Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Using the Neutrino ip-blocklist API to test general badness of an IP

Published: 2018-11-12
Last Updated: 2018-11-12 22:43:45 UTC
by Rick Wanner (Version: 1)
0 comment(s)

There are a number of IP Reputation services available for public consumption.  A personal favorite was the Packetmail IP Rep service which unexpectedly shut down in September.  Looking for an IP reputation API to replace Packetmail in some of my scripts lead me to Neutrino and their many APIs which can be used to query many facets of an IP.  While their host-reputation API provides an adequate replacement for Packetmail, what got my attention was another Neutrino API, ip-blocklist, which, in my opinion, can be used as a wet finger estimate of potential badness of any IP.  

Once you have signed up for a Neutrino user-id and API Key, you can access the APIs through a web interface or programmatically via the APIs.  The free API account is limited by the number of queries per day, but provides enough capability for the casual user who just wants to check out an IP.  

According to the ip-blocklist API documentation:

"IP blocklist will detect the following categories of IP addresses:

  • Malware and spyware
  • Criminal netblocks
  • Tor nodes
  • Proxies and VPNs
  • Spiders
  • Bots and botnets
  • Spammers
  • Exploit scanners"

The people at Neutrino do the aggregation of the various blocklists (including DShield) and provide you an easy way of measuring the general badness of an IP.  So the next time you see an IP scanning your webserver you can run it through the Neutrino ip-blocklist API and get an idea of how nasty others think it is.

I threw together a quick python script (included below) to use the Neutrino ip-blocklist API. When the script is run for an IP on Daniel Austin's Tor Node list the resulting output is:

$python ipblocklist.py 1.172.112.36

Neutrino Blocklist Service

IP:  1.172.112.36
On Blocklist:  True
Number of Blocklists:  1
Last Seen:  2018-11-12 17:27:10
Proxy:  False
Tor:  True
VPN:  False
Malware:  False
Spyware:  False
Dshield:  False
Hijacked:  False
Spider:  False
Bot:  False
SpamBot:  False
ExploitBot:  False
List of Blocklists:
[u'tor']
 

When run for an IP on the DShield Blocklist the resulting output is:

$python ipblocklist.py 196.52.43.0

Neutrino Blocklist Service

IP:  196.52.43.0
On Blocklist:  True
Number of Blocklists:  1
Last Seen:  2018-11-11 17:25:16
Proxy:  False
Tor:  False
VPN:  False
Malware:  False
Spyware:  False
Dshield:  True
Hijacked:  False
Spider:  False
Bot:  False
SpamBot:  False
ExploitBot:  False
List of Blocklists:
[u'dshield']
 

Sorry, I was unable to find any nastier IPs to show the results, but I think you can see the potential.

---------------------- ipblocklist.py script -------------------------------------

#!/usr/bin/env python
#
import sys, getopt, argparse, requests, json
import urllib, urllib2
import time

def ipblocklist_host(ip):

   NEUTRINO_URL = 'https://neutrinoapi.com/ip-blocklist'
   NEUTRINO_USERID = '<YOUR-NEUTRINO-USERID>'
   NEUTRINO_API_KEY = '<YOUR-NEUTRINO-API-KEY>'

   NEUTRINO_PARAMS = {
      'user-id': NEUTRINO_USERID,
      'api_key': NEUTRINO_API_KEY,
      'ip': ip
   }

   req = urllib2.Request(NEUTRINO_URL, urllib.urlencode(NEUTRINO_PARAMS))
   response = urllib2.urlopen(req)
   result = json.loads(response.read())

   print "\n\nNeutrino Blocklist Service\n"
   print "IP: ", result['ip']
   print "On Blocklist: ", result['is-listed']
   print "Number of Blocklists: ", result['list-count']
   print "Last Seen: ", time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(result['last-seen']))
   print "Proxy: ", result['is-proxy']
   print "Tor: ", result['is-tor']
   print "VPN: ", result['is-vpn']
   print "Malware: ", result['is-malware']
   print "Spyware: ", result['is-spyware']
   print "Dshield: ", result['is-dshield']
   print "Hijacked: ", result['is-hijacked']
   print "Spider: ", result['is-spider']
   print "Bot: ", result['is-bot']
   print "SpamBot: ", result['is-spam-bot']
   print "ExploitBot: ", result['is-exploit-bot']
   if result['list-count'] > 0:
      print "List of Blocklists: \n", result['blocklists']

   return;

def main():

   parser = argparse.ArgumentParser()
   parser.add_argument('IP', help="IP address")
   args=parser.parse_args()

   ipblocklist_host(args.IP)

main()   # invoke main
 

P.S. I only use Python for quick and dirty tools for personal use. I am sure this script could be written a whole lot better by someone with actual skill in Python. (-;

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Community contribution: joining forces or multiply solutions?
Nov 11th 2018
1 day ago by Pasquale Stirparo (1 comment)

Video: CyberChef: BASE64/XOR Recipe
Nov 10th 2018
2 days ago by DidierStevens (0 comments)

Playing with T-POT
Nov 9th 2018
4 days ago by Tom (3 comments)

Tunneling scanners (or really anything) over SSH
Nov 7th 2018
5 days ago by Bojan (3 comments)

Malicious Powershell Script Dissection
Nov 6th 2018
6 days ago by Xme (0 comments)

View All Diaries →

Latest Discussions

Mobile Forensics tools - suggestions?
created Oct 8th 2018
1 month ago by Gary (0 replies)

issues with webpy service
created Oct 1st 2018
1 month ago by Alvaro (0 replies)

Pi Honeypot
created Oct 1st 2018
1 month ago by Alvaro (0 replies)

Attempting to report (msg body missing) -- Powershell malware in zip with jpg
created Sep 10th 2018
2 months ago by W60 (0 replies)

SSL Labs vs. SecurityHeaders.io
created Sep 7th 2018
2 months ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
10 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)