{"id":2123,"date":"2013-02-20T07:00:00","date_gmt":"2013-02-20T12:00:00","guid":{"rendered":"http:\/\/rud.is\/b\/?p=2123"},"modified":"2013-02-20T07:00:00","modified_gmt":"2013-02-20T12:00:00","slug":"rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2013\/02\/20\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\/","title":{"rendered":"R\/netintel : Cross-check APT-1&#8217;s IP list with AlienVault Reputation DB (+ some graphs\/analysis)"},"content":{"rendered":"<p>Here&#8217;s a quick example of a couple of additional ways to use the <a href=\"https:\/\/github.com\/hrbrmstr\/netintel\">netintel<\/a> R package I&#8217;ve been tinkering with. This could easily be done on the command line with other tools, but if you&#8217;re already doing scripting\/analysis with R, this provides a quick way to tell if a list of IPs is in the @AlienVault IP reputation database. Zero revelations here for regular R users, but it might help some folks who are working to make R more of a first-class scripting citizen.<\/p>\n<p>I whipped up the following bit of code to check to see how many IP addresses in the @Mandiant APT-1 FQDN dump were already in the AlienVault database. Reverse resolution of the Mandiant APT-1 FQDN list is a bit dubious at this point, so a cross-check with known current data is a good idea. 
I should also point out that not all the addresses resolved &#8220;well&#8221; (there are 2046 FQDNs and my quick <code>dig<\/code> only yielded 218 usable IPs).<\/p>\n<pre lang=\"rsplus\">library(netintel)\r\n\r\n# get the @AlienVault reputation DB\r\nav.rep = Alien.Vault.Reputation()\r\n\r\n# read in resolved APT-1 FQDNs list (keep the IPs as strings, not factors)\r\napt.1 = read.csv(\"apt-1-ips.csv\", stringsAsFactors=FALSE)\r\n\r\n# basic set operation\r\nwhats.left = intersect(apt.1$ip,av.rep$IP)\r\n\r\n# how many were in the quickly resolved apt-1 ip list?\r\n# (length() of the data frame itself would give the column count, so count the ip column)\r\nlength(apt.1$ip)\r\n[1] 218\r\n\r\n# how many are common across the lists?\r\nlength(whats.left)\r\n[1] 44\r\n\r\n# take a quick look at them\r\nwhats.left\r\n[1] \"12.152.124.11\"   \"140.112.19.195\"  \"161.58.182.205\"  \"165.165.38.19\"   \"173.254.28.80\"  \r\n[6] \"184.168.221.45\"  \"184.168.221.54\"  \"184.168.221.56\"  \"184.168.221.58\"  \"184.168.221.68\" \r\n[11] \"192.31.186.141\"  \"192.31.186.149\"  \"194.106.162.203\" \"199.59.166.109\"  \"203.170.198.56\" \r\n[16] \"204.100.63.18\"   \"204.93.130.138\"  \"205.178.189.129\" \"207.173.155.44\"  \"207.225.36.69\"  \r\n[21] \"208.185.233.163\" \"208.69.32.230\"   \"208.73.210.87\"   \"213.63.187.70\"   \"216.55.83.12\"   \r\n[26] \"50.63.202.62\"    \"63.134.215.218\"  \"63.246.147.10\"   \"64.12.75.1\"      \"64.12.79.57\"    \r\n[31] \"64.126.12.3\"     \"64.14.81.30\"     \"64.221.131.174\"  \"66.228.132.20\"   \"66.228.132.53\"  \r\n[36] \"68.165.211.181\"  \"69.43.160.186\"   \"69.43.161.167\"   \"69.43.161.178\"   \"70.90.53.170\"   \r\n[41] \"74.14.204.147\"   \"74.220.199.6\"    \"74.93.92.50\"     \"8.5.1.34\"<\/pre>\n<p>So, roughly a 20% overlap between (quickly; I&#8217;m sure there&#8217;s a more comprehensive list) resolved &#038; &#8220;clean&#8221; APT-1 FQDN IPs and the AlienVault reputation database.<\/p>\n<p>For kicks, we can see where all the resolved APT-1 nodes live (BGP\/network-wise) in relation to each other using some of the other library functions:<\/p>\n<pre 
lang=\"rsplus\">library(netintel)\r\nlibrary(igraph)\r\nlibrary(plyr)\r\n\r\n# read IPs as character strings rather than factors so they work as vertex names\r\napt.1 = read.csv(\"apt-1-ips.csv\", stringsAsFactors=FALSE)\r\nips = apt.1$ip\r\n\r\n# get BGP origin & peers\r\norigin = BulkOrigin(ips)\r\npeers = BulkPeer(ips)\r\n\r\n# start graphing\r\ng = graph.empty()\r\n\r\n# Make IP vertices; IP endpoints are red\r\ng = g + vertices(ips,size=1,color=\"red\",group=1)\r\n\r\n# Make BGP vertices ; BGP nodes are orange\r\ng = g + vertices(unique(c(peers$Peer.AS, origin$AS)),size=1.5,color=\"orange\",group=2)\r\n\r\n# no labels\r\nV(g)$label = \"\"\r\n\r\n# Make IP\/BGP edges (each IP -> its origin AS)\r\nip.edges = lapply(ips,function(x) {\r\n  iAS = origin[origin$IP==x,]$AS\r\n  lapply(iAS,function(y){\r\n    c(x,y)\r\n  })\r\n})\r\n\r\n# Make BGP\/peer edges (each origin AS -> the peer ASes of its prefix)\r\nbgp.edges = lapply(unique(origin$BGP.Prefix),function(x) {\r\n  startAS = unique(origin[origin$BGP.Prefix==x,]$AS)\r\n  lapply(startAS,function(z) {\r\n    pAS = peers[peers$BGP.Prefix==x,]$Peer.AS\r\n    lapply(pAS,function(y) {\r\n      c(z,y)\r\n    })\r\n  })\r\n})\r\n\r\n# get total graph node count\r\nnode.count = table(c(unlist(ip.edges),unlist(bgp.edges)))\r\n\r\n# add edges \r\ng = g + edges(unlist(ip.edges))\r\ng = g + edges(unlist(bgp.edges))\r\n\r\n# base edge weight == 1\r\nE(g)$weight = 1\r\n\r\n# simplify the graph (collapse duplicate edges, summing their weights)\r\ng = simplify(g, edge.attr.comb=list(weight=\"sum\"))\r\n\r\n# no arrows\r\nE(g)$arrow.size = 0\r\n\r\n# best layout for this\r\nL = layout.fruchterman.reingold(g)\r\n\r\n# plot the graph\r\nplot(g,margin=0)<\/pre>\n<p><center><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2127\" data-permalink=\"https:\/\/rud.is\/b\/2013\/02\/20\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\/apt-1\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/apt-1.png?fit=500%2C503&amp;ssl=1\" data-orig-size=\"500,503\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;}\" data-image-title=\"apt-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/apt-1.png?fit=500%2C503&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/apt-1.png?resize=500%2C503&#038;ssl=1\" alt=\"apt-1\" width=\"500\" height=\"503\" class=\"aligncenter size-full wp-image-2127\" srcset=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/apt-1.png?w=500&amp;ssl=1 500w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/apt-1.png?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/apt-1.png?resize=298%2C300&amp;ssl=1 298w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/center><\/p>\n<p>If we take out the BGP peer relationships from the graph (i.e. 
don&#8217;t add the <code>bgp.edges<\/code> in the above code) we can see the mal-host clusters even more clearly (the pseudo &#8220;Death Star&#8221; look is unintentional but apropos):<\/p>\n<p><center><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2135\" data-permalink=\"https:\/\/rud.is\/b\/2013\/02\/20\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\/rplot01\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/Rplot01.png?fit=596%2C597&amp;ssl=1\" data-orig-size=\"596,597\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;}\" data-image-title=\"Rplot01\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/Rplot01.png?fit=510%2C510&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/Rplot01.png?resize=510%2C510&#038;ssl=1\" alt=\"Rplot01\" width=\"510\" height=\"510\" class=\"aligncenter size-large wp-image-2135\" srcset=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/Rplot01.png?resize=530%2C530&amp;ssl=1 530w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/Rplot01.png?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/Rplot01.png?resize=300%2C300&amp;ssl=1 300w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/Rplot01.png?resize=535%2C535&amp;ssl=1 535w, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2013\/02\/Rplot01.png?w=596&amp;ssl=1 596w\" sizes=\"auto, (max-width: 510px) 100vw, 510px\" 
\/><\/center><\/p>\n<p>We can also determine which ASNs the bigger clusters belong to by checking out the degree. The &#8220;top&#8221; 5 clusters are:<\/p>\n<pre lang=\"bash\">\r\n16509 40676 36351 26496 15169 \r\n    7     8     8    13    54 <\/pre>\n<p>While my library doesn&#8217;t support direct ASN detail lookup yet (an oversight), we can take those ASNs, check them out manually and see the results:<\/p>\n<pre lang=\"bash\">16509   | US | arin     | 2000-05-04 | AMAZON-02 - Amazon.com, Inc.\r\n40676   | US | arin     | 2008-02-26 | PSYCHZ - Psychz Networks\r\n36351   | US | arin     | 2005-12-12 | SOFTLAYER - SoftLayer Technologies Inc.\r\n26496   | US | arin     | 2002-10-01 | AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC\r\n15169   | US | arin     | 2000-03-30 | GOOGLE - Google Inc.<\/pre>\n<p>So Google servers are hosting the most mal-nodes from the resolved APT-1 list, followed by GoDaddy. I actually expected Amazon to be higher up in the list.<\/p>\n<p>I&#8217;ll be adding <code>igraph<\/code> and ASN lookup functions to the <code>netintel<\/code> library soon. Also, if anyone has a better APT-1 IP list, please shoot me a link.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here&#8217;s a quick example of a couple of additional ways to use the netintel R package I&#8217;ve been tinkering with. 
This could easily be done on the command line with other tools, but if you&#8217;re already doing scripting\/analysis with R, this provides a quick way to tell if a list of IPs is in the @AlienVault IP [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[24,677,678,673,674,3],"tags":[685,682,683,684],"class_list":["post-2123","post","type-post","status-publish","format-standard","hentry","category-charts-graphs","category-data-analysis-2","category-data-visualization","category-datavis-2","category-dataviz","category-information-security","tag-alienvault","tag-apt-1","tag-mandiant","tag-netintel"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>R\/netintel : Cross-check APT-1&#039;s IP list with AlienVault Reputation DB (+ some graphs\/analysis) - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2013\/02\/20\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"R\/netintel : Cross-check APT-1&#039;s IP list with AlienVault Reputation DB (+ some graphs\/analysis) - rud.is\" \/>\n<meta 
property=\"og:description\" content=\"Here&#8217;s a quick example of couple additional ways to use the netintel R package I&#8217;ve been tinkering with. This could easily be done on the command line with other tools, but if you&#8217;re already doing scripting\/analysis with R, this provides a quick way to tell if a list of IPs is in the @AlienVault IP [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2013\/02\/20\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2013-02-20T12:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/rud.is\/b\/wp-content\/uploads\/2013\/02\/apt-1.png\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"R\\\/netintel : Cross-check APT-1&#8217;s IP list with AlienVault Reputation DB (+ some graphs\\\/analysis)\",\"datePublished\":\"2013-02-20T12:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/\"},\"wordCount\":366,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2013\\\/02\\\/apt-1.png\",\"keywords\":[\"alienvault\",\"apt-1\",\"mandiant\",\"netintel\"],\"articleSection\":[\"Charts &amp; Graphs\",\"Data Analysis\",\"Data Visualization\",\"DataVis\",\"DataViz\",\"Information 
Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/\",\"name\":\"R\\\/netintel : Cross-check APT-1's IP list with AlienVault Reputation DB (+ some graphs\\\/analysis) - rud.is\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2013\\\/02\\\/apt-1.png\",\"datePublished\":\"2013-02-20T12:00:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\
/uploads\\\/2013\\\/02\\\/apt-1.png?fit=500%2C503&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2013\\\/02\\\/apt-1.png?fit=500%2C503&ssl=1\",\"width\":500,\"height\":503},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2013\\\/02\\\/20\\\/rnetintel-cross-check-apt-1s-ip-list-with-alienvault-reputation-db-some-graphsanalysis\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/rud.is\\\/b\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"R\\\/netintel : Cross-check APT-1&#8217;s IP list with AlienVault Reputation DB (+ some graphs\\\/analysis)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/\",\"name\":\"rud.is\",\"description\":\"&quot;In God we trust. All others must bring data&quot;\",\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/rud.is\\\/b\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\
"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\\\/\\\/rud.is\"],\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/author\\\/hrbrmstr\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-yf","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/2123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=2123"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/2123\/revisions"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=2123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=2123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=2123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}