Bulk report format

Bulk report python script for Linux auth log

IPThreat allows two csv formats for bulk reporting bad ips. For both formats, headers are required and must be in the exact order.

• Max payload is 2 megabytes.
• Duplicate submissions will be consolidated.
• If a value contains a comma, you must use double quote (") around the value.
• If a value contains a quote, you must escape the quote with a backslash.
• Backslashes must be escaped with a second backslash.

IPThreat format (IP,Counter,Flags,Notes,SystemAttacked,Timestamp)

• IP (String): The offending ip address. Accepts ipv4 or ipv6 notation.
• Counter (Integer): The number of attacks aggregated. Accepts values of 1-10. If left empty, 1 will be used.
• Flags (Integer or String): Integers can be a bitwise OR. String can be comma separated. Here are the possible values:
  • Dns (1): Abuse/attack of dns (domain name server)
  • Fraud (2): General fraud, whether orders, misuse of payment info, etc
  • DDos (4): Distributed denial of service attack, whether through http requests, large ping attack, etc
  • BruteForce (8): Brute force login attack
  • Proxy (16): IP is a proxy like TOR or other proxy server
  • Spam (32): Email, comment or other type of spam
  • Vpn (64): IP is part of a VPN
  • Hacking (128): General hacking outside of brute force attack (includes vulnerability scans, sql injection, etc.). Use port scan flag instead if it's just probe on ports.
  • BadBot (256): Bad bot that is not honoring robots.txt or just flooding with too many requests, etc
  • Compromised (512): The ip has been taken over by malware or botnet
  • Phishing (1024): The ip is involved in phishing or spoofing
  • Iot (2048): The ip has targetted an iot (Internet of Things) device
  • PortScan (4096): Port scan
• Notes (String): Max chars is 1000. Ok to leave blank. Can contain short log snippet or other useful information. Please remove timestamps and user names and any other user identifiable information.
• SystemAttacked (String): Short acronym (or app name) for attacked system, i.e. RDP, SSH, SMTP, MYSQL, etc. 32 char max.
• Timestamp (String): Timestamp of when the attack took place. Most date formats will be accepted, but for best chance of accuracy, use ISO-8601 YYYY-MM-DDTHH:MM:SSZ format.

IP,Counter,Flags,Notes,SystemAttacked,Timestamp
50.51.51.52,1,Hacking,RDP failed login,RDP,2022-06-10T01:02:03Z
50.51.51.55,2,DDOS,,PHP,2022-06-10T03:02:03Z
50.51.51.65,2,"BruteForce,Compromised",Machine compromised by malware,SSH,2022-06-10T05:02:03Z
50.51.51.72,1,4224,Port scan 22; login failed,SSH,2022-06-10T07:02:03Z
70.71.72.73,5,"Fraud,Phishing",Mass email impersonating cfo,SMTP,2022-06-10T09:03:04Z

Abuse ip db format (IP,Categories,ReportDate,Comment). Learn more about abuse ip db format.