1'], 'network.dynamic.uri': ['http://1.1.1.1/blah.exe'], 'network.dynamic.uri_path': ['/blah.exe']}),
 ]
 )
 def test_extract_iocs_from_text_blob(blob, file_ext, correct_tags, jsjaws_class_instance):
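Review bot: The new parametrized case only exercises a URI whose host is an IP; there is no case for a domain-hosted URI that merely contains an IP string in its path (constructed example: `evil.ca/1.1.1.1/bad.exe`), which is the input on which the substring guard in jsjaws.py diverges from a host-based check, so the new behaviour is not pinned down where it matters. Adding that tuple with the tags the function is expected to emit would make any later tightening of the guard regression-tested. As a point of style, the added tuple uses single-quoted keys and values while every neighbouring case uses double quotes; `("http://1.1.1.1/blah.exe", "", {"network.dynamic.ip": ["1.1.1.1"], "network.dynamic.uri": ["http://1.1.1.1/blah.exe"], "network.dynamic.uri_path": ["/blah.exe"]}),` keeps the list consistent. The enclosing `pytest.mark.parametrize` list starts before this hunk.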