NAME

ThreatNet::Filter::Network - Filter events within a set of IP ranges

SYNOPSIS

# Filter for IPs in our broadband customers' range
my $Broadband = ThreatNet::Filter::Network->new( keep => '123.123.0.0/16' );

# Create a filter for "local" and other things we want to discard
# (including our own personal broadband IP in the above network)
my $NotLocal = ThreatNet::Filter::Network->new( discard => qw{
    123.123.123.123
    LOCAL
    111.245.76.248/29
    222.234.52.192/29
    } );

sub boot_zombies {
	my $Msg = shift;
	if ( $Broadband->keep($Msg) and $NotLocal->keep($Msg) ) {
		my $account = $RadiusServer->ip_to_account($Msg->ip);
		$account->disable();
		$account->disconnect();
		$account->add_support_note("You are infected with a virus");
	}
}

DESCRIPTION

ThreatNet::Filter::Network is a filter class for creating network filters.

That is, for filtering event streams to just those events that did (or did not) occur within a particular network.

The objects only check in two modes.

The keep keyword as first argument indicates events should be kept if they match any of the networks.

The discard keyword as first argument indicates events should be kept only if they do not match any of networks.

For more complex network masks, see the ThreatNet::Filter::Chain class for chaining groups of keep and discard filters together.

Specifying the Networks

The actual matching is done using the Net::IP::Match::XS module. Any values that can be used by it can also be used with it can thus also be used with ThreatNet::Filter::Network.

Keyword Expansion

In addition to the normal IP specification above, ThreatNet::Filter::Network also supports keyword expansion for a number of standard sets of network masks.

When specified by name, they will be expanded into a list of IP ranges.

Thus you can do something like the following.

my $Remove = ThreatNet::Filter::Network->new(
    discard => 'RFC1918', '123.123.123.0/24'
    );

This will filter out the three standard "local" IP blocks specified by RFC1918, plus the addition range 123.123.123.0 - 123.123.123.255.

All keywords are case-insensitive.

RFC1918

The RFC1918 keyword is expanded to the three network blocks reserved for local intranets. This specifically does NOT include the localhost address space.

RFC3330

The RFC3330 keyword is expanded to a larger set of network blocks restricted for various purposes as identifier in RFC3330. This includes those from RFC1918, the localhost block, and several additional blocks reserved for benchmarking, IP 6to4 identifiers and various other blocks that should not appear in threat messages.

Where correctness is a factor, such as posting to a non-tolerant channel, this filter should be applied before issuing messages, as they are highly likely to be fraudulent or technically nonsensical.

LOCAL

The LOCAL keyword is expanded to represent the most common interpretation of a "local" address, which is the RFC1918 addresses, plus the 127.0.0.0/8 localhost block.

Message Compatibility

Please note that because the module on which this filter is based only supports IPv4 ranges, this filter class is only capable of processing ThreatNet::Message::IPv4 (or subclass) objects.

Any other message types passed to keep will be returns undef, and thus will act as a null filter in most configurations.

METHODS

new ('keep' | 'discard'), $network, ...

The new constructor takes a param of either keep or discard, followed by a list of one or more values which are either an expandable keyword or an ip ranges compatible with Net::IP::Match::XS.

A ThreatNet filter is created which limits a message stream to events either inside or outside of the resulting network.

Returns a new ThreatNet::Filter::Network object, or undef if given invalid params.

type

The type accessor returns the type of the network filter.

Returns either 'keep' or 'discard'.

network

The network accessor returns the list of ip ranges as provided to the constructor.

keep $Message

The keep method takes a ThreatNet::Message::IPv4 message as per the ThreatNet::Filter specification, and checks it against the network specification and keep|discard type.

Returns true if the message should be kept, false if not, or undef on error.

SUPPORT

All bugs should be filed via the bug tracker at

http://rt.cpan.org/NoAuth/ReportBug.html?Queue=ThreatNet-Filter

For other issues, or commercial enhancement and support, contact the author

AUTHORS

Adam Kennedy <adamk@cpan.org>

SEE ALSO

http://ali.as/devel/threatnetwork.html, ThreatNet::Filter, ThreatNet::Message::IPv4.

COPYRIGHT

Copyright (c) 2005 Adam Kennedy. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

The full text of the license can be found in the LICENSE file included with this module.