chg: [IPAddress module] migrate IPAddress module

pull/594/head
Terrtia 2023-05-15 11:39:16 +02:00
parent 7669c16c74
commit ed9682798e
No known key found for this signature in database
GPG Key ID: 1E1B1F50D84613D0
4 changed files with 95 additions and 92 deletions

View File

@ -1,90 +0,0 @@
#!/usr/bin/env python3
# -*-coding:UTF-8 -*
"""
The IP Module
======================
This module is consuming the global channel.
It first performs a regex to find IP addresses and then matches those IPs to
some configured ip ranges.
The list of IP ranges are expected to be in CIDR format (e.g. 192.168.0.0/16)
and should be defined in the config.cfg file, under the [IP] section
"""
import time
import re
import sys
from pubsublogger import publisher
from lib.objects.Items import Item
from Helper import Process
from ipaddress import IPv4Network, IPv4Address
# TODO REWRITE ME -> IMPROVE + MIGRATE TO MODULE
def search_ip(message):
item = Item(message)
content = item.get_content()
# regex to find IPs
reg_ip = re.compile(r'^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)', flags=re.MULTILINE)
# list of the regex results in the Item, may be null
results = reg_ip.findall(content)
matching_ips = []
for ip in results:
ip = '.'.join([str(int(x)) for x in ip.split('.')])
address = IPv4Address(ip)
for network in ip_networks:
if address in network:
matching_ips.append(address)
if len(matching_ips) > 0:
print(f'{item.get_id()} contains {len(matching_ips)} IPs')
publisher.warning(f'{item.get_id()} contains {item.get_id()} IPs')
# Tag message with IP
msg = f'infoleak:automatic-detection="ip";{item.get_id()}'
p.populate_set_out(msg, 'Tags')
if __name__ == '__main__':
# If you wish to use an other port of channel, do not forget to run a subscriber accordingly (see launch_logs.sh)
# Port of the redis instance used by pubsublogger
publisher.port = 6380
# Script is the default channel used for the modules.
publisher.channel = 'Script'
# Section name in bin/packages/modules.cfg
config_section = 'IP'
# Setup the I/O queues
p = Process(config_section)
ip_networks = []
networks = p.config.get("IP", "networks")
if not networks:
print('No IP ranges provided')
sys.exit(0)
try:
for network in networks.split(","):
ip_networks.append(IPv4Network(network))
print(f'IP Range: {network}')
except:
print('Please provide a list of valid IP addresses')
sys.exit(0)
# Sent to the logging a description of the module
publisher.info("Run IP module")
# Endless loop getting messages from the input queue
while True:
# Get one message from the input queue
message = p.get_from_set()
if message is None:
publisher.debug("{} queue is empty, waiting".format(config_section))
time.sleep(1)
continue
# Do something with the message from the queue
search_ip(message)

View File

@ -237,6 +237,8 @@ function launching_scripts {
sleep 0.1
screen -S "Script_AIL" -X screen -t "Iban" bash -c "cd ${AIL_BIN}/modules; ${ENV_PY} ./Iban.py; read x"
sleep 0.1
screen -S "Script_AIL" -X screen -t "IPAddress" bash -c "cd ${AIL_BIN}/modules; ${ENV_PY} ./IPAddress.py; read x"
sleep 0.1
screen -S "Script_AIL" -X screen -t "Keys" bash -c "cd ${AIL_BIN}/modules; ${ENV_PY} ./Keys.py; read x"
sleep 0.1
screen -S "Script_AIL" -X screen -t "Languages" bash -c "cd ${AIL_BIN}/modules; ${ENV_PY} ./Languages.py; read x"
@ -301,7 +303,6 @@ function launching_scripts {
sleep 0.1
# screen -S "Script_AIL" -X screen -t "MISPtheHIVEfeeder" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./MISP_The_Hive_feeder.py; read x"
# sleep 0.1
screen -S "Script_AIL" -X screen -t "IPAddress" bash -c "cd ${AIL_BIN}; ${ENV_PY} ./IPAddress.py; read x"
}

92
bin/modules/IPAddress.py Executable file
View File

@ -0,0 +1,92 @@
#!/usr/bin/env python3
# -*-coding:UTF-8 -*
"""
The IP Module
======================
This module is consuming the global channel.
It first performs a regex to find IP addresses and then matches those IPs to
some configured ip ranges.
The list of IP ranges are expected to be in CIDR format (e.g. 192.168.0.0/16)
and should be defined in the config.cfg file, under the [IP] section
"""
import os
import re
import sys
from ipaddress import IPv4Network, IPv4Address
sys.path.append(os.environ['AIL_BIN'])
##################################
# Import Project packages
##################################
from modules.abstract_module import AbstractModule
from lib.ConfigLoader import ConfigLoader
from lib.objects.Items import Item
from lib import regex_helper
# TODO REWRITE ME -> PERF + IPV6 + Tracker ?
class IPAddress(AbstractModule):
"""Telegram module for AIL framework"""
def __init__(self):
super(IPAddress, self).__init__()
config_loader = ConfigLoader()
# Config Load ip_networks
self.ip_networks = set()
networks = config_loader.get_config_str("IP", "networks")
if not networks:
print('No IP ranges provided')
sys.exit(0)
try:
for network in networks.split(","):
self.ip_networks.add(IPv4Network(network))
print(f'IP Range To Search: {network}')
except:
print('Please provide a list of valid IP addresses')
sys.exit(0)
self.re_ipv4 = r'(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
re.compile(self.re_ipv4)
self.redis_cache_key = regex_helper.generate_redis_cache_key(self.module_name)
self.max_execution_time = 60
# Send module state to logs
self.logger.info(f"Module {self.module_name} initialized")
def compute(self, message, r_result=False):
item = Item(message)
content = item.get_content()
# list of the regex results in the Item
results = self.regex_findall(self.re_ipv4, item.get_id(), content)
results = set(results)
matching_ips = []
for ip in results:
ip = '.'.join([str(int(x)) for x in ip.split('.')])
address = IPv4Address(ip)
for network in self.ip_networks:
if address in network:
self.logger.info(address)
matching_ips.append(address)
if len(matching_ips) > 0:
self.logger.info(f'{item.get_id()} contains {len(matching_ips)} IPs')
self.redis_logger.warning(f'{item.get_id()} contains {item.get_id()} IPs')
# Tag message with IP
msg = f'infoleak:automatic-detection="ip";{item.get_id()}'
self.add_message_to_queue(msg, 'Tags')
if __name__ == "__main__":
module = IPAddress()
module.run()
# module.compute('submitted/2023/05/15/submitted_8a6136c2-c7f2-4c9e-8f29-e1a62315b482.gz')

View File

@ -156,7 +156,7 @@ publish = Importers
[Crawler]
publish = Importers,Tags
[IP]
[IPAddress]
subscribe = Item
publish = Tags