ioc-fanger 3.2.3

Python package to defang and fang indicators of compromise from text.

IOC Fanger

Python package to fang and defang indicators of compromise in text.

import ioc_fanger

ioc_fanger.defang("example.com http://bad.com/phishing.php")  # example[.]com hXXp://bad[.]com/phishing[.]php
ioc_fanger.fang("example[.]com hXXp://bad[.]com/phishing[.]php")  # example.com http://bad.com/phishing.php

Defanging - converting indicators of compromise from the normal form (which can become links) to a form which cannot accidentally become a link:

example.com => example[.]com

Fanging - converting indicators of compromise from a defanged form to the normal, original form:

example[.]com => example.com

What can it fang?

Just about everything. Check out the tests to see some examples of what this package can handle.

Installation

The recommended means of installation is using pip:

pip install ioc_fanger

Alternatively, you can install ioc_fanger as follows:

git clone https://github.com/ioc-fang/ioc_fanger.git && cd ioc_fanger;
python setup.py install --user;

Usage

Via Python

Use ioc_fanger as follows:

import ioc_fanger

ioc_fanger.defang("example.com http://bad.com/phishing.php")  # example[.]com hXXp://bad[.]com/phishing[.]php
ioc_fanger.fang("example[.]com hXXp://bad[.]com/phishing[.]php")  # example.com http://bad.com/phishing.php

Via Command Line

Once you install the package, there will be two commands available in the command line:

• fang
• defang

After each command, provide the text you would like to fang/defang:

fang "example[.]com"  # example.com

defang "example.com"  # example[.]com

Development

👋  If you want to contribute to this project, test it locally, or just explore it - we have some helpful instructions below.

Prerequisites

If you want to test, lint, or explore a project, make sure you have docker and docker-compose installed (if you don't see: installing docker).

Then you can use the test, lint, and dev docker compose services listed below!

Test a Project 🧪

To test a project, run the following command from the root directory of the project:

docker-compose run --rm test

Typically, this command will run pytest on the project's test suite. To view the details of what this command does, take a look at the test service in the project's docker-compose.yml file.

Lint a Project 🧹

To lint a project, run the following command from the root directory of the project:

docker-compose run --rm lint

Typically, this command will run linters on the project's code with the goal of improving code quality and catching bugs before we release them (you can read more about the benefits of linting here). To view the details of what this command does, take a look at the lint service in the project's docker-compose.yml file.

Explore a Project 🔭

To explore a project, you can drop into a "dev" environment which is an IPython shell with the project and all its requirements loaded. To do this, run the following command from the root directory of the project:

docker-compose run --rm dev

To see what this command does, take a look at the dev service in the project's docker-compose.yml file.

Feedback

If you have any ideas to improve this package, please raise an issue!

Other Helpful Projects

If you are working with indicators of compromise (a.k.a. observables), you may find the ioc-finder project helpful. The ioc-finder project parses indicators of compromise from text (using grammars).

Credits

We created this package using Cookiecutter and the fhightower/python-project-template project template.