IP Bulk Reporter

Instead of reporting IPs individually, you may compile a CSV of reports. This helps reduce bandwidth on both sides.

The CSV file must be under 8 MB and less than or equal to 10,000 lines, including the headings. These limits may increase in the future as we optimize software and beef up hardware.

CSV Format

Strict ordering, strict headings:

  1. IP — A valid IPv4 or IPv6 IP address.
  2. Categories — At least one category ID. Comma separated for multiple categories. See: Report Categories
  3. ReportDate — Date and time of the attack, or the earliest observation of it. Any format that strtotime() can process is permitted. However, we recommend a timezoned format such as ISO 8601, e.g. 2017-09-08T10:00:37-04:00. A time lacking a timezone will be assumed to be in our server timezone (EST).
  4. Comment — A description of the attack. Maximum 1,024 characters (bytes). NOTE: The values of this column are entirely optional. However, you must have the Comment header.

Here is a sample of a valid bulk IP file:

IP,Categories,ReportDate,Comment
89.205.125.160,"18,22",2018-12-18T10:00:37-04:00,"Failed password for invalid user odoo from 89.205.125.160 port 39121 ssh2"
123.183.209.136,"18,22",2018-12-18T11:25:11-04:00,"Did not receive identification string from 123.183.209.136 port 57192"
197.156.104.113,"14,15,18,11,10,21",2018-12-18T16:10:58+04:00,"[SMB remote code execution attempt: port tcp/445]
in blocklist.de:'listed [pop3]'
in SpamCop:'listed'
in sorbs:'listed [web], [spam]'
in Unsubscore:'listed'
*(RWIN=8192)(04:10)"

The Comment must be enclosed in double quotes (") to include commas (,) and new line separators (\n, \r, \r\n). A backslash (\) is needed to escape the enclosure. It does not escape itself.

Categories must be enclosed if there is more than one.

Max Filesize: 2 MB

You must be signed in to use the bulk reporter.
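As an added example (not AbuseIPDB's own code), a small Python module that builds a bulk-report file under the rules above: it validates the address, enforces the one-category minimum, the timezone, the 1,024-byte Comment limit and the file limits, and applies this page's enclosure rule (a backslash escapes the quote and nothing else), so a Comment ending in a backslash is rejected because it would escape the closing quote. The field order, header and sample record are taken from this page; the function names are assumptions.

```python
import ipaddress
from datetime import datetime

HEADER = "IP,Categories,ReportDate,Comment"
MAX_COMMENT_BYTES = 1024          # per Comment field
MAX_LINES = 10_000                # including the header line
MAX_FILE_BYTES = 8 * 1024 * 1024  # the 8 MB limit stated above

def enclose(value: str) -> str:
    """Enclose a field in double quotes. A backslash escapes the enclosure and,
    per the format, nothing else, so a value ending in a backslash would escape
    the closing quote; such values are rejected rather than silently mangled."""
    if value.endswith("\\"):
        raise ValueError("value cannot end in a backslash under these escaping rules")
    return '"' + value.replace('"', '\\"') + '"'

def make_row(ip: str, categories, report_date, comment: str = "") -> str:
    """Return one CSV line in the strict IP,Categories,ReportDate,Comment order.
    report_date is an ISO 8601 string or a datetime; it must carry a timezone."""
    ip = str(ipaddress.ip_address(ip))  # ValueError for anything but a valid IPv4/IPv6
    cats = [str(int(c)) for c in categories]
    if not cats:
        raise ValueError("at least one category ID is required")
    if isinstance(report_date, str):
        report_date = datetime.fromisoformat(report_date)
    if report_date.tzinfo is None:
        raise ValueError("ReportDate must carry a timezone")  # else the server assumes EST
    if len(comment.encode("utf-8")) > MAX_COMMENT_BYTES:
        raise ValueError("Comment exceeds 1,024 bytes")
    # Categories are enclosed only when there is more than one, as the format requires.
    cat_field = enclose(",".join(cats)) if len(cats) > 1 else cats[0]
    # The Comment is always enclosed so commas and newlines copied from logs are safe.
    return ",".join([ip, cat_field, report_date.isoformat(), enclose(comment)])

def build_csv(rows) -> str:
    """Join the header and rows, enforcing the size limits before any upload."""
    text = "\n".join([HEADER, *rows]) + "\n"
    if text.count("\n") > MAX_LINES:  # physical lines, so multi-line comments count
        raise ValueError("report exceeds 10,000 lines")
    if len(text.encode("utf-8")) >= MAX_FILE_BYTES:
        raise ValueError("report must be under 8 MB")
    return text

if __name__ == "__main__":  # constructed sample, copied from the record shown above
    row = make_row("89.205.125.160", [18, 22], "2018-12-18T10:00:37-04:00",
                   "Failed password for invalid user odoo from 89.205.125.160 port 39121 ssh2")
    print(build_csv([row]), end="")
```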

Collecting the Data

Attacks can easily be harvested from /var/log/secure/ or wherever you store security logs. Take a gander at a sample bash script we provide that can run daily. Run the script with your log file as the first operand and your API key as the second. The -d option may be set to perform a dry run, where the generated file will not be uploaded to our server.

e.g.

$ ./parse-logs.sh secure.log $YOUR_API_KEY

By default, you should receive a JSON response listing which reports were accepted and which were rejected. Pipe the output into jq if you'd like to peruse the response.

$ cat output.json | jq

parse-logs.sh

#!/bin/sh

# By default, this is not a dry run.
dryRun=0

# Options; a while loop will allow us to add more options in the future.
while getopts "d" opt; do
	case $opt in
		d) echo "Performing dry run. Results will not be submitted to AbuseIPDB"; dryRun=1 ;;
		\?) echo "Invalid option: -$OPTARG" >&2; exit 1 ;;
	esac
done

# Skip over the processed options.
shift $((OPTIND-1))

# Operand: the file to parse.
secureLogFile=$1
# Operand: the API key of the AbuseIPDB user.
key=$2

# Standard operand checking (quoted, so empty or space-containing values are safe).
if [ -z "$secureLogFile" ]; then
	echo "Missing input file. Aborting." >&2
	exit 1
elif [ ! -r "$secureLogFile" ]; then
	echo "File does not exist or is not readable. Aborting." >&2
	exit 1
elif [ -z "$key" ] && [ "$dryRun" -eq 0 ]; then
	echo "Missing API Key" >&2
	exit 1
fi

# pcregrep is not preinstalled on many Linux distros.
# It's shipped in the "pcre-tools" package for RedHat/Fedora. gawk is needed as well.
for cmd in pcregrep gawk; do
	if [ ! -x "$(command -v "$cmd")" ]; then
		echo "Command '$cmd' required, but is not installed. Aborting." >&2
		exit 1
	fi
done

# Pick the Unit Separator (ASCII 0x1F, octal 037, a non-printing character) to delimit the fields.
# printf is used rather than bash's $'...' quoting so the script stays valid POSIX sh.
unit_sep=$(printf '\037')

# Find the pattern matches for an invalid user:
# group 1 = syslog timestamp, group 2 = the message used as the Comment, group 3 = the IP.
pcregrep -o1 -o2 -o3 --om-separator="$unit_sep" -e '([a-zA-Z]+ [0-9]+ [0-9]+:[0-9]+:[0-9]+) .* (Invalid user [a-zA-Z0-9]+ from (([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})) port [0-9]+)' "$secureLogFile" > matches.txt

# Create CSV headers.
echo "IP,Categories,ReportDate,Comment" > report.csv

# Rearrange the order of the fields for our bulk uploader.
# IP & ReportDate generally don't need to be enclosed, but we'll play it safe.
gawk -F "$unit_sep" '{print "\""$3"\",\"18,22\",\""$1"\",\""$2"\""}' matches.txt >> report.csv

# Clean up. Comment out if you want to peruse the matches.
rm matches.txt

# Check dry run option.
if [ "$dryRun" -eq 0 ]; then
	# Report to AbuseIPDB. The multipart field name "csv" is assumed here; the file
	# uploaded is the report.csv written above.
	curl https://api.abuseipdb.com/api/v2/bulk-report \
		-F "csv=@report.csv" \
		-H "Key: $key" \
		-H "Accept: application/json" \
		> output.json
fi

exit 0
** This Document Provided By AbuseIPDB **
Source: https://www.abuseipdb.com/bulk-report