Here I will demonstrate how one could monitor processes with network connections and check the IP address against a banlist. I have chosen to write this in Go, also known as Golang, simply because I like it. Apply the basic concepts here to any language you want, such as Python.

I will not cover how to setup and install Go if you need help please refer to https://golang.org/.

Begin by creating a directory for your project I have named mine  ProcessNetConnectBanlist.

Next, create a go module with go mod init <project name>.

For me that looks like this go mod init ProcessNetConnectBanlist

Copy and paste the following code to main.go

package main

import (
	"io/ioutil"
	"net/http"
	"fmt"
	"github.com/shirou/gopsutil/process"
	"log"
	"strings"
)

// BDLicensestring represents the licensing for Binary Defense Artillery Threat Intelligence Feed
// this licensing will be removed from the get responce to create the banlist.
const BDLicensestring = `#
#
#
# Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed
# https://www.binarydefense.com
#
# Note that this is for public use only.
# The ATIF feed may not be used for commercial resale or in products that are charging fees for such services.
# Use of these feeds for commerical (having others pay for a service) use is strictly prohibited.
#
#
#
`

// BDBanlist groups together the method for getting the banlist and the container for storing the banlist. 
// As well as checks if an ipaddress is in the banlist 
type BDBanlist struct{
	banlist []string
}

// Get method gets and sets banlist
func (b *BDBanlist) Get()  {
	resp, _ := http.Get("https://www.binarydefense.com/banlist.txt")
	defer resp.Body.Close()
	body, _ := ioutil.ReadAll(resp.Body) 
	s := strings.ReplaceAll(string(body), BDLicensestring, "")
	b.banlist = strings.Split(s, "\n")
}

// Contains checks if an ipaddress is in the banlist
func (b *BDBanlist) Contains(ipaddress string) bool{
	for _, banedIP := range b.banlist {
        if banedIP == ipaddress {
            return true
        }
    }
    return false
}

// Process takes a pid and checks this processes network connections for ipaddresses in the banlist
func Process(pid int, banlist *BDBanlist) {
	// create proc
	proc, err := process.Processes()
	if err != nil {
		log.Fatal("oops")
	}
	p := proc[pid]

	// get connections
	connect, err := p.Connections()
	if err != nil {
		fmt.Println("connection error")
	}
	if len(connect) > 0 {
		// loop over connections
		for _, i := range connect{
			if i.Status == "ESTABLISHED"{
				if banlist.Contains(i.Raddr.IP){
					name, _ := p.Name()
					exe, _ := p.Exe()
					fmt.Println("[!] Established connected to banded IP address.")
					fmt.Printf("    PID: %v\n    Name: %v\n    Exe: %v\n", p.Pid, name, exe)			
					fmt.Printf("    Baned IPAddress: %v\n",i.Raddr.IP)
				}
			}
	
		}
	}
}

func main() {
	// infinite loop  
	for{
		// get pids
		pids, err := process.Pids()
		if err != nil {
			log.Fatal("Shit happened!")
		}
		// get BDBanlist
		banlist := BDBanlist{}
		banlist.Get()
		// loop over pids
		for pid := range pids {
			if pid == 0 {
				continue
			}
			// check process for network connection
			Process(pid, &banlist)
		}
	}
}

In this code, I have created an infinite loop that gets the PIDs, process IDs, and loops over each one checking for an established network connection. When it finds one, it will check if the remote IP address is in the ban list. Here the ban list is from Binary Defense and one I recommend, however if you have a ban list you would like to use, it is trivial to replace.

To run this you can do the following.

To compile and run go run main.go

To build a executable binary go build

To build and install an executable binary go install