Skip to content
Fang and defang indicators of compromise. You can test this project in a GUI here: http://ioc-fanger.hightower.space .
Branch: master
Clone or download

README.md

IOC Fanger

PyPi Travis CI Codecov Codacy

Python package to fang and defang indicators of compromise in text. You can test out this project here: http://ioc-fanger.hightower.space.

Defanging - converting indicators of compromise from the normal form (which can become links) to a form which cannot accidentally become a link:

example.com => example[.]com

Fanging - converting indicators of compromise from a defanged form to the normal, original form:

example[.]com => example.com

What can it fang?

Just about everything. Check out the tests to see some examples of what this package can handle.

Installation

The recommended means of installation is using pip:

pip install ioc_fanger

Alternatively, you can install ioc_fanger as follows:

git clone https://github.com/ioc-fang/ioc_fanger.git && cd ioc_fanger;
python setup.py install --user;

Usage

Via Python

Use ioc_fanger as follows:

import ioc_fanger

ioc_fanger.defang("example.com http://bad.com/phishing.php")  # example[.]com hXXp://bad[.]com/phishing[.]php
ioc_fanger.fang("example[.]com hXXp://bad[.]com/phishing[.]php")  # example.com http://bad.com/phishing.php

Via Command Line

Once the package is installed, there will be two commands available in the command line:

  • fang
  • defang

After each command, provide the text you would like to fang/defang:

fang "example[.]com"  # example.com
defang "example.com"  # example[.]com

Adding More Fanging/Defanging Options

You can view the current fanging patterns here and the defanging patterns here.

To add more fanging options, edit fang.json and add an entry for the new pattern you would like to fang. The available keys for each entry are:

  • find (required): This is the string pattern you would like to find
  • replace (required): This is the string used to replace all instances to pattern specified by the find key
  • case_sensitive (optional - boolean): If this is true, the pattern specified by the find key will be treated as case sensitive (it will only be replaced if the case is an exact match)
  • regex (optional - boolean): If this is true, the pattern specified by the find key will be treated as a regex (it will not be escaped before use)

Other Helpful Projects

If you are working with IOCs, you may find the https://github.com/fhightower/ioc-finder project helpful. It is a project designed to parse indicators of compromise from text (it uses grammars rather than regexes).

Credits

This package was created with Cookiecutter and the fhightower/python-project-template project template.

You can’t perform that action at this time.