
Ipscout

Host threat aggregator for network administrators and security analysts.


IPScout

IPScout is a command-line tool for security analysts to enrich IP addresses with their origin and threat ratings. All of the host reputation providers require registration but each of them offers a free tier.

Features

  • Query multiple reputation and hosting providers concurrently
  • Cache provider metadata and lookup results
  • Manage cached data with ipscout cache
  • Show or output configuration with ipscout config
  • Rate hosts using ipscout rate, optionally with AI assistance
  • Supports Zscaler IP range lookups

Output

format

Results are displayed in a table by default but can also be output as JSON using the --output flag.

style

Table styles include ascii (for basic terminals), cyan, red, yellow, green, blue, and can be specified in the config.yaml file or with the --style flag. Examples:

Providers

IPScout supports multiple well known sources. You can also provide custom sources with the Annotated and IPURL providers.

Provider data and search results can be cached to reduce API calls and improve performance.

| Provider | Category | Notes |
|:-----------------------------|:----------------:|:---------------------:|
| AbuseIPDB | IP Reputation | Registration required |
| Annotated | User Provided | - |
| Apple iCloud Private Relay | Anonymiser | - |
| AWS | Hosting Provider | - |
| Azure | Hosting Provider | - |
| Azure WAF | WAF | Azure access required |
| Bingbot | Web crawler | - |
| CriminalIP | IP Reputation | Registration required |
| DigitalOcean | Hosting Provider | - |
| GCP | Hosting Provider | - |
| Google | Hosting Provider | - |
| Google Special-case crawlers | Web crawler | - |
| Googlebot | Web crawler | - |
| Hetzner | Hosting Provider | - |
| IPAPI | IP Geolocation | - |
| IPQualityScore | IP Reputation | Registration required |
| IPURL | User Provided | - |
| Linode | Hosting Provider | - |
| OVH | Hosting Provider | - |
| PTR | DNS | - |
| Scaleway | Hosting Provider | - |
| Vultr | Hosting Provider | - |
| Shodan | IP Reputation | Registration required |
| VirusTotal | IP Reputation | Registration required |
| Zscaler | Security | - |

Installation

Binaries for macOS, Linux and Windows are available on the releases page.

macOS - Homebrew

$ brew tap jonhadfield/ipscout
$ brew install ipscout

Linux

Install latest release.

curl -sL https://raw.githubusercontent.com/jonhadfield/ipscout/add_install_script/install | sh

other distributions

Download the latest release from the releases page.

Build from source

Go 1.24 or later is required to compile ipscout. Clone the repository and run:

go build ./...

This will create an ipscout binary in the current directory.

Usage

$ ipscout <host>

<host> can be an IP address or a fully qualified domain name.

Additional commands are available:

$ ipscout cache    # manage cached results
$ ipscout config   # view or output configuration
$ ipscout rate     # rate a host using provider data

Configuration

A default configuration is created on first run and located at: $HOME/.config/ipscout/config.yaml.

Some configuration can be overridden on the command line; see ipscout --help.

---
global:
  indent_spaces: 2      # number of spaces to indent output
  max_value_chars: 300  # limit the number of characters output in results
  max_age: 90d          # maximum age of reports to consider
  max_reports: 5        # maximum number of reports to display
  ports: ["443/tcp"]    # filter results by port [tcp,udp,443/tcp,...]
  output: table         # output format: table or json
  style: cyan           # output style [ascii, cyan, green, yellow, red, blue]

providers:
# list of providers with their configurations below...

Providers

Providers are configured in the config.yaml file. A number of providers are enabled by default, but can be disabled by setting enabled: false.

AbuseIPDB

This provider queries the AbuseIPDB API for information on an IP address, including a threat confidence score and any reports filed against it. A free plan exists for individuals, with a limit of 1000 requests per day.

Environment variable ABUSEIPDB_API_KEY must be set with your API key.

providers:
  abuseipdb:
    enabled: false

Annotated

The Annotated provider parses one or more user-provided files containing prefixes and accompanying annotations.

---
- prefixes: [ "20.20.20.0/24", "20.20.21.0/24" ]
  annotations:
    - date: 2024/04/19 18:58
      author: john doe <john.doe@example.com>
      notes:
        - My First Annotation
        - My Second Annotation
- prefixes: [ "9.9.9.9/32" ]
  annotations:
    - date: 2024/04/19 19:00
      author: jane doe <jane.does@example.com>
      notes:
        - Another Annotation

A list of files can be specified in the provider's paths section:

providers:
  annotated:
    enabled: true
    paths:
      - /path/to/file.yaml
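
The lookup such an annotations file implies, as an added example in Go (not ipscout's own code): the hypothetical types `Entry` and `Annotation` mirror the file's fields, and the sample reproduces the two entries shown above. Rejecting prefixes with host bits set is this example's own strictness, not documented ipscout behaviour, and the function takes an IP address only, not a domain name.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Annotation and Entry mirror the annotations file; the type names are hypothetical.
type Annotation struct {
	Date, Author string
	Notes        []string
}
type Entry struct {
	Prefixes    []string
	Annotations []Annotation
}

// Constructed sample: the two entries from the annotations file shown above.
var sample = []Entry{
	{[]string{"20.20.20.0/24", "20.20.21.0/24"}, []Annotation{{"2024/04/19 18:58",
		"john doe <john.doe@example.com>", []string{"My First Annotation", "My Second Annotation"}}}},
	{[]string{"9.9.9.9/32"}, []Annotation{{"2024/04/19 19:00",
		"jane doe <jane.does@example.com>", []string{"Another Annotation"}}}},
}

// Match returns the annotations of every entry that has a prefix containing host.
func Match(host string, entries []Entry) ([]Annotation, error) {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return nil, fmt.Errorf("host %q: %w", host, err)
	}
	var out []Annotation
	for i, e := range entries {
		hit := false
		for _, p := range e.Prefixes {
			pfx, err := netip.ParsePrefix(p)
			if err != nil || pfx != pfx.Masked() { // malformed, or host bits set (likely a typo)
				return nil, fmt.Errorf("entry %d: bad prefix %q", i, p)
			}
			hit = hit || pfx.Contains(addr)
		}
		if hit {
			out = append(out, e.Annotations...)
		}
	}
	return out, nil
}

func main() { fmt.Println(Match("20.20.21.7", sample)) }
```

Every prefix in the file is validated even when an earlier one already matched, so a malformed entry surfaces as an error instead of silently never matching.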

Apple iCloud Private Relay

IP anonymisation service from Apple.

iCloud Private Relay — part of an iCloud+ subscription — helps protect your privacy when you browse the web in Safari.

Amazon Web Services

AWS is a hosting provider that publishes network prefixes used by their services.

Azure

Azure is a hosting provider that publishes network prefixes used by their services.

Azure WAF

Azure WAF is a Web Application Firewall used to secure services hosted on Azure. This currently supports Azure Global WAF, used to secure Azure Front Door, and will show custom rules and prefixes matching the provided host. Authentication will be read from the environment.

Bingbot

Bingbot is the web crawler for the Bing search engine. Bing publishes network prefixes used by their crawlers.

CriminalIP

Query the CriminalIP API for information on an IP address/endpoint, with risk ratings, and any abuse reports filed for them. A free plan exists with a small number of free credits.

Set environment variable CRIMINAL_IP_API_URL with your API key.

DigitalOcean

DigitalOcean is a hosting provider that


Security Score

90/100

Audited on Feb 7, 2026

No findings