2

I have been asked to block an IP address of the form:

1.111.1[.]111

I have never come across a dot in square brackets in IPv4. Does it have any meaning or interpretation?

Infermath
  • That is not a valid IPv4 address. Either some typo or some strange attempt to suggest a regular expression. Just forget it. – arkascha Apr 23 '20 at 17:38
  • It _could_ be that the author tried to express a 24-bit network mask. That is usually noted as `1.111.1.111/24`. Which also is not a valid address, it is not meant to be. It is an agreed upon notation. – arkascha Apr 23 '20 at 17:39
  • I double down on this question. Threat intel bois always go like xx[.]xx[.]xx[.]xx and I also don't know why. Found this question while searching for it myself. – MedAl Jun 07 '21 at 10:26

1 Answer

2

[Answer edited after Espresso's wise comment]

Some valuable information on the topic can be found here: https://inquest.readthedocs.io/projects/iocextract/en/latest/

Quote:

It is common practice for malware analysts or endpoint software to “defang” IOCs such as URLs and IP addresses, in order to prevent accidental exposure to live malicious content. Being able to extract and aggregate these IOCs is often valuable for analysts. Unfortunately, existing “IOC extraction” tools often pass right by them, as they are not caught by standard regex.

For example, the simple defanging technique of surrounding periods with brackets: 127[.]0[.]0[.]1

Existing tools that use a simple IP address regex will ignore this IOC entirely.

To summarize, this notation makes links/IPs impossible to click or use "by error", in order to mitigate the risks linked to those Indicators of Compromise.

MedAl
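As an added illustration of the defanging the answer describes (this is example code written for this page, not part of the answer and not the iocextract library's own code), the script below extracts IPv4 indicators from report text whether they are written plainly, with the `[.]` notation from the question, or with other common defang styles, validates each candidate as a real address so junk like `999[.]1[.]1[.]1` is dropped, and re-defangs a live address before it is written back into a report. The regular expression and the sample report text are my own constructions.

```python
"""Extract defanged IPv4 indicators from threat-intel text (added example, not from the page).

Handles the bracket-dot notation from the question (1.111.1[.]111) plus other
common defang styles, validates each candidate as a real IPv4 address, and can
re-defang a live address before it is pasted into a report.
"""
import ipaddress
import re
from typing import List, Optional

# Octet separators accepted: a plain dot or the usual defanged forms.
_DOT = r"(?:\.|\[\.\]|\(\.\)|\{\.\}|\[dot\])"
_OCTET = r"\d{1,3}"
# Four octets joined by any mix of separators, not glued to other word chars or dots.
_CANDIDATE_RE = re.compile(
    rf"(?<![\w.]){_OCTET}(?:{_DOT}{_OCTET}){{3}}(?![\w.])",
    re.IGNORECASE,
)
_DOT_RE = re.compile(_DOT, re.IGNORECASE)


def refang_ipv4(token: str) -> Optional[str]:
    """Turn a (possibly defanged) IPv4 token back into dotted-quad form.

    Returns None when the token is not a valid IPv4 address after refanging
    (for example an octet above 255), so 999[.]1[.]1[.]1 is never reported.
    """
    candidate = _DOT_RE.sub(".", token)
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return None


def defang_ipv4(address: str) -> str:
    """Make a live address safe to paste into a report by bracketing each dot."""
    return str(ipaddress.IPv4Address(address)).replace(".", "[.]")


def extract_ipv4(text: str) -> List[str]:
    """Return every valid IPv4 address in text (defanged or not), refanged,
    de-duplicated and in order of first appearance."""
    found: List[str] = []
    for match in _CANDIDATE_RE.finditer(text):
        ip = refang_ipv4(match.group(0))
        if ip is not None and ip not in found:
            found.append(ip)
    return found


# Constructed sample report (not from the page) mixing defang styles, a plain
# address and an invalid candidate that must be rejected.
SAMPLE_REPORT = """\
Beacons observed to 127[.]0[.]0[.]1 and 10(.)20(.)30(.)40 over hxxp://198[.]51[.]100[.]7/c2
Mixed style as in the question: 1.111.1[.]111
Already plain: 192.168.1.1
Bogus octet, must be dropped: 999[.]1[.]1[.]1
"""

if __name__ == "__main__":
    for ip in extract_ipv4(SAMPLE_REPORT):
        print(f"{ip:15} -> block list entry; cite in reports as {defang_ipv4(ip)}")
```

Run as a script it prints each live address next to its defanged form; the refanged value is what goes into a firewall or block list, and the bracketed value is what goes into the write-up so nobody clicks or pings it by accident. Adding another defang style (for instance `hxxp://` for URLs) is a matter of extending the separator pattern.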