
New Cloud WAF GitHub Tools, Part Three: Multi-IP-Rep-Retriever

By Doron Tzur posted 10-26-2020 09:00

  

Simplify IP reputation intelligence with this time-saving UX enhancement.

Reputation intelligence is key to Imperva’s Cloud WAF technology.

Our ability to gather data on traffic origins and use it to generate insights on user behaviors is a powerful asset. It lets security professionals better understand where traffic is coming from, who is creating it, and what risks may be involved.

The cloud architecture of Imperva’s WAF solution allows us to deliver up-to-date information on traffic originators throughout the world. We are constantly improving our database of cyber entities and qualifying the traffic that comes from them.

This data is called reputation intelligence. The more comprehensive this intelligence is, the more accurately Imperva’s Cloud WAF can eliminate false positives while keeping websites and applications secure.

Imperva’s Reputation Intelligence service allows users to perform IP lookups on specific addresses. It reports everything Imperva knows about any particular IP address based on its activity over the past 14 days.

The service's current web interface makes checking a single IP easy, but checking dozens of IPs at a time gets tedious and time-consuming. Multi-ip-rep-retriever makes the process much easier to manage at scale.

Watch my in-depth webinar on Cloud WAF Reports and a Tool that Simplifies the Usage of the Reputation Intelligence Service.

Introducing Multi-IP-Rep-Retriever

Multi-ip-rep-retriever is a Node.js tool that gives users an HTML interface for obtaining reputation data for multiple IPs at once. It uses the Imperva Reputation Intelligence service API to gather reputation data and then presents it directly in the user’s web browser.

Multi-ip-rep-retriever is a local web server that listens on port 4000. After you download the project files, install them according to the instructions, and run the tool, you can access it directly from your device’s web browser.

Simply direct the browser to 127.0.0.1:4000 (4000 is the default port and can be changed). You can now check up to 10 IP addresses at once. Be sure to separate each individual IP with a space or a comma.

The resulting page will show you all of the most relevant data for the IPs you are checking. You can use this tool to quickly check the following fields for each IP in the table:

  • Risk. This column shows the score calculated by Imperva’s reputation intelligence tool for the IP in question. These are color-coded exactly the same way Imperva’s native scores are.
  • Risk Description. The API will draw from Imperva’s Reputation Intelligence application to describe the risk posed by the IP in question.
  • ASN. You can quickly verify which IPs are administered by the same organizations using their ASN code. IPs with the same number share a single defined policy for accessing external networks.
  • Organization Name. This column shows the organization name that the IP associates itself with.
  • Country. Users can quickly see where high-risk traffic is originating from using this column. 
  • City. If Imperva’s Reputation Intelligence tool knows the specific city originating a specific IP’s traffic, it will be listed here.
  • Known to Use. If the IP in question has a unique reputation for using malicious technologies, they will be listed here.
  • Known for. This is where you can find the specific violations that a particular IP address has been caught performing.

This is an intuitive way to quickly compare IP addresses based on their Reputation Intelligence profiles. The tool does not offer the same in-depth graphical data as Imperva’s official tool, but users can click through directly to the official tool’s report – every IP address in the table links to its own report.

If more information is needed, click the IP address in the table; the link takes you to the Reputation Intelligence service page.

Multi-ip-rep-retriever Features and Modifications

The Reputation Intelligence service has a built-in limit on the number of individual requests users can make in a certain time period. This is done to guarantee that Imperva’s servers will not be overwhelmed. Once the limit is reached, there is a short period of time when requests are rejected.

Fortunately, users do not have to wait very long for the limit counter to reset. A few minutes is all it takes for the tool to allow users to check new IPs.

Multi-ip-rep-retriever takes this into account by automatically ignoring redundant IP addresses, so if you enter multiple instances of the same address, it will return a single line for that particular IP. The tool's GUI also has a built-in limit of 10 addresses. Since the tool is open source, users can change the 10-address limit if they wish (in the settings.js file).
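The input handling described above (space- or comma-separated addresses, duplicates collapsed, a 10-address cap) can be sketched as follows. This is an added example, not code from the multi-ip-rep-retriever project: the function names are hypothetical, and the IPv4-only validation and the skipping of private ranges go beyond what the article describes.

```javascript
// Added example: hypothetical helper, not code from multi-ip-rep-retriever.
const MAX_IPS = 10; // assumption: mirrors the GUI limit described in the article

// Strict dotted-quad check: four decimal octets 0-255, no leading zeros.
function parseIPv4(token) {
  const parts = token.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o <= 255) ? octets : null;
}

// Private and loopback ranges have no public reputation, so a lookup only
// spends rate-limited requests (an addition of this example).
function isNonRoutable([a, b]) {
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function prepareLookupBatch(rawInput, maxIps = MAX_IPS) {
  const batch = { ips: [], duplicates: [], invalid: [], nonRoutable: [], overLimit: [] };
  const seen = new Set();
  // The article's input rule: addresses are separated by spaces or commas.
  for (const token of rawInput.split(/[\s,]+/).filter(Boolean)) {
    const octets = parseIPv4(token);
    if (!octets) batch.invalid.push(token);
    else if (isNonRoutable(octets)) batch.nonRoutable.push(token);
    else if (seen.has(token)) batch.duplicates.push(token);
    else {
      seen.add(token);
      // Anything past the cap is reported back instead of silently dropped.
      (batch.ips.length < maxIps ? batch.ips : batch.overLimit).push(token);
    }
  }
  return batch;
}

// Constructed sample input using documentation ranges (RFC 5737).
const sample = '203.0.113.7, 198.51.100.23 203.0.113.7,10.0.0.5 999.1.1.1';
console.log(prepareLookupBatch(sample));
```

Only the `ips` array would be sent to the reputation service; the other arrays tell the analyst what was left out and why.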

In fact, technically oriented users can take the bottom-line functionality of any Imperva GitHub tool and use it as a template to build their own customized solution. This is one of the great advantages of having an active community of developers creating open source tools.

Learn More with the Imperva Community
The Imperva Community is a great place to learn more about how to use Imperva cyber security technologies like API Security, Cloud WAF, Advanced Bot Protection, DDoS Protection, and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts.

Related Content:
New Cloud WAF GitHub Tools, Part One: Account-Level-Dashboard
New Cloud WAF GitHub Tools, Part Two: Site-Protection-Viewer

 



Comments

09-19-2021 06:45

Thanks for pointing this out David. I will make sure this is fixed.

Please let me know of your experience using this tool.

09-15-2021 12:04

Thanks for writing this up!

There is an extra backslash, at the end of the link to https://github.com/imperva/multi-ip-rep-retriever/blob/master/README.md