More notes on my use case... harpoon serves this poorly, as I explain upstream here:

https://github.com/Te-k/harpoon/issues/190#issuecomment-1798667942

Basically, harpoon has a good `intel` command to look up the reputation of a single IP address on multiple plugins. But that's it: it works only on a *single* IP address, not *multiple*. Also, it doesn't seem like it works very reliably on all backends. For example, even though the `vt` command works, it doesn't seem to hook up with the `intel` command.

Effectively, what harpoon fundamentally is is a wrapper around many backend services. The most interesting I have found are:

* asn and the asncount command in harpoontools: ASN to name mappings from https://ftp.ripe.net/ripe/asnames/asn.txt, ftp://archive.routeviews.org/datapath/YYYYMM/ribs/XXXX http://archive.routeviews.org/bgpdata/%d.%02d/RIBS (from pyasn package)
* dns: simple reverse/forward DNS checks, not in intel either
* ipinfo.io: provides ASN lookups, VPN/Tor/Proxy checks
* pulsedive.com: tor, blocklists, cryptomining, threat reports
* threatminer.org: unclear
* tor: check tor exit lists, pulls https://check.torproject.org/torbulkexitlist on each call (!)
* urlhaus.abuse.ch: more malware oriented, https://threatfox.abuse.ch more interesting but not implemented
* virustotal (vt command): domain, IP reputation, history, API, free to use but rate limited unless a premium account is requested (note that there's a separate RFP for the vt-cli commandline, #1034826)

Then there's a bunch more interesting resources that are not implemented yet but that are still interesting:

* criminalip.io: abuse records, botnet, Tor, VPN, Proxy, Hosting, CDN, mobile, scanner checks, requires plan to do more https://github.com/Te-k/harpoon/issues/184
* crowdsec.net: federated collaborative IP reporting, free daily data source https://github.com/Te-k/harpoon/issues/199
* project honeypot: lists IPs that fell into a honeypot, https://github.com/Te-k/harpoon/issues/64
* proxycheck.io: simple API, Tor, Proxy, "type" (business, wireless, residential, etc), VPN check, https://github.com/Te-k/harpoon/issues/110

More services I found in my search that could be useful to tap for extra confirmations:

* abuseipdb.com: abuse reports
* dronebl.org: abuse reports of "infected machines", RBL
* check.spamhaus.org: classic spammer database, RBL

Alright, that's what I got so far!

a.

--
The destiny of Earthseed is to take root among the stars.
                        - Octavia Butler
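The two limits noted above for the tor backend (one address per lookup, exit list downloaded on each call) can be avoided by fetching the list once and checking many addresses against it. This is an added example, not part of the original message and not harpoon's code; the `TorExitCache` class, its TTL, and the one-address-per-line list format are assumptions, and the sample list is constructed from documentation address ranges.

```python
import ipaddress
import time
from urllib.request import urlopen

TOR_EXIT_URL = "https://check.torproject.org/torbulkexitlist"  # URL from the message above

class TorExitCache:
    """Hypothetical helper: download the exit list once, answer many lookups."""

    def __init__(self, fetch=None, ttl=3600):
        self._fetch = fetch or self._download  # injectable so it can run offline
        self._ttl = ttl                        # seconds before a refresh (assumed value)
        self._loaded_at = None
        self._exits = frozenset()
        self.fetch_count = 0                   # how many times the list was pulled

    @staticmethod
    def _download():
        with urlopen(TOR_EXIT_URL, timeout=30) as resp:
            return resp.read().decode("ascii", "replace")

    def _refresh_if_stale(self):
        now = time.monotonic()
        if self._loaded_at is not None and now - self._loaded_at < self._ttl:
            return
        exits = set()
        for line in self._fetch().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                exits.add(ipaddress.ip_address(line))
            except ValueError:
                continue  # ignore anything that is not a bare address
        self._exits = frozenset(exits)
        self._loaded_at = now
        self.fetch_count += 1

    def check_many(self, addresses):
        """Return {input: True/False/None}; None marks an unparsable input."""
        self._refresh_if_stale()
        result = {}
        for raw in addresses:
            try:
                result[raw] = ipaddress.ip_address(raw.strip()) in self._exits
            except ValueError:
                result[raw] = None
        return result

# Constructed sample list (documentation ranges, not real exit nodes)
SAMPLE_LIST = "192.0.2.10\n198.51.100.7\n\n203.0.113.99\n"
```

Calling `TorExitCache().check_many(...)` without a `fetch` argument pulls the live list once per TTL window instead of once per address.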