Python package to fang (example[.]com => example.com) and defang (example.com => example[.]com) indicators of compromise in text.
Read more in our interactive documentation!
`ioc_fanger.fang` recognises the following defanging patterns and restores them to their normal form:

- Brackets, parentheses, or braces around a `.` or `,` — e.g. `example[.]com`, `example(.)com`, `example{.}com`, `example[,]com`
- Brackets, parentheses, or braces around a `:` — e.g. `http[:]//example.com`
- The literal word `DOT`, `dot`, `punto`, or `punkt` standing in for a `.` — e.g. `example[dot]com`, `example DOT com`, `example-punto-com`
- Brackets, parentheses, or braces around `://` — e.g. `http[://]example.com`
- Brackets, parentheses, or braces around `www` — e.g. `[www]example.com`
- Brackets, parentheses, or braces around a `-` — e.g. `service[-]ict.nl`
- `@` replaced with `at`, `et`, `arroba`, or `@` itself wrapped in brackets/parentheses/braces — e.g. `user[at]example.com`, `user(@)example.com`, `user AT example.com`
- Defanged URL schemes such as `hXXp://`, `hXXps://`, `hxxp://`, `xxxx://`, `xxxxs://`, `xxxx[s]://`, as well as bracketed variants like `[http]://` and `htt[p]://`
- URL schemes split by extra slashes or whitespace — e.g. `http:///example.com`, `http: //example.com`, `https : //example.com`
- IPv4 addresses written with commas instead of dots — e.g. `8,8,8,8` → `8.8.8.8`
- Backslash-, caret-, or angle-bracket-escaped dots — e.g. `example\.com`, `example^.com`, `example<.>com`
- Backslash-escaped slashes — e.g. `http:\/\/example.com`
- Stray whitespace around an `@` in an email — e.g. `user @ example.com`

These patterns combine, so inputs like `hXXp://bad[.]example[dot]com/file[.]php` are fully restored in a single call.

`ioc_fanger.defang` applies a small, deliberately conservative set of substitutions so the output is unambiguous to re-fang:

- A `.` between two word characters becomes `[.]` — e.g. `example.com` → `example[.]com`, `8.8.8.8` → `8[.]8[.]8[.]8`
- The URL schemes `http:` and `https:` become `hXXp:` and `hXXps:` — e.g. `http://example.com` → `hXXp://example[.]com`
- An `@` between two non-whitespace characters becomes `(at)` — e.g. `user@example.com` → `user(at)example[.]com`
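
The three defang rules above, restated as a stand-alone sketch with a pre-send check that a defanged report contains nothing a mail client or ticket system would auto-link. This is an added example, not ioc_fanger's own code; the regexes, the names `defang_rules`, `refang_rules` and `live_indicators`, and the sample text are assumptions made for illustration.

```python
import re

# Assumption: these regexes restate the three rules listed above;
# they are not the patterns ioc_fanger itself uses.
_SCHEME = re.compile(r"\bhttp(s?):")       # http: / https:
_AT = re.compile(r"(?<=\S)@(?=\S)")        # "@" between two non-whitespace characters
_DOT = re.compile(r"(?<=\w)\.(?=\w)")      # "." between two word characters

# Constructed sample text (not real indicators).
SAMPLE = ("Beacon to http://bad.example.com/file.php from 8.8.8.8; "
          "phish sent by user@example.com.")


def defang_rules(text: str) -> str:
    """Apply the three conservative substitutions described above."""
    text = _SCHEME.sub(r"hXXp\1:", text)
    text = _AT.sub("(at)", text)
    # Lookarounds leave the sentence-ending period untouched.
    return _DOT.sub("[.]", text)


def refang_rules(text: str) -> str:
    """Invert only the substitutions made by defang_rules()."""
    text = text.replace("[.]", ".").replace("(at)", "@")
    return re.sub(r"\bhXXp(s?):", r"http\1:", text)


def live_indicators(text: str) -> list[str]:
    """Return fragments that could still be auto-linked or resolved."""
    found = [m.group(0) for m in _SCHEME.finditer(text)]
    found += [m.group(0) for m in re.finditer(r"\S+@\S+", text)]
    found += [m.group(0) for m in re.finditer(r"\w+(?:\.\w+)+", text)]
    return found


if __name__ == "__main__":
    safe = defang_rules(SAMPLE)
    print(safe)
    print("still live:", live_indicators(safe))
    print("round trip ok:", refang_rules(safe) == SAMPLE)
```

The round trip only holds for input that is not already defanged: text that contains a literal `[.]` or `(at)` passes through `defang_rules` unchanged and is rewritten on the way back.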
For those working on or testing this library, here are some helpful tips.
This project uses pytest-benchmark to test the performance impact of changes.
By default, every time you run tests it will compare the new results with the existing results.
If you need to update the benchmarks, open `pyproject.toml` and replace all flags starting with `--benchmark` with:

`--benchmark-save=benchmark`

This will save a file in the `.benchmarks/` dir.