Analysis Information Leak framework
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
Terrtia 01f459109f
chg: [feeder] rename bgp_monitor
2 weeks ago
.github/workflows fix: [github workflows] fix test 1 year ago
bin chg: [feeder] rename bgp_monitor 2 weeks ago
configs chg: [logs] add syslog level + facility + script startup message 3 weeks ago
doc chg: [doc] Splash Manager Configuration 2 years ago
docsphinx/source Initial import of AIL framework - Analysis Information Leak framework 8 years ago
files chg: [Credential + tags] add misp-taxonomies submodule + fix typo 1 year ago
logs Travis, print logs 7 years ago
other_installers Uncomment update and explain in docker readme 2 years ago
samples/2021/01/01 chg: [modules + tests] fix modules + test modules on samples 1 year ago
tests chg: [add Hosts module] 4 months ago
tools chg: [modules] create new modules repository + small fixs 1 year ago
update chg: [v4.2.1] add pubsublogger update 3 weeks ago
var/www fix: [api] fix crawler api response 2 weeks ago
.dockerignore Update .dockerignore 1 year ago
.gitchangelog.rc chg: [gitchangelog.rc] updated to output Markdown 1 year ago
.gitignore chg: [passiveDns D4 Client] add passiveDns D4 Client 2 years ago
.gitmodules chg: [Credential + tags] add misp-taxonomies submodule + fix typo 1 year ago
.travis.yml chg: [travis] -> bionic 2 years ago
HOWTO.md Update HOWTO.md 1 year ago
LICENSE Initial import of AIL framework - Analysis Information Leak framework 8 years ago
OVERVIEW.md chg: [merge master] 2 years ago
README.md chg: [doc] GI Badge 11 months ago
SECURITY.md Create SECURITY.md 8 months ago
centos_installing_deps.sh CentOS 8 installation script Fixed a problem 1 year ago
crawler_hidden_services_install.sh fix: [install crawler] remove old python requirement 2 years ago
install_virtualenv.sh chg: [install vitualenv] remove travis env 3 months ago
installing_deps.sh fix: [installer] remove old tor install 4 months ago
python3_upgrade.sh python 3 upgrade mv old redis db 4 years ago
requirements.txt add: [tracker] typo-squatting 5 months ago
reset_AIL.sh fix: [reset_AIL] add helper + fix soft reset 2 years ago

README.md

AIL

Latest Release
CI
Gitter
Contributors
License

Logo

AIL framework - Framework for Analysis of Information Leaks

AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine or process sensitive information (e.g. data leak prevention).

Dashboard

Finding webshells with AIL

Features

  • Modular architecture to handle streams of unstructured or structured information
  • Default support for external ZMQ feeds, such as provided by CIRCL or other providers
  • Multiple feed support
  • Each module can process and reprocess the information already processed by AIL
  • Detecting and extracting URLs including their geographical location (e.g. IP address location)
  • Extracting and validating potential leaks of credit card numbers, credentials, ...
  • Extracting and validating leaked email addresses, including DNS MX validation
  • Module for extracting Tor .onion addresses (to be further processed for analysis)
  • Keep tracks of duplicates (and diffing between each duplicate found)
  • Extracting and validating potential hostnames (e.g. to feed Passive DNS systems)
  • A full-text indexer module to index unstructured information
  • Statistics on modules and web
  • Real-time modules manager in terminal
  • Global sentiment analysis for each providers based on nltk vader module
  • Terms, Set of terms and Regex tracking and occurrence
  • Many more modules for extracting phone numbers, credentials and others
  • Alerting to MISP to share found leaks within a threat intelligence platform using MISP standard
  • Detect and decode encoded file (Base64, hex encoded or your own decoding scheme) and store files
  • Detect Amazon AWS and Google API keys
  • Detect Bitcoin address and Bitcoin private keys
  • Detect private keys, certificate, keys (including SSH, OpenVPN)
  • Detect IBAN bank accounts
  • Tagging system with MISP Galaxy and MISP Taxonomies tags
  • UI paste submission
  • Create events on MISP and cases on The Hive
  • Automatic paste export at detection on MISP (events) and The Hive (alerts) on selected tags
  • Extracted and decoded files can be searched by date range, type of file (mime-type) and encoding discovered
  • Graph relationships between decoded file (hashes), similar PGP UIDs and addresses of cryptocurrencies
  • Tor hidden services crawler to crawl and parse output
  • Tor onion availability is monitored to detect up and down of hidden services
  • Browser hidden services are screenshot and integrated in the analysed output including a blurring screenshot interface (to avoid "burning the eyes" of the security analysis with specific content)
  • Tor hidden services is part of the standard framework, all the AIL modules are available to the crawled hidden services
  • Generic web crawler to trigger crawling on demand or at regular interval URL or Tor hidden services

Installation

Type these command lines for a fully automated installation and start AIL framework:

# Clone the repo first
git clone https://github.com/ail-project/ail-framework.git
cd ail-framework

# For Debian and Ubuntu based distributions
./installing_deps.sh

# For Centos based distributions (Tested: Centos 8)
chmod u+x centos_installing_deps.sh
./centos_installing_deps.sh

# Launch ail
cd ~/ail-framework/
cd bin/
./LAUNCH.sh -l

The default installing_deps.sh is for Debian and Ubuntu based distributions.

There is also a Travis file used for automating the installation that can be used to build and install AIL on other systems.

Requirement:

  • Python 3.6+

Installation Notes

In order to use AIL combined with ZFS or unprivileged LXC it's necessary to disable Direct I/O in $AIL_HOME/configs/6382.conf by changing the value of the directive use_direct_io_for_flush_and_compaction to false.

Tor installation instructions can be found in the HOWTO

Starting AIL

cd bin/
./LAUNCH.sh -l

Eventually you can browse the status of the AIL framework website at the following URL:

https://localhost:7000/

The default credentials for the web interface are located in DEFAULT_PASSWORD. This file is removed when you change your password.

Training

CIRCL organises training on how to use or extend the AIL framework. AIL training materials are available at https://www.circl.lu/services/ail-training-materials/.

API

The API documentation is available in doc/README.md

HOWTO

HOWTO are available in HOWTO.md

Privacy and GDPR

AIL information leaks analysis and the GDPR in the context of collection, analysis and sharing information leaks document provides an overview how to use AIL in a lawfulness context especially in the scope of General Data Protection Regulation.

Research using AIL

If you write academic paper, relying or using AIL, it can be cited with the following BibTeX:

@inproceedings{mokaddem2018ail,
  title={AIL-The design and implementation of an Analysis Information Leak framework},
  author={Mokaddem, Sami and Wagener, G{\'e}rard and Dulaunoy, Alexandre},
  booktitle={2018 IEEE International Conference on Big Data (Big Data)},
  pages={5049--5057},
  year={2018},
  organization={IEEE}
}

Screenshots

Tor hidden service crawler

Tor hidden service

Trending-Modules

Extracted encoded files from pastes

Extracted files from pastes Relationships between extracted files from encoded file in unstructured data

Browsing

Browse-Pastes

Tagging system

Tags

MISP and The Hive, automatic events and alerts creation

paste_submit

Paste submission

paste_submit

Sentiment analysis

Sentiment

Terms tracker

Term-tracker

AIL framework screencast

Command line module manager

Module-Manager

License

    Copyright (C) 2014 Jules Debra
    Copyright (C) 2014-2021 CIRCL - Computer Incident Response Center Luxembourg (c/o smile, security made in Lëtzebuerg, Groupement d'Intérêt Economique)
    Copyright (c) 2014-2021 Raphaël Vinot
    Copyright (c) 2014-2021 Alexandre Dulaunoy
    Copyright (c) 2016-2021 Sami Mokaddem
    Copyright (c) 2018-2021 Thirion Aurélien
    Copyright (c) 2021 Olivier Sagit

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.