


As part of the #OpenSOC event Recon InfoSec recently conducted, we wanted to visualize where all of our participants were coming from. We had several data points to work from, and there are plenty of open tools available, so it is just a matter of cobbling those items together to create a sweet, sweet map.

Geolocating IP addresses

A simple resource we found for mapping an IP address to a physical location is the free Maxmind databases. Maxmind provides their "GeoLite2" databases for the cost of creating an account. In our case, we wanted to draw a world map indicating where participants were coming from, so we downloaded the Country database and queried against it. Maxmind also provides a solid Python library on Github which makes it easy to interact with the databases. We use the database and Python module as such:

```python
import geoip2.database

# GeoLite2-Country.mmdb is the downloaded Country database
reader = geoip2.database.Reader("GeoLite2-Country.mmdb")
iso_code = reader.country(ip_address).country.iso_code
```

This returns an Alpha-2 ISO code which we can later use to fill a map.

The plotly map we are using requires the ISO-3/Alpha-3 code rather than the Alpha-2 code Maxmind returns. Luckily, there is a module for this conversion: pycountry.

```python
import pycountry

alpha_3 = pycountry.countries.get(alpha_2=iso_code).alpha_3
# iso_codes maps an alpha-3 code to the number of participants seen from it
if alpha_3 not in iso_codes:
    iso_codes[alpha_3] = 0
iso_codes[alpha_3] += 1
```

If we bin these codes together, we have a distribution of participants by country.

We assumed, given our audience, that many of our security conscious participants would be using a VPN of some sort. Maxmind provides an Anonymous IP database which aims to tackle exactly this situation, but since WE LOVE OPEN SOURCE EVERYTHING!!, we wanted to figure this out via other methods. There are several Github repos which attempt to tackle this in several different ways.

If an IP address is originating from Amazon or Google Cloud, there is a reasonable probability that the endpoint is a VPC terminating a VPN. So, let's try to find the ASNs for our IPs, and map those against known cloud provider ASNs. Again, Maxmind offers a database for mapping IP to ASN:

```python
# GeoLite2-ASN.mmdb is the downloaded ASN database
asn_reader = geoip2.database.Reader("GeoLite2-ASN.mmdb")
response = asn_reader.asn(ip_address)
number = response.autonomous_system_number
```

ASNs don't tell us much without context, but there are several Github repos which maintain a mapping of cloud/colo ASNs. Find one to your liking, and use it to get a better idea of which addresses may be coming from a cloud provider:

```python
# cloud_asns holds the ASN numbers from the chosen list, as strings
if str(number) in cloud_asns:
    # treat this address as a cloud endpoint rather than a participant location
    cloud_count += 1
```

Additionally, a simple keyword search will reveal some of the bigger players:

```python
# as_organizations is the list of response.autonomous_system_organization values;
# the full keyword list is not preserved in the original, Amazon and Google are the examples it names
cloud_keywords = ["amazon", "google"]
for org in as_organizations:
    if any(keyword in org.lower() for keyword in cloud_keywords):
        cloud_count += 1
```

At the end of this process, we have a binned grouping of ASNs with count.

There are also instances of known VPN services and Tor exit nodes which may not appear in these lists and are unrelated to ASNs. Published lists of these IP addresses exist, and the Tor Project maintains a list of its exit nodes. We can grab these lists and check the IP addresses against them as well:

```python
# tor_list.txt holds one address per line
with open("tor_list.txt", "r") as f:
    tor_exit_nodes = {line.strip() for line in f if line.strip()}
```

At this point, we have a decent list of addresses we should exclude from the country mapping results.

Mapping

As an output from the previous steps, we stored the data as a simple CSV which looked something like:

Country,Participants

Plotly depends on the pandas library, so it is easy to read this data in:

```python
import pandas as pd

# header=0 skips the "Country,Participants" header line shown above
df = pd.read_csv("countries.txt", names=("country", "participants"), header=0)
```

We now have a list of countries and the appropriate data to start building a map. In order to draw a map, you need to provide the graphing library a set of geospatial data which draws the borders, etc. We chose to use the Plotly Graphing Libraries to build a "Choropleth" (think "map colored by value", and a new term I frequently use to sound smart).
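The filtering steps from the geolocation and VPN/cloud sections above (Alpha-2 to Alpha-3 conversion, cloud ASN list, keyword search on the AS organization, exit-node list) combined into one runnable script, as an added example that is not code from the original post. It stands in for the geoip2 lookups with a constructed LOOKUPS table carrying the fields the GeoLite2 Country and ASN readers would return, uses pycountry when it is installed and a small constructed table otherwise, and handles the case where the database has no country for an address. The IPs are RFC 5737 documentation addresses; the ASN numbers, keywords and exit list are illustrative.

```python
"""Added example (not from the post): the exclusion pipeline on constructed data."""
from collections import Counter

# Constructed stand-in for reader.country(ip) / asn_reader.asn(ip) results:
# (ip, alpha-2 country code or None, ASN number, ASN organization)
LOOKUPS = [
    ("192.0.2.10", "US", 7922, "COMCAST-7922"),
    ("192.0.2.11", "US", 16509, "AMAZON-02"),                  # in CLOUD_ASNS
    ("192.0.2.12", "DE", 3320, "Deutsche Telekom AG"),
    ("192.0.2.13", "IE", 396982, "GOOGLE-CLOUD-PLATFORM"),     # caught by keyword, not ASN list
    ("192.0.2.14", "NL", 60781, "LeaseWeb Netherlands B.V."),  # listed as an exit node below
    ("192.0.2.15", "DE", 3320, "Deutsche Telekom AG"),
    ("192.0.2.16", "CA", 812, "ROGERS-COMMUNICATIONS"),
    ("192.0.2.17", None, 64512, "PRIVATE-USE-ASN"),            # iso_code can be None in GeoLite2
]

# Constructed cloud ASN list, stored as strings the way the post compares them.
CLOUD_ASNS = {"16509"}
# Keywords for the org-name search (the post names Amazon and Google Cloud).
CLOUD_KEYWORDS = ["amazon", "google"]

# Constructed contents of a tor_list.txt style file: one address per line, comments allowed.
EXIT_LIST_TEXT = """# constructed exit-node list
192.0.2.14
198.51.100.7
"""

# Fallback alpha-2 -> alpha-3 table, used only when pycountry is not installed.
FALLBACK_ALPHA3 = {"US": "USA", "DE": "DEU", "IE": "IRL", "NL": "NLD", "CA": "CAN"}


def parse_exit_list(text):
    """Parse an exit-node/VPN list into a set of addresses, ignoring blanks and comments."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nodes.add(line)
    return nodes


def to_alpha3(alpha_2):
    """Convert Maxmind's alpha-2 code to the alpha-3 code plotly expects."""
    try:
        import pycountry
        return pycountry.countries.get(alpha_2=alpha_2).alpha_3
    except ImportError:
        return FALLBACK_ALPHA3[alpha_2]


def is_cloud(asn, org, cloud_asns=CLOUD_ASNS, keywords=CLOUD_KEYWORDS):
    """True if the ASN is on the cloud list or the org name matches a keyword."""
    return str(asn) in cloud_asns or any(k in org.lower() for k in keywords)


def bin_by_country(lookups=LOOKUPS, exit_nodes=None):
    """Return (participants per alpha-3 code, excluded addresses counted by reason)."""
    if exit_nodes is None:
        exit_nodes = parse_exit_list(EXIT_LIST_TEXT)
    counts, excluded = Counter(), Counter()
    for ip, alpha_2, asn, org in lookups:
        if ip in exit_nodes:
            excluded["exit_node"] += 1
        elif is_cloud(asn, org):
            excluded["cloud"] += 1
        elif alpha_2 is None:
            excluded["no_country"] += 1
        else:
            counts[to_alpha3(alpha_2)] += 1
    return counts, excluded


if __name__ == "__main__":
    counts, excluded = bin_by_country()
    print(dict(counts))    # {'USA': 1, 'DEU': 2, 'CAN': 1}
    print(dict(excluded))  # {'cloud': 2, 'exit_node': 1, 'no_country': 1}
```

The exit-node check runs before the cloud check so an address on both lists is counted once, and the excluded counter keeps the reasons separate, which is worth reporting next to the map so readers know how many participants were dropped and why.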
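The Mapping step carried through from the per-country CSV to the choropleth, as an added example that is not the post's code. It reads the CSV with the standard csv module instead of pandas, rejects anything that is not an Alpha-3 code (a Choropleth draws nothing for a location it cannot match, without raising), and builds the figure with plotly.graph_objects, which is imported only when the figure is actually built. The CSV content, the output file name and the title are constructed.

```python
"""Added example (not from the post): per-country CSV to a Plotly choropleth."""
import csv
import io

# Constructed CSV in the shape the post describes ("Country,Participants" header, alpha-3 codes).
SAMPLE_CSV = """Country,Participants
USA,42
DEU,17
CAN,9
"""


def load_counts(text):
    """Parse the CSV text into {alpha-3 code: participants}, summing repeated codes."""
    counts = {}
    for row in csv.DictReader(io.StringIO(text)):
        code = row["Country"].strip().upper()
        if len(code) != 3 or not code.isalpha():
            # plotly silently skips unknown locations, so fail loudly here instead
            raise ValueError(f"expected an ISO-3 code, got {code!r}")
        counts[code] = counts.get(code, 0) + int(row["Participants"].strip())
    return counts


def choropleth_columns(counts):
    """Return the parallel (locations, z) lists a Choropleth trace takes."""
    locations = sorted(counts)
    return locations, [counts[c] for c in locations]


def build_choropleth(counts, title="#OpenSOC participants by country"):
    """Build the map; locationmode='ISO-3' is why the alpha-3 conversion was needed."""
    import plotly.graph_objects as go

    locations, z = choropleth_columns(counts)
    fig = go.Figure(
        go.Choropleth(
            locations=locations,
            z=z,
            locationmode="ISO-3",
            colorscale="Blues",
            colorbar_title="Participants",
        )
    )
    fig.update_layout(
        title_text=title,
        geo=dict(showframe=False, projection_type="natural earth"),
    )
    return fig


if __name__ == "__main__":
    # Writes a self-contained HTML page you can open in a browser (constructed file name).
    build_choropleth(load_counts(SAMPLE_CSV)).write_html("participants_map.html")
```

Reading a real countries.txt is just `load_counts(open("countries.txt").read())`; the validation in load_counts catches the common slip of writing the Alpha-2 codes straight from Maxmind, which would otherwise produce an empty-looking map.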
