ThreatNet::Filter::Network - Filter events within a set of IP ranges
    # Filter for IPs in our broadband customers' range
    my $Broadband = ThreatNet::Filter::Network->new(
        keep => '123.123.0.0/16'
    );

    # Create a filter for "local" and other things we want to discard
    # (including our own personal broadband IP in the above network)
    my $NotLocal = ThreatNet::Filter::Network->new(
        discard => qw{
            123.123.123.123
            LOCAL
            111.245.76.248/29
            222.234.52.192/29
        }
    );

    sub boot_zombies {
        my $Msg = shift;
        if ( $Broadband->keep($Msg) and $NotLocal->keep($Msg) ) {
            my $account = $RadiusServer->ip_to_account($Msg->ip);
            $account->disable();
            $account->disconnect();
            $account->add_support_note("You are infected with a virus");
        }
    }
ThreatNet::Filter::Network is a filter class for creating network filters.
That is, for filtering event streams to just those events that did (or did not) occur within a particular network.
The objects only check in two modes.
The keep keyword as first argument indicates events should be kept if they match any of the networks.
The discard keyword as first argument indicates events should be kept only if they do not match any of the networks.
For more complex network masks, see the ThreatNet::Filter::Chain class for chaining groups of keep and discard filters together.
The actual matching is done using the Net::IP::Match::XS module. Any values that can be used with it can thus also be used with ThreatNet::Filter::Network.
In addition to the normal IP specification above, ThreatNet::Filter::Network also supports keyword expansion for a number of standard sets of network masks.
When specified by name, they will be expanded into a list of IP ranges.
Thus you can do something like the following.
my $Remove = ThreatNet::Filter::Network->new( discard => 'RFC1918', '123.123.123.0/24' );
This will filter out the three standard "local" IP blocks specified by RFC1918, plus the additional range 123.123.123.0 - 123.123.123.255.
All keywords are case-insensitive.
The RFC1918 keyword is expanded to the three network blocks reserved for local intranets. This specifically does NOT include the localhost address space.
The RFC3330 keyword is expanded to a larger set of network blocks restricted for various purposes as identified in RFC3330. This includes those from RFC1918, the localhost block, and several additional blocks reserved for benchmarking, IP 6to4 identifiers and various other blocks that should not appear in threat messages.
Where correctness is a factor, such as posting to a non-tolerant channel, this filter should be applied before issuing messages, since messages carrying these addresses are highly likely to be fraudulent or technically nonsensical.
The LOCAL keyword is expanded to represent the most common interpretation of a "local" address, which is the RFC1918 addresses, plus the 127.0.0.0/8 localhost block.
Please note that because the module on which this filter is based only supports IPv4 ranges, this filter class is only capable of processing ThreatNet::Message::IPv4 (or subclass) objects.
Any other message types passed to keep will return undef, and thus will act as a null filter in most configurations.
The new constructor takes a param of either keep or discard, followed by a list of one or more values, each of which is either an expandable keyword or an IP range compatible with Net::IP::Match::XS.
A ThreatNet filter is created which limits a message stream to events either inside or outside of the resulting network.
Returns a new ThreatNet::Filter::Network object, or undef if given invalid params.
The type accessor returns the type of the network filter.
Returns either 'keep' or 'discard'.
The network accessor returns the list of IP ranges as provided to the constructor.
The keep method takes a ThreatNet::Message::IPv4 message as per the ThreatNet::Filter specification, and checks it against the network specification and keep|discard type.
Returns true if the message should be kept, false if not, or undef on error.
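The keep/discard logic, keyword expansion and undef case described above, modelled in Python as an added example; this is not the module's own code and does not use Net::IP::Match::XS. The class and function names are hypothetical, only the RFC1918 and LOCAL keywords are modelled, and the sample filters reuse ranges from the synopsis.

```python
import ipaddress

# Keyword expansions as the page describes them (RFC3330 is not modelled).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
KEYWORDS = {"RFC1918": RFC1918, "LOCAL": RFC1918 + ["127.0.0.0/8"]}


class NetworkFilterModel:
    """Hypothetical Python model of the keep/discard semantics."""

    def __init__(self, mode, *specs):
        # The Perl constructor returns undef here; the model raises instead.
        if mode not in ("keep", "discard") or not specs:
            raise ValueError("need 'keep' or 'discard' plus at least one range")
        self.type = mode
        self.networks = []
        for spec in specs:
            # Keywords are case-insensitive; anything else is an IP or CIDR.
            for cidr in KEYWORDS.get(spec.upper(), [spec]):
                self.networks.append(ipaddress.ip_network(cidr, strict=False))

    def keep(self, ip):
        """True = keep, False = drop, None = not IPv4 (the module's undef)."""
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            return None
        matched = any(addr in net for net in self.networks)
        return matched if self.type == "keep" else not matched


def should_act(ip, filters):
    # Mirrors "$Broadband->keep($Msg) and $NotLocal->keep($Msg)":
    # a None result is falsy, so non-IPv4 input is never acted on.
    return all(f.keep(ip) for f in filters)


# Constructed sample filters built from ranges in the synopsis.
broadband = NetworkFilterModel("keep", "123.123.0.0/16")
not_local = NetworkFilterModel(
    "discard", "123.123.123.123", "local", "111.245.76.248/29")

if __name__ == "__main__":
    for ip in ["123.123.4.5", "123.123.123.123", "10.1.2.3", "2001:db8::1"]:
        print(ip, broadband.keep(ip), not_local.keep(ip),
              should_act(ip, [broadband, not_local]))
```

A caller that tests the result with a plain boolean check treats the undef case the same as "drop", so code that needs to tell unsupported messages apart from filtered ones has to check for undef explicitly.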
All bugs should be filed via the bug tracker at
http://rt.cpan.org/NoAuth/ReportBug.html?Queue=ThreatNet-Filter
For other issues, or commercial enhancement and support, contact the author
Adam Kennedy <adamk@cpan.org>
http://ali.as/devel/threatnetwork.html, ThreatNet::Filter, ThreatNet::Message::IPv4.
Copyright (c) 2005 Adam Kennedy. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
The full text of the license can be found in the LICENSE file included with this module.