Wiki

IP activity

On this example we will see how IPSets and IPBloomSets works, we will try to detect Tor activity on the network by providing a list of IP addresses to the engine.

import pyaiengine

Define a callback function for the set.

def callback(flow):

    print("Detecting ToR on ", str(flow))

We use a external list of Tor IPs from https://www.dan.me.uk/torlist/ and we load them into a IPSetManager object

def loadTorIPs():

    ipset_mng = pyaiengine.IPSetManager()

Create and assing to the IPSet/IPBloomSet the specific callback

    ipset = pyaiengine.IPSet()
    ipset.callback = callback

Read the IPs and add them to the IPSet/IPBloomSet

    """ Take a big list of IP address that belongs to ToR """
    req = urllib2.Request("https://www.dan.me.uk/torlist/")
    try:
        response = urllib2.urlopen(req)
        for line in response.readlines():
            ip = line.strip()
            try:
                socket.inet_aton(ip)
            except:
                continue
            ipset.add_ip_address(ip)
    except urllib2.URLError as e:
        print("Error:",e)

Attach the IPSet/IPBloomSet to the IPSetManager and return it

    ipset_mng.add_ip_set(ipset)

    return ipset_mng

On the main thread, create a Lan stack object.

if __name__ == '__main__':

    st = pyaiengine.StackLan()

Allocate the maximum number of flows on the TCP stack.

    st.tcp_flows = 1638400

Assing the Tor IPs to the stack

    st.tcp_ip_set_manager = loadTorIPs()

Create a instance of the PacketDispatcher, attach the Lan stack and run the engine.

    with  pyaiengine.PacketDispatcher("re0") as pd:
        pd.stack = st
        pd.run()