AIL/ail-framework
7
0
Fork 0
mirror of https://github.com/ail-project/ail-framework.git synced 2024-11-10 08:38:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
ail-framework/bin/IPAddress.py

106 lines
3.3 KiB
Python
Raw Normal View History

Added: IP matching module
2019-09-23 16:22:25 +00:00
#!/usr/bin/env python3
# -*-coding:UTF-8 -*
"""
The IP Module
======================
This module is consuming the global channel.
It first performs a regex to find IP addresses and then matches those IPs to
some configured ip ranges.
The list of IP ranges are expected to be in CIDR format (e.g. 192.168.0.0/16)
and should be defined in the config.cfg file, under the [IP] section
"""
import time
import re
from pubsublogger import publisher
from packages import Paste
from Helper import Process
#
# Thanks to Syed Sadat Nazrul
# URL: https://medium.com/@sadatnazrul/checking-if-ipv4-address-in-network-python-af61a54d714d
def ip_to_binary(ip):
octet_list_int = ip.split(".")
octet_list_bin = [format(int(i), '08b') for i in octet_list_int]
binary = ("").join(octet_list_bin)
return binary
def get_addr_network(address, net_size):
#Convert ip address to 32 bit binary
ip_bin = ip_to_binary(address)
#Extract Network ID from 32 binary
network = ip_bin[0:32-(32-net_size)]
return network
def ip_in_prefix(ip_address, prefix):
#CIDR based separation of address and network size
[prefix_address, net_size] = prefix.split("/")
#Convert string to int
net_size = int(net_size)
#Get the network ID of both prefix and ip based net size
prefix_network = get_addr_network(prefix_address, net_size)
ip_network = get_addr_network(ip_address, net_size)
return ip_network == prefix_network
def search_ip(message):
paste = Paste.Paste(message)
content = paste.get_p_content()
# regex to find IPs
reg_ip = re.compile(r'^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)', flags=re.MULTILINE)
# list of the regex results in the Paste, may be null
results = reg_ip.findall(content)
matching_ips = []
print(results)
for res in results:
for network in ip_networks:
if ip_in_prefix(res,network):
matching_ips.append(res)
if len(matching_ips) > 0:
print('{} contains {} IPs'.format(paste.p_name, len(matching_ips)))
publisher.warning('{} contains {} IPs'.format(paste.p_name, len(matching_ips)))
#Tag message with IP
msg = 'infoleak:automatic-detection="ip";{}'.format(message)
p.populate_set_out(msg, 'Tags')
#Send to duplicate
p.populate_set_out(message, 'Duplicate')
if __name__ == '__main__':
# If you wish to use an other port of channel, do not forget to run a subscriber accordingly (see launch_logs.sh)
# Port of the redis instance used by pubsublogger
publisher.port = 6380
# Script is the default channel used for the modules.
publisher.channel = 'Script'
# Section name in bin/packages/modules.cfg
config_section = 'IP'
# Setup the I/O queues
p = Process(config_section)
ip_networks = p.config.get("IP", "networks").split(",")
# Sent to the logging a description of the module
publisher.info("Run IP module")
# Endless loop getting messages from the input queue
while True:
# Get one message from the input queue
message = p.get_from_set()
if message is None:
publisher.debug("{} queue is empty, waiting".format(config_section))
time.sleep(1)
continue
# Do something with the message from the queue
search_ip(message)
Reference in a new issue Copy permalink