IP Intelligence
IP Intelligence provides additional information about any IP address you see in ngrok. It includes Autonomous System information, geolocation data, and information fetched from third parties that list IP addresses on blocklists or allowlists.
These variables can be used in Traffic Policy expressions, or they can be used to enrich your traffic via dynamic injection into headers or responses.
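A fuller policy that uses these variables both ways, as an added example rather than ngrok's own sample: the first rule denies clients that are on a blocklist or listed as Tor exit nodes, and the second injects intelligence fields into request headers for upstream logging. The on_http_request phase, the deny and add-headers actions, the ${...} interpolation and the x-client-* header names are assumptions that do not come from this page.

```yaml
# Added example; the phase/action layout below is assumed, not shown on this page.
on_http_request:
  # Rule 1: refuse clients that an included blocklist flags, or that are
  # listed as Tor exit nodes. Both variables are booleans documented on this page.
  - expressions:
      - "conn.client_ip.is_on_blocklist || conn.client_ip.is_tor_node"
    actions:
      - type: deny
        config:
          status_code: 403
  # Rule 2: no expressions, so it applies to every request that reaches it.
  # Pass selected fields upstream so the application can log and alert on them.
  - actions:
      - type: add-headers
        config:
          headers:
            # Header names are hypothetical; choose names your upstream expects.
            x-client-country-code: "${conn.client_ip.geo.location.country_code}"
            x-client-as-organization: "${conn.client_ip.as.organization}"
```

The geo values are estimates (the page describes them as where the address is likely to originate), so treat the injected headers as log context rather than as an authorization input.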
Client IP Intelligence
The following variables are available under the conn.client_ip namespace:
Name | Type | Description |
---|---|---|
conn.client_ip.categories | list | The list of categories that classify the conn.client_ip. Check out our full list of categories. |
conn.client_ip.is_on_blocklist | boolean | This is true if the conn.client_ip is listed on a blocklist. For more information about which blocklists are included here, please check out our list of categories. |
conn.client_ip.is_tor_node | boolean | This is true if the conn.client_ip is listed as a Tor exit node. |
conn.client_ip.categories
The list of categories that classify the conn.client_ip. Check out our full list of categories.
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.anonymous.tor' in conn.client_ip.categories)"
]
}
conn.client_ip.is_on_blocklist
This is true if the conn.client_ip is listed on a blocklist. For more information about which blocklists are included here, please check out our list of categories.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.is_on_blocklist == true
// snippet
{
"expressions": [
"conn.client_ip.is_on_blocklist == true"
]
}
conn.client_ip.is_tor_node
This is true if the conn.client_ip is listed as a Tor exit node.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.is_tor_node == true
// snippet
{
"expressions": [
"conn.client_ip.is_tor_node == true"
]
}
Client IP Autonomous System
The following variables are available under the conn.client_ip namespace:
Name | Type | Description |
---|---|---|
conn.client_ip.as.number | integer | The Autonomous System Number of the conn.client_ip. |
conn.client_ip.as.organization | string | The Autonomous System Organization name of the conn.client_ip. |
conn.client_ip.as.number
The Autonomous System Number of the conn.client_ip.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.as.number == 12345
// snippet
{
"expressions": [
"conn.client_ip.as.number == 12345"
]
}
conn.client_ip.as.organization
The Autonomous System Organization name of the conn.client_ip.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.as.organization == 'COMCAST-7922'
// snippet
{
"expressions": [
"conn.client_ip.as.organization == 'COMCAST-7922'"
]
}
Client IP Geo Location
This is the location where the IP address is located, which may be different from where the IP address is registered. For more details, see the MaxMind documentation.
Name | Type | Description |
---|---|---|
conn.client_ip.geo.location.city | string | The name of the city, in EN, where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.continent | string | The name of the continent, in EN, where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.country | string | The name of the country, in EN, where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.country_code | string | The two-letter ISO country code where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.is_eu | boolean | Determines if the conn.client_ip is located in the EU. Helpful for GDPR compliance. |
conn.client_ip.geo.location.latitude | string | The approximate latitude where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.longitude | string | The approximate longitude where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.metro_code | string | The metro code where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.postal_code | string | The postal code where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.radius | string | The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.subdivision | string | The name of the subdivision, in EN, where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.timezone | string | The name of the timezone where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.city
The name of the city, in EN, where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.city == 'Strongsville'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.city == 'Strongsville'"
]
}
conn.client_ip.geo.location.continent
The name of the continent, in EN, where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.continent == 'North America'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.continent == 'North America'"
]
}
conn.client_ip.geo.location.country
The name of the country, in EN, where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.country == 'United States'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.country == 'United States'"
]
}
conn.client_ip.geo.location.country_code
The two-letter ISO country code where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.country_code != 'US'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.country_code != 'US'"
]
}
conn.client_ip.geo.location.is_eu
Determines if the conn.client_ip is in the EU. Helpful for GDPR compliance.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.is_eu == true
// snippet
{
"expressions": [
"conn.client_ip.geo.location.is_eu == true"
]
}
conn.client_ip.geo.location.latitude
The approximate latitude where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- double(conn.client_ip.geo.location.latitude) >= 45.0
// snippet
{
"expressions": [
"double(conn.client_ip.geo.location.latitude) >= 45.0"
]
}
conn.client_ip.geo.location.longitude
The approximate longitude where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- double(conn.client_ip.geo.location.longitude) <= -93.0
// snippet
{
"expressions": [
"double(conn.client_ip.geo.location.longitude) <= -93.0"
]
}
conn.client_ip.geo.location.metro_code
The metro code where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.metro_code != ''
// snippet
{
"expressions": [
"conn.client_ip.geo.location.metro_code != ''"
]
}
conn.client_ip.geo.location.postal_code
The postal code where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.postal_code == '94324'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.postal_code == '94324'"
]
}
conn.client_ip.geo.location.radius
The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
# radius is a string, so convert it before comparing; comparing strings is lexicographic
---
expressions:
- double(conn.client_ip.geo.location.radius) <= 5.0
// snippet
{
"expressions": [
"double(conn.client_ip.geo.location.radius) <= 5.0"
]
}
conn.client_ip.geo.location.subdivision
The name of the subdivision, in EN, where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.subdivision == 'California'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.subdivision == 'California'"
]
}
conn.client_ip.geo.location.timezone
The name of the timezone where the conn.client_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.timezone == 'America/New_York'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.timezone == 'America/New_York'"
]
}
Client IP Registered Geo Location
This is the location where the IP address is registered, which may be different from where the IP address is located. For more details, see the MaxMind documentation.
Name | Type | Description |
---|---|---|
conn.client_ip.geo.registered_location.city | string | The name of the city, in EN, where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.continent | string | The name of the continent, in EN, where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.country | string | The name of the country, in EN, where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.country_code | string | The two-letter ISO country code where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.is_eu | boolean | Determines if the conn.client_ip is registered in the EU. Helpful for GDPR compliance. |
conn.client_ip.geo.registered_location.metro_code | string | The metro code where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.subdivision | string | The name of the subdivision, in EN, where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.timezone | string | The name of the timezone where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.city
The name of the city, in EN, where the conn.client_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.city == 'Strongsville'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.city == 'Strongsville'"
]
}
conn.client_ip.geo.registered_location.continent
The name of the continent, in EN, where the conn.client_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.continent == 'North America'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.continent == 'North America'"
]
}
conn.client_ip.geo.registered_location.country
The name of the country, in EN, where the conn.client_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.country == 'United States'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.country == 'United States'"
]
}
conn.client_ip.geo.registered_location.country_code
The two-letter ISO country code where the conn.client_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.country_code != 'US'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.country_code != 'US'"
]
}
conn.client_ip.geo.registered_location.is_eu
Determines if the conn.client_ip is registered in the EU. Helpful for GDPR compliance.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.is_eu == true
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.is_eu == true"
]
}
conn.client_ip.geo.registered_location.subdivision
The name of the subdivision, in EN, where the conn.client_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.subdivision == 'California'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.subdivision == 'California'"
]
}
conn.client_ip.geo.registered_location.metro_code
The metro code where the conn.client_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.metro_code != ''
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.metro_code != ''"
]
}
conn.client_ip.geo.registered_location.timezone
The name of the timezone where the conn.client_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.timezone == 'America/New_York'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.timezone == 'America/New_York'"
]
}
Server IP Intelligence
The following variables are available under the conn.server_ip namespace:
Name | Type | Description |
---|---|---|
conn.server_ip.categories | list | The list of categories that classify the conn.server_ip. Check out our full list of categories. |
conn.server_ip.is_on_blocklist | boolean | This is true if the conn.server_ip is listed on a blocklist. For more information about which blocklists are included here, please check out our list of categories. |
conn.server_ip.is_tor_node | boolean | This is true if the conn.server_ip is listed as a Tor exit node. |
conn.server_ip.categories
The list of categories that classify the conn.server_ip. Check out our full list of categories.
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.server_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.anonymous.tor' in conn.server_ip.categories)"
]
}
conn.server_ip.is_on_blocklist
This is true if the conn.server_ip is listed on a blocklist. For more information about which blocklists are included here, please check out our list of categories.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.is_on_blocklist == true
// snippet
{
"expressions": [
"conn.server_ip.is_on_blocklist == true"
]
}
conn.server_ip.is_tor_node
This is true if the conn.server_ip is listed as a Tor exit node.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.is_tor_node == true
// snippet
{
"expressions": [
"conn.server_ip.is_tor_node == true"
]
}
Server IP Autonomous System
Name | Type | Description |
---|---|---|
conn.server_ip.as.number | integer | The Autonomous System Number of the conn.server_ip. |
conn.server_ip.as.organization | string | The Autonomous System Organization name of the conn.server_ip. |
conn.server_ip.as.number
The Autonomous System Number of the conn.server_ip.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.as.number == 12345
// snippet
{
"expressions": [
"conn.server_ip.as.number == 12345"
]
}
conn.server_ip.as.organization
The Autonomous System Organization name of the conn.server_ip.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.as.organization == 'COMCAST-7922'
// snippet
{
"expressions": [
"conn.server_ip.as.organization == 'COMCAST-7922'"
]
}
Server IP Location Geo
This is the location where the server IP address is located, which may be different from where the IP address is registered. For more details, see the MaxMind documentation.
Name | Type | Description |
---|---|---|
conn.server_ip.geo.location.city | string | The name of the city, in EN, where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.continent | string | The name of the continent, in EN, where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.country | string | The name of the country, in EN, where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.country_code | string | The two-letter ISO country code where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.is_eu | boolean | Determines if the conn.server_ip is located in the EU. Helpful for GDPR compliance. |
conn.server_ip.geo.location.latitude | string | The approximate latitude where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.longitude | string | The approximate longitude where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.metro_code | string | The metro code where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.postal_code | string | The postal code where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.radius | string | The radius in kilometers around the latitude and longitude where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.subdivision | string | The name of the subdivision, in EN, where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.timezone | string | The name of the timezone where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.city
The name of the city, in EN, where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.city == 'Strongsville'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.city == 'Strongsville'"
]
}
conn.server_ip.geo.location.continent
The name of the continent, in EN, where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.continent == 'North America'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.continent == 'North America'"
]
}
conn.server_ip.geo.location.country
The name of the country, in EN, where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.country == 'United States'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.country == 'United States'"
]
}
conn.server_ip.geo.location.country_code
The two-letter ISO country code where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.country_code != 'US'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.country_code != 'US'"
]
}
conn.server_ip.geo.location.is_eu
Determines if the conn.server_ip location is in the EU. Helpful for GDPR compliance.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.is_eu == true
// snippet
{
"expressions": [
"conn.server_ip.geo.location.is_eu == true"
]
}
conn.server_ip.geo.location.latitude
The approximate latitude where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- double(conn.server_ip.geo.location.latitude) >= 45.0
// snippet
{
"expressions": [
"double(conn.server_ip.geo.location.latitude) >= 45.0"
]
}
conn.server_ip.geo.location.longitude
The approximate longitude where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- double(conn.server_ip.geo.location.longitude) <= -93.0
// snippet
{
"expressions": [
"double(conn.server_ip.geo.location.longitude) <= -93.0"
]
}
conn.server_ip.geo.location.metro_code
The metro code where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.metro_code != ''
// snippet
{
"expressions": [
"conn.server_ip.geo.location.metro_code != ''"
]
}
conn.server_ip.geo.location.postal_code
The postal code where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.postal_code == '94324'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.postal_code == '94324'"
]
}
conn.server_ip.geo.location.radius
The radius in kilometers around the latitude and longitude where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
# radius is a string, so convert it before comparing; comparing strings is lexicographic
---
expressions:
- double(conn.server_ip.geo.location.radius) <= 5.0
// snippet
{
"expressions": [
"double(conn.server_ip.geo.location.radius) <= 5.0"
]
}
conn.server_ip.geo.location.subdivision
The name of the subdivision, in EN, where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.subdivision == 'California'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.subdivision == 'California'"
]
}
conn.server_ip.geo.location.timezone
The name of the timezone where the conn.server_ip is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.timezone == 'America/New_York'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.timezone == 'America/New_York'"
]
}
Server IP Registered Location Geo
This is the location where the server IP address is registered, which may be different from where the IP address is located. For more details, see the MaxMind documentation.
Name | Type | Description |
---|---|---|
conn.server_ip.geo.registered_location.city | string | The name of the city, in EN, where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.continent | string | The name of the continent, in EN, where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.country | string | The name of the country, in EN, where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.country_code | string | The two-letter ISO country code where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.is_eu | boolean | Determines if the conn.server_ip is registered in the EU. Helpful for GDPR compliance. |
conn.server_ip.geo.registered_location.metro_code | string | The metro code where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.subdivision | string | The name of the subdivision, in EN, where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.timezone | string | The name of the timezone where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.city
The name of the city, in EN, where the conn.server_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.city == 'Strongsville'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.city == 'Strongsville'"
]
}
conn.server_ip.geo.registered_location.continent
The name of the continent, in EN, where the conn.server_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.continent == 'North America'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.continent == 'North America'"
]
}
conn.server_ip.geo.registered_location.country
The name of the country, in EN, where the conn.server_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.country == 'United States'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.country == 'United States'"
]
}
conn.server_ip.geo.registered_location.country_code
The two-letter ISO country code where the conn.server_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.country_code != 'US'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.country_code != 'US'"
]
}
conn.server_ip.geo.registered_location.is_eu
Determines if the conn.server_ip is registered in the EU. Helpful for GDPR compliance.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.is_eu == true
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.is_eu == true"
]
}
conn.server_ip.geo.registered_location.subdivision
The name of the subdivision, in EN, where the conn.server_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.subdivision == 'California'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.subdivision == 'California'"
]
}
conn.server_ip.geo.registered_location.metro_code
The metro code where the conn.server_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.metro_code != ''
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.metro_code != ''"
]
}
conn.server_ip.geo.registered_location.timezone
The name of the timezone where the conn.server_ip is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.timezone == 'America/New_York'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.timezone == 'America/New_York'"
]
}
IP Categories
The following categories are available to use with the IP Intelligence .categories list.
Here's an example of how to block Tor exit node IPs from accessing your endpoint.
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.anonymous.tor' in conn.client_ip.categories)"
]
}
Blocklists
Name | Description | Sources |
---|---|---|
blocklist.blocklist_de | From BlockList.de: All IP addresses that have attacked one of our customers/servers in the last 48 hours. | Source |
blocklist.blocklist_de.ssh | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH. | Source |
blocklist.blocklist_de.mail | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix. | Source |
blocklist.blocklist_de.apache | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks. | Source |
blocklist.blocklist_de.imap | From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3. | Source |
blocklist.blocklist_de.ftp | From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP. | Source |
blocklist.blocklist_de.sip | From BlockList.de: All IP addresses that tried to login in a SIP-, VOIP- or Asterisk-Server and are included in the IPs-List from http://www.infiltrated.net/ (Twitter). | Source |
blocklist.blocklist_de.bots | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on an open Forum or Wiki). | Source |
blocklist.blocklist_de.strongips | From BlockList.de: All IPs which are older than 2 months and have more than 5.000 attacks. | Source |
blocklist.blocklist_de.bruteforcelogin | From BlockList.de: All IPs which attack Joomlas, Wordpress and other Web-Logins with Brute-Force Logins. | Source |
blocklist.greensnow_co | From greensnow.co: GreenSnow is a team consisting of the best specialists in computer security, we harvest a large number of IPs from different computers located around the world. GreenSnow is comparable with Spamhaus for attacks of any kind except for spam. Our list is updated automatically and you can withdraw at any time your IP address if it has been listed. | Source |
blocklist.spamhaus | From spamhaus.org: Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory “drop all traffic”, containing IP ranges which are so dangerous to internet users that Spamhaus provides access to anyone who wants to add this layer of protection, free of charge. | Source |
blocklist.stopforumspam | From stopforumspam.com: The data provided here represents what we believe will only ever been used to abuse. IP Addresses listed here will be returned in API results as "blacklisted". You would be very unlikely to see valid content from either the IP addresses listed. | Source |
blocklist.firehol_org.level_1 | From firehol.org: The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs. The key prerequisite for this cause, is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions. | Source |
blocklist.firehol_org.level_2 | From firehol.org: An ipset made from blocklists that track attacks, during about the last 48 hours. | Source |
blocklist.firehol_org.level_3 | From firehol.org: An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs that have been reported or detected in the last 30 days. | Source |
blocklist.firehol_org.abusers_1d | From firehol.org: An ipset made from blocklists that track abusers in the last 24 hours. | Source |
blocklist.firehol_org.abusers_30d | From firehol.org: An ipset made from blocklists that track abusers in the last 30 days. | Source |
blocklist.blocklist_de
From BlockList.de: All IP addresses that have attacked one of our customers/servers in the last 48 hours.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de' in conn.client_ip.categories)"
]
}
blocklist.blocklist_de.ssh
From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de.ssh' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de.ssh' in conn.client_ip.categories)"
]
}
blocklist.blocklist_de.mail
From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de.mail' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de.mail' in conn.client_ip.categories)"
]
}
blocklist.blocklist_de.apache
From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de.apache' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de.apache' in conn.client_ip.categories)"
]
}
blocklist.blocklist_de.imap
From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de.imap' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de.imap' in conn.client_ip.categories)"
]
}
blocklist.blocklist_de.ftp
From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de.ftp' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de.ftp' in conn.client_ip.categories)"
]
}
blocklist.blocklist_de.sip
From BlockList.de: All IP addresses that tried to login in a SIP-, VOIP- or Asterisk-Server and are included in the IPs-List from http://www.infiltrated.net/ (Twitter).
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de.sip' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de.sip' in conn.client_ip.categories)"
]
}
blocklist.blocklist_de.bots
From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on an open Forum or Wiki).
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de.bots' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de.bots' in conn.client_ip.categories)"
]
}
blocklist.blocklist_de.strongips
From BlockList.de: All IPs which are older than 2 months and have more than 5.000 attacks.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de.strongips' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de.strongips' in conn.client_ip.categories)"
]
}
blocklist.blocklist_de.bruteforcelogin
From BlockList.de: All IPs which attack Joomlas, Wordpress and other Web-Logins with Brute-Force Logins.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.blocklist_de.bruteforcelogin' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.blocklist_de.bruteforcelogin' in conn.client_ip.categories)"
]
}
blocklist.greensnow_co
From greensnow.co: GreenSnow is a team consisting of the best specialists in computer security, we harvest a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Our list is updated automatically and you can withdraw at any time your IP address if it has been listed.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.greensnow_co' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.greensnow_co' in conn.client_ip.categories)"
]
}
blocklist.spamhaus
From spamhaus.org: Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory “drop all traffic”, containing IP ranges which are so dangerous to internet users that Spamhaus provides access to anyone who wants to add this layer of protection, free of charge.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.spamhaus' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.spamhaus' in conn.client_ip.categories)"
]
}
blocklist.stopforumspam
From stopforumspam.com: The data provided here represents what we believe will only ever be used to abuse. IP Addresses listed here will be returned in API results as "blacklisted". You would be very unlikely to see valid content from the IP addresses listed.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.stopforumspam' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.stopforumspam' in conn.client_ip.categories)"
]
}
blocklist.firehol_org.level_1
From firehol.org: The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs. The key prerequisite for this cause, is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.firehol_org.level_1' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.firehol_org.level_1' in conn.client_ip.categories)"
]
}
blocklist.firehol_org.level_2
From firehol.org: An ipset made from blocklists that track attacks, during about the last 48 hours.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.firehol_org.level_2' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.firehol_org.level_2' in conn.client_ip.categories)"
]
}
blocklist.firehol_org.level_3
From firehol.org: An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs that have been reported or detected in the last 30 days.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.firehol_org.level_3' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.firehol_org.level_3' in conn.client_ip.categories)"
]
}
blocklist.firehol_org.abusers_1d
From firehol.org: An ipset made from blocklists that track abusers in the last 24 hours.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.firehol_org.abusers_1d' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.firehol_org.abusers_1d' in conn.client_ip.categories)"
]
}
blocklist.firehol_org.abusers_30d
From firehol.org: An ipset made from blocklists that track abusers in the last 30 days.
- YAML
- JSON
# snippet
---
expressions:
- "!('blocklist.firehol_org.abusers_30d' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('blocklist.firehol_org.abusers_30d' in conn.client_ip.categories)"
]
}
Proxies / VPNs
Name | Description | Sources |
---|---|---|
proxy.anonymous.tor | These IPs are actively serving as Tor Exit nodes. | Source |
proxy.anonymous.firehol_org | From firehol.org: An ipset that includes all the anonymizing IPs of the world. (includes: anonymous dm_tor firehol_proxies tor_exits) | Source |
proxy.open.firehol_org | From firehol.org: An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days. | Source |
proxy.anonymous.tor
These IPs are actively serving as Tor Exit nodes.
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.anonymous.tor' in conn.client_ip.categories)"
]
}
proxy.anonymous.firehol_org
From firehol.org: An ipset that includes all the anonymizing IPs of the world. (includes: anonymous dm_tor firehol_proxies tor_exits)
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.anonymous.firehol_org' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.anonymous.firehol_org' in conn.client_ip.categories)"
]
}
proxy.open.firehol_org
From firehol.org: An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days.
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.open.firehol_org' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.open.firehol_org' in conn.client_ip.categories)"
]
}
Organizations
Name | Description | Sources |
---|---|---|
com.cloudflare | IPs from Cloudflare | IPv4, IPv6 |
com.aws | IPs from AWS | Source |
com.aws.sns | IPs from AWS SNS service | Source |
com.aws.us-east-1.sns | IPs from AWS SNS service for the us-east-1 region | Source |
com.aws.us-east-2.sns | IPs from AWS SNS service for the us-east-2 region | Source |
com.aws.us-west-1.sns | IPs from AWS SNS service for the us-west-1 region | Source |
com.aws.us-west-2.sns | IPs from AWS SNS service for the us-west-2 region | Source |
com.stripe.api | The full list of IP addresses that api.stripe.com may resolve to | Source |
com.stripe.armada_gator | The full list of IP addresses that files.stripe.com, armada.stripe.com, and gator.stripe.com may resolve to | Source |
com.stripe.webhooks | The full list of IP addresses that webhook notifications may come from | Source |
com.censys.scanners | The IPs that Censys bots use to continually scan the entire public IPv4 address space across all possible IP and port combinations using automatic protocol detection. | Source |
com.vultr | IPs for Vultr | Source |
org.telegram.core | IPs for Telegram Bots | Source |
org.firehol.level_4 | From firehol.org: An ipset made from blocklists that track attacks, but may include a large number of false positives. | Source |
org.firehol.webserver | From firehol.org: A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc. or users having a long criminal history.) | Source |
com.cloudflare
IPs from Cloudflare.
- YAML
- JSON
# snippet
---
expressions:
- "'com.cloudflare' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.cloudflare' in conn.client_ip.categories"
]
}
com.aws
IPs from AWS.
- YAML
- JSON
# snippet
---
expressions:
- "'com.aws' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.aws' in conn.client_ip.categories"
]
}
com.aws.sns
IPs from AWS SNS service.
- YAML
- JSON
# snippet
---
expressions:
- "'com.aws.sns' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.aws.sns' in conn.client_ip.categories"
]
}
com.aws.us-east-1.sns
IPs from AWS SNS service for the us-east-1 region.
- YAML
- JSON
# snippet
---
expressions:
- "'com.aws.us-east-1.sns' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.aws.us-east-1.sns' in conn.client_ip.categories"
]
}
com.aws.us-east-2.sns
IPs from AWS SNS service for the us-east-2 region.
- YAML
- JSON
# snippet
---
expressions:
- "'com.aws.us-east-2.sns' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.aws.us-east-2.sns' in conn.client_ip.categories"
]
}
com.aws.us-west-1.sns
IPs from AWS SNS service for the us-west-1 region.
- YAML
- JSON
# snippet
---
expressions:
- "'com.aws.us-west-1.sns' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.aws.us-west-1.sns' in conn.client_ip.categories"
]
}
com.aws.us-west-2.sns
IPs from AWS SNS service for the us-west-2 region.
- YAML
- JSON
# snippet
---
expressions:
- "'com.aws.us-west-2.sns' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.aws.us-west-2.sns' in conn.client_ip.categories"
]
}
com.stripe.api
The full list of IP addresses that api.stripe.com may resolve to.
- YAML
- JSON
# snippet
---
expressions:
- "'com.stripe.api' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.stripe.api' in conn.client_ip.categories"
]
}
com.stripe.armada_gator
The full list of IP addresses that files.stripe.com, armada.stripe.com, and gator.stripe.com may resolve to.
- YAML
- JSON
# snippet
---
expressions:
- "'com.stripe.armada_gator' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.stripe.armada_gator' in conn.client_ip.categories"
]
}
com.stripe.webhooks
The full list of IP addresses that webhook notifications may come from.
- YAML
- JSON
# snippet
---
expressions:
- "'com.stripe.webhooks' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.stripe.webhooks' in conn.client_ip.categories"
]
}
com.censys.scanners
The IPs that Censys bots use to continually scan the entire public IPv4 address space across all possible IP and port combinations using automatic protocol detection.
- YAML
- JSON
# snippet
---
expressions:
- "!('com.censys.scanners' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('com.censys.scanners' in conn.client_ip.categories)"
]
}
com.vultr
IPs from Vultr.com
- YAML
- JSON
# snippet
---
expressions:
- "'com.vultr' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'com.vultr' in conn.client_ip.categories"
]
}
org.telegram.core
IPs for Telegram.org bots
- YAML
- JSON
# snippet
---
expressions:
- "'org.telegram.core' in conn.client_ip.categories"
// snippet
{
"expressions": [
"'org.telegram.core' in conn.client_ip.categories"
]
}
org.firehol.level_4
From firehol.org: An ipset made from blocklists that track attacks, but may include a large number of false positives.
- YAML
- JSON
# snippet
---
expressions:
- "!('org.firehol.level_4' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('org.firehol.level_4' in conn.client_ip.categories)"
]
}
org.firehol.webserver
From firehol.org: A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc. or users having a long criminal history.)
- YAML
- JSON
# snippet
---
expressions:
- "!('org.firehol.webserver' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('org.firehol.webserver' in conn.client_ip.categories)"
]
}
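The single-expression snippets above can be combined into one policy that treats lists differently according to how their sources describe them. The following is an added example, not taken from the ngrok documentation: the category names come from the tables above, while the rule layout (`on_http_request`, `deny`, `add-headers`) follows ngrok Traffic Policy syntax, and the rule names, the `/webhooks/stripe` path and the `x-ip-reputation` header are assumptions chosen for illustration.

```yaml
# Added example: category names are from this page; rule names, the path
# and the header name are hypothetical.
on_http_request:
  # 1. Lists whose sources describe them as safe to block on entirely
  #    (firehol level_1: "no false positives"; Spamhaus DROP): deny.
  - name: deny-high-confidence-blocklists
    expressions:
      - "'blocklist.firehol_org.level_1' in conn.client_ip.categories || 'blocklist.spamhaus' in conn.client_ip.categories"
    actions:
      - type: deny
        config:
          status_code: 403

  # 2. org.firehol.level_4 "may include a large number of false positives":
  #    tag the request for the upstream service instead of blocking it.
  - name: tag-noisy-list
    expressions:
      - "'org.firehol.level_4' in conn.client_ip.categories"
    actions:
      - type: add-headers
        config:
          headers:
            x-ip-reputation: "firehol-level-4"  # hypothetical header name

  # 3. Organization categories work as allowlists: only addresses in
  #    com.stripe.webhooks may reach the webhook path (hypothetical path).
  #    All expressions in a rule must be true for its actions to run.
  - name: stripe-webhooks-only
    expressions:
      - "req.url.path.startsWith('/webhooks/stripe')"
      - "!('com.stripe.webhooks' in conn.client_ip.categories)"
    actions:
      - type: deny
        config:
          status_code: 403
```

Source-IP allowlisting as in rule 3 narrows who can reach the endpoint; it complements, rather than replaces, verifying the webhook signature in the application.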