@lurdan
Last active September 24, 2020 08:00
#!/bin/bash
# cf. https://www.skyarch.net/blog/?p=7423
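# Convert a dotted-quad IPv4 address to its 32-bit decimal value.
# Arguments: $1 - address, e.g. 192.0.2.10
# Outputs:   the decimal value on stdout
# Returns:   0 on success; 1 (message on stderr) when $1 is not four
#            decimal octets in the range 0-255
ip2dec() {
  local -a C
  local OCTET
  # Only digits and single dots may pass: the octets are fed to $(( )) below,
  # and text taken from a log or a downloaded list must never be evaluated as
  # an arithmetic expression.
  case "$1" in
    '' | *[!0-9.]* | .* | *. | *..*)
      printf 'ip2dec: invalid IPv4 address: %s\n' "$1" >&2
      return 1
      ;;
  esac
  # read -a splits on the dots without the pathname expansion that an
  # unquoted array assignment from $1 would perform.
  IFS=. read -r -a C <<< "$1"
  if [ "${#C[@]}" -ne 4 ]; then
    printf 'ip2dec: invalid IPv4 address: %s\n' "$1" >&2
    return 1
  fi
  for OCTET in "${C[@]}"; do
    # 10# forces base 10 so "08" or "010" are not read as octal. An octet
    # above 255 would spill into the bits of the neighbouring octet and make
    # a non-address such as 1.256.0.0 compare equal to a real one.
    if [ "${#OCTET}" -gt 3 ] || [ "$(( 10#$OCTET ))" -gt 255 ]; then
      printf 'ip2dec: invalid IPv4 address: %s\n' "$1" >&2
      return 1
    fi
  done
  printf "%s\n" $(( (10#${C[0]} << 24) | (10#${C[1]} << 16) | (10#${C[2]} << 8) | 10#${C[3]} ))
}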
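# Convert a netmask to its 32-bit decimal value.
# Arguments: $1 - prefix length (0-32) or dotted netmask such as
#                 255.255.240.0; defaults to 32 when missing or empty
# Outputs:   the decimal mask on stdout
# Returns:   0 on success; 1 (message on stderr) when $1 is neither a prefix
#            length in 0-32 nor a contiguous dotted netmask
mask2dec() {
  local MASK=${1:-32}
  # CIDR is local so a call does not overwrite a caller's variable of that name.
  local CIDR=0 OCTET VALUE CLOSED=0 OK=1
  local -a PARTS
  case "$MASK" in
    # Anything but digits and single dots is rejected before it can reach
    # arithmetic expansion.
    *[!0-9.]* | .* | *. | *..*)
      OK=0
      ;;
    *.*)
      # Dotted netmask: add up the set bits octet by octet.
      IFS=. read -r -a PARTS <<< "$MASK"
      [ "${#PARTS[@]}" -eq 4 ] || OK=0
      for OCTET in "${PARTS[@]}"; do
        [ "${#OCTET}" -le 3 ] || { OK=0; break; }
        VALUE=$(( 10#$OCTET ))
        # Once an octet below 255 has been seen, only zeros may follow;
        # otherwise the mask is not contiguous.
        if [ "$CLOSED" -eq 1 ] && [ "$VALUE" -ne 0 ]; then
          OK=0
          break
        fi
        case "$VALUE" in
          255) CIDR=$(( CIDR + 8 )) ;;
          254) CIDR=$(( CIDR + 7 )); CLOSED=1 ;;
          252) CIDR=$(( CIDR + 6 )); CLOSED=1 ;;
          248) CIDR=$(( CIDR + 5 )); CLOSED=1 ;;
          240) CIDR=$(( CIDR + 4 )); CLOSED=1 ;;
          224) CIDR=$(( CIDR + 3 )); CLOSED=1 ;;
          192) CIDR=$(( CIDR + 2 )); CLOSED=1 ;;
          128) CIDR=$(( CIDR + 1 )); CLOSED=1 ;;
          0) CLOSED=1 ;;
          *) OK=0; break ;;
        esac
      done
      ;;
    *)
      # Plain prefix length. 10# keeps "024" from being read as octal, and
      # the range check keeps the exponent below from going negative.
      if [ "${#MASK}" -le 3 ] && [ "$(( 10#$MASK ))" -le 32 ]; then
        CIDR=$(( 10#$MASK ))
      else
        OK=0
      fi
      ;;
  esac
  if [ "$OK" -ne 1 ]; then
    printf 'mask2dec: invalid mask: %s\n' "$MASK" >&2
    return 1
  fi
  printf "%s\n" $(( 0xFFFFFFFF ^ ((2 ** (32 - CIDR)) - 1) ))
}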
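# Test whether an IPv4 address lies inside a network.
# Arguments: $1 - address to test
#            $2 - network written as ADDRESS, ADDRESS/PREFIX or
#                 ADDRESS/NETMASK; without a mask part the mask is /32
# Returns:   0 when $1 is within [network address, broadcast address],
#            1 when it is not, 2 when an argument could not be converted
iprange() {
  local TARGET SUBNET MASK NETADDR BRDADDR
  local NET_PART=${2%%/*}
  local MASK_PART=
  # Take the text between the first and second "/" as the mask, using
  # parameter expansion so $2 is never word-split or glob-expanded.
  case "$2" in
    */*)
      MASK_PART=${2#*/}
      MASK_PART=${MASK_PART%%/*}
      ;;
  esac
  # Declare first, assign afterwards: `local X=$(cmd)` hides cmd's exit status.
  TARGET=$(ip2dec "$1") || return 2
  SUBNET=$(ip2dec "$NET_PART") || return 2
  MASK=$(mask2dec "$MASK_PART") || return 2
  # An empty conversion result would make the arithmetic below a syntax error.
  [ -n "$TARGET" ] && [ -n "$SUBNET" ] && [ -n "$MASK" ] || return 2
  NETADDR=$(( SUBNET & MASK ))
  BRDADDR=$(( SUBNET | (0xFFFFFFFF ^ MASK) ))
  # (( )) yields status 0 when the comparison holds and 1 when it does not.
  (( NETADDR <= TARGET && TARGET <= BRDADDR ))
}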
# Print the command-line synopsis on stdout and terminate with status 1.
_usage() {
  printf '%s\n' "$0 <target logfile> <ip list file>"
  exit 1
}
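# Main: report every IPv4-looking token in the log that falls inside an entry
# of the block list.
[ $# -eq 0 ] && _usage
LOG=$1
if [ ! -r "$LOG" ]; then
  echo "Error: failed to open specified logfile." >&2
  exit 1
fi
LIST=${2:-emerging-Block-IPs.txt}
# Check the list that will actually be read, not only the default file name.
# NOTE: the default list is fetched only when it is absent, so an existing copy
# may be stale; refresh it separately if current data matters.
if [ ! -r "$LIST" ]; then
  if [ "$LIST" = emerging-Block-IPs.txt ]; then
    # Download to a temporary name and move it into place only on success, so
    # an interrupted transfer cannot leave a truncated list that later runs
    # would silently trust.
    TMP_LIST=$(mktemp "${LIST}.XXXXXX") || {
      echo "Error: failed to create a temporary file for the ip list." >&2
      exit 1
    }
    if wget -O "$TMP_LIST" https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt; then
      mv -- "$TMP_LIST" "$LIST"
    else
      rm -f -- "$TMP_LIST"
      echo "Error: failed to download emerging-Block-IPs.txt." >&2
      exit 1
    fi
  else
    echo "Error: failed to open specified ip list file." >&2
    exit 1
  fi
fi
_LIST=$( grep -E -v '(^#|^$)' "$LIST" | sort -u )
# An empty list would make every log look clean; stop instead.
if [ -z "$_LIST" ]; then
  echo "Error: ip list file contains no entries." >&2
  exit 1
fi
echo "Searching malicious IPs..."
# The pattern accepts any four dot-separated groups of 1-3 digits, so tokens
# that are not addresses (for example version strings) are also examined.
# Both loops read from process substitution rather than a pipe, so FLAG is set
# in the current shell and is still visible after the inner loop.
while read -r TARGET; do
  FLAG=0
  # First octet in base 10, leading zeros dropped, to pre-filter the list.
  HEAD=${TARGET%%.*}
  HEAD=$(( 10#$HEAD ))
  while read -r MALIP; do
    # Only the first whitespace-delimited field of the list line is the network.
    if iprange "$TARGET" "${MALIP%%[[:space:]]*}"; then
      echo "found: $TARGET in $MALIP"
      FLAG=1
      break
    fi
  done < <(printf '%s\n' "$_LIST" | grep "^${HEAD}\.")
  # if [ $FLAG -eq 0 ]; then echo "$TARGET ($HEAD) is not listed."; fi
done < <(grep -E -o -- '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$LOG" | sort -u)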