Using the command line to check IP reputation

Looking up the reputation of an IP address is one of the most frequent tasks of a SOC analyst. There are a number of online tools and scripts that do this.

However, I have always used the command line to identify whether an IP address is listed on any blacklist. The reason is that a number of online tools still show the IP as blacklisted when the actual blacklisting party, such as Spamhaus, has already removed the IP from its blacklist.

Analysts can use either scripts or the command line to get the results. nslookup, dig and host can all be used to check an IP address against known blacklist vendors. To do this, the analyst needs to know that the blacklists publish their data as DNS records, so the check is a DNS lookup of the IP under the blacklist's zone.

If an analyst is using an online tool, they can enter the actual IP address, such as 1.2.3.4. On the command line, however, the octets of the IP address have to be reversed (1.2.3.4 becomes 4.3.2.1) so that the query name matches the blacklist zone.

Samples (each checks 1.2.3.4 against zen.spamhaus.org; a listed IP returns an A record, an unlisted one returns NXDOMAIN):

nslookup 4.3.2.1.zen.spamhaus.org
host 4.3.2.1.zen.spamhaus.org
dig +short 4.3.2.1.zen.spamhaus.org A

More blacklists to check:
zen.spamhaus.org
xbl.spamhaus.org
pbl.spamhaus.org
spam.abuse.ch
cbl.abuseat.org
virbl.dnsbl.bit.nl
dnsbl.inps.de
ix.dnsbl.manitu.net
dnsbl.sorbs.net
bl.spamcannibal.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
db.wpbl.info

Site to check one IP against multiple blacklists: http://multirbl.valli.org/
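The lookup above, scripted in POSIX shell as an added example (this is not code from the original post). reverse_ip reverses the octets and rejects malformed input, check_ip queries each zone with dig +short, and classify_answer reads the answer. It assumes dig is installed and network access is available, and it reads results by the Spamhaus return-code convention (127.0.0.x means listed, 127.255.255.x means a query error such as rate limiting or a query sent through a public resolver, which is not a listing); other zones document their own codes, so treat the classification of non-Spamhaus answers as an approximation.

```shell
#!/bin/sh
# Added example, not from the original post: query DNS blacklists from the
# command line. Requires dig and network access for check_ip; reverse_ip and
# classify_answer work offline.

# Zones to consult by default (from the post's list; extend as needed).
DNSBL_ZONES="zen.spamhaus.org bl.spamcop.net dnsbl.sorbs.net"

# reverse_ip 1.2.3.4 -> 4.3.2.1
# Returns 1 (prints nothing) for anything that is not a dotted-quad IPv4.
reverse_ip() {
  ip=$1
  # Reject non-digit characters, leading/trailing dots and empty octets.
  case "$ip" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldIFS=$IFS; IFS=.
  set -- $ip
  IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
  printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# classify_answer <zone> <first A record or empty> -> one-line verdict.
# Empty answer = NXDOMAIN = not listed. 127.255.255.x is the Spamhaus
# error range (rate limit / public resolver); it must not be read as a hit.
classify_answer() {
  zone=$1; ans=$2
  case "$ans" in
    "")            echo "$zone: not listed" ;;
    127.255.255.*) echo "$zone: query error ($ans), not a listing" ;;
    127.*)         echo "$zone: LISTED ($ans)" ;;
    *)             echo "$zone: unexpected answer $ans" ;;
  esac
}

# check_ip <ipv4> [zone ...] : run the lookup against each zone.
check_ip() {
  ip=$1; shift
  rev=$(reverse_ip "$ip") || { echo "invalid IPv4 address: $ip" >&2; return 2; }
  [ $# -gt 0 ] || set -- $DNSBL_ZONES
  for zone in "$@"; do
    # +short prints only the answer section; NXDOMAIN yields no output.
    ans=$(dig +short "$rev.$zone" A 2>/dev/null | head -n 1)
    classify_answer "$zone" "$ans"
  done
}

# Usage: ./dnsbl.sh 1.2.3.4 [zone ...]   (no-op when run without arguments)
if [ -n "${1:-}" ]; then
  check_ip "$@"
fi
```

Run it against the resolver your mail or SOC tooling actually uses; a 127.255.255.x answer from zen.spamhaus.org is the signal that the query went through a public resolver or hit the free-use limit, and the IP should be re-checked rather than reported as listed.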
