intelmq.bots.experts.rfc1918 package
Submodules
intelmq.bots.experts.rfc1918.expert module
- RFC 1918 expert: drops local IP addresses from a given record, and a bit more.
It checks for RFC1918 IPv4 hosts. It checks for localhost, multicast and test LANs. It checks for link-local and documentation LANs in IPv6. It checks for RFC538 ASNs.
You only need to set the “fields” parameter to the names of the fields to be filtered out. Several fields can be given, separated by “,”. The whole record can be sanitized by setting the “drop” parameter to “yes”.
Sources:
https://tools.ietf.org/html/rfc1918
https://tools.ietf.org/html/rfc2606
https://tools.ietf.org/html/rfc3849
https://tools.ietf.org/html/rfc4291
https://tools.ietf.org/html/rfc5737
https://en.wikipedia.org/wiki/IPv4
https://en.wikipedia.org/wiki/Autonomous_system_(Internet)
- intelmq.bots.experts.rfc1918.expert.BOT
alias of RFC1918ExpertBot
- class intelmq.bots.experts.rfc1918.expert.RFC1918ExpertBot(*args, **kwargs)
Bases: ExpertBot
Removes fields or discards events if an IP address or domain is invalid as defined in standards like RFC 1918 (invalid, local, reserved, documentation). IP address, FQDN and URL fields are supported.
- static check(parameters)
The bot’s own check function can perform individual checks on its parameters. init() is not called beforehand; this is a staticmethod which does not require class initialization.
- Parameters:
parameters – Bot’s parameters, defaults and runtime merged together
- Returns:
None or a list of [log_level, log_message] pairs, both strings. log_level must be a valid log level.
- Return type:
output
- fields: str = 'destination.ip,source.ip,source.url'
- init()
- is_in_domains(value)
- is_in_net(ip)
- is_subdomain(value)
- policy: str = 'del,drop,drop'
- process()