'''
__author__ = "Binh Lam"
__credits__ = ["Binh Lam"]
__license__ = "GPL"
__version__ = "1.0.0"
__maintainer__ = "Binh Lam"
'''
import json
import os
import platform
import re
import subprocess
import urllib.request

import requests
from prettytable import PrettyTable
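# Set up VirusTotal API key at:
# https://www.virustotal.com/
# Read the key from the VT_API_KEY environment variable so the secret does not
# have to live in source control; the literal below is only the placeholder
# fallback kept for compatibility with the original script.
VT_API_KEY = os.environ.get("VT_API_KEY", "YOUR_VIRUSTOTAL_API_KEY")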
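# Function to get the geolocation information of an IP address
def get_ip_geo(ip, timeout=10):
    """Look up *ip* on the ipinfo.io JSON API.

    Every address passed here is disclosed to a third-party service.

    Args:
        ip: Dotted-quad IPv4 address as a string. The caller takes it from
            netstat output, so it has already matched a digits-and-dots
            pattern.
        timeout: Seconds to wait for the HTTP request before giving up.

    Returns:
        A 4-tuple ``(org, city, country, region)`` read from the response,
        or ``(None, None, None, None)`` if the request fails, the body is not
        JSON, or any of the four keys is missing.
    """
    # HTTPS so the addresses being looked up are not readable in transit.
    url = "https://ipinfo.io/{}/json".format(ip)
    try:
        # A bounded timeout: without one a stalled connection blocks the
        # whole scan. The context manager closes the response object.
        with urllib.request.urlopen(url, timeout=timeout) as response:
            data = json.load(response)
        return data["org"], data["city"], data["country"], data["region"]
    except (OSError, ValueError, KeyError, TypeError):
        # URLError/HTTPError and socket timeouts are OSError subclasses;
        # a non-JSON body raises ValueError; a missing field raises KeyError;
        # a JSON body that is not an object raises TypeError on indexing.
        return None, None, None, None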
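# Function to get the established connections from the system
# netstat prints "ip.port" on macOS and "ip:port" on Linux/Windows; both
# patterns capture (local ip, local port, foreign ip, foreign port).
_IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
_MACOS_ENDPOINTS_RE = re.compile(r"(" + _IPV4 + r")\.(\d+) +(" + _IPV4 + r")\.(\d+) +.*")
_LINUX_WIN_ENDPOINTS_RE = re.compile(r"(" + _IPV4 + r"):(\d+) +(" + _IPV4 + r"):(\d+) +.*")


def _parse_established_lines(lines):
    """Extract ``(foreign_ip, foreign_port)`` string pairs from netstat lines.

    The macOS pattern is tried first, then the Linux/Windows one; a line
    matching neither (for example an IPv6 socket) is skipped.
    """
    connections = []
    for line in lines:
        match = _MACOS_ENDPOINTS_RE.search(line) or _LINUX_WIN_ENDPOINTS_RE.search(line)
        if match:
            connections.append((match.group(3), match.group(4)))
    return connections


def get_established_connections():
    """Return the set of ``(foreign_ip, port)`` pairs for ESTABLISHED TCP sockets.

    Runs ``netstat -na`` without a shell and keeps only lines containing the
    literal ``ESTABLISHED`` (the same case-sensitive substring filter the
    former ``grep``/``findstr`` pipeline applied).

    Returns:
        A set of ``(foreign_ip, port)`` tuples, both strings. If netstat
        cannot be executed the set is empty, matching the former
        ``os.popen`` pipeline, which produced no output on failure.
    """
    try:
        # List form (no shell) so the command line cannot be reinterpreted;
        # only stdout is captured, stderr is inherited as before.
        result = subprocess.run(["netstat", "-na"], stdout=subprocess.PIPE, text=True)
    except OSError:
        return set()
    established = [line for line in result.stdout.split("\n") if "ESTABLISHED" in line]
    # A set removes duplicate (ip, port) pairs.
    return set(_parse_established_lines(established))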
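# Function to check if the IP is in the VirusTotal database
def check_ip_vt(ip, timeout=10):
    """Query the VirusTotal v3 API for *ip* and report whether it was flagged.

    Args:
        ip: IPv4 address string (taken from netstat output).
        timeout: Seconds to wait for the HTTP request before giving up.

    Returns:
        ``(True, malicious_count)`` when ``last_analysis_stats.malicious`` is
        greater than zero; ``(False, None)`` otherwise, including when no
        real API key is configured, the request fails, the status is not 200,
        or the response lacks the expected fields.
    """
    # With no usable key the lookup cannot succeed, so return the same value
    # the failure paths produce without contacting the API at all.
    if not VT_API_KEY or VT_API_KEY == "YOUR_VIRUSTOTAL_API_KEY":
        return False, None
    url = "https://www.virustotal.com/api/v3/ip_addresses/" + ip
    headers = {"x-apikey": VT_API_KEY}
    try:
        # Bounded timeout so one slow lookup cannot stall the whole table.
        response = requests.get(url, headers=headers, timeout=timeout)
        if response.status_code != 200:
            return False, None
        stats = response.json()["data"]["attributes"]["last_analysis_stats"]
        malicious = stats["malicious"]
    except (requests.RequestException, ValueError, KeyError, TypeError):
        # RequestException: connection/timeout errors; ValueError: non-JSON
        # body; KeyError/TypeError: unexpected response shape.
        return False, None
    if malicious > 0:
        return True, malicious
    return False, None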
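# Get the established connections and render them, one row per connection
def main():
    """Scan ESTABLISHED TCP connections and print a table with geo and VT data.

    For every unique ``(foreign_ip, port)`` pair the script looks up the
    organisation/city/country via ipinfo.io and the VirusTotal verdict;
    connections with VirusTotal detections also produce an ALERT line on
    stdout before the table is printed.
    """
    connections = get_established_connections()
    # Create the table using the PrettyTable library
    table = PrettyTable()
    table.field_names = ["Foreign Host", "Application Port", "Organization", "City", "Country", "VirusTotal"]
    for foreign_ip, port in connections:
        # region is returned by get_ip_geo but has no column in the table
        org, city, country, _region = get_ip_geo(foreign_ip)
        vt_detected, vt_detections = check_ip_vt(foreign_ip)
        # Empty cells for unknown geo fields and for IPs without detections
        vt_cell = vt_detections if vt_detected else ""
        table.add_row([foreign_ip, port, org or "", city or "", country or "", vt_cell])
        if vt_detected:
            print("ALERT: Connection to {} detected with {} VirusTotal hits".format(foreign_ip, vt_detections))
    # Print the table
    print(table)


if __name__ == "__main__":
    main()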