Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Using the Neutrino ip-blocklist API to test general badness of an IP - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Using the Neutrino ip-blocklist API to test general badness of an IP

There are a number of IP Reputation services available for public consumption.  A personal favorite was the Packetmail IP Rep service which unexpectedly shut down in September.  Looking for an IP reputation API to replace Packetmail in some of my scripts lead me to Neutrino and their many APIs which can be used to query many facets of an IP.  While their host-reputation API provides an adequate replacement for Packetmail, what got my attention was another Neutrino API, ip-blocklist, which, in my opinion, can be used as a wet finger estimate of potential badness of any IP.  

Once you have signed up for a Neutrino user-id and API Key, you can access the APIs through a web interface or programmatically via the APIs.  The free API account is limited by the number of queries per day, but provides enough capability for the casual user who just wants to check out an IP.  

According to the ip-blocklist API documentation:

"IP blocklist will detect the following categories of IP addresses:

  • Malware and spyware
  • Criminal netblocks
  • Tor nodes
  • Proxies and VPNs
  • Spiders
  • Bots and botnets
  • Spammers
  • Exploit scanners"

The people at Neutrino do the aggregation of the various blocklists (including DShield) and provide you an easy way of measuring the general badness of an IP.  So the next time you see an IP scanning your webserver you can run it through the Neutrino ip-blocklist API and get an idea of how nasty others think it is.

I threw together a quick python script (included below) to use the Neutrino ip-blocklist API. When the script is run for an IP on Daniel Austin's Tor Node list the resulting output is:

$python ipblocklist.py 1.172.112.36

Neutrino Blocklist Service

IP:  1.172.112.36
On Blocklist:  True
Number of Blocklists:  1
Last Seen:  2018-11-12 17:27:10
Proxy:  False
Tor:  True
VPN:  False
Malware:  False
Spyware:  False
Dshield:  False
Hijacked:  False
Spider:  False
Bot:  False
SpamBot:  False
ExploitBot:  False
List of Blocklists:
[u'tor']
 

When run for an IP on the DShield Blocklist the resulting output is:

$python ipblocklist.py 196.52.43.0

Neutrino Blocklist Service

IP:  196.52.43.0
On Blocklist:  True
Number of Blocklists:  1
Last Seen:  2018-11-11 17:25:16
Proxy:  False
Tor:  False
VPN:  False
Malware:  False
Spyware:  False
Dshield:  True
Hijacked:  False
Spider:  False
Bot:  False
SpamBot:  False
ExploitBot:  False
List of Blocklists:
[u'dshield']
 

Sorry, I was unable to find any nastier IPs to show the results, but I think you can see the potential.

---------------------- ipblocklist.py script -------------------------------------

#!/usr/bin/env python
#
import sys, getopt, argparse, requests, json
import urllib, urllib2
import time

def ipblocklist_host(ip):

   NEUTRINO_URL = 'https://neutrinoapi.com/ip-blocklist'
   NEUTRINO_USERID = '<YOUR-NEUTRINO-USERID>'
   NEUTRINO_API_KEY = '<YOUR-NEUTRINO-API-KEY>'

   NEUTRINO_PARAMS = {
      'user-id': NEUTRINO_USERID,
      'api_key': NEUTRINO_API_KEY,
      'ip': ip
   }

   req = urllib2.Request(NEUTRINO_URL, urllib.urlencode(NEUTRINO_PARAMS))
   response = urllib2.urlopen(req)
   result = json.loads(response.read())

   print "\n\nNeutrino Blocklist Service\n"
   print "IP: ", result['ip']
   print "On Blocklist: ", result['is-listed']
   print "Number of Blocklists: ", result['list-count']
   print "Last Seen: ", time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(result['last-seen']))
   print "Proxy: ", result['is-proxy']
   print "Tor: ", result['is-tor']
   print "VPN: ", result['is-vpn']
   print "Malware: ", result['is-malware']
   print "Spyware: ", result['is-spyware']
   print "Dshield: ", result['is-dshield']
   print "Hijacked: ", result['is-hijacked']
   print "Spider: ", result['is-spider']
   print "Bot: ", result['is-bot']
   print "SpamBot: ", result['is-spam-bot']
   print "ExploitBot: ", result['is-exploit-bot']
   if result['list-count'] > 0:
      print "List of Blocklists: \n", result['blocklists']

   return;

def main():

   parser = argparse.ArgumentParser()
   parser.add_argument('IP', help="IP address")
   args=parser.parse_args()

   ipblocklist_host(args.IP)

main()   # invoke main
 

P.S. I only use Python for quick and dirty tools for personal use. I am sure this script could be written a whole lot better by someone with actual skill in Python. (-;

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Rick

288 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!