This topic has been haunting me for quite a while. As an information security guy, I get tons of reports about endpoint activities. One of them is the website IPs or URLs the endpoints were accessing. A typical abnormal network behaviour for an infected or compromised endpoint is a huge number of connections to malicious IPs or bad-reputation websites.
For many investigations, I can generate an IP list, but quickly finding out the reputation of each IP is a challenge for me.
That is why I am writing this post today. I am still checking those websites and scripts; hopefully I can get a good understanding and then come up with my own script to do this job.
Here are some good online resources:
https://www.bulkblacklist.com/ – Simple IP and Domain Reputation Tracking System – mostly focused on email reputation. It uses the following online services to do a search:
[root@linux-centos-client1 ~]# yum install git
[root@linux-centos-client1 ~]# rm -r -d -f TekDefense-Automater/
[root@linux-centos-client1 ~]# git clone https://github.com/1aN0rmus/TekDefense-Automater.git
Cloning into 'TekDefense-Automater'...
remote: Enumerating objects: 260, done.
remote: Total 260 (delta 0), reused 0 (delta 0), pack-reused 260
Receiving objects: 100% (260/260), 136.82 KiB | 0 bytes/s, done.
Resolving deltas: 100% (143/143), done.
[root@linux-centos-client1 ~]# ls
[root@linux-centos-client1 ~]# cd TekDefense-Automater/
[root@linux-centos-client1 TekDefense-Automater]# ls
Automater.py inputs.py outputs.py siteinfo.py tekdefense.xml
docs LICENSE README.md sites.xml utilities.py
[root@linux-centos-client1 TekDefense-Automater]# python Automater.py -h
[root@linux-centos-client1 TekDefense-Automater]# python Automater.py test.txt -o test.out -c test.csv -w test.html -d 10
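Automater reads its targets from test.txt, one per line. The script below is an added example, not part of the original post or of the Automater project: it builds that input file from raw endpoint connection logs (constructed sample lines in a hypothetical key=value format), drops internal and malformed addresses, counts how often each remaining IP was contacted, and flags any that appear on a local blocklist (also constructed) before the online lookup is run.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample endpoint log lines (hypothetical key=value format);
# the RFC 5737 documentation ranges stand in for Internet addresses.
SAMPLE_LOG = """\
2019-03-01T10:00:01 host=pc-17 src=10.0.0.5 dst=203.0.113.10 dport=443
2019-03-01T10:00:02 host=pc-17 src=10.0.0.5 dst=203.0.113.10 dport=443
2019-03-01T10:00:05 host=pc-17 src=10.0.0.5 dst=10.0.0.1 dport=53
2019-03-01T10:00:09 host=pc-22 src=10.0.0.9 dst=198.51.100.7 dport=80
2019-03-01T10:00:11 host=pc-22 src=10.0.0.9 dst=127.0.0.1 dport=8080
2019-03-01T10:00:13 host=pc-22 src=10.0.0.9 dst=999.1.1.1 dport=443
2019-03-01T10:00:15 host=pc-22 src=10.0.0.9 dst=192.0.2.55 dport=443
"""
# Constructed local blocklist standing in for a downloaded reputation feed.
LOCAL_BLOCKLIST = {"203.0.113.10"}
# Ranges that never need a reputation lookup. (ip.is_global would be simpler,
# but it also rejects the documentation ranges used in the sample above.)
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "224.0.0.0/4", "0.0.0.0/8")]                       # multicast, "this" network
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")

def routable_dsts(lines):
    """Yield destination IPs worth looking up; malformed and internal ones are skipped."""
    for m in filter(None, map(DST_RE.search, lines)):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if not any(ip in net for net in NOISE_NETS):
            yield str(ip)

def summarize(log_text, blocklist=LOCAL_BLOCKLIST):
    """Return {ip: (hit_count, on_blocklist)}, most-contacted first."""
    counts = Counter(routable_dsts(log_text.splitlines()))
    return {ip: (n, ip in blocklist) for ip, n in counts.most_common()}

def write_automater_input(summary, path="test.txt"):
    """Write one target per line, the input file the Automater command above reads."""
    with open(path, "w") as fh:
        fh.writelines(ip + "\n" for ip in summary)
    return len(summary)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)  # {'203.0.113.10': (2, True), ...}
    print(result, "targets written:", write_automater_input(result))
```

Blocklisted or high-count addresses at the top of the summary are the ones to prioritise when the Automater results come back.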