def test_markdown_fanging():
    """Pin how fang() treats markdown link syntax and underscore-wrapped hosts."""
    cases = [
        # The opening '[' and '(' are removed but the closing ']' and ')' stay,
        # so the fanged text still carries stray delimiters next to each URL.
        # Anything that extracts URLs from fanged text has to tolerate that.
        (
            '[https://i.imgur.com/abc.png](https://i.imgur.com/abc.png)',
            'https://i.imgur.com/abc.png]https://i.imgur.com/abc.png)',
        ),
        # Underscores around a host name are not a defanging convention.
        ('_o_o.lgms.nl_', '_o_o.lgms.nl_'),
    ]
    for defanged, expected in cases:
        assert ioc_fanger.fang(defanged) == expected
def test_issue_47():
    """An unmatched bracket after ordinary prose must be left untouched."""
    # Both inputs are plain text with a period followed by an opening
    # delimiter; neither contains an indicator, so fang() must be a no-op.
    for untouched in ("a. [b", "a. (b"):
        result = ioc_fanger.fang(untouched)
        assert result == untouched
def test_odd_hXXp_replacement():
    """Pin fang()'s handling of URLs and hosts wrapped in parentheses."""
    doc_url = 'https://help.passivetotal.org/tags_&_classifications.html'

    # Only the opening '(' is removed; the closing ')' stays attached to the
    # second URL in the expected output.
    wrapped = 'In the UI: ' + doc_url + ' (' + doc_url + ')'
    assert ioc_fanger.fang(wrapped) == 'In the UI: ' + doc_url + ' ' + doc_url + ')'

    # this is based on the text of an incident found here: https://app.threatconnect.com/auth/incident/incident.xhtml?incident=2952580883&owner=Technical%20Blogs%20and%20Reports#/
    parenthesised_host = 'domain (www.example.com).'
    assert ioc_fanger.fang(parenthesised_host) == 'domain www.example.com).'
def test_email_addresses(defanged_email_address_text, fanged_email_address_text):
    """Check e-mail fanging against the fixture pair and an address literal."""
    assert ioc_fanger.fang(defanged_email_address_text) == fanged_email_address_text

    # The square brackets here are part of the address (an IP address
    # literal as the domain), not defanging, so they must survive.
    address_literal = 'test@[192.168.0.1]'
    assert ioc_fanger.fang(address_literal) == address_literal
def test_systematic_dot():
    """Walk through the spelled-out 'dot' variants and what each fangs to."""
    cases = [
        ("fooDOTcom", "foo.com"),
        ("foo[DOT]com", "foo.com"),
        ("foo{DOT}com", "foo.com"),
        ("foo(DOT)com", "foo.com"),
        # A bare lowercase 'dot' with no delimiters is left alone.
        ("foodotcom", "foodotcom"),
        ("foo[dot]com", "foo.com"),
        # see https://github.com/ioc-fang/ioc_fanger/issues/30
        ("foo{dot}com", "foo.com"),
        ("foo(dot)com", "foo.com"),
        ("foo-dot-com", "foo.com"),
    ]
    for defanged, expected in cases:
        assert ioc_fanger.fang(defanged) == expected
def test_issue_53__urls_in_query_strings_fanged():
    """A URL glued to the tail of a query-string fragment must come back unchanged."""
    # Each input is imagined as the end of a query string: the scheme is
    # preceded by '--~C' with no separator, and fang() must not rewrite it.
    fragments = (
        "--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
        "--~Chttps://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip",
    )
    for fragment in fragments:
        result = ioc_fanger.fang(fragment)
        assert result == fragment
def test_spanish_defanging():
    """Spanish 'arroba'/'punto' markers, bracketed or parenthesised, fang to an address."""
    # NOTE(review): the expected value looks masked by e-mail obfuscation on
    # the page this listing came from — confirm it against the upstream test.
    expected = '*****@*****.**'
    variants = (
        'me (arroba) example (punto) com',
        'me(arroba)example(punto)com',
        'me [arroba] example [punto] com',
        'me[arroba]example[punto]com',
    )
    for defanged in variants:
        assert ioc_fanger.fang(defanged) == expected
def test_german_defanging():
    """German 'punkt' markers, bracketed or parenthesised, fang to a period."""
    # NOTE(review): the expected value looks masked by e-mail obfuscation on
    # the page this listing came from — confirm it against the upstream test.
    expected = '*****@*****.**'
    variants = (
        'me@example (punkt) com',
        'me@example(punkt)com',
        'me@example [punkt] com',
        'me@example[punkt]com',
    )
    for defanged in variants:
        assert ioc_fanger.fang(defanged) == expected
def test_german_defanging():
    """Check that the German 'punkt' marker is fanged with or without spacing."""
    # NOTE(review): the expected value looks masked by e-mail obfuscation on
    # the page this listing came from — confirm it against the upstream test.
    masked_expected = "*****@*****.**"
    for wrapper in ("me@example (punkt) com", "me@example(punkt)com",
                    "me@example [punkt] com", "me@example[punkt]com"):
        assert ioc_fanger.fang(wrapper) == masked_expected
def test_email_addresses(defanged_email_address_text, fanged_email_address_text):
    """Check e-mail fanging on the fixture pair and on two bracket-bearing addresses."""
    assert ioc_fanger.fang(defanged_email_address_text) == fanged_email_address_text

    # In both addresses the brackets/parentheses belong to the address itself
    # (an IP address literal, a comment in the local part), so fang() must
    # return them exactly as given.
    for legitimate in ("test@[192.168.0.1]", "john.smith(comment)@example.com"):
        fanged_data = ioc_fanger.fang(legitimate)
        assert fanged_data == legitimate
def test_systematic_period_square_brackets():
    """Every placement of square brackets around a period fangs to a bare period."""
    # Covers matched, mirrored, doubled and single-sided brackets.
    bracketed = (
        'foo[.]com',
        'foo].[com',
        'foo[.[com',
        'foo].]com',
        'foo[.com',
        'foo.[com',
        'foo].com',
        'foo.]com',
    )
    for defanged in bracketed:
        assert ioc_fanger.fang(defanged) == 'foo.com'
def test_issue_34(): s = '''[Researcher email address]. Best Regards,''' result = ioc_fanger.fang(s) print(result) assert result == '''[Researcher email address.
def test_issue_53__percent_encoded_urls_fanged_properly():
    """A URL with a percent-encoded URL in its query string must not be altered."""
    # The query string holds a percent-encoded URL and ends with a second,
    # plain URL appended after '--~C'. Nothing here is defanged, so fang()
    # has to return the input byte for byte.
    redirect_url = "https://asf.goole.com/mail?url=http%3A%2F%2Ffreasdfuewriter.com%2Fcs%2Fimage%2FCommerciaE.jpg&t=1575955624&ymreqid=733bc9eb-e8f-34cb-1cb5-120010019e00&sig=x2Pa2oOYxanG52s4vyCEFg--~Chttp://uniddloos.zddfdd.org/CBA0019_file_00002_pdf.zip"
    assert ioc_fanger.fang(redirect_url) == redirect_url
def main():
    """Read the playbook's text input, fang it, and publish it as ``fangedText``."""
    cli_args = parse_arguments()
    original_text = tcex.playbook.read(cli_args.text)
    # NOTE(review): this and the log call below write the complete input and
    # the complete fanged output at info level, so whatever the playbook
    # passes in (including re-armed URLs and addresses) ends up in the app
    # log — confirm that is acceptable for where these logs are stored.
    tcex.log.info('Text before fanging: {}'.format(original_text))

    fanged_text = ioc_fanger.fang(original_text)

    # hand the fanged text to downstream playbook apps
    tcex.playbook.create_output('fangedText', fanged_text)
    tcex.log.info('Text after fanging: {}'.format(fanged_text))
    tcex.exit(0)
def test_issue_34():
    """Pin what fang() does to a bracketed placeholder in ordinary prose."""
    # NOTE(review): the page shows a single space before 'Best Regards,'; the
    # upstream triple-quoted literal may span lines — confirm.
    placeholder_text = """[Researcher email address]. Best Regards,"""
    result = ioc_fanger.fang(placeholder_text)
    print(result)
    # The closing ']' before the period is dropped even though the text holds
    # no indicator: fanging is not guaranteed to leave prose intact.
    expected = """[Researcher email address. Best Regards,"""
    assert result == expected
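def process_text():
    """Fang or defang the submitted text and return it as the response body.

    Reads ``text`` and ``action`` from the submitted form. An empty ``text``
    flashes an error and redirects to ``index``. ``action == 'fang'`` fangs
    the text; every other action value defangs it.

    Returns:
        The redirect when no text was supplied, otherwise a
        ``(body, status, headers)`` tuple whose body is the processed text.
    """
    text = request.form['text']
    action = request.form['action']

    if not text:
        flash('Please enter some text.', 'error')
        return redirect(url_for('index'))

    if action == 'fang':
        processed_text = ioc_fanger.fang(text)
    else:
        processed_text = ioc_fanger.defang(text)

    # The body is request-supplied text handed straight back to the client.
    # Returned as a bare string it would be served with the framework's
    # default HTML content type and any markup in it would be rendered, so it
    # is declared as plain text and content sniffing is switched off. The
    # body itself is unchanged.
    # NOTE(review): assumes this function is registered as a Flask view (it
    # uses request/flash/redirect/url_for; the route decorator is not visible
    # here) — confirm before relying on the tuple return form.
    return processed_text, 200, {
        'Content-Type': 'text/plain; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
    }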
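def test_odd_misc():
    """Assorted defanging styles: escapes, carets, bracketed labels, mixed text.

    The inputs containing a backslash are written as raw strings. ``\\.`` and
    ``\\/`` are not valid escape sequences, so the plain literals produced the
    same value only by accident and trigger an invalid-escape warning on
    current Python versions. The values passed to fang() are unchanged.
    """
    cases = [
        (r"www\.example\.com", 'www.example.com'),
        ("www^.example^.com", 'www.example.com'),
        ("foo[-]bar.com", 'foo-bar.com'),
        ("[www].example.com", 'www.example.com'),
        ("(www).example.com", 'www.example.com'),
        (r'https://example.com\/test.php', 'https://example.com/test.php'),
        (
            "diota[-]ar.com:80/.well-known/acme-challenge/mxr.pdf diota[-]ar.com/.well-known/acme-challenge/mxr.pdf",
            "diota-ar.com:80/.well-known/acme-challenge/mxr.pdf diota-ar.com/.well-known/acme-challenge/mxr.pdf",
        ),
        # NOTE(review): '[email protected]' looks like e-mail obfuscation
        # applied by the page this listing came from, not the real expected
        # value — confirm against the upstream test before running.
        (
            "xxxxs://proverka[.]host/ Email: silena[.]berillo(at)gmail[.]com, hto2018(at)yandex[.]ru",
            "https://proverka.host/ Email: [email protected], [email protected]",
        ),
        # Only the opening '(' is removed; the ')' stays attached to the URL.
        (
            "code to (https://www.linkedin.com/feed/hashtag/?keywords=%23IOCs)<https://example.in/foo>",
            "code to https://www.linkedin.com/feed/hashtag/?keywords=%23IOCs)<https://example.in/foo>",
        ),
        # Prose with a stray ')' and no indicator must come back unchanged.
        ('analysis), yo', 'analysis), yo'),
    ]
    for defanged, expected in cases:
        assert ioc_fanger.fang(defanged) == expected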
def test_systematic_period_curly_braces():
    """Every placement of curly braces around a period fangs to a bare period."""
    # Covers matched, mirrored, doubled and single-sided braces.
    braced = (
        'foo{.}com',
        'foo}.{com',
        'foo{.{com',
        'foo{.com',
        'foo.{com',
        'foo}.}com',
        'foo}.com',
        'foo.}com',
    )
    for defanged in braced:
        assert ioc_fanger.fang(defanged) == 'foo.com'
def test_odd_brackets():
    """Unbalanced square brackets around several periods all fang to 'www.example.com'."""
    # Each input defangs both periods of the host name the same way.
    unbalanced = (
        "www[.[example[.[com",
        "www].]example].]com",
        "www].[example].[com",
        "www.[example.[com",
        "www.]example.]com",
        "www[.example[.com",
        "www].example].com",
    )
    for defanged in unbalanced:
        assert ioc_fanger.fang(defanged) == 'www.example.com'
def ioc_fang_defang(text, action):
    """Fang or defang ``text`` and report whether the conversion failed.

    Args:
        text: The text to convert.
        action: ``'fang'`` or ``'defang'``.

    Returns:
        A ``(response, error)`` tuple. On success ``response`` is the
        converted text and ``error`` is ``False``; if the conversion raises,
        ``response`` is the exception message and ``error`` is ``True``.

    Raises:
        RuntimeError: If ``action`` is neither ``'fang'`` nor ``'defang'``.
    """
    if action not in ('fang', 'defang'):
        raise RuntimeError(
            "Unknown action provided to ioc_fang_defang function: {}".format(
                action))

    try:
        if action == 'fang':
            converted = ioc_fanger.fang(text)
        else:
            converted = ioc_fanger.defang(text)
    except Exception as exc:
        # The raw exception message goes back to the caller in place of the
        # converted text; a caller that displays it is showing internal error
        # detail, and must check the flag before treating it as output.
        return str(exc), True

    return converted, False
def test_issue_24():
    """A plain word with no defanging markers must come back unchanged."""
    plain_word = 'seasharpee'
    fanged = ioc_fanger.fang(plain_word)
    assert fanged == plain_word
def test_issue_16():
    """A single '[' before only the first period is still treated as defanging."""
    half_bracketed = "www[.example.com"
    fanged = ioc_fanger.fang(half_bracketed)
    assert fanged == 'www.example.com'
def test_parenthetical_period():
    """Periods wrapped in parentheses fang to bare periods."""
    parenthesised = "www(.)example(.)com"
    fanged = ioc_fanger.fang(parenthesised)
    assert fanged == 'www.example.com'
def test_debug():
    """Passing ``debug=True`` must not change the fanged result."""
    defanged_ip = '192[.]168[.]4[.]2'
    fanged_ip = ioc_fanger.fang(defanged_ip, debug=True)
    assert fanged_ip == '192.168.4.2'
def test_fanging(defanged_text, fanged_text):
    """Fang the ``defanged_text`` fixture and compare it with ``fanged_text``."""
    assert ioc_fanger.fang(defanged_text) == fanged_text
def fang_benchmark():
    """Fang the module's defanged sample text once and return the result."""
    fanged_sample = ioc_fanger.fang(SAMPLE_TEXT_DEFANGED)
    return fanged_sample
def test_email_addresses(defanged_email_address_text, fanged_email_address_text):
    """Fang the defanged e-mail fixture and compare it with the fanged fixture."""
    assert ioc_fanger.fang(defanged_email_address_text) == fanged_email_address_text
def test_odd_schemes():
    """Walk through mangled URL schemes and the scheme each one fangs to."""
    http_url = 'http://example.com/test.php'
    https_url = 'https://example.com/test.php'

    cases = [
        # x-masked schemes: four characters read as http, five as https
        ('xxxx://example.com/test.php', http_url),
        ('xxxxx://example.com/test.php', https_url),
        ('xXxX://example.com/test.php', http_url),
        ('xXxXx://example.com/test.php', https_url),
        ('hxxp://example.com/test.php', http_url),
        ('hXXp://example.com/test.php', http_url),
        ('hxxps://example.com/test.php', https_url),
        ('hXXps://example.com/test.php', https_url),
        # stray spaces around the separator
        ('http ://example.com/test.php', http_url),
        ('https ://example.com/test.php', https_url),
        ('http:// example.com/test.php', http_url),
        ('https:// example.com/test.php', https_url),
        # missing colon
        ('http//example.com/test.php', http_url),
        ('https//example.com/test.php', https_url),
        ('http// example.com/test.php', http_url),
        ('https// example.com/test.php', https_url),
        # extra slash
        ('http:///example.com/test.php', http_url),
        ('http:/// example.com/test.php', http_url),
        ('http :///example.com/test.php', http_url),
        ('https:///example.com/test.php', https_url),
        ('https:/// example.com/test.php', https_url),
        ('https :///example.com/test.php', https_url),
        # scheme wrapped in brackets or parentheses
        ('[http]://example.com/test.php', http_url),
        ('[https]://example.com/test.php', https_url),
        ('(http)://example.com/test.php', http_url),
        ('(https)://example.com/test.php', https_url),
        # one extra character between the scheme and the colon: every one of
        # these is expected to come out as https, including 'http!' and 'httpA'
        ('http!://example.com/test.php', https_url),
        ('https!://example.com/test.php', https_url),
        ('https@://example.com/test.php', https_url),
        ('httpA://example.com/test.php', https_url),
        ('https&://example.com/test.php', https_url),
        # several mangled URLs in one string
        (
            'https&://example.com/test.php https://example.com/test.php http&://example.com/test.php xxXpA://example.com/test.php',
            'https://example.com/test.php https://example.com/test.php https://example.com/test.php https://example.com/test.php',
        ),
        # bracketed separator together with bracketed periods
        ('hxxps[://]example[.]com/test[.]html', 'https://example.com/test.html'),
    ]
    for defanged, expected in cases:
        assert ioc_fanger.fang(defanged) == expected
def prepare_text(text):
    """Fang the text (https://ioc-fang.hightower.space/) and return it.

    The step that would convert Unicode domain names into their punycode
    representation is commented out, so this function only fangs: non-ASCII
    host names are returned as written.
    """
    fanged = ioc_fanger.fang(text)
    # Disabled: text = text.encode('idna').decode('utf-8')
    # NOTE(review): while this stays disabled, callers that compare or match
    # host names should not assume they are in punycode form.
    return fanged
def test_odd_email_address_spacing():
    """Check spacing and at-sign variants of defanged e-mail addresses."""
    # NOTE(review): the expected value looks masked by e-mail obfuscation on
    # the page this listing came from, and the repeated identical inputs
    # below presumably differed in whitespace upstream — confirm both against
    # the original test file.
    masked = '*****@*****.**'

    cases = [
        ("foo@barDOTcom", masked),
        ("foo@bar DOT com", masked),
        ("foo@bar DOT com", masked),
        ("foo @ bar.com", masked),
        ("foo @ bar.com", masked),
        ("foo @ bar.com", masked),
        ("foo @ bar.com", masked),
        ("fooATbar.com", masked),
        # make sure that the `AT` parsing isn't too broad... it shouldn't
        # replace 'AT' with '@' if the 'AT' is preceded by a capital letter
        ("fooMATbar.com", 'fooMATbar.com'),
        # same guard on the other side: 'AT' followed by a capital letter
        # must not be replaced either
        ("fooATAbar.com", 'fooATAbar.com'),
        ("foo AT bar.com", masked),
        ("foo AT bar.com", masked),
        ("foo AT bar.com", masked),
        ("foo AT bar.com", masked),
        ("foo[AT]bar.com", masked),
        ("foo(AT)bar.com", masked),
        ("foo[at]bar.com", masked),
        ("foo(at)bar.com", masked),
        ("foo[ET]bar.com", masked),
        ("foo(ET)bar.com", masked),
        ("foo[et]bar.com", masked),
        ("foo(et)bar.com", masked),
        ("foo [AT] bar.com", masked),
        ("foo (AT) bar.com", masked),
        ("foo [at] bar.com", masked),
        ("foo (at) bar.com", masked),
        ("foo [ET] bar.com", masked),
        ("foo (ET) bar.com", masked),
        ("foo [et] bar.com", masked),
        ("foo (et) bar.com", masked),
    ]
    for defanged, expected in cases:
        assert ioc_fanger.fang(defanged) == expected