
Threat Hunting Tool Highlight - IOC-Fanger


Phillip Kittelson | 27 Aug 23 | 2 min read

One of my favorite command-line tools is IOC-Fanger. I work with potentially malicious links and IP addresses, often collect Indicators of Compromise (IOCs), or have to produce a report for others to read, and in each case I do not want users to click the links or automated tools to resolve the hostnames or IP addresses. IOC-Fanger is a Python library and can be installed with pip: pip install ioc-fanger.

Alternatively, the tool can be cloned:

git clone https://github.com/ioc-fang/ioc_fanger.git && cd ioc_fanger;
python setup.py install --user;

After installation you can use IOC-Fanger from the command line through the fang and defang commands or, since it is a Python library, import it with import ioc_fanger and call ioc_fanger.defang() or ioc_fanger.fang() with your IOCs, or variables containing them, as the argument.

The Quick Start page shows the following usage:

import ioc_fanger

ioc_fanger.defang("example.com http://bad.com/phishing.php")  # example[.]com hXXp://bad[.]com/phishing[.]php
ioc_fanger.fang("example[.]com hXXp://bad[.]com/phishing[.]php")  # example.com http://bad.com/phishing.php

If you are using the command line, you can echo an IOC and pipe (|) the output to fang or defang, depending on which direction you need.

echo www.malware.com | defang

output -> www[.]malware[.]com
echo www[.]malware[.]com | fang

output -> www.malware.com

A large set of IOCs can be stored in a text file: cat the file contents and pipe them into defang or fang, redirecting the output into another working text file.

cat ioc.txt | defang

output ->   www[.]malware[.]com
            1[.]1[.]1[.]1
            hXXps://malware[.]com
            hXXp://virus[.]ru
            172[.]16[.]66[.]33

Handled operations (not a comprehensive list):

Defang

  • https://
  • http://
  • Email addresses: @ becomes [at], for example me@me.com -> me[at]me.com

Fang

  • IOCs with [dot]
  • Email addresses with [@], for example me[@]me.com -> me@me.com
  • Email addresses with [at], for example me[at]me.com -> me@me.com
  • hXXps://
  • hXXp://
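As an added example, not the library's own code: a minimal re-implementation of just the operations listed on this page, so the transformations and their ordering are visible, plus a line-by-line mode that mirrors the cat ioc.txt | defang usage. It assumes dots are always bracketed, including inside email addresses, and the file name fanger.py is hypothetical.

```python
import re
import sys

# Constructed sample mirroring the page's ioc.txt listing (not real indicators).
SAMPLE_IOCS = [
    "www.malware.com",
    "1.1.1.1",
    "https://malware.com",
    "http://virus.ru",
    "172.16.66.33",
    "me@me.com",
]


def defang(text):
    """Make IOCs non-clickable and non-resolvable.

    The scheme is rewritten first so the later '.' replacement never touches
    it; every '.' (domain label or IPv4 octet separator) becomes '[.]'.
    """
    text = re.sub(r"\bhttp(s?)://", r"hXXp\1://", text, flags=re.IGNORECASE)
    text = text.replace("@", "[at]")
    return text.replace(".", "[.]")


def fang(text):
    """Undo the defanged forms listed on the page: [.], [dot], [@], [at], hXXp(s)://."""
    text = re.sub(r"\[(?:\.|dot)\]", ".", text, flags=re.IGNORECASE)
    text = re.sub(r"\[(?:@|at)\]", "@", text, flags=re.IGNORECASE)
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def process_lines(lines, mode):
    """Apply fang/defang line by line, as 'cat ioc.txt | defang' does; blank lines are dropped."""
    func = {"fang": fang, "defang": defang}[mode]
    return [func(line.strip()) for line in lines if line.strip()]


def round_trip_ok(text):
    """Sanity check before publishing a report: defang then fang must restore the input."""
    return fang(defang(text)) == text


if __name__ == "__main__":
    # Usage: python3 fanger.py defang < ioc.txt   (defaults to the built-in sample)
    mode = sys.argv[1] if len(sys.argv) > 1 else "defang"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_IOCS
    print("\n".join(process_lines(source, mode)))
```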

Tags: cybersecurity