IP Reputation
Rockfish Probe integrates with threat intelligence services for IP reputation lookups.
Overview
Two approaches are available:
| Feature | ip_reputation | threat_intel |
|---|---|---|
| Provider | Direct AbuseIPDB | External API server |
| Caching | Local in-memory | Server-side |
| Rate limits | Managed locally | Server manages |
| Best for | Single sensor | Multiple sensors |
These features are mutually exclusive.
IP Reputation (Direct AbuseIPDB)
Query AbuseIPDB directly with local caching.
Configuration
```yaml
ip_reputation:
  enabled: true
  api_key: "your-abuseipdb-api-key"
  cache_ttl_hours: 24
  max_age_in_days: 90
  s3_upload: true
```
| Option | Default | Description |
|---|---|---|
| enabled | false | Enable IP reputation lookups |
| api_key | (required) | AbuseIPDB API key |
| output_dir | `<parquet_dir>/ip_reputation` | Output directory |
| cache_ttl_hours | 24 | Cache entry lifetime |
| max_age_in_days | 90 | Max age for AbuseIPDB reports |
| s3_upload | false | Upload parquet files to S3 |
How It Works
- For each flow, source and destination IPs are queued for lookup
- Lookups run in a background thread
- Results are cached in memory with reference counting
- Cache is exported to Parquet every hour
Rate Limiting
AbuseIPDB free tier: 1000 requests/day.
When AbuseIPDB answers with HTTP 429 (rate-limited):
- API requests pause
- The local cache continues serving lookups that are already cached
- Requests resume at the next hour boundary
- If the provider is still rate-limited, requests pause again until the following hour boundary
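The queue, reference-counted cache and 429 pause described in How It Works and Rate Limiting, as an added illustration that is not Rockfish Probe's own code. The `fetch` and `clock` callbacks are assumptions injected so the behaviour can be exercised offline without an API key.

```python
import math
from dataclasses import dataclass

class RateLimited(Exception):
    """Raised by the fetch callback when AbuseIPDB answers HTTP 429."""

@dataclass
class Entry:
    abuse_confidence_score: int
    fetched_at: float        # unix time the score was fetched (for cache_ttl_hours)
    reference_count: int     # times the IP was seen in flows

def next_hour_boundary(t: float) -> float:
    """Unix time of the next full hour after t; lookups resume here after a 429."""
    return (math.floor(t / 3600) + 1) * 3600

class ReputationCache:
    def __init__(self, fetch, clock, cache_ttl_hours=24):
        self.fetch = fetch           # fetch(ip) -> score; raises RateLimited on 429
        self.clock = clock           # clock() -> unix time, injected so tests can fake it
        self.ttl = cache_ttl_hours * 3600
        self.entries = {}            # ip -> Entry (the in-memory cache)
        self.pending = {}            # ip -> references seen while its lookup is queued
        self.paused_until = 0.0      # after a 429, no API calls before this time

    def observe(self, ip):
        """Per flow endpoint: serve a fresh cache hit, otherwise queue a lookup."""
        e = self.entries.get(ip)
        if e is not None and self.clock() - e.fetched_at < self.ttl:
            e.reference_count += 1
            return e.abuse_confidence_score
        self.pending[ip] = self.pending.get(ip, 0) + 1
        return None

    def process_queue(self):
        """Background-thread step: drain queued lookups unless a 429 paused us."""
        now = self.clock()
        if now < self.paused_until:
            return 0                 # cache keeps serving; nothing sent to the API
        done = 0
        for ip in list(self.pending):
            try:
                score = self.fetch(ip)
            except RateLimited:
                self.paused_until = next_hour_boundary(now)  # repeats if 429 again
                break
            self.entries[ip] = Entry(score, now, self.pending.pop(ip))
            done += 1
        return done
```

Expired entries (older than `cache_ttl_hours`) are re-queued on the next observation and overwritten with a fresh score.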
Output Schema
Hourly Parquet exports include:
| Field | Type | Description |
|---|---|---|
| ip_address | String | IP address |
| abuse_confidence_score | Int32 | Score (0-100) |
| country_code | String | Country code |
| isp | String | ISP name |
| domain | String | Associated domain |
| total_reports | Int32 | Total abuse reports |
| last_reported_at | Timestamp | Last report time |
| is_whitelisted | Boolean | Whitelisted status |
| reference_count | Int64 | Times seen in flows |
| first_seen | Timestamp | First flow occurrence |
| last_seen | Timestamp | Last flow occurrence |
Threat Intel (External API)
Use an external threat intelligence server (e.g., rockfish_intel) for centralized lookups.
Configuration
```yaml
threat_intel:
  enabled: true
  endpoint_url: "http://localhost:8080"
  api_token: "your-api-token"
  batch_size: 100
  timeout_seconds: 10
```
| Option | Default | Description |
|---|---|---|
| enabled | false | Enable threat intel lookups |
| endpoint_url | (required) | API server URL |
| api_token | (required) | Bearer token |
| batch_size | 100 | IPs per request |
| timeout_seconds | 10 | Request timeout |
Benefits
- Centralized caching: Share cache across multiple sensors
- Rate limit management: Server handles provider limits
- Multiple providers: Server can aggregate multiple sources
Output
Threat intel Parquet files are written to `<parquet_dir>/intel/`.
With S3 and Hive partitioning, the object key takes the form:
```
s3://bucket/prefix/intel/year=YYYY/month=MM/day=DD/filename.parquet
```
Setup with rockfish_intel
- Start the intel server with your AbuseIPDB key
- Create a client entry in `clients.yaml`
- Configure the probe:
```yaml
threat_intel:
  enabled: true
  endpoint_url: "http://threatintel-server:8080"
  api_token: "client-token-from-clients-yaml"
```
Choosing Between Options
| Scenario | Recommendation |
|---|---|
| Single sensor, simple setup | ip_reputation |
| Multiple sensors | threat_intel + rockfish_intel |
| Enterprise with custom providers | threat_intel |
| Limited API quota | threat_intel (shared cache) |
Getting an AbuseIPDB API Key
- Create account at abuseipdb.com
- Go to API settings
- Generate API key
Free tier: 1000 checks/day
Paid tiers: Higher limits, additional features