2019-09-23 18:22:25 +02:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
# -*-coding:UTF-8 -*
|
|
|
|
"""
|
|
|
|
The IP Module
|
|
|
|
======================
|
|
|
|
|
|
|
|
This module is consuming the global channel.
|
|
|
|
|
2020-02-03 15:29:37 +01:00
|
|
|
It first performs a regex to find IP addresses and then matches those IPs to
|
2019-09-23 18:22:25 +02:00
|
|
|
some configured ip ranges.
|
|
|
|
|
|
|
|
The list of IP ranges are expected to be in CIDR format (e.g. 192.168.0.0/16)
|
|
|
|
and should be defined in the config.cfg file, under the [IP] section
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
import time
|
|
|
|
import re
|
2020-02-03 15:29:37 +01:00
|
|
|
import sys
|
2019-09-23 18:22:25 +02:00
|
|
|
from pubsublogger import publisher
|
2022-10-25 16:25:19 +02:00
|
|
|
from lib.objects.Items import Item
|
2019-09-23 18:22:25 +02:00
|
|
|
from Helper import Process
|
2019-10-02 21:33:02 +02:00
|
|
|
from ipaddress import IPv4Network, IPv4Address
|
2019-09-23 18:22:25 +02:00
|
|
|
|
2022-10-25 16:25:19 +02:00
|
|
|
# TODO REWRITE ME -> IMPROVE + MIGRATE TO MODULE
|
2019-09-23 18:22:25 +02:00
|
|
|
|
|
|
|
def search_ip(message):
|
2022-10-25 16:25:19 +02:00
|
|
|
item = Item(message)
|
|
|
|
content = item.get_content()
|
2019-09-23 18:22:25 +02:00
|
|
|
# regex to find IPs
|
|
|
|
reg_ip = re.compile(r'^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)', flags=re.MULTILINE)
|
2022-10-25 16:25:19 +02:00
|
|
|
# list of the regex results in the Item, may be null
|
2019-09-23 18:22:25 +02:00
|
|
|
results = reg_ip.findall(content)
|
|
|
|
matching_ips = []
|
|
|
|
|
2020-02-10 10:44:06 +01:00
|
|
|
for ip in results:
|
|
|
|
ip = '.'.join([str(int(x)) for x in ip.split('.')])
|
|
|
|
address = IPv4Address(ip)
|
2019-09-23 18:22:25 +02:00
|
|
|
for network in ip_networks:
|
2019-10-02 21:33:02 +02:00
|
|
|
if address in network:
|
|
|
|
matching_ips.append(address)
|
2019-09-23 18:22:25 +02:00
|
|
|
|
|
|
|
if len(matching_ips) > 0:
|
2022-10-25 16:25:19 +02:00
|
|
|
print(f'{item.get_id()} contains {len(matching_ips)} IPs')
|
|
|
|
publisher.warning(f'{item.get_id()} contains {item.get_id()} IPs')
|
2019-09-23 18:22:25 +02:00
|
|
|
|
2022-10-25 16:25:19 +02:00
|
|
|
# Tag message with IP
|
|
|
|
msg = f'infoleak:automatic-detection="ip";{item.get_id()}'
|
2019-09-23 18:22:25 +02:00
|
|
|
p.populate_set_out(msg, 'Tags')
|
2022-10-25 16:25:19 +02:00
|
|
|
|
2019-09-23 18:22:25 +02:00
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
# If you wish to use an other port of channel, do not forget to run a subscriber accordingly (see launch_logs.sh)
|
|
|
|
# Port of the redis instance used by pubsublogger
|
|
|
|
publisher.port = 6380
|
|
|
|
# Script is the default channel used for the modules.
|
|
|
|
publisher.channel = 'Script'
|
|
|
|
|
|
|
|
# Section name in bin/packages/modules.cfg
|
|
|
|
config_section = 'IP'
|
|
|
|
# Setup the I/O queues
|
|
|
|
p = Process(config_section)
|
|
|
|
|
2019-10-02 21:33:02 +02:00
|
|
|
ip_networks = []
|
2021-02-23 15:16:29 +01:00
|
|
|
networks = p.config.get("IP", "networks")
|
|
|
|
if not networks:
|
|
|
|
print('No IP ranges provided')
|
|
|
|
sys.exit(0)
|
2020-02-03 15:29:37 +01:00
|
|
|
try:
|
2021-02-23 15:16:29 +01:00
|
|
|
for network in networks.split(","):
|
2020-02-03 15:29:37 +01:00
|
|
|
ip_networks.append(IPv4Network(network))
|
2021-02-23 15:16:29 +01:00
|
|
|
print(f'IP Range: {network}')
|
2020-02-03 15:29:37 +01:00
|
|
|
except:
|
|
|
|
print('Please provide a list of valid IP addresses')
|
|
|
|
sys.exit(0)
|
2019-09-23 18:22:25 +02:00
|
|
|
|
|
|
|
# Sent to the logging a description of the module
|
|
|
|
publisher.info("Run IP module")
|
|
|
|
|
|
|
|
# Endless loop getting messages from the input queue
|
|
|
|
while True:
|
|
|
|
# Get one message from the input queue
|
|
|
|
message = p.get_from_set()
|
|
|
|
if message is None:
|
|
|
|
publisher.debug("{} queue is empty, waiting".format(config_section))
|
|
|
|
time.sleep(1)
|
|
|
|
continue
|
|
|
|
|
|
|
|
# Do something with the message from the queue
|
|
|
|
search_ip(message)
|