#!/bin/bash # -------------- # Name: hostile-host-check # Purpose: Check an IP address against DShield's hostile host database to # determine if others are seeing hostile activity from a host at that # IP address. # Usage: hostile-host-check ip_address # Example: # $ ./hostile-host-check 207.46.193.254 # Name: wwwtk2test2.microsoft.com # GeoIP Country Edition: US, United States # DShield First Reported: 2009-07-30 # DShield Most Recent Report: 2009-12-29 # DShield URL: http://www.dshield.org/ipdetails.html?ip=207.46.193.254 # Created: January 8, 2010 # Last updated: August 9, 2016 # Version: 1.0a # --------------- # Determine the Fully Qualified Domain Name (FQDN), if any, # associated with the given IP address DetermineFQDN() { fqdn=`host $ip` # # At this point, the value for fqdn will be in one of the 2 forms shown below: # # 25.219.133.198.in-addr.arpa domain name pointer www.cisco.com. # Host 1.0.168.192.in-addr.arpa not found: 3(NXDOMAIN) # # Strip out everything up to and including .arpa # See http://tldp.org/LDP/abs/html/string-manipulation.html fqdn=${fqdn#*arpa} # If a name was not found, strip away ": 3(NXDOMAIN)" remove=':*NXDOMAIN)' fqdn=${fqdn%$remove} # If a name was found, strip away " domain name pointer " then remove the # period from the end of the name. remove=' domain name pointer ' fqdn=${fqdn#$remove} fqdn=${fqdn%.} } # --------------- # DShield Check DShield_Check() { outfile="dshield_tmp.html" url='http://www.dshield.org/ipinfo.html?ip='${ip} # The same line contains the date a report was first submitted and the # date of the most recent report noentries='