AbuseIPDB and CSF/Others

Well it seems to be working now! In my api dashboard at abuseipdb I see I have made my first report.
Now figuring out what I have reported. :rolleyes:

Still interested in: " @Brent, what happens if you run the script directly from the command line? "
 
Ok fixed the api issue. I left a $ sign!
"Key" => "$YOUR_API_KEY",
I only removed YOUR_API_KEY leaving the $ before my api key.

But still not working.
Code:
# ./abuseipdb_report.pl
Use of uninitialized value $message in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $ports in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $inout in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $trigger in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value $logs in concatenation (.) or string at ./abuseipdb_report.pl line 16.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/HTTP/Tiny.pm line 988.
{
   "errors" : [
      {
         "source" : {
            "parameter" : "ip"
         },
         "status" : 422,
         "detail" : "The ip field is required."
      }
   ]
}

Edit: Suddenly I had this thought. I'm running the script directly, but it is intended to be called by csf/lfd. Then the values might be passed.
So perhaps just wait and see if IPs are getting reported in my dashboard at abuseipdb.
@Brent, what happens if you run the script directly from the command line?
It is fed the values from csf.

If you want to run it from the cmd line, you have to put in the cmd with all the values separated by a space or commas.

cmd api key values to report
 
Thanks for all the replies.

Have you found any script enhancements? Default category is 14 --> Port scan. Can this be automated somehow by checking the report for keywords that correspond with categories?
Found an interesting hint here: AbuseIPDB.py
Check lines 81-107 and 164-174

Not happy that the servername and ip are getting reported. A simple fix would be to remove $logs from the line below, but then some valuable info is not sent.
my $comment = $message . "; Ports: " . $ports . "; Direction: " . $inout
. "; Trigger: " . $trigger . "; Logs: " . $logs;

Will dig into this, but you might have already done that.
 
If you guys want to correct your script with your family language and are grateful, you can write your own script in your language

eg. PHP SCRIPT

report_abuse.php // # [ .php ] your type of script
Code:
#!/usr/bin/php
<?php
#YOUR PHP Code here
 
@jamgames2, thanks for the suggestion but I figured it out in Perl.

Made a tiny modification to the abuseipdb_report.pl script found on https://www.abuseipdb.com/csf to remove the hostname of the server, the reported uri and host. Effectively everything from [hostname "xxx.xxx.xxx.xxx"] to the end is stripped for privacy/security reasons.

Find in the script:
Code:
my $logs = $ARGV[6];
Add directly under this line:
Code:
my $logs = $ARGV[6];
$logs =~ s/\[hostname.*/Omitted/g;

Save.

Edit: updated line (tailored for modsecurity 3.3.0):
Code:
$logs =~ s/\(Value:\s`\d.+'\s\)|\s\[data.*?\]|\s\[hostname.*?\]|\sserver:.*?,|,\shost:.*\s+/ \[redacted\]/g;
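As an added illustration (not the abuseipdb_report.pl script from the thread and not code from AbuseIPDB or csf), the following Python model covers both points raised above: the keyword-to-category idea from the earlier post, and the redaction regex just shown, ported from Perl s/// to Python's re. It builds the report payload offline and sends nothing. The positional argument names other than $ARGV[6] (logs), the keyword table, the 1024-character comment cap and the sample log line are assumptions or constructed data.

```python
"""Offline model of the csf -> AbuseIPDB reporter discussed in the thread.

Added example: builds the report payload (redacted comment, auto-chosen
categories) without sending it, so it can be run by hand with sample data.
"""
import json
import re
import sys

# Positional arguments as the thread's Perl script reads them ($ARGV[6] is the
# log excerpt). The other names follow csf's BLOCK_REPORT convention and are an
# assumption here; check them against your own csf.conf.
ARG_NAMES = ["ip", "ports", "permanent", "inout", "timetoblock",
             "message", "logs", "trigger"]

# The modsecurity 3.3.0 redaction pattern from the thread, ported from Perl
# s/// to Python's re (same alternatives, same lazy/greedy quantifiers).
REDACT_RE = re.compile(
    r"\(Value:\s`\d.+'\s\)|\s\[data.*?\]|\s\[hostname.*?\]|\sserver:.*?,|,\shost:.*\s+"
)

# Keyword -> AbuseIPDB category ids. Constructed for this example; 14 (Port
# Scan) is the default the thread's script uses. The other ids are taken from
# AbuseIPDB's published category list (22 SSH, 18 Brute-Force,
# 5 FTP Brute-Force, 21 Web App Attack).
CATEGORY_KEYWORDS = [
    (re.compile(r"ssh", re.I), [22, 18]),
    (re.compile(r"ftp", re.I), [5, 18]),
    (re.compile(r"smtp|exim|imap|pop3|dovecot", re.I), [18]),
    (re.compile(r"mod_security|modsec", re.I), [21]),
]
DEFAULT_CATEGORIES = [14]
COMMENT_MAX = 1024  # assumed cap on the AbuseIPDB comment field


def redact_logs(logs: str) -> str:
    """Apply the thread's substitution to a csf log excerpt.

    The last alternative (, host: ...) must end on whitespace, so a newline is
    guaranteed first; an excerpt that ends right after the host value would
    otherwise keep it.
    """
    text = logs if logs.endswith("\n") else logs + "\n"
    return REDACT_RE.sub(" [redacted]", text).rstrip("\n")


def pick_categories(message: str, trigger: str) -> list:
    """Choose category ids by keyword; fall back to the script's default 14."""
    haystack = f"{message} {trigger}"
    chosen = []
    for pattern, ids in CATEGORY_KEYWORDS:
        if pattern.search(haystack):
            chosen.extend(c for c in ids if c not in chosen)
    return chosen or list(DEFAULT_CATEGORIES)


def missing_fields(args: list) -> list:
    """Fields AbuseIPDB rejects when empty (the 422 'ip field is required'
    seen in the thread when the script is run with no arguments)."""
    fields = dict(zip(ARG_NAMES, args))
    return [name for name in ("ip", "message") if not fields.get(name)]


def build_report(args: list) -> dict:
    """Assemble the payload the Perl script posts, with the logs redacted."""
    missing = missing_fields(args)
    if missing:
        raise ValueError(f"missing required fields: {', '.join(missing)}")
    f = dict(zip(ARG_NAMES, args))
    comment = (f"{f['message']}; Ports: {f.get('ports', '')}; "
               f"Direction: {f.get('inout', '')}; Trigger: {f.get('trigger', '')}; "
               f"Logs: {redact_logs(f.get('logs', ''))}")
    categories = pick_categories(f["message"], f.get("trigger", ""))
    return {"ip": f["ip"],
            "categories": ",".join(str(c) for c in categories),
            "comment": comment[:COMMENT_MAX]}


# Constructed sample: a ModSecurity 3 / nginx style line carrying the server's
# own address (198.51.100.7) and the client's (203.0.113.10).
SAMPLE_LOGS = (
    "ModSecurity: Warning. Matched \"Operator `Rx' against variable "
    "`REQUEST_HEADERS:Host' (Value: `198.51.100.7' ) "
    "[file \"/etc/nginx/modsec/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [id \"920350\"] "
    "[msg \"Host header is a numeric IP address\"] [data \"198.51.100.7\"] [severity \"4\"] "
    "[ver \"OWASP_CRS/3.3.0\"] [hostname \"198.51.100.7\"] [uri \"/\"] [unique_id \"constructed\"], "
    "client: 203.0.113.10, server: example.com, request: \"GET / HTTP/1.1\", host: \"198.51.100.7\"\n"
)
SAMPLE_ARGS = ["203.0.113.10", "80,443", "1", "in", "0",
               "(mod_security) mod_security (id:920350) triggered by 203.0.113.10 (XX/-): 5 in the last 3600 secs",
               SAMPLE_LOGS, "LF_MODSEC"]

if __name__ == "__main__":
    # Run with csf's arguments, or with the constructed sample when none are given.
    print(json.dumps(build_report(sys.argv[1:] or SAMPLE_ARGS), indent=2))
```

Two things the model makes visible: running it with no arguments fails on the ip/message check before anything is sent, which is the same condition behind the 422 response posted earlier in the thread; and the `, host: ...` alternative of the regex only matches when whitespace follows the host value, so the function pads a newline before substituting.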
 