#!/usr/bin/env ruby
$VERBOSE = true
# Enable Ruby's runtime warnings for the whole script (same effect as running with `ruby -w`).
############################################
# Search script for Renater alerts #
# Quickly hacked by Thomas 'Nymous' Gaudin #
# November 10, 2016 11:30 #
# License: WTFPL #
############################################
require 'date'
require 'zlib'
require 'ipaddr'
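# Script-wide state shared between the prompts, the file loop and parse_line.
# (Throwaway script: globals were the quick choice; parse_line reads and writes them.)
$stop = false           # set by parse_line on a hit so the file loop ends after the current file
$ips_to_bust = {}       # client IP (String) => timestamp (String) of its hit on the malicious IP
$datetime = nil         # DateTime entered by the user: the time of the Renater alert
$datetime_to_time = nil # $datetime converted to Time, the form parse_line compares against
$malware_ip = nil       # IPAddr entered by the user: the malicious destination from the alert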
# Namespace for the script's own error types.
class Renater
  # Raised by parse_line once the newest-first walk has gone past the time
  # window; the top-level file loop rescues it to end the search.
  TooFarBehindError = Class.new(RuntimeError)
end
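# Parse one squid3 access.log line and record it when it hits the malicious IP
# inside the time window around the alert.
#
# Example line:
#   1478759119.952 559 172.30.227.23 TCP_CLIENT_REFRESH_MISS/200 639 GET http://163.172.84.20/hls/02/index.m3u8? - ORIGINAL_DST/163.172.84.20 application/vnd.apple.mpegurl
# Fields used: [0] UNIX timestamp, [2] client IP. The malicious IP may sit
# anywhere else on the line (URL host, ORIGINAL_DST/... peer field).
#
# Side effects on a hit: the client IP goes into $ips_to_bust (client IP =>
# timestamp string) and $stop is set so the file loop ends after this file.
#
# @param [String] line a line from the log file
# @return [String, nil] the line when it matched, nil otherwise; blank or
#   malformed lines return nil instead of aborting the whole search
# @raise [Renater::TooFarBehindError] when the line is older than the window:
#   files are walked newest-first, so nothing that follows can match
def parse_line(line)
  # encode() is a no-op when the line is already tagged UTF-8 (the usual case),
  # so scrub() is what really replaces invalid bytes before split() chokes on them.
  clean = line.encode('UTF-8', invalid: :replace, undef: :replace).scrub
  fields = clean.split(' ')
  # Skip blank/malformed lines: a nil first field would become Time.at(0) and
  # raise a spurious TooFarBehindError; fewer than 3 fields means no client IP.
  return nil if fields.size < 3 || fields.first !~ /\A\d+(?:\.\d+)?\z/
  # Whole seconds are enough for a 30s window; to_i drops the ".952" part.
  timestamp = Time.at(fields.first.to_i)
  # Walking backwards, anything more than 15s before the alert ends the search.
  raise Renater::TooFarBehindError if timestamp < ($datetime_to_time - 15)
  # Match the IP as a whole dotted quad: a plain include? lets 1.2.3.4 match
  # 11.2.3.4 or 1.2.3.45 and would flag the wrong client.
  ip_pattern = /(?<![\d.])#{Regexp.escape($malware_ip.to_s)}(?![\d.])/
  # Hit = within +/-15s of the alert (connection setup delay) AND the IP is on the line.
  return nil unless (-15..15).include?(timestamp - $datetime_to_time) && ip_pattern =~ clean
  $ips_to_bust[fields[2]] = timestamp.to_s # remember the client that talked to the malicious IP
  $stop = true # tell the file loop to stop after this file
  line
end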
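# --- Interactive input -------------------------------------------------------
# Read one answer from the terminal. Kernel#gets reads from the files named in
# ARGV (ARGF) rather than the keyboard, so go through $stdin explicitly; EOF
# (Ctrl-D, closed pipe) ends the script cleanly instead of crashing on nil.chomp.
def ask(prompt)
  print prompt
  answer = $stdin.gets
  abort('No input, giving up.') if answer.nil?
  answer.chomp
end

# Alert time: keep asking until DateTime accepts the input.
while $datetime.nil?
  begin
    $datetime = DateTime.parse(ask('Enter formatted date (2016-11-10 07:25:19+01:00): '))
  rescue ArgumentError
    puts 'Wrong date, try again!'
  end
end
# parse_line compares against a Time; convert once, not per log line.
$datetime_to_time = $datetime.to_time

# Malicious IP: keep asking until we hold a valid IPv4 address. IPAddr::Error is
# the family's base class (invalid address, bad prefix, ...), so a malformed
# prefix no longer escapes the rescue as an unhandled exception.
while $malware_ip.nil? || !$malware_ip.ipv4?
  begin
    $malware_ip = IPAddr.new(ask('Enter malicious IP: '))
  rescue IPAddr::Error
    puts 'Wrong address, try again!'
    $malware_ip = nil
  end
end

puts ''
puts "Looking for IP #{$malware_ip} around #{$datetime}."
puts "Working folder is #{Dir.pwd}"
puts ''

# --- Log discovery -----------------------------------------------------------
log_files = Dir.glob('access.log*')
# Sort on the rotation number so access.log.2.gz comes before access.log.10.gz;
# plain access.log has no digit run and nil.to_i == 0 puts it first (newest).
log_files.sort_by! { |name| name[/\d+/].to_i }

# --- Scanning ----------------------------------------------------------------
# Print every hit collected in $ips_to_bust.
def report_bad_ips
  puts 'Bad IPs:'
  $ips_to_bust.each do |bad_ip, connexion_date|
    # ljust(14) pads a dotted quad on the right so the "at" column lines up.
    puts " #{bad_ip.ljust(14)} at #{connexion_date}"
  end
  puts ''
  puts 'Happy busting!'
end

# Walk the lines of one file newest-first (logs are appended, so reverse order
# reaches the alert time soonest). Line numbers come from the index, not from
# IO#lineno, which already points past the last line once readlines returned.
def scan_lines(lines)
  lines.each_with_index.reverse_each do |line, index|
    hit = parse_line(line)
    puts "#{index + 1}: #{hit}" if hit && ENV['DEBUG_RENATER'] == 'true'
  end
end

begin
  log_files.each do |file|
    puts "Searching in #{file}..."
    # Block forms close the handle even when parse_line raises.
    if File.extname(file) == '.gz'
      Zlib::GzipReader.open(file) { |gz| scan_lines(gz.readlines) }
    else
      File.open(file) { |f| scan_lines(f.readlines) }
    end
    next unless $stop
    puts ''
    puts 'Stopping search, should have found enough results...'
    report_bad_ips
    break
  end
rescue Renater::TooFarBehindError
  puts ''
  puts "Stop this! We're too far back! (What is this T-Rex doing here?)"
  # parse_line raises as soon as it walks past the window, which is normally
  # right after the hits themselves, so report them here or they are lost.
  unless $ips_to_bust.empty?
    puts ''
    report_bad_ips
  end
end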