#!/usr/bin/ruby

# Das Script geht eine default access_log-Datei durch,
# die mit der IP-Adresse anfaengt und schaut ob es darin
# eine der IPs aus den BND IP Ranges findet.
# Die Ranges habe ich von:
# https://secure.wikileaks.org/wiki/T-Systems_BND_network_assignments%2C_13_Nov_2008
#
# Jeena Paradies <spam@jeenaparadies.net>

if ARGV.length < 1
  puts "usage: ruby #{__FILE__} file1 [file2 file3 ...]"
else

r =<<BNDIPRANGES
193.159.228.32 - 193.159.228.39
193.159.238.168 - 193.159.238.175
194.25.184.16 - 194.25.184.23
194.25.42.232 - 194.25.42.239
195.145.128.56 - 195.145.128.63
195.145.163.64 - 195.145.163.127
195.145.182.96 - 195.145.182.111
195.145.31.252 - 195.145.31.255
195.145.57.176 - 195.145.57.191
195.243.157.184 - 195.243.157.191
195.243.248.224 - 195.243.248.231
212.185.184.224 - 212.185.184.231
212.185.191.128 - 212.185.191.135
217.7.155.168 - 217.7.155.175
217.89.74.208 - 217.89.74.223
62.153.59.192 - 62.153.59.223
62.153.65.32 - 62.153.65.39
62.153.80.208 - 62.153.80.215
62.153.87.0 - 62.153.87.15
62.154.211.152 - 62.154.211.159
62.154.226.64 - 62.154.226.127
62.156.187.232 - 62.156.187.239
62.157.136.64 - 62.157.136.95
62.157.144.0 - 62.157.144.63
62.157.193.128 - 62.157.193.223
62.157.194.32 - 62.157.194.39
62.159.19.208 - 62.159.19.215
62.159.104.160 - 62.159.104.175
62.159.209.144 - 62.159.209.151
62.159.209.152 - 62.159.209.159
62.159.21.152 - 62.159.21.159
62.159.60.144 - 62.159.60.151
62.159.63.72 - 62.159.63.79
62.225.139.248 - 62.225.139.255
62.225.74.128 - 62.225.74.135
80.146.198.88 - 80.146.198.95
62.159.104.160 - 62.159.104.175
BNDIPRANGES

  def ip2int(ip)
    ip.split(/\./).map { |i|
      "0" * (3 - i.length) << i
    }.join("").to_i
  end

  ranges = []
  found = []

  r.each do |line|
    ip1, ip2 = line.split(/-/)
    ranges << { :min => ip2int(ip1.strip), :max => ip2int(ip2.strip) }
  end

  ARGV.each do |log_path|
    IO.foreach(log_path) do |line|
      ips = line.split(/ /)[0].strip
      ip = ip2int ips
      ranges.each do |range|
        if ip >= range[:min] and ip <= range[:max]
          unless found.include? ips
            found << ips
            break
          end
        end
      end
    end
  end
  
  unless found.length == 0
    puts "Folgende BND IPs wurden gefunden:"
    found.sort!.each do |ip|
      puts ip
    end
  else
    puts "Es wurden keine BND IPs gefunden."
  end

end