IP reputation apps - does scorelookup.py work?

kurt28
Path Finder

Hello,

I've installed IP Reputation on my Splunk server, but nothing shows up in any of the dashboards.

After requesting a key from www.projecthoneypot.org for http:BL and embedding it in scorelookup.py, the dashboards still do not work.
The script does the lookup by calling Python's socket.gethostbyname(host). I ran it manually, passing the correct query format defined by www.projecthoneypot.org (..dnsbl.httpbl.org) as the parameter host, but got an exception about "No address associated with hostname".
Even when I ran nslookup in a Linux shell, like: nslookup ..dnsbl.httpbl.org, I got "server can't find ..dnsbl.httpbl.org : NXDOMAIN".

Am I missing anything?
Any help will be very much appreciated!

0 Karma
1 Solution

Matthias_BY
Communicator

Hi Kurt,

I just tried this bad IP lookup: http://www.projecthoneypot.org/ip_199.15.233.175

nslookup %mykey%.175.233.15.199.dnsbl.httpbl.org

Response: Address: 127.1.64.5 - as an example, 64 would be the threat score displayed later in the Splunk app.

I even tried

nslookup abcdefghijkl.175.233.15.199.dnsbl.httpbl.org

Response: Address: 127.1.64.5

So that even answers your second question - I have the feeling that currently the Project Honey Pot API does not enforce the API key to allow requests... but maybe they will in the future. However, that has nothing to do with Splunk 😉

With your IP I get the same behavior as you. It seems this IP is not blacklisted.

br
Matthias

kurt28
Path Finder

Hi Matthias,

Thank you for replying. I know how to do it now, thanks.

Regards
Kurt

0 Karma

Matthias_BY
Communicator

Good Morning Kurt,

The dashboards might be empty because you haven't configured/set the eventtype=check_ip. This event type was introduced to ensure the app is not going after all your machine data by default. So you can create a search and save that filter as an event type - this will then be displayed on the dashboards. For example, you may want to exclude all your internal IPs (NOT 172.* etc.), and you might only want to look up accepted connections or logins etc.

Regarding the nslookup, you should review this: "ww*.projecthoneypot.org/httpbl_api.php"

Currently you do not even need the API key. 😉

So sending this query:

nslookup abcdefghijkl.2.1.9.127.dnsbl.httpbl.org

should give you back:

Address: 127.3.5.1

You can test it from your laptop, then from your Splunk search head. At the bottom of the documentation you will even find a lot of other test values.

br
matthias

0 Karma

kurt28
Path Finder

Good morning Matthias,

Thanks for replying. I still have some questions:

  1. I can get correct results by running "nslookup abcdefghijkl.2.1.9.127.dnsbl.httpbl.org" and "nslookup .2.1.9.127.dnsbl.httpbl.org"; however, it fails for "abcdefghijkl.94.31.125.74.dnsbl.httpbl.org" and ".94.31.125.74.dnsbl.httpbl.org", where "94.31.125.74" is the reversed IP of "www.google.com.tw".

  2. In scorelookup.py, the "Configuration" says that I need to copy the http:BL key into VAR key; why don't I need the API key currently?

Regards
Kurt

0 Karma
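The lookups discussed in this thread, as an added example that is not part of any post or of the app's scorelookup.py: it builds the http:BL query name, decodes a 127.x.y.z answer, and treats the NXDOMAIN / "No address associated with hostname" error as "not listed" while still surfacing real resolver failures. The function names are hypothetical, the field layout (days, threat score, visitor-type bits) is taken from the http:BL API documentation rather than from the thread, and the resolver table in the demo is constructed.

```python
import ipaddress
import socket

ZONE = "dnsbl.httpbl.org"
# Visitor-type bit flags carried in the last octet (http:BL API documentation).
TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}
# getaddrinfo codes that mean "no such record"; availability varies by platform.
NOT_LISTED = {getattr(socket, n) for n in ("EAI_NONAME", "EAI_NODATA")
              if hasattr(socket, n)}


def build_query(key, ip):
    """Return <key>.<reversed IPv4 octets>.dnsbl.httpbl.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join([key, *reversed(str(addr).split(".")), ZONE])


def parse_response(answer):
    """Decode a 127.<days>.<threat>.<type> answer."""
    first, days, threat, vtype = (int(o) for o in answer.split("."))
    if first != 127:
        raise ValueError(f"unexpected http:BL answer: {answer}")
    labels = [name for bit, name in TYPES.items() if vtype & bit]
    # Type 0 is a search engine; the third octet is then not a threat score.
    return {"days": days, "threat": threat if vtype else None,
            "types": labels or ["search engine"]}


def lookup(key, ip, resolver=socket.gethostbyname):
    """Return the decoded listing, or None when the IP is not listed."""
    try:
        answer = resolver(build_query(key, ip))
    except socket.gaierror as exc:
        if exc.errno in NOT_LISTED:   # NXDOMAIN: the IP has no listing
            return None
        raise                         # timeout, SERVFAIL: a real lookup failure
    return parse_response(answer)


if __name__ == "__main__":
    # Constructed offline resolver: one listed name, everything else NXDOMAIN.
    table = {"abcdefghijkl.175.233.15.199.dnsbl.httpbl.org": "127.1.64.5"}

    def fake(name):
        if name not in table:
            raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
        return table[name]

    print(lookup("abcdefghijkl", "199.15.233.175", fake))
    print(lookup("abcdefghijkl", "74.125.31.94", fake))
```

Re-raising non-NXDOMAIN errors keeps a resolver outage from being recorded as a clean verdict for every IP.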