AIL framework - Analysis Information Leak framework
Clone or download
Failed to load latest commit information.
ansible Update Jul 23, 2018
bin fix: [ModulesInformationV2] fix #244 Sep 19, 2018
configs fix: [config] add virus total API key sample, fix #253 Sep 19, 2018
doc Merge pull request #250 from CIRCL/statistic Sep 12, 2018
docsphinx/source Initial import of AIL framework - Analysis Information Leak framework Aug 6, 2014
files add apiKeys module Apr 26, 2018
logs Travis, print logs Jan 19, 2016
pystemon Install pystemon and start pystemon-feeder in docker Sep 3, 2018
samples/2018/01/01 create first test Apr 11, 2018
tests clean May 4, 2018
var/www fix: [hashDecoded] range_type_json Sep 19, 2018
.dockerignore Added Dockerfile to automate the build of a Docker image based on Ubuntu Aug 27, 2016
.gitignore chg: [statistics] clean scripts Sep 12, 2018
.travis.yml fix travis tests 2 Apr 26, 2018
Dockerfile Fix docekrfile CMD Sep 4, 2018 Very little typo Aug 14, 2018
LICENSE Initial import of AIL framework - Analysis Information Leak framework Aug 6, 2014 Merge branch 'master' into statistic Sep 12, 2018 fix: [doc] IBAN feature added Aug 24, 2018 fix: [] make pystemon optionnal Sep 19, 2018 fix: [Install] add python and package requirements Sep 12, 2018 chg: [doc] Marked unmaintained efforts as such. Jul 23, 2018
pip3_packages_requirement.txt fix: [Install] add python requirements Sep 12, 2018 python 3 upgrade mv old redis db May 9, 2018 Added AIL reset script Aug 23, 2017



AIL framework - Framework for Analysis of Information Leaks

AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine or process sensitive information (e.g. data leak prevention).


Latest Release GitHub version


  • Modular architecture to handle streams of unstructured or structured information
  • Default support for external ZMQ feeds, such as provided by CIRCL or other providers
  • Multiple feed support
  • Each module can process and reprocess the information already processed by AIL
  • Detecting and extracting URLs including their geographical location (e.g. IP address location)
  • Extracting and validating potential leak of credit cards numbers, credentials, ...
  • Extracting and validating email addresses leaked including DNS MX validation
  • Module for extracting Tor .onion addresses (to be further processed for analysis)
  • Keep tracks of duplicates (and diffing between each duplicate found)
  • Extracting and validating potential hostnames (e.g. to feed Passive DNS systems)
  • A full-text indexer module to index unstructured information
  • Statistics on modules and web
  • Real-time modules manager in terminal
  • Global sentiment analysis for each providers based on nltk vader module
  • Terms, Set of terms and Regex tracking and occurrence
  • Many more modules for extracting phone numbers, credentials and others
  • Alerting to MISP to share found leaks within a threat intelligence platform using MISP standard
  • Detect and decode encoded file (Base64, hex encoded or your own decoding scheme) and store files
  • Detect Amazon AWS and Google API keys
  • Detect Bitcoin address and Bitcoin private keys
  • Detect private keys, certificate, keys (including SSH, OpenVPN)
  • Detect IBAN bank accounts
  • Tagging system with MISP Galaxy and MISP Taxonomies tags
  • UI paste submission
  • Create events on MISP and cases on The Hive
  • Automatic paste export at detection on MISP (events) and The Hive (alerts) on selected tags
  • Extracted and decoded files can be searched by date range, type of file (mime-type) and encoding discovered
  • Graph relationships between decoded file (hashes)


Type these command lines for a fully automated installation and start AIL framework:

git clone
cd AIL-framework
cd var/www/
cd ~/AIL-framework/
. ./AILENV/bin/activate
cd bin/

The default is for Debian and Ubuntu based distributions. For Arch linux based distributions, you can replace it with

There is also a Travis file used for automating the installation that can be used to build and install AIL on other systems.

Installation Notes

In order to use AIL combined with ZFS or unprivileged LXC it's necessary to disable Direct I/O in $AIL_HOME/configs/6382.conf by changing the value of the directive use_direct_io_for_flush_and_compaction to false.

Python 3 Upgrade

To upgrade from an existing AIL installation, you have to launch, this script will delete and create a new virtual environment. The script will upgrade the packages but won't keep your previous data (neverthless the data is copied into a directory called old). If you install from scratch, you don't require to launch the

Docker Quick Start (Ubuntu 16.04 LTS)

  1. Install Docker
sudo su
apt-get install -y curl
curl | /bin/bash
  1. Type these commands to build the Docker image:
git clone
cd AIL-framework
docker build -t ail-framework .
  1. To start AIL on port 7000, type the following command below:
docker run -p 7000:7000 ail-framework
  1. To debug the running container, type the following command and note the container name or identifier:
docker ps

After getting the name or identifier type the following commands:

cd /opt/ail

Install using Ansible

Please check the Ansible readme.

Starting AIL web interface

To start the web interface, you first need to fetch the required JavaScript/CSS files:

cd var/www/

and then you can start the web interface python script:

cd var/www/

Eventually you can browse the status of the AIL framework website at the following URL:



HOWTO are available in

Privacy and GDPR

AIL information leaks analysis and the GDPR in the context of collection, analysis and sharing information leaks document provides an overview how to use AIL in a lawfulness context especially in the scope of General Data Protection Regulation.


Trending charts

Trending-Web Trending-Modules

Extracted encoded files from pastes

Extracted files from pastes Relationships between extracted files from encoded file in unstructured data



Tagging system


MISP and The Hive, automatic events and alerts creation


Paste submission


Sentiment analysis


Terms manager and occurence


Top terms

Term-Top Term-Plot

AIL framework screencast

Command line module manager



    Copyright (C) 2014 Jules Debra
    Copyright (C) 2014-2018 CIRCL - Computer Incident Response Center Luxembourg (c/o smile, security made in Lëtzebuerg, Groupement d'Intérêt Economique)
    Copyright (c) 2014-2018 Raphaël Vinot
    Copyright (c) 2014-2018 Alexandre Dulaunoy
    Copyright (c) 2016-2018 Sami Mokaddem
    Copyright (c) 2018 Thirion Aurélien

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <>.