Data Input
Please enter some text to process
IP List Cleaner & Refanger
Sanitize messy threat intelligence reports and firewall logs instantly. Our tool refangs defanged IPs (e.g., converting 1[.]1[.]1[.]1 back to 1.1.1.1), removes duplicates, and provides a numerically sorted list ready for immediate import into your SIEM, ACLs, or blocklists.
Automated Refanging
Smart Deduplication
SOC Analyst Ready
How to Use the IP List Cleaner & Refanger
What is IP Defanging & Refanging?
Security teams defang IP addresses (e.g., 1[.]2[.]3[.]4) when sharing threat intel to prevent accidental clicks or auto-hyperlinking in ticketing systems. This tool refangs them back to standard format so you can immediately use them in firewall rules, SIEM filters, or blocklists.
Step-by-Step Instructions
- 1Paste Input: Dump raw firewall logs, SIEM exports, or threat intel reports directly into the input box. No pre-cleaning required.
- 2Auto Refang: The tool normalises
[.],(.),{.}, and[dot]variants to standard dots automatically. - 3Click Clean & Deduplicate: Valid IPv4 addresses are extracted, duplicates are removed, and results are sorted numerically.
- 4Copy or Download: Use the Copy button for quick clipboard transfer, or Download to save a timestamped
.txtfile.
Pro Tip: The duplicate audit panel shows every address that appeared more than once — useful for identifying the noisiest IPs in your logs.
Frequently Asked Questions
What defanging formats does this tool support?
The tool handles all four common SOC variants: square-bracket dot [.], parenthesis dot (.), curly-bracket dot {.}, and the written-out [dot] form (case-insensitive). Any combination across the same address is handled correctly.
Will the tool pick up IPs embedded inside URLs or log lines?
Yes. The extraction regex scans for any valid IPv4 pattern regardless of surrounding characters — it will correctly extract addresses from entries like GET http://203.0.113.5/malware or src=10.0.0.1 dst=172.16.0.50 without manual pre-processing.
How are results sorted?
Addresses are sorted numerically (by their 32-bit integer value), not alphabetically. This means 10.0.0.2 correctly comes before 10.0.0.10, which is critical when building ordered ACLs or blocklists.
Does the Download button save a CSV?
For this tool the download saves a plain .txt file — one IP per line — rather than CSV. This format is directly compatible with most firewall import wizards, threat intelligence platforms, and scripting pipelines that expect a flat address list.
Why do cybersecurity analysts need deduplication?
Log exports and SIEM alerts frequently repeat the same source IPs thousands of times. Deduplicating before importing into a blocklist prevents unnecessarily large rule sets and makes it easier to spot which addresses appear most often — a key indicator of persistent attackers or scanning activity.