Python package to defang and fang indicators of compromise from text.

Project description

IOC Fanger

Python package to fang (example[.]com => example.com) and defang (example.com => example[.]com) indicators of compromise in text.

Read more in our interactive documentation!

What can be fanged?

ioc_fanger.fang recognises the following defanging patterns and restores them to their normal form:

  • Brackets, parentheses, or braces around a . or , — e.g. example[.]com, example(.)com, example{.}com, example[,]com
  • Brackets, parentheses, or braces around a : — e.g. http[:]//example.com
  • The literal word DOT, dot, punto, or punkt standing in for a . — e.g. example[dot]com, example DOT com, example-punto-com
  • Brackets, parentheses, or braces around :// — e.g. http[://]example.com
  • Brackets, parentheses, or braces around www — e.g. [www]example.com
  • Brackets, parentheses, or braces around a - — e.g. service[-]ict.nl
  • @ replaced with at, et, arroba, or @ itself wrapped in brackets/parentheses/braces — e.g. user[at]example.com, user(@)example.com, user AT example.com
  • Defanged URL schemes such as hXXp://, hXXps://, hxxp://, xxxx://, xxxxs://, xxxx[s]://, as well as bracketed variants like [http]:// and htt[p]://
  • URL schemes split by extra slashes or whitespace — e.g. http:///example.com, http: //example.com, https : //example.com
  • IPv4 addresses written with commas instead of dots — e.g. 8,8,8,8 => 8.8.8.8
  • Backslash-, caret-, or angle-bracket-escaped dots — e.g. example\.com, example^.com, example<.>com
  • Backslash-escaped slashes — e.g. http:\/\/example.com
  • Stray whitespace around an @ in an email — e.g. user @ example.com

These patterns combine, so inputs like hXXp://bad[.]example[dot]com/file[.]php are fully restored in a single call.

What can be defanged?

ioc_fanger.defang applies a small, deliberately conservative set of substitutions so the output is unambiguous to re-fang:

  • A . between two word characters becomes [.] — e.g. example.com => example[.]com, 8.8.8.8 => 8[.]8[.]8[.]8
  • The URL schemes http: and https: become hXXp: and hXXps: — e.g. http://example.com => hXXp://example[.]com
  • An @ between two non-whitespace characters becomes (at) — e.g. user@example.com => user(at)example[.]com
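
The two rule lists above, as an added example (an independent sketch, not ioc_fanger's own source): it re-implements the three defang substitutions and a subset of the fang patterns with plain regular expressions, to show that the conservative defang output is idempotent and round-trips. The names sketch_defang, sketch_fang and REPORT are hypothetical, and the sample text is constructed.

```python
import re

# Independent sketch of the rules listed above; NOT ioc_fanger's own source.
# Each entry is (compiled pattern, replacement); rules are applied in order.
DEFANG_RULES = [
    (re.compile(r"(?<=\w)\.(?=\w)"), "[.]"),   # '.' between two word characters
    (re.compile(r"\bhttp(s?):"), r"hXXp\1:"),  # http: / https: schemes
    (re.compile(r"(?<=\S)@(?=\S)"), "(at)"),   # '@' between two non-whitespace chars
]

_OPEN, _CLOSE = r"[\[({]", r"[\])}]"           # any opening / closing bracket
FANG_RULES = [                                 # a subset of the fang list, not all of it
    # hXXp://, hxxps://, xxxx:// (also when the ':' itself is bracketed)
    (re.compile(rf"\b(?:hxxp|xxxx)(s?)(?={_OPEN}?:)", re.I), r"http\1"),
    # http[://]example.com and http[:]//example.com
    (re.compile(rf"{_OPEN}(://|:){_CLOSE}"), r"\1"),
    # example[dot]com, example(punto)com
    (re.compile(rf"{_OPEN}(?:dot|punto|punkt){_CLOSE}", re.I), "."),
    # example[.]com, example(.)com, example{.}com, example[,]com
    (re.compile(rf"{_OPEN}[.,]{_CLOSE}"), "."),
    # user[at]example.com, user(@)example.com
    (re.compile(rf"{_OPEN}(?:at|@){_CLOSE}", re.I), "@"),
    # example\.com, example^.com
    (re.compile(r"(?<=\w)[\\^]\.(?=\w)"), "."),
]


def _apply(rules, text):
    for pattern, replacement in rules:
        text = pattern.sub(replacement, text)
    return text


def sketch_defang(text: str) -> str:
    """Make URLs, IPs and e-mail addresses inert using the three rules above."""
    return _apply(DEFANG_RULES, text)


def sketch_fang(text: str) -> str:
    """Restore indicators written in any of the handled defanging styles."""
    return _apply(FANG_RULES, text)


# Constructed sample report line (illustrative values only).
REPORT = "Beacon to http://bad.example.com/gate.php from 8.8.8.8, contact admin@example.com."

if __name__ == "__main__":
    safe = sketch_defang(REPORT)
    print(safe)                                 # inert form, safe to paste into a ticket
    print(sketch_defang(safe) == safe)          # defanging twice changes nothing
    print(sketch_fang(safe) == REPORT)          # round trip restores the original
    print(sketch_fang("hXXp://bad[.]example[dot]com/file[.]php"))
```

The trailing sentence period in REPORT is left alone because the dot rule requires a word character on both sides, which is what keeps the defanged text unambiguous to re-fang.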

Developer Docs

For those working on or testing this library, here are some helpful tips.

Updating Benchmarks

This project uses pytest-benchmark to test the performance impact of changes.

By default, every time you run tests it will compare the new results with the existing results.

If you need to update the benchmarks, open the pyproject.toml and replace all flags starting with --benchmark with:

--benchmark-save=benchmark

This will save a file in the .benchmarks/ dir.

Download files

Source Distribution

ioc_fanger-5.0.0.tar.gz (115.7 kB view details)

Uploaded Source

Built Distribution

ioc_fanger-5.0.0-py3-none-any.whl (7.3 kB view details)

Uploaded Python 3

File details

Details for the file ioc_fanger-5.0.0.tar.gz.

File metadata

  • Download URL: ioc_fanger-5.0.0.tar.gz
  • Upload date:
  • Size: 115.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ioc_fanger-5.0.0.tar.gz
Algorithm Hash digest
SHA256 94cfc7f7c2801d54cfbb794beac0663c1dbff7a14167decf067a7202b49af356
MD5 0a49e9b631ba08adbfb340d1771d1670
BLAKE2b-256 cd896010d4af0bdef5475ac29302c406692cd4cd25da4d88851117e0d543ad77

Provenance

The following attestation bundles were made for ioc_fanger-5.0.0.tar.gz:

Publisher: python-publish.yml on ioc-fang/ioc-fanger

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ioc_fanger-5.0.0-py3-none-any.whl.

File metadata

  • Download URL: ioc_fanger-5.0.0-py3-none-any.whl
  • Upload date:
  • Size: 7.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ioc_fanger-5.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0391947de217740020020baa34f79f155c5f347e6a048fd4e5b2ab5e36cf4cd0
MD5 15e835bd80c91093122204045d2516fc
BLAKE2b-256 f8fef464b0d69f7209be2897eecfcdbc899a6ebe60b9d846207d0604b3896039

Provenance

The following attestation bundles were made for ioc_fanger-5.0.0-py3-none-any.whl:

Publisher: python-publish.yml on ioc-fang/ioc-fanger

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
