
Bug#1055284: followup on use case



More notes on my use case... harpoon serves this poorly, as I explain
upstream here:

https://github.com/Te-k/harpoon/issues/190#issuecomment-1798667942

Basically, harpoon has a good `intel` command to look up the reputation
of a single IP address on multiple plugins. But that's it: it works only
on a *single* IP address, not *multiple*.

Also, it doesn't seem like it works very reliably on all backends. For
example, even though the `vt` command works, it doesn't seem to hook up
with the `intel` command.

Effectively, what harpoon fundamentally is, is a wrapper around many
backend services. The most interesting I have found are:

 * asn and the asncount command in harpoontools: ASN to name mappings
   from https://ftp.ripe.net/ripe/asnames/asn.txt,
   ftp://archive.routeviews.org/datapath/YYYYMM/ribs/XXXX
   http://archive.routeviews.org/bgpdata/%d.%02d/RIBS (from pyasn
   package)

 * dns: simple reverse/forward DNS checks, not in intel either

 * ipinfo.io: provides ASN lookups, VPN/Tor/Proxy checks

 * pulsedive.com: tor, blocklists, cryptomining, threat reports

 * threatminer.org: unclear
 
 * tor: check tor exit lists, pulls
   https://check.torproject.org/torbulkexitlist on each call (!)

 * urlhaus.abuse.ch: more malware oriented, https://threatfox.abuse.ch
   more interesting but not implemented

 * virustotal (vt command): domain, IP reputation, history, API, free to
   use but rate limited unless a premium account is requested (note that
   there's a separate RFP for the vt-cli commandline, #1034826)

Then there's a bunch more interesting resources that are not implemented
yet but that are still interesting:

 * criminalip.io: abuse records, botnet, Tor, VPN, Proxy, Hosting, CDN,
   mobile, scanner checks, requires plan to do more
   https://github.com/Te-k/harpoon/issues/184

 * crowdsec.net: federated collaborative IP reporting, free daily data
   source https://github.com/Te-k/harpoon/issues/199

 * project honeypot: lists IPs that fell into a honeypot,
   https://github.com/Te-k/harpoon/issues/64

 * proxycheck.io: simple API, Tor, Proxy, "type" (business, wireless,
   residential, etc), VPN check,
   https://github.com/Te-k/harpoon/issues/110

More services I found in my search that could be useful to tap for extra
confirmations:

 * abuseipdb.com: abuse reports

 * dronebl.org: abuse reports of "infected machines", RBL

 * check.spamhaus.org: classic spammer database, RBL

Alright, that's what I got so far!

a.

-- 
The destiny of Earthseed is to take root among the stars.
                        - Octavia Butler


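As an added example (not part of the message above and not harpoon's own code), the following Python sketch shows the shape of what the message asks for: one "intel"-style lookup run over *several* IP addresses at once, against locally cached copies of data sources the message names (the Tor bulk exit list, which harpoon re-downloads on every call, the RIPE asn.txt names file, and a prefix-to-origin-ASN table of the kind pyasn builds from a routeviews RIB). The exit list, asn.txt lines and route table below are constructed samples in the documentation address ranges, not real data, and the `Intel` class and its method names are the example's own.

```python
"""Batch IP enrichment over several locally cached sources (stdlib only)."""
import ipaddress
import re

# Constructed sample in the one-IP-per-line format of
# https://check.torproject.org/torbulkexitlist. Not real exit relays.
TOR_EXIT_LIST = """\
198.51.100.7
203.0.113.42
"""

# Constructed sample in the "ASN NAME, CC" format of
# https://ftp.ripe.net/ripe/asnames/asn.txt. Placeholder names, private ASNs.
ASN_NAMES = """\
64496 EXAMPLE-TRANSIT, ZZ
64500 EXAMPLE-HOSTING, ZZ
"""

# Constructed prefix -> origin ASN table, standing in for the lookup that
# pyasn derives from a routeviews RIB dump. Documentation prefixes only.
ROUTES = {
    "198.51.100.0/24": 64496,
    "203.0.113.0/24": 64500,
    "203.0.113.0/25": 64496,  # more specific route, must win over the /24
}


class Intel:
    """Load each source once, then answer many lookups from memory."""

    def __init__(self, tor_text, asn_text, routes):
        # Exit list: one address per line, blank lines ignored.
        self.tor_exits = {ln.strip() for ln in tor_text.splitlines() if ln.strip()}
        # asn.txt: "<asn> <name>, <cc>"; the name itself may contain commas,
        # so match the trailing ", CC" lazily from the right.
        self.asn_names = {}
        for ln in asn_text.splitlines():
            m = re.match(r"^(\d+)\s+(.*?),\s*([A-Z]{2})$", ln.strip())
            if m:
                self.asn_names[int(m.group(1))] = (m.group(2), m.group(3))
        # Routes sorted longest-prefix first so the first hit is the best one.
        self.routes = sorted(
            ((ipaddress.ip_network(p), asn) for p, asn in routes.items()),
            key=lambda t: t[0].prefixlen, reverse=True)

    def origin_asn(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, asn in self.routes:
            if addr in net:  # version mismatch (v4 vs v6) is simply False
                return asn
        return None

    def lookup(self, ip):
        """Enrich a single address; malformed input becomes an error row."""
        try:
            ipaddress.ip_address(ip)
        except ValueError as exc:
            return {"ip": ip, "error": str(exc)}
        asn = self.origin_asn(ip)
        name, cc = self.asn_names.get(asn, (None, None))
        return {"ip": ip, "tor_exit": ip in self.tor_exits,
                "asn": asn, "asn_name": name, "country": cc}

    def lookup_many(self, ips):
        """The multi-IP intel the message is missing: one row per input."""
        return [self.lookup(ip) for ip in ips]


def summarize(rows):
    """Counts a triage pass cares about: Tor exits and rows per origin ASN."""
    summary = {"tor_exits": 0, "by_asn": {}, "errors": 0}
    for r in rows:
        if "error" in r:
            summary["errors"] += 1
            continue
        summary["tor_exits"] += int(r["tor_exit"])
        summary["by_asn"][r["asn"]] = summary["by_asn"].get(r["asn"], 0) + 1
    return summary


if __name__ == "__main__":
    intel = Intel(TOR_EXIT_LIST, ASN_NAMES, ROUTES)
    sample = ["198.51.100.7", "203.0.113.42", "203.0.113.200", "192.0.2.1", "bogus"]
    rows = intel.lookup_many(sample)
    for r in rows:
        print(r)
    print(summarize(rows))
```

The point of loading every source in `__init__` and only then iterating is exactly the "pulls the exit list on each call (!)" remark: a batch of a few hundred addresses should hit the network once per source, not once per address.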