Nmap Development mailing list archives

Re: [NSE] malicious-ip script


From: Toni Ruottu <toni.ruottu () iki fi>
Date: Mon, 4 Jul 2011 09:59:20 +0300

I like the idea. However, typically we would want multiple scripts
rather than one. This script should probably be split into one for
each database. That way the user can choose to run just the ones he
prefers. The names should be of form ip-malicious-<database name>. So
for Zeustracker you might want to use ip-malicious-zeustracker. The
user can then choose to run all ip scripts by stating ip-* on the
command line. The user can also choose all ip based maliciousness
checks by stating ip-malicious-*. We just had a similar case with
ip-geolocation-*.

On Mon, Jul 4, 2011 at 2:40 AM, Hani Benhabiles <kroosec () gmail com> wrote:
Hello list,

Attached is a script that searches for the host IP address in known
malicious IP address databases like ZeusTracker. It's inspired by the ArcOSI
tool. [1]

Example of use:
---
-- @usage
-- nmap --script=malicious-ip.nse <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
--|_malicious-ip: IP indexed as malicious

In debug mode, it tells in which databases the IP address is found.
NSE: x.x.x.x found in
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

I'm thinking about adding domain searching either in the same script or in a
separate one. Comments are most welcome.

#Hani

[1] http://code.google.com/p/arcosi/

--
M. Hani Benhabiles
Twitter: @kroosec

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


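To make the structure Toni proposes concrete, here is a skeleton of what one of the per-feed scripts (ip-malicious-zeustracker, following the ip-malicious-<database name> convention) could look like. This is an added example, not the script Hani attached and not code from the Nmap project; it assumes the current NSE library API (http.get_url, stdnse.get_script_args, stdnse.debug1, nmap.registry, nmap.mutex) and reuses the feed URL quoted in the thread. Note that abuse.ch has since retired the ZeuS Tracker feed, so the URL is kept only because it is the one under discussion; a real script would point at a live feed. Lines starting with "#" and blank lines in the feed are skipped, which is the format the abuse.ch text blocklists used.

```lua
-- ip-malicious-zeustracker.nse (example skeleton, not the attached script)
local http   = require "http"
local nmap   = require "nmap"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Checks whether the target's IP address appears on the abuse.ch ZeuS Tracker
IP blocklist. One script per feed, so that a user can pick a single feed or
run every feed with --script ip-malicious-*.
]]

---
-- @usage
-- nmap -sn --script ip-malicious-zeustracker <target>
-- @output
-- Host script results:
-- |_ip-malicious-zeustracker: 198.51.100.7 listed in ZeusTracker ipblocklist
-- @args ip-malicious-zeustracker.ip Check this address instead of the target's.

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"external", "safe", "discovery"}

-- Feed URL as quoted in the thread (the feed itself has since been retired).
local FEED_URL = "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"

-- Parse the feed body into a set of IPv4 strings. Comment lines ("# ...")
-- and blank lines are skipped. Kept as a separate function so the parser can
-- be exercised without network access.
function parse_blocklist(body)
  local set = {}
  for line in string.gmatch(body, "[^\r\n]+") do
    line = line:match("^%s*(.-)%s*$")          -- trim surrounding whitespace
    if line ~= "" and not line:match("^#")
       and line:match("^%d+%.%d+%.%d+%.%d+$") then
      set[line] = true
    end
  end
  return set
end

-- Fetch the feed once per scan and cache it in nmap.registry; the mutex keeps
-- parallel host scripts from all fetching it at the same time.
local function get_blocklist()
  local mutex = nmap.mutex("ip-malicious-zeustracker")
  mutex("lock")
  if not nmap.registry.ip_malicious_zeustracker then
    local resp = http.get_url(FEED_URL)
    if resp and resp.status == 200 and resp.body then
      nmap.registry.ip_malicious_zeustracker = parse_blocklist(resp.body)
    else
      stdnse.debug1("could not fetch %s (status %s)", FEED_URL,
                    resp and tostring(resp.status) or "nil")
      nmap.registry.ip_malicious_zeustracker = {}   -- avoid retrying per host
    end
  end
  mutex("done")
  return nmap.registry.ip_malicious_zeustracker
end

-- Run once per host (use -sn so no port scan is needed).
hostrule = function(host)
  return host.ip ~= nil
end

action = function(host)
  local ip = stdnse.get_script_args(SCRIPT_NAME .. ".ip") or host.ip
  local listed = get_blocklist()
  if listed[ip] then
    return string.format("%s listed in ZeusTracker ipblocklist", ip)
  end
  -- Only report hits; say where we looked when debugging, as the original does.
  stdnse.debug1("%s not found in %s", ip, FEED_URL)
  return nil
end
```

The per-feed split means each script carries its own feed URL, parser and cache key, and a user who only trusts one source can run just that one, while ip-malicious-* still selects the whole family. Fetching the feed once into nmap.registry rather than once per host is the main thing to get right when the scan covers many targets.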