Bug#1055284: followup on use case
More notes on my use case... harpoon serves this poorly, as I explain
upstream here:
https://github.com/Te-k/harpoon/issues/190#issuecomment-1798667942
Basically, harpoon has a good `intel` command to lookup the reputation
of a single IP address on multiple plugins. But that's it: it works only
on a *single* IP address, not *multiple*.
Also, it doesn't seem like it works very reliably on all backends. For
example, even though the `vt` command works, it doesn't seem to hook up
with the `intel` command.
Effectively, what harpoon fundamentally is is a wrapper around many
backend services. The most interesting I have found are:
* asn and the asncount command in harpoontools: ASN to name mappings
  from https://ftp.ripe.net/ripe/asnames/asn.txt, and (from the pyasn
  package) ftp://archive.routeviews.org/datapath/YYYYMM/ribs/XXXX and
  http://archive.routeviews.org/bgpdata/%d.%02d/RIBS
* dns: simple reverse/forward DNS checks, not in intel either
* ipinfo.io: provides ASN lookups, VPN/Tor/Proxy checks
* pulsedive.com: tor, blocklists, cryptomining, threat reports
* threatminer.org: unclear
* tor: check tor exit lists, pulls
https://check.torproject.org/torbulkexitlist on each call (!)
* urlhaus.abuse.ch: more malware oriented, https://threatfox.abuse.ch
more interesting but not implemented
* virustotal (vt command): domain, IP reputation, history, API, free to
use but rate limited unless a premium account is requested (note that
there's a separate RFP for the vt-cli commandline, #1034826)
Then there are a bunch more interesting resources that are not
implemented yet but that are still interesting:
* criminalip.io: abuse records, botnet, Tor, VPN, Proxy, Hosting, CDN,
mobile, scanner checks, requires plan to do more
https://github.com/Te-k/harpoon/issues/184
* crowdsec.net: federated collaborative IP reporting, free daily data
source https://github.com/Te-k/harpoon/issues/199
* project honeypot: lists IPs that fell into a honeypot,
https://github.com/Te-k/harpoon/issues/64
* proxycheck.io: simple API, Tor, Proxy, "type" (business, wireless,
residential, etc), VPN check,
https://github.com/Te-k/harpoon/issues/110
More services I found in my search that could be useful to tap for extra
confirmations:
* abuseipdb.com: abuse reports
* dronebl.org: abuse reports of "infected machines", RBL
* check.spamhaus.org: classic spammer database, RBL
Alright, that's what I got so far!
a.
--
The destiny of Earthseed is to take root among the stars.
- Octavia Butler
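A worked example of the batch lookup the message above says harpoon's `intel` command lacks, added here as illustration; it is not harpoon's code nor the bug reporter's. It enriches a list of IPs offline from local copies of three of the sources listed: RIPE's asn.txt (ASN to name), a prefix-to-origin-ASN table of the kind pyasn derives from RouteViews RIB dumps, and the Tor bulk exit list. All three inputs are constructed samples using documentation-reserved addresses and ASNs; the "<ASN> <name>, <CC>" line layout assumed for asn.txt and the "<prefix> <asn>" layout of the prefix table are assumptions, not something the bug report states.

```python
"""Batch IP enrichment from local data files (added example, not harpoon code).
Assumed formats: asn.txt as "<ASN> <name>, <CC>" per line, prefix table as
"<prefix> <asn>" per line, Tor exit list as one address per line."""
import ipaddress
import sys
from typing import Dict, List, Optional, Set

# Constructed sample in the assumed asn.txt layout (ASNs 64496-64511 are
# reserved for documentation, as are 203.0.113.0/24 and 198.51.100.0/24).
ASN_NAMES_TXT = """\
64496 EXAMPLE-NET-ONE, US
64497 EXAMPLE-HOSTING, DE
64498 EXAMPLE-ISP, CA
"""

# Constructed prefix -> origin ASN table, deliberately overlapping so that
# longest-prefix matching matters (the /25 must win over the /24).
PREFIX_TABLE_TXT = """\
203.0.113.0/24 64496
203.0.113.128/25 64497
198.51.100.0/24 64498
"""

# Constructed stand-in for a saved torbulkexitlist: one exit IP per line.
TOR_EXIT_LIST_TXT = """\
# constructed sample, not a real exit list
198.51.100.7
203.0.113.200
"""


def parse_asn_names(text: str) -> Dict[int, str]:
    """Map ASN -> registered name; skips blank, comment and malformed lines."""
    names: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        asn, _, name = line.partition(" ")
        if asn.isdigit() and name:
            names[int(asn)] = name.strip()
    return names


def parse_prefix_table(text: str) -> List[tuple]:
    """Parse "<prefix> <asn>" lines, sorted longest prefix first so the first
    hit in lookup_asn() is the most specific route."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue  # malformed prefix: skip it rather than abort the batch
        table.append((net, int(parts[1])))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def parse_exit_list(text: str) -> Set[str]:
    """One exit address per line, normalised through ipaddress (IPv6 case and
    zero compression) so membership tests compare like with like."""
    exits: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue
    return exits


def lookup_asn(ip: str, table: List[tuple]) -> Optional[int]:
    """Longest-prefix match; None when no route covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr.version == net.version and addr in net:
            return asn
    return None


def enrich(ips: List[str], names: Dict[int, str], table: List[tuple],
           exits: Set[str]) -> List[dict]:
    """One record per input IP; a bad input is reported, not fatal."""
    results = []
    for raw in ips:
        raw = raw.strip()
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            results.append({"ip": raw, "error": "not an IP address"})
            continue
        asn = lookup_asn(ip, table)
        results.append({"ip": ip, "asn": asn, "as_name": names.get(asn),
                        "tor_exit": ip in exits})
    return results


def enrich_with_samples(ips: List[str]) -> List[dict]:
    """Convenience wrapper over the constructed sample data above."""
    return enrich(ips, parse_asn_names(ASN_NAMES_TXT),
                  parse_prefix_table(PREFIX_TABLE_TXT),
                  parse_exit_list(TOR_EXIT_LIST_TXT))


if __name__ == "__main__":
    # Usage: python enrich.py IP [IP ...]  (defaults to a constructed batch)
    batch = sys.argv[1:] or ["203.0.113.200", "198.51.100.7", "192.0.2.1", "nope"]
    for rec in enrich_with_samples(batch):
        print(rec)
```

Reading the three lists from disk instead of the embedded strings is the only change needed to run this against real downloads, and keeping them local addresses the complaint above about re-fetching the Tor exit list on every call.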