CYBERSECURITY
Threat Hunting Tool Highlight - IOC-Fanger
Phillip Kittelson | 27 Aug 23 | 2 min read

One of my favorite command-line tools is IOC-Fanger. I work with potentially malicious links and IP addresses, often obtain Indicators of Compromise (IOCs), or have to generate a report for others to read in which I do not want users to click on the links, or automated tools to resolve the hostname or IP address.
IOC-Fanger is a Python library and can be installed using pip: pip install ioc-fanger
Alternatively, the tool can be cloned:
git clone https://github.com/ioc-fang/ioc_fanger.git && cd ioc_fanger;
python setup.py install --user;
After installation, you'll have access to IOC-Fanger via the command line using fang and defang. Since it's a Python library, you can also import it with import ioc_fanger and call ioc_fanger.defang() or ioc_fanger.fang() on your IOCs, or on variables containing the IOCs, inside the ().
The Quick Start page shows the following usage:
import ioc_fanger
ioc_fanger.defang("example.com http://bad.com/phishing.php") # example[.]com hXXp://bad[.]com/phishing[.]php
ioc_fanger.fang("example[.]com hXXp://bad[.]com/phishing[.]php") # example.com http://bad.com/phishing.php
If you are using the command line, you can echo an IOC and pipe (|) the output to fang or defang, depending on which way you're going.
echo www.malware.com | defang
output -> www[.]malware[.]com
echo www[.]malware[.]com | fang
output -> www.malware.com
A large set of IOCs can be stored in a txt file; cat the file contents out to the command line, pipe (|) them into defang or fang, and redirect the output into another working text file.
cat ioc.txt | defang
output -> www[.]malware[.]com
1[.]1[.]1[.]1
hXXps://malware[.]com
hXXp://virus[.]ru
172[.]16[.]66[.]33
Handled operations (not a comprehensive list):
Defang
- URLs beginning with https:// or http://
- Email addresses: @ is turned into [at], for example me@me.com -> me[at]me.com
Fang
- IOCs with [dot]
- Email addresses with [@] brackets, for example me[@]me.com -> me@me.com
- Email addresses with [at] brackets, for example me[at]me.com -> me@me.com
- URLs beginning with hXXps:// or hXXp://
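As an added example that is not part of the original post or of the IOC-Fanger project's code, the script below reimplements the transformations listed above in plain Python so that the cat ioc.txt | defang workflow and a defang/fang round-trip check can be tried without the library installed. The regex rules and the sample indicator list are my own assumptions; the library's exact behaviour may differ (for example on dots inside e-mail addresses).

```python
import re

# Constructed sample in the style of the post's ioc.txt (not real indicators).
SAMPLE_IOCS = """www.malware.com
1.1.1.1
https://malware.com
http://virus.ru
172.16.66.33"""


def defang(text: str) -> str:
    """Render IOCs inert: neutralise URL schemes, dots and e-mail '@'.
    Mirrors the transformations the post lists; not the library's code."""
    text = re.sub(r"(?i)\bhttps://", "hXXps://", text)
    text = re.sub(r"(?i)\bhttp://", "hXXp://", text)
    text = text.replace("@", "[at]")
    return text.replace(".", "[.]")


def fang(text: str) -> str:
    """Reverse defanging, accepting the bracket variants the post mentions."""
    text = re.sub(r"(?i)\bhxxps://", "https://", text)
    text = re.sub(r"(?i)\bhxxp://", "http://", text)
    text = re.sub(r"\[(?:\.|dot)\]", ".", text, flags=re.IGNORECASE)
    return re.sub(r"\[(?:@|at)\]", "@", text, flags=re.IGNORECASE)


def defang_file_contents(contents: str) -> list[str]:
    """Equivalent of `cat ioc.txt | defang`: one defanged line per input line."""
    return [defang(line) for line in contents.splitlines() if line.strip()]


def roundtrip_failures(contents: str) -> list[str]:
    """Lines that do not survive defang -> fang unchanged.
    Worth running before sharing a report, so analysts can recover the
    original indicator exactly from the defanged text."""
    return [line for line in contents.splitlines()
            if line.strip() and fang(defang(line)) != line]


if __name__ == "__main__":
    for line in defang_file_contents(SAMPLE_IOCS):
        print(line)
    print("round-trip failures:", roundtrip_failures(SAMPLE_IOCS))
```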