Analysis Information Leak framework
 
 
 
 
 
Go to file
Mokaddem fd4feb374f Merge branch 'newModuleInformation' into production 2017-02-28 11:12:06 +01:00
bin Merge branch 'newModuleInformation' into production 2017-02-28 11:12:06 +01:00
configs Added config redis 6382 2016-08-23 16:27:50 +02:00
doc Deleted all_modules.txt added by error 2017-02-15 11:49:58 +01:00
docsphinx/source Initial import of AIL framework - Analysis Information Leak framework 2014-08-06 11:43:40 +02:00
files Bug fix related with redis: 2016-08-09 11:59:36 +02:00
logs Travis, print logs 2016-01-19 12:01:45 +01:00
var/www Added path of the paste in the log of Categ.py 2017-02-14 10:59:47 +01:00
.dockerignore Added Dockerfile to automate the build of a Docker image based on Ubuntu 2016-08-27 10:29:20 +02:00
.gitignore Added new file in gitignore 2016-08-10 09:42:15 +02:00
.travis.yml Update travis 2016-07-25 11:38:41 +02:00
Dockerfile Added Dockerfile to automate the build of a Docker image based on Ubuntu 2016-08-27 10:29:20 +02:00
LICENSE Initial import of AIL framework - Analysis Information Leak framework 2014-08-06 11:43:40 +02:00
README.md Updated feeding AIL with pystemon 2017-02-14 09:40:04 +01:00
all_modules.txt Added all_modules file 2017-02-15 11:20:04 +01:00
docker_start.sh Added Dockerfile to automate the build of a Docker image based on Ubuntu 2016-08-27 10:29:20 +02:00
installing_deps.sh Merge branch 'installation-fix' into production 2016-10-27 16:22:16 +02:00
installing_deps_archlinux.sh ajout d'un script d'installation pour archlinux via pacman et yaourt. 2016-02-05 13:14:52 +01:00
pip_packages_requirement.txt Added action button and support of logs 2017-01-16 17:08:48 +01:00

README.md

Build Status

AIL

Logo

AIL framework - Framework for Analysis of Information Leaks

AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.

Dashboard

Trending-Web Trending-Modules

Browsing

Browse-Pastes

Sentiment analysis

Sentiment

Terms manager and occurence

Term-Manager

Top terms

Term-Top Term-Plot

AIL framework screencast

Features

  • Modular architecture to handle streams of unstructured or structured information
  • Default support for external ZMQ feeds, such as provided by CIRCL or other providers
  • Each module can process and reprocess the information already processed by AIL
  • Detecting and extracting URLs including their geographical location (e.g. IP address location)
  • Extracting and validating potential leak of credit cards numbers
  • Extracting and validating email addresses leaked including DNS MX validation
  • Module for extracting Tor .onion addresses (to be further processed for analysis)
  • Extracting and validating potential hostnames (e.g. to feed Passive DNS systems)
  • A full-text indexer module to index unstructured information
  • Modules and web statistics
  • Global sentiment analysis for each providers based on nltk vader module
  • Terms tracking and occurrence
  • Many more modules for extracting phone numbers, credentials and others

Installation

Type these command lines for a fully automated installation and start AIL framework

git clone https://github.com/CIRCL/AIL-framework.git
cd AIL-framework
./installing_deps.sh
cd var/www/
./update_thirdparty.sh
cd ~/AIL-framework/
. ./AILENV/bin/activate
cd bin/
./LAUNCH.sh

The default installing_deps.sh is for Debian and Ubuntu based distributions. For Arch linux based distributions, you can replace it with installing_deps_archlinux.sh.

There is also a Travis file used for automating the installation that can be used to build and install AIL on other systems.

Starting AIL web interface

To start the web interface, you first need to fetch the required Javascript/CSS files:

cd $AILENV
cd var/www/
bash update_thirdparty.sh

and then you can start the web interface python script:

cd $AILENV
cd var/www/
Flask_server.py

Eventually you can browse the status of the AIL framework website at the following URL:

    ``http://localhost:7000/``

How to

How to feed the AIL framework

For the moment, there are two different ways to feed AIL with data:

  1. Be a collaborator of CIRCL and ask to access our feed. It will be sent to the static IP your are using for AIL.

  2. You can setup pystemon and use the custom feeder provided by AIL (see below).

###Feeding AIL with pystemon AIL is an analysis tool, not a collector! However, if you want to collect some pastes and feed them to AIL, the procedure is described below.

Nevertheless, moderate your queries!

Here are the steps to setup pystemon and feed data to AIL:

  1. Clone the pystemon's git repository

  2. Install its python dependencies inside your virtual environment

  3. Launch pystemon ./pystemon

  4. Edit your configuration file bin/packages/config.cfg and modify the pystemonpath path accordingly

  5. Launch pystemon-feeder ./pystemon-feeder.py

How to create a new module

If you want to add a new processing or analysis module in AIL, follow these simple steps:

  1. Add your module name in ./bin/packages/modules.cfg and subscribe to the Redis_Global at minimum.

  2. Use ./bin/template.py as a sample module and create a new file in bin/ with the module name used in the modules.cfg configuration.

How to contribute a module

Feel free to fork the code, play with it, make some patches or add additional analysis modules.

To contribute your module, feel free to pull your contribution.

Overview and License

Redis and LevelDB overview

  • Redis on TCP port 6379 - DB 1 - Paste meta-data
  •                      DB 0 - Cache hostname/dns
    
  • Redis on TCP port 6380 - Redis Pub-Sub only
  • Redis on TCP port 6381 - DB 0 - Queue and Paste content LRU cache
  • Redis on TCP port 6382 - DB 1-4 - Trending, terms and sentiments
  • LevelDB on TCP port - Lines duplicate

LICENSE

    Copyright (C) 2014 Jules Debra
    Copyright (C) 2014-2016 CIRCL - Computer Incident Response Center Luxembourg (c/o smile, security made in Lëtzebuerg, Groupement d'Intérêt Economique)
    Copyright (c) 2014-2016 Raphaël Vinot
    Copyright (c) 2014-2016 Alexandre Dulaunoy
    Copyright (c) 2016 Sami Mokaddem

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.