• Stars
    star
    1,296
  • Rank 36,309 (Top 0.8 %)
  • Language
    Python
  • License
    GNU Affero Genera...
  • Created over 10 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

AIL framework - Analysis Information Leak framework. Project moved to https://github.com/ail-project

AIL framework

Latest Release
CI
Gitter
Contributors
License

AIL framework - Framework for Analysis of Information Leaks

AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine or process sensitive information (e.g. data leak prevention).

Dashboard

Finding webshells with AIL

AIL V5.0 Version:

AIL v5.0 introduces significant improvements and new features:

  • Codebase Rewrite: The codebase has undergone a substantial rewrite, resulting in enhanced performance and speed improvements.
  • Database Upgrade: The database has been migrated from ARDB to Kvrocks.
  • New Correlation Engine: AIL v5.0 introduces a new powerful correlation engine with two new correlation types: CVE and Title.
  • Enhanced Logging: The logging system has been improved to provide better troubleshooting capabilities.
  • Tagging Support: AIL objects now support tagging, allowing users to categorize and label extracted information for easier analysis and organization.
  • Trackers: Improved objects filtering, PGP and decoded tracking added.
  • UI Content Visualization: The user interface has been upgraded to visualize extracted and tracked information.
  • New Crawler Lacus: improve crawling capabilities.
  • Modular Importers and Exporters: New importers (ZMQ, AIL Feeders) and exporters (MISP, Mail, TheHive) modular design. Allow easy creation and customization by extending an abstract class.
  • Module Queues: improved the queuing mechanism between detection modules.
  • New Object CVE and Title: Extract an correlate CVE IDs and web page titles.

Features

  • Modular architecture to handle streams of unstructured or structured information
  • Default support for external ZMQ feeds, such as provided by CIRCL or other providers
  • Multiple Importers and feeds support
  • Each module can process and reprocess the information already analyzed by AIL
  • Detecting and extracting URLs including their geographical location (e.g. IP address location)
  • Extracting and validating potential leaks of credit card numbers, credentials, ...
  • Extracting and validating leaked email addresses, including DNS MX validation
  • Module for extracting Tor .onion addresses for further analysis
  • Keep tracks of credentials duplicates (and diffing between each duplicate found)
  • Extracting and validating potential hostnames (e.g. to feed Passive DNS systems)
  • A full-text indexer module to index unstructured information
  • Terms, Set of terms, Regex, typo squatting and YARA tracking and occurrence
  • YARA Retro Hunt
  • Many more modules for extracting phone numbers, credentials, and more
  • Alerting to MISP to share found leaks within a threat intelligence platform using MISP standard
  • Detecting and decoding encoded file (Base64, hex encoded or your own decoding scheme) and storing files
  • Detecting Amazon AWS and Google API keys
  • Detecting Bitcoin address and Bitcoin private keys
  • Detecting private keys, certificate, keys (including SSH, OpenVPN)
  • Detecting IBAN bank accounts
  • Tagging system with MISP Galaxy and MISP Taxonomies tags
  • UI submission
  • Create events on MISP and cases on The Hive
  • Automatic export on detection with MISP (events) and The Hive (alerts) on selected tags
  • Extracted and decoded files can be searched by date range, type of file (mime-type) and encoding discovered
  • Correlations engine and Graph to visualize relationships between decoded files (hashes), PGP UIDs, domains, username, and cryptocurrencies addresses
  • Websites, Forums and Tor Hidden-Services hidden services crawler to crawl and parse output
  • Domain availability monitoring to detect up and down of websites and hidden services
  • Browsed hidden services are automatically captured and integrated into the analyzed output, including a blurring screenshot interface (to avoid "burning the eyes" of security analysts with sensitive content)
  • Tor hidden services is part of the standard framework, all the AIL modules are available to the crawled hidden services
  • Crawler scheduler to trigger crawling on demand or at regular intervals for URLs or Tor hidden services

Installation

To install the AIL framework, run the following commands:

# Clone the repo first
git clone https://github.com/ail-project/ail-framework.git
cd ail-framework

# For Debian and Ubuntu based distributions
./installing_deps.sh

# Launch ail
cd ~/ail-framework/
cd bin/
./LAUNCH.sh -l

The default installing_deps.sh is for Debian and Ubuntu based distributions.

Requirement:

  • Python 3.7+

Installation Notes

For Lacus Crawler installation instructions, refer to the HOWTO

Starting AIL

To start AIL, use the following commands:

cd bin/
./LAUNCH.sh -l

You can access the AIL framework web interface at the following URL:

https://localhost:7000/

The default credentials for the web interface are located in the DEFAULT_PASSWORDfile, which is deleted when you change your password.

Training

CIRCL organises training on how to use or extend the AIL framework. AIL training materials are available at https://github.com/ail-project/ail-training.

API

The API documentation is available in doc/README.md

HOWTO

HOWTO are available in HOWTO.md

Privacy and GDPR

For information on AIL's compliance with GDPR and privacy considerations, refer to the AIL information leaks analysis and the GDPR in the context of collection, analysis and sharing information leaks document.

this document provides an overview how to use AIL in a lawfulness context especially in the scope of General Data Protection Regulation.

Research using AIL

If you use or reference AIL in an academic paper, you can cite it using the following BibTeX:

@inproceedings{mokaddem2018ail,
  title={AIL-The design and implementation of an Analysis Information Leak framework},
  author={Mokaddem, Sami and Wagener, G{\'e}rard and Dulaunoy, Alexandre},
  booktitle={2018 IEEE International Conference on Big Data (Big Data)},
  pages={5049--5057},
  year={2018},
  organization={IEEE}
}

Screenshots

Websites, Forums and Tor Hidden-Services

Domain CIRCL

Login protected, pre-recorded session cookies:

Domain cookiejar

Extracted encoded files from items

Extracted files

Correlation Engine

Correlation decoded image

Investigation

Investigation

Tagging system

Tags

Tags search

MISP Export

misp_export

MISP and The Hive, automatic events and alerts creation

tags_misp_auto

UI submission

ui_submit

Trackers

tracker-create

tracker-yara

retro-hunt

License

    Copyright (C) 2014 Jules Debra
    Copyright (c) 2021 Olivier Sagit
    Copyright (C) 2014-2023 CIRCL - Computer Incident Response Center Luxembourg (c/o smile, security made in LΓ«tzebuerg, Groupement d'IntΓ©rΓͺt Economique)
    Copyright (c) 2014-2023 RaphaΓ«l Vinot
    Copyright (c) 2014-2023 Alexandre Dulaunoy
    Copyright (c) 2016-2023 Sami Mokaddem
    Copyright (c) 2018-2023 Thirion AurΓ©lien

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

More Repositories

1

Circlean

USB key cleaner
Python
446
star
2

url-abuse

URL Abuse - A Versatile Software for URL review, analysis and black-list reporting
Python
140
star
3

bgp-ranking

BGP ranking is a free software to calculate the security ranking of Internet Service Provider (ASN).
Python
103
star
4

cve-portal

Common Vulnerabilities and Exposures - Portal
Python
82
star
5

potiron

Potiron - Normalize, Index and Visualize Network Capture
Python
82
star
6

PyPDNS

Client API to query any Passive DNS implementation following the Passive DNS - Common Output Format.
Python
74
star
7

factual-rules-generator

Factual-rules-generator is an open source project which aims to generate YARA rules about installed software from a machine.
Python
73
star
8

compliance

Legal, procedural and policies document templates for operating an IRT
63
star
9

douglas-quaid

Open source software for image correlation, distance and analysis
Python
61
star
10

PyCIRCLean

Python library used by CIRCLean (the USB sanitizer) and others
Python
48
star
11

IP-ASN-history

IP-ASN-history is a server software to store efficiently the history of BGP announces and quickly lookup IP addresses origins
Python
46
star
12

pcapdj

pcapdj - dispatch pcap files
C
45
star
13

carl-hauser

Open Source testing framework for image correlation, distance and analysis
Python
43
star
14

forensic-tools

CIRCL system forensic tools or a jumble of tools to support forensic
Python
41
star
15

yara-validator

Validates yara rules and tries to repair the broken ones.
Python
38
star
16

traceroute-circl

Traceroute improved wrapper for CSIRT and CERT operators
37
star
17

urlquery_python_api

Python API for URL Query
Python
34
star
18

vt-tools

Tools for VirusTotal
Python
34
star
19

IMAP-Proxy

Modular IMAP proxy (including PyCIRCLeanMail and MISP forward modules)
Python
26
star
20

PyEUPI

Client API to query the Phishing Initiative service API
Python
22
star
21

email-abuse

Email Abuse - A Versatile Software for Email review, analysis and reporting
Python
19
star
22

bgpranking-redis-api

API to access the Redis database of a BGP Ranking instance.
Python
17
star
23

PyRichHeader

A Python parser for Rich Headers
Python
14
star
24

pe32-cert-dump

Dump and parse embedded certificates from Windows binaries
Shell
11
star
25

volatility-misp

Volatility plugin to interface with MISP
Python
10
star
26

PyCIRCLeanMail

Standalone CIRCLean/KittenGroomer code to sanitize emails.
Python
10
star
27

pbtc

Passive Bitcoin Project
Go
10
star
28

factual-rules

Factual rules are YARA rules to find legitimate software on raw disk acquisition.
YARA
10
star
29

open-data-security

open-data-security description format is a simple JSON format to describe dataset released as open data by security researchers, security vendors or CSIRTs
9
star
30

lnf-tools

lnf-tools is a set of Perl, Python libraries and C code to analyze and process large set of Netflow records.
Python
8
star
31

hackathon

Website for hackathon.hack.lu - 0x04 virtual hackathon
CSS
7
star
32

misp-darwin

Improving human readability of MISP threat intelligence
6
star
33

PyACDC

Data clearing house API for the Advanced Cyber Defence Centre (ACDC).
Python
5
star
34

dma-frontend

Pre-pre-pre Beta DMA frontend
Less
5
star
35

hash-whitelist-lookup

Python
5
star
36

revoker

Revoke active sessions
Python
4
star
37

ODFCleaner

Python module to cleanup ODF files.
XSLT
4
star
38

pypretalx

Query Pretalx via the API.
Python
4
star
39

mpss-micmgmt

mpss-micmgmt v3.6.1 (Intel Xeon Phi Coprocessor) for Ubuntu LTS 14.04 Trusty
HTML
4
star
40

PasswordTest

Web application to test your password
PHP
4
star
41

libscif

libscif v3.6.1 (Intel Xeon Phi Coprocessor) for Ubuntu LTS 14.04 Trusty
C
3
star
42

circlean-pi-gen

Shell
3
star
43

ail-packer

Packer Scripts to generate AIL-framework VMs
Shell
3
star
44

elfinsight

Utility that collects and aggregates information on ELF files.
Python
2
star
45

orbit-agents

orbit-agents
2
star
46

mpss-modules

MPSS module v3.6.1 (Intel Xeon Phi Coprocessor), with patches for linux-3.19 on Ubuntu LTS 14.04 Trusty
C
2
star
47

mpss-daemon

mpss-daemon v3.6.1 (Intel Xeon Phi Coprocessor) for Ubuntu LTS 14.04 Trusty
C
1
star
48

pisax-website

pisax.org website
HTML
1
star
49

douglas-quaid-results

Results of Douglas-Quaid
Python
1
star
50

junk-ip-indexer

Experiments indexing with IP and related attributes
C++
1
star
51

douglas-quaid-tests

Tests files for douglas-quaid
1
star
52

TestCasesCIRClean

A bunch of files to test if CIRCLean works properly. Contains malicious documents.
1
star
53

miccheck

miccheck v3.6.1 (Intel Xeon Phi Coprocessor) for Ubuntu LTS 14.04 Trusty
Python
1
star
54

openpgp-keys-filterlists

OpenPGP keys filterlists maintained by CIRCL
1
star
55

miclib

miclib v3.6.1 (Intel Xeon Phi Coprocessor) for Ubuntu LTS 14.04 Trusty (extracted from mpss-micmgmt)
C++
1
star