From bba44825540c3bc7f3c3fa47bb00f70c61f96588 Mon Sep 17 00:00:00 2001
From: Bearded_InfoSec <48711508+BeardedInfoSec@users.noreply.github.com>
Date: Tue, 9 Apr 2024 16:20:44 -0500
Subject: [PATCH] added: function to sort public and private IPv4 This function takes in both public and private IPv4 addresses and returns the public IPs. This prevents sending internal IPv4 address for enrichment
---
.../Public_Private_IP_Filter.json | 29 ++++++++++
custom_functions/Public_Private_IP_Filter.py | 55 +++++++++++++++++++
2 files changed, 84 insertions(+)
create mode 100644 custom_functions/Public_Private_IP_Filter.json
create mode 100644 custom_functions/Public_Private_IP_Filter.py
diff --git a/custom_functions/Public_Private_IP_Filter.json b/custom_functions/Public_Private_IP_Filter.json
new file mode 100644
index 00000000..c61cdda2
--- /dev/null
+++ b/custom_functions/Public_Private_IP_Filter.json
@@ -0,0 +1,29 @@
+{
+ "create_time": "2024-04-09T14:43:24.621003+00:00",
+ "custom_function_id": "d4efa90eac5443293c20f1f659f1c6ed576dd4b9",
+ "description": "",
+ "draft_mode": false,
+ "inputs": [
+ {
+ "contains_type": [
+ "ip"
+ ],
+ "description": "",
+ "input_type": "list",
+ "name": "IPv4",
+ "placeholder": "8.8.8.8"
+ }
+ ],
+ "outputs": [
+ {
+ "contains_type": [
+ "ip"
+ ],
+ "data_path": "public_ip",
+ "description": ""
+ }
+ ],
+ "outputs_type": "item",
+ "platform_version": "6.1.1.211",
+ "python_version": "3"
+}
\ No newline at end of file
diff --git a/custom_functions/Public_Private_IP_Filter.py b/custom_functions/Public_Private_IP_Filter.py
new file mode 100644
index 00000000..4a77d8d1
--- /dev/null
+++ b/custom_functions/Public_Private_IP_Filter.py
@@ -0,0 +1,55 @@
+def Public_Private_IP_Filter(IPv4=None, **kwargs):
+ """
+ Args:
+ IPv4 (CEF type: ip)
+
+ Returns a JSON-serializable object that implements the configured data paths:
+ public_ip (CEF type: ip)
+ """
+ ############################ Custom Code Goes Below This Line #################################
+ import json
+ import phantom.rules as phantom
+
+ # Write your custom code here...
+
+ def is_private_ipv4_address(ip_address):
+ parts = ip_address.split('.')
+ if len(parts) != 4:
+ return False # Skip invalid addresses
+ try:
+ first = int(parts[0])
+ second = int(parts[1])
+ third = int(parts[2])
+ fourth = int(parts[3])
+ except ValueError:
+ return False # Skip invalid addresses
+ if ip_address == '127.0.0.1':
+ return False # Skip loopback address
+ elif first == 10 or (first == 172 and 16 <= second <= 31) or (first == 192 and second == 168):
+ return True # Private address
+ else:
+ return False # Public address
+
+ def sort_ipv4_addresses(addresses):
+ public = []
+ private = []
+ for address in addresses:
+ if is_private_ipv4_address(address):
+ private.append(address)
+ else:
+ public.append(address)
+ public.sort()
+ private.sort()
+ return public, private
+
+ addresses = IPv4
+ public, private = sort_ipv4_addresses(addresses)
+ public = str(public)
+ public = public.strip('[')
+ public = public.strip(']')
+ public = public.strip("'")
+
+ outputs = {'public_ip':public, 'private_ip':private}
+ # Return a JSON-serializable object
+ assert json.dumps(outputs) # Will raise an exception if the :outputs: object is not JSON-serializable
+ return outputs
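Review bot: `is_private_ipv4_address` fails open: every input outside 10/8, 172.16/12 and 192.168/16 ends up in `public`, including strings that do not parse, `127.0.0.1` (explicitly returned as not private) and other non-routable ranges such as link-local 169.254/16, so those values are still handed on as public. I would classify with the standard library instead (with `import ipaddress` next to `import json`) and treat only addresses whose `is_global` is true as public, as sketched below; the `addresses or []` guard also covers the `IPv4=None` default, which currently raises `TypeError` in the loop. Separately, `str(public)` followed by three `strip` calls only trims the ends, so two or more addresses come out as `1.1.1.1', '8.8.8.8`; `public = ', '.join(public)` would at least give a clean string, though the right shape depends on how the playbook consumes `public_ip`. The docstring could also state the fail-closed rule and that `private_ip` is returned although the JSON declares only `public_ip`.

```python
    def is_public_ipv4_address(ip_address):
        # Fail closed: anything that does not parse as a globally routable
        # IPv4 address stays out of the list passed on for enrichment.
        try:
            return ipaddress.IPv4Address(str(ip_address).strip()).is_global
        except ValueError:
            return False

    def sort_ipv4_addresses(addresses):
        public = []
        private = []
        for address in addresses or []:
            if is_public_ipv4_address(address):
                public.append(address)
            else:
                private.append(address)
        # … unchanged: sort both lists and return them …
```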