
@ffr4nz
Created May 24, 2013 10:59
Python script to detect TOR IPs in access_log files, geolocate detected IPs and build a .KML map to be viewed on Google Maps.
#! /usr/bin/env python
# -*- coding: utf-8 -*-
#
# Based on parsetor.py script to detect TOR IPs in access_log files
# www.securitybydefault.com
#
# Based on hello_world_5_globe_scale.py
# http://code.google.com/p/pykml/source/browse/src/examples/misc/hello_world/hello_world_5_globe_scale.py
#
__author__ = "@ffranz"
__status__ = "Beta"
import sys
import time
import re
import urllib2
import simplejson
from lxml import etree
from pykml.factory import KML_ElementMaker as KML
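class KMLGenerator(object):
    """Build a KML document with one placemark per geolocated log entry.

    ``data`` is the sequence given to the constructor. Every truthy item is
    read as ``item['ip']``, ``item['data']`` and ``item['pos']['lon'|'lat']``.
    In this script ``item['data']`` is a raw access-log line, i.e. text whose
    content is chosen by whoever sent the request.
    """

    # Control characters that XML 1.0 forbids in text. lxml refuses them with
    # ValueError, so one hostile log line would otherwise abort the whole map.
    _XML_INVALID = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f]')

    def __init__(self, data):
        self.data = data

    @staticmethod
    def _safe_text(value):
        """Return ``value`` made safe to place in a KML text node.

        Byte strings are decoded as UTF-8 with replacement (lxml rejects
        non-ASCII byte strings), XML-invalid control characters are dropped,
        and HTML metacharacters are escaped. KML viewers may render
        ``<description>`` as HTML, so unescaped log content (request path,
        referer, user agent) could otherwise show up as active markup in the
        placemark balloon. Non-text values are returned unchanged.
        """
        if isinstance(value, bytes):
            value = value.decode('utf-8', 'replace')
        elif not isinstance(value, type(u'')):
            return value
        value = KMLGenerator._XML_INVALID.sub('', value)
        return (value.replace('&', '&amp;')
                     .replace('<', '&lt;')
                     .replace('>', '&gt;'))

    def array2kml(self):
        """Serialise ``self.data`` to a pretty-printed KML string.

        Returns ``None`` when ``self.data`` is ``None``; falsy items in the
        sequence are skipped.
        """
        if self.data is None:
            return None

        # create a document element with a icon label style
        # http://maps.google.com/mapfiles/kml/paddle/blu-blank.png
        kmlobj = KML.kml(
            KML.Document(
                KML.Style(
                    KML.IconStyle(
                        KML.scale(1.0),
                        KML.Icon(
                            KML.href("http://maps.google.com/mapfiles/kml/paddle/blu-blank.png"),
                        ),
                        id="blu-style"
                    ),
                    id="blu-label"
                )
            )
        )

        # add placemarks to the Document element
        for entry in self.data:
            if not entry:
                continue
            kmlobj.Document.append(
                KML.Placemark(
                    KML.name(self._safe_text(entry['ip'])),
                    # Raw log line: sanitise before it reaches the viewer.
                    KML.description(self._safe_text(entry['data'].strip())),
                    KML.styleUrl('#blu-label'),
                    KML.Point(
                        KML.extrude(1),
                        KML.altitudeMode('relativeToGround'),
                        KML.coordinates('{lon},{lat},{alt}'.format(
                            lon=entry['pos']['lon'],
                            lat=entry['pos']['lat'],
                            alt=0,
                        )),
                    ),
                )
            )
        return etree.tostring(etree.ElementTree(kmlobj), pretty_print=True)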
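class APIripe(object):
    """Minimal client for the RIPEstat geolocation data call."""

    # Seconds to wait for the remote service; without a limit a single
    # stalled connection blocks the whole run.
    _TIMEOUT = 30

    def __init__(self):
        self._urlgeo = "https://stat.ripe.net/data/geoloc/data.json?resource="

    def _getJson(self, data):
        """Fetch the URL ``data`` and return the decoded JSON document."""
        response = urllib2.urlopen(data, timeout=self._TIMEOUT)
        try:
            return simplejson.load(response)
        finally:
            # Release the connection even when the body is not valid JSON.
            response.close()

    def getGeo(self, ipAddr):
        """Return the geolocation record for ``ipAddr``.

        ``ipAddr`` is appended to the query string as-is, so callers should
        pass an already validated address (this script passes text matched
        by its IPv4 regex). Every address queried here is disclosed to the
        third-party service.
        """
        return self._getJson(self._urlgeo + str(ipAddr))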
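class geoLoc(object):
    """Attach a longitude/latitude to each matched log entry."""

    def __init__(self):
        pass

    def getLoc(self, IPlist):
        """Geolocate every entry of ``IPlist``.

        Each entry is a dict with ``'ip'`` and ``'data'`` keys. Returns a list
        of ``{'ip', 'data', 'pos': {'lon', 'lat'}}`` dicts in input order.
        Lookups are best-effort: an entry whose lookup fails is reported on
        stdout and left out of the result.
        """
        locations = []
        # One Tor exit usually produces many log lines; remember successful
        # lookups so each address is sent to the remote service only once.
        positions = {}
        ripe = None
        for ip in IPlist:
            try:
                addr = str(ip['ip'])
                if addr not in positions:
                    if ripe is None:
                        ripe = APIripe()
                    first = ripe.getGeo(addr)["data"]["locations"][0]
                    positions[addr] = {
                        "lon": first["longitude"],
                        "lat": first["latitude"],
                    }
                locations.append({
                    "ip": addr,
                    "data": str(ip['data']),
                    # Copy so that entries never share one position dict.
                    "pos": dict(positions[addr]),
                })
            except Exception as e:
                # Deliberate best-effort: report the failure, keep going.
                print(e)
        return locations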
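def riseandwalk(LogFile):
    """Write ``mapanew.kml`` with the Tor-originated hits found in ``LogFile``.

    Downloads the current Tor exit-address list, keeps the log lines whose
    leading field is one of those addresses, geolocates them and serialises
    the result as KML in the working directory. Returns ``None``.

    Caveats for whoever reads the map:
    * the exit list is a snapshot taken at run time, so entries in older
      logs are matched against today's exits, not the exits of that day;
    * only the first field of each line is inspected, so behind a reverse
      proxy that field is presumably the proxy address - verify the log
      format before trusting an empty result.
    """
    ipv4 = re.compile(r'[0-9]+(?:\.[0-9]+){3}')

    # Get TOR exit-addresses
    url = "https://exitlist.torproject.org/exit-addresses"
    # NOTE(review): urllib2 on Python releases older than 2.7.9 does not
    # verify the server certificate by default, so the list could be altered
    # in transit there - confirm the interpreter version in use.
    page = urllib2.urlopen(url, timeout=30)
    try:
        listing = page.read()
    finally:
        page.close()

    # A set gives constant-time membership tests for every log line.
    exit_ips = set()
    for text in listing.split("\n"):
        exit_ips.update(ipv4.findall(text))

    ipdictlist = []
    with open(LogFile, "r") as log:
        # Stream the log instead of loading it whole; access logs get large.
        for LOG in log:
            hit = ipv4.match(LOG)
            if hit and hit.group(0) in exit_ips:
                ipdictlist.append({'ip': hit.group(0), 'data': LOG})

    gll = geoLoc()
    KMLG = KMLGenerator(gll.getLoc(ipdictlist))
    kmlmap = KMLG.array2kml()

    with open("mapanew.kml", "w") as out:
        out.write('<?xml version="1.0" encoding="UTF-8"?>\n' + kmlmap)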
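if __name__ == "__main__":
    # Fail with a usage line instead of an IndexError traceback when the
    # log path is missing; sys.exit(str) prints to stderr and exits 1.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <access_log>" % sys.argv[0])
    sys.exit(riseandwalk(sys.argv[1]))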