Using the Neutrino ip-blocklist API to test general badness of an IP
There are a number of IP Reputation services available for public consumption. A personal favorite was the Packetmail IP Rep service which unexpectedly shut down in September. Looking for an IP reputation API to replace Packetmail in some of my scripts lead me to Neutrino and their many APIs which can be used to query many facets of an IP. While their host-reputation API provides an adequate replacement for Packetmail, what got my attention was another Neutrino API, ip-blocklist, which, in my opinion, can be used as a wet finger estimate of potential badness of any IP.
Once you have signed up for a Neutrino user-id and API Key, you can access the APIs through a web interface or programmatically via the APIs. The free API account is limited by the number of queries per day, but provides enough capability for the casual user who just wants to check out an IP.
According to the ip-blocklist API documentation:
"IP blocklist will detect the following categories of IP addresses:
- Malware and spyware
- Criminal netblocks
- Tor nodes
- Proxies and VPNs
- Spiders
- Bots and botnets
- Spammers
- Exploit scanners"
The people at Neutrino do the aggregation of the various blocklists (including DShield) and provide you an easy way of measuring the general badness of an IP. So the next time you see an IP scanning your webserver you can run it through the Neutrino ip-blocklist API and get an idea of how nasty others think it is.
I threw together a quick python script (included below) to use the Neutrino ip-blocklist API. When the script is run for an IP on Daniel Austin's Tor Node list the resulting output is:
$python ipblocklist.py 1.172.112.36
Neutrino Blocklist Service
IP: 1.172.112.36
On Blocklist: True
Number of Blocklists: 1
Last Seen: 2018-11-12 17:27:10
Proxy: False
Tor: True
VPN: False
Malware: False
Spyware: False
Dshield: False
Hijacked: False
Spider: False
Bot: False
SpamBot: False
ExploitBot: False
List of Blocklists:
[u'tor']
When run for an IP on the DShield Blocklist the resulting output is:
$python ipblocklist.py 196.52.43.0
Neutrino Blocklist Service
IP: 196.52.43.0
On Blocklist: True
Number of Blocklists: 1
Last Seen: 2018-11-11 17:25:16
Proxy: False
Tor: False
VPN: False
Malware: False
Spyware: False
Dshield: True
Hijacked: False
Spider: False
Bot: False
SpamBot: False
ExploitBot: False
List of Blocklists:
[u'dshield']
Sorry, I was unable to find any nastier IPs to show the results, but I think you can see the potential.
---------------------- ipblocklist.py script -------------------------------------
#!/usr/bin/env python
#
import sys, getopt, argparse, requests, json
import urllib, urllib2
import time
def ipblocklist_host(ip):
NEUTRINO_URL = 'https://neutrinoapi.com/ip-blocklist'
NEUTRINO_USERID = '<YOUR-NEUTRINO-USERID>'
NEUTRINO_API_KEY = '<YOUR-NEUTRINO-API-KEY>'
NEUTRINO_PARAMS = {
'user-id': NEUTRINO_USERID,
'api_key': NEUTRINO_API_KEY,
'ip': ip
}
req = urllib2.Request(NEUTRINO_URL, urllib.urlencode(NEUTRINO_PARAMS))
response = urllib2.urlopen(req)
result = json.loads(response.read())
print "\n\nNeutrino Blocklist Service\n"
print "IP: ", result['ip']
print "On Blocklist: ", result['is-listed']
print "Number of Blocklists: ", result['list-count']
print "Last Seen: ", time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(result['last-seen']))
print "Proxy: ", result['is-proxy']
print "Tor: ", result['is-tor']
print "VPN: ", result['is-vpn']
print "Malware: ", result['is-malware']
print "Spyware: ", result['is-spyware']
print "Dshield: ", result['is-dshield']
print "Hijacked: ", result['is-hijacked']
print "Spider: ", result['is-spider']
print "Bot: ", result['is-bot']
print "SpamBot: ", result['is-spam-bot']
print "ExploitBot: ", result['is-exploit-bot']
if result['list-count'] > 0:
print "List of Blocklists: \n", result['blocklists']
return;
def main():
parser = argparse.ArgumentParser()
parser.add_argument('IP', help="IP address")
args=parser.parse_args()
ipblocklist_host(args.IP)
main() # invoke main
P.S. I only use Python for quick and dirty tools for personal use. I am sure this script could be written a whole lot better by someone with actual skill in Python. (-;
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Comments
www
Nov 17th 2022
4 months ago
EEW
Nov 17th 2022
4 months ago
qwq
Nov 17th 2022
4 months ago
mashood
Nov 17th 2022
4 months ago
isc.sans.edu
Nov 23rd 2022
3 months ago
isc.sans.edu
Nov 23rd 2022
3 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
2 months ago
isc.sans.edu
Dec 26th 2022
2 months ago