
IP Intelligence

IP Intelligence provides you with additional information about any IP address you see in ngrok. It includes Autonomous System information and geolocation data, as well as information fetched from third parties that publish IP address blocklists or allowlists.

See the full list of IP Categories in the IP Categories section below.

These variables can be used in Traffic Policy expressions, or they can be used to enrich your traffic via dynamic injection into headers or responses.

Client IP Intelligence

The following variables are available under the conn.client_ip namespace:

| Name | Type | Description |
| --- | --- | --- |
| conn.client_ip.categories | list | The list of categories that classify the conn.client_ip. Check out our full list of categories. |
| conn.client_ip.is_on_blocklist | boolean | This is true if the conn.client_ip is listed on a blocklist. For more information about which blocklists are included here, please check out our list of categories. |
| conn.client_ip.is_tor_node | boolean | This is true if the conn.client_ip is listed as a Tor exit node. |

conn.client_ip.categories

The list of categories that classify the conn.client_ip. Check out our full list of categories.

# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.client_ip.categories)"

conn.client_ip.is_on_blocklist

This is true if the conn.client_ip is listed on a blocklist. For more information about which blocklists are included here, please check out our list of categories.

# snippet
---
expressions:
- conn.client_ip.is_on_blocklist == true

conn.client_ip.is_tor_node

This is true if the conn.client_ip is listed as a Tor exit node.

# snippet
---
expressions:
- conn.client_ip.is_tor_node == true

Client IP Autonomous System

The following variables are available under the conn.client_ip namespace:

| Name | Type | Description |
| --- | --- | --- |
| conn.client_ip.as.number | integer | The Autonomous System Number of the conn.client_ip. |
| conn.client_ip.as.organization | string | The Autonomous System Organization name of the conn.client_ip. |

conn.client_ip.as.number

The Autonomous System Number of the conn.client_ip.

# snippet
---
expressions:
- conn.client_ip.as.number == 12345

conn.client_ip.as.organization

The Autonomous System Organization name of the conn.client_ip.

# snippet
---
expressions:
- conn.client_ip.as.organization == 'COMCAST-7922'

Client IP Geo Location

This is the location where the IP address is physically located, which may be different from where the IP address is registered. For more details, see the MaxMind documentation.

| Name | Type | Description |
| --- | --- | --- |
| conn.client_ip.geo.location.city | string | The name of the city, in EN, where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.continent | string | The name of the continent, in EN, where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.country | string | The name of the country, in EN, where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.country_code | string | The two-letter ISO country code where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.is_eu | boolean | Determines if the conn.client_ip is located in the EU. Helpful for GDPR compliance. |
| conn.client_ip.geo.location.latitude | string | The approximate latitude where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.longitude | string | The approximate longitude where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.metro_code | string | The metro code where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.postal_code | string | The postal code where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.radius | string | The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.subdivision | string | The name of the subdivision, in EN, where the conn.client_ip is likely to originate. |
| conn.client_ip.geo.location.timezone | string | The name of the timezone where the conn.client_ip is likely to originate. |

conn.client_ip.geo.location.city

The name of the city, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- conn.client_ip.geo.location.city == 'Strongsville'

conn.client_ip.geo.location.continent

The name of the continent, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- conn.client_ip.geo.location.continent == 'North America'

conn.client_ip.geo.location.country

The name of the country, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- conn.client_ip.geo.location.country == 'United States'

conn.client_ip.geo.location.country_code

The two-letter ISO country code where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- conn.client_ip.geo.location.country_code != 'US'

conn.client_ip.geo.location.is_eu

Determines if the conn.client_ip is located in the EU. Helpful for GDPR compliance.

# snippet
---
expressions:
- conn.client_ip.geo.location.is_eu == true

conn.client_ip.geo.location.latitude

The approximate latitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- double(conn.client_ip.geo.location.latitude) >= 45.0

conn.client_ip.geo.location.longitude

The approximate longitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- double(conn.client_ip.geo.location.longitude) <= -93.0

conn.client_ip.geo.location.metro_code

The metro code where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- conn.client_ip.geo.location.metro_code != ''

conn.client_ip.geo.location.postal_code

The postal code where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- conn.client_ip.geo.location.postal_code == '94324'

conn.client_ip.geo.location.radius

The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
# radius is a string; convert it before comparing numerically, otherwise
# '10' <= '5' would be true under string comparison
- double(conn.client_ip.geo.location.radius) <= 5.0

conn.client_ip.geo.location.subdivision

The name of the subdivision, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- conn.client_ip.geo.location.subdivision == 'California'

conn.client_ip.geo.location.timezone

The name of the timezone where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- conn.client_ip.geo.location.timezone == 'America/New_York'

Client IP Registered Geo Location

This is the location where the IP address is registered, which may be different from where the IP address is physically located. For more details, see the MaxMind documentation.

| Name | Type | Description |
| --- | --- | --- |
| conn.client_ip.geo.registered_location.city | string | The name of the city, in EN, where the conn.client_ip is registered. |
| conn.client_ip.geo.registered_location.continent | string | The name of the continent, in EN, where the conn.client_ip is registered. |
| conn.client_ip.geo.registered_location.country | string | The name of the country, in EN, where the conn.client_ip is registered. |
| conn.client_ip.geo.registered_location.country_code | string | The two-letter ISO country code where the conn.client_ip is registered. |
| conn.client_ip.geo.registered_location.is_eu | boolean | Determines if the conn.client_ip is registered in the EU. Helpful for GDPR compliance. |
| conn.client_ip.geo.registered_location.metro_code | string | The metro code where the conn.client_ip is registered. |
| conn.client_ip.geo.registered_location.subdivision | string | The name of the subdivision, in EN, where the conn.client_ip is registered. |
| conn.client_ip.geo.registered_location.timezone | string | The name of the timezone where the conn.client_ip is registered. |

conn.client_ip.geo.registered_location.city

The name of the city, in EN, where the conn.client_ip is registered.

# snippet
---
expressions:
- conn.client_ip.geo.registered_location.city == 'Strongsville'

conn.client_ip.geo.registered_location.continent

The name of the continent, in EN, where the conn.client_ip is registered.

# snippet
---
expressions:
- conn.client_ip.geo.registered_location.continent == 'North America'

conn.client_ip.geo.registered_location.country

The name of the country, in EN, where the conn.client_ip is registered.

# snippet
---
expressions:
- conn.client_ip.geo.registered_location.country == 'United States'

conn.client_ip.geo.registered_location.country_code

The two-letter ISO country code where the conn.client_ip is registered.

# snippet
---
expressions:
- conn.client_ip.geo.registered_location.country_code != 'US'

conn.client_ip.geo.registered_location.is_eu

Determines if the conn.client_ip is registered in the EU. Helpful for GDPR compliance.

# snippet
---
expressions:
- conn.client_ip.geo.registered_location.is_eu == true

conn.client_ip.geo.registered_location.subdivision

The name of the subdivision, in EN, where the conn.client_ip is registered.

# snippet
---
expressions:
- conn.client_ip.geo.registered_location.subdivision == 'California'

conn.client_ip.geo.registered_location.metro_code

The metro code where the conn.client_ip is registered.

# snippet
---
expressions:
- conn.client_ip.geo.registered_location.metro_code != ''

conn.client_ip.geo.registered_location.timezone

The name of the timezone where the conn.client_ip is registered.

# snippet
---
expressions:
- conn.client_ip.geo.registered_location.timezone == 'America/New_York'

Server IP Intelligence

The following variables are available under the conn.server_ip namespace:

| Name | Type | Description |
| --- | --- | --- |
| conn.server_ip.categories | list | The list of categories that classify the conn.server_ip. Check out our full list of categories. |
| conn.server_ip.is_on_blocklist | boolean | This is true if the conn.server_ip is listed on a blocklist. For more information about which blocklists are included here, please check out our list of categories. |
| conn.server_ip.is_tor_node | boolean | This is true if the conn.server_ip is listed as a Tor exit node. |

conn.server_ip.categories

The list of categories that classify the conn.server_ip. Check out our full list of categories.

# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.server_ip.categories)"

conn.server_ip.is_on_blocklist

This is true if the conn.server_ip is listed on a blocklist. For more information about which blocklists are included here, please check out our list of categories.

# snippet
---
expressions:
- conn.server_ip.is_on_blocklist == true

conn.server_ip.is_tor_node

This is true if the conn.server_ip is listed as a Tor exit node.

# snippet
---
expressions:
- conn.server_ip.is_tor_node == true

Server IP Autonomous System

The following variables are available under the conn.server_ip namespace:

| Name | Type | Description |
| --- | --- | --- |
| conn.server_ip.as.number | integer | The Autonomous System Number of the conn.server_ip. |
| conn.server_ip.as.organization | string | The Autonomous System Organization name of the conn.server_ip. |

conn.server_ip.as.number

The Autonomous System Number of the conn.server_ip.

# snippet
---
expressions:
- conn.server_ip.as.number == 12345

conn.server_ip.as.organization

The Autonomous System Organization name of the conn.server_ip.

# snippet
---
expressions:
- conn.server_ip.as.organization == 'COMCAST-7922'

Server IP Geo Location

This is the location where the server IP address is physically located, which may be different from where the IP address is registered. For more details, see the MaxMind documentation.

| Name | Type | Description |
| --- | --- | --- |
| conn.server_ip.geo.location.city | string | The name of the city, in EN, where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.continent | string | The name of the continent, in EN, where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.country | string | The name of the country, in EN, where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.country_code | string | The two-letter ISO country code where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.is_eu | boolean | Determines if the conn.server_ip is located in the EU. Helpful for GDPR compliance. |
| conn.server_ip.geo.location.latitude | string | The approximate latitude where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.longitude | string | The approximate longitude where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.metro_code | string | The metro code where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.postal_code | string | The postal code where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.radius | string | The radius in kilometers around the latitude and longitude where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.subdivision | string | The name of the subdivision, in EN, where the conn.server_ip is likely to originate. |
| conn.server_ip.geo.location.timezone | string | The name of the timezone where the conn.server_ip is likely to originate. |

conn.server_ip.geo.location.city

The name of the city, in EN, where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- conn.server_ip.geo.location.city == 'Strongsville'

conn.server_ip.geo.location.continent

The name of the continent, in EN, where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- conn.server_ip.geo.location.continent == 'North America'

conn.server_ip.geo.location.country

The name of the country, in EN, where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- conn.server_ip.geo.location.country == 'United States'

conn.server_ip.geo.location.country_code

The two-letter ISO country code where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- conn.server_ip.geo.location.country_code != 'US'

conn.server_ip.geo.location.is_eu

Determines if the conn.server_ip is located in the EU. Helpful for GDPR compliance.

# snippet
---
expressions:
- conn.server_ip.geo.location.is_eu == true

conn.server_ip.geo.location.latitude

The approximate latitude where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- double(conn.server_ip.geo.location.latitude) >= 45.0

conn.server_ip.geo.location.longitude

The approximate longitude where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- double(conn.server_ip.geo.location.longitude) <= -93.0

conn.server_ip.geo.location.metro_code

The metro code where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- conn.server_ip.geo.location.metro_code != ''

conn.server_ip.geo.location.postal_code

The postal code where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- conn.server_ip.geo.location.postal_code == '94324'

conn.server_ip.geo.location.radius

The radius in kilometers around the latitude and longitude where the conn.server_ip is likely to originate.

# snippet
---
expressions:
# radius is a string; convert it before comparing numerically, otherwise
# '10' <= '5' would be true under string comparison
- double(conn.server_ip.geo.location.radius) <= 5.0

conn.server_ip.geo.location.subdivision

The name of the subdivision, in EN, where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- conn.server_ip.geo.location.subdivision == 'California'

conn.server_ip.geo.location.timezone

The name of the timezone where the conn.server_ip is likely to originate.

# snippet
---
expressions:
- conn.server_ip.geo.location.timezone == 'America/New_York'

Server IP Registered Geo Location

This is the location where the server IP address is registered, which may be different from where the IP address is physically located. For more details, see the MaxMind documentation.

| Name | Type | Description |
| --- | --- | --- |
| conn.server_ip.geo.registered_location.city | string | The name of the city, in EN, where the conn.server_ip is registered. |
| conn.server_ip.geo.registered_location.continent | string | The name of the continent, in EN, where the conn.server_ip is registered. |
| conn.server_ip.geo.registered_location.country | string | The name of the country, in EN, where the conn.server_ip is registered. |
| conn.server_ip.geo.registered_location.country_code | string | The two-letter ISO country code where the conn.server_ip is registered. |
| conn.server_ip.geo.registered_location.is_eu | boolean | Determines if the conn.server_ip is registered in the EU. Helpful for GDPR compliance. |
| conn.server_ip.geo.registered_location.metro_code | string | The metro code where the conn.server_ip is registered. |
| conn.server_ip.geo.registered_location.subdivision | string | The name of the subdivision, in EN, where the conn.server_ip is registered. |
| conn.server_ip.geo.registered_location.timezone | string | The name of the timezone where the conn.server_ip is registered. |

conn.server_ip.geo.registered_location.city

The name of the city, in EN, where the conn.server_ip is registered.

# snippet
---
expressions:
- conn.server_ip.geo.registered_location.city == 'Strongsville'

conn.server_ip.geo.registered_location.continent

The name of the continent, in EN, where the conn.server_ip is registered.

# snippet
---
expressions:
- conn.server_ip.geo.registered_location.continent == 'North America'

conn.server_ip.geo.registered_location.country

The name of the country, in EN, where the conn.server_ip is registered.

# snippet
---
expressions:
- conn.server_ip.geo.registered_location.country == 'United States'

conn.server_ip.geo.registered_location.country_code

The two-letter ISO country code where the conn.server_ip is registered.

# snippet
---
expressions:
- conn.server_ip.geo.registered_location.country_code != 'US'

conn.server_ip.geo.registered_location.is_eu

Determines if the conn.server_ip is registered in the EU. Helpful for GDPR compliance.

# snippet
---
expressions:
- conn.server_ip.geo.registered_location.is_eu == true

conn.server_ip.geo.registered_location.subdivision

The name of the subdivision, in EN, where the conn.server_ip is registered.

# snippet
---
expressions:
- conn.server_ip.geo.registered_location.subdivision == 'California'

conn.server_ip.geo.registered_location.metro_code

The metro code where the conn.server_ip is registered.

# snippet
---
expressions:
- conn.server_ip.geo.registered_location.metro_code != ''

conn.server_ip.geo.registered_location.timezone

The name of the timezone where the conn.server_ip is registered.

# snippet
---
expressions:
- conn.server_ip.geo.registered_location.timezone == 'America/New_York'

IP Categories

The following categories are available to use with the IP Intelligence .categories list.

The categories are hierarchical and can be matched at any level needed. For example, an IP with the category com.cloudflare.ipv4 also has the categories com and com.cloudflare. This is helpful if you want to allow all IPs from Cloudflare: matching on com.cloudflare covers both the ipv4 and ipv6 lists.

Here's an example of how to block Tor exit node IPs from accessing your endpoint.

# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.client_ip.categories)"

Or you can block all anonymous proxies, which includes Tor as well as every other list under the proxy.anonymous category.

# snippet
---
expressions:
- "!('proxy.anonymous' in conn.client_ip.categories)"
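To make the hierarchy concrete, here is an added Python model (not ngrok's code) of how a category list expands to its ancestors and how the deny and allow expressions above behave against it. The category names are the ones on this page, the sample lookups are constructed, and treating is_on_blocklist as membership in any blocklist.* category (and is_tor_node as proxy.anonymous.tor) is an assumption.

```python
"""Model of the hierarchical IP categories described above.

Added example, not ngrok's implementation. An IP tagged
'com.cloudflare.ipv4' also carries 'com' and 'com.cloudflare', so a rule
can match at whatever level it needs. The sample category lists below are
constructed; the category names are the ones listed on this page.
"""
from __future__ import annotations

from typing import Iterable


def expand_categories(raw: Iterable[str]) -> set[str]:
    """Return the raw categories plus every dotted-prefix ancestor.

    ['com.cloudflare.ipv4'] -> {'com', 'com.cloudflare', 'com.cloudflare.ipv4'}
    """
    expanded: set[str] = set()
    for cat in raw:
        parts = cat.split(".")
        for depth in range(1, len(parts) + 1):
            expanded.add(".".join(parts[:depth]))
    return expanded


def is_on_blocklist(raw: Iterable[str]) -> bool:
    """Assumption: the page's is_on_blocklist flag corresponds to membership
    in any 'blocklist.*' category, which the hierarchy reduces to a check
    for the top-level ancestor 'blocklist'."""
    return "blocklist" in expand_categories(raw)


def is_tor_node(raw: Iterable[str]) -> bool:
    """Assumption: is_tor_node mirrors the 'proxy.anonymous.tor' category."""
    return "proxy.anonymous.tor" in expand_categories(raw)


# Deny rules, each the Python form of a "!('x' in conn.client_ip.categories)"
# expression from this page. Matching on a parent catches every child list,
# e.g. 'blocklist.org.spamhaus.drop' covers both the ipv4 and ipv6 DROP lists.
DENY_IF_PRESENT = [
    "proxy.anonymous",                      # Tor plus every other anonymizer list
    "blocklist.org.spamhaus.drop",          # DROP ipv4 and ipv6
    "blocklist.org.team_cymru.fullbogons",  # bogons ipv4 and ipv6
    "io.censys.scanners",
]


def evaluate(raw: Iterable[str], *, allowlist: list[str] | None = None,
             denylist: list[str] = DENY_IF_PRESENT) -> tuple[str, str | None]:
    """Decide ('allow', None) or ('deny', reason) for one IP's category list.

    Deny rules run first; if an allowlist is given, the IP must also carry at
    least one allowlisted category (at any level) to pass. An empty category
    list is an unclassified IP: it passes the deny rules but fails any allowlist.
    """
    cats = expand_categories(raw)
    for needle in denylist:
        if needle in cats:
            return "deny", needle
    if allowlist is not None and not any(a in cats for a in allowlist):
        return "deny", "not-in-allowlist"
    return "allow", None


if __name__ == "__main__":
    # Constructed sample lookups, one IP per entry.
    samples = {
        "tor exit": ["proxy.anonymous.tor"],
        "spamhaus v6": ["blocklist.org.spamhaus.drop.ipv6"],
        "cloudflare v6": ["com.cloudflare.ipv6"],
        "aws sns": ["com.aws.us-east-1.sns"],
        "unclassified": [],
    }
    for label, cats in samples.items():
        print(f"{label:14} blocklist={is_on_blocklist(cats)!s:5} "
              f"tor={is_tor_node(cats)!s:5} open={evaluate(cats)} "
              f"cloudflare-only={evaluate(cats, allowlist=['com.cloudflare'])}")
```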

Blocklists

| Name | Description | Sources |
| --- | --- | --- |
| blocklist.co.greensnow | From greensnow.co: GreenSnow is a team consisting of the best specialists in computer security; we harvest a large number of IPs from different computers located around the world. GreenSnow is comparable with Spamhaus for attacks of any kind except for spam. Our list is updated automatically and you can withdraw at any time your IP address if it has been listed. | Source |
| blocklist.com.stopforumspam.toxic_ips | From stopforumspam.com: The data provided here represents what we believe will only ever be used to abuse. IP Addresses listed here will be returned in API results as "blacklisted". You would be very unlikely to see valid content from the IP addresses listed. | Source |
| blocklist.de.blocklist.all | From BlockList.de: All IP addresses that have attacked one of our customers/servers in the last 48 hours. | Source |
| blocklist.de.blocklist.apache | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks. | Source |
| blocklist.de.blocklist.bots | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on an open Forum or Wiki). | Source |
| blocklist.de.blocklist.bruteforcelogin | From BlockList.de: All IPs which attack Joomla, WordPress and other Web-Logins with Brute-Force Logins. | Source |
| blocklist.de.blocklist.ftp | From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP. | Source |
| blocklist.de.blocklist.imap | From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3. | Source |
| blocklist.de.blocklist.mail | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix. | Source |
| blocklist.de.blocklist.sip | From BlockList.de: All IP addresses that tried to log in to a SIP-, VOIP- or Asterisk-Server and are included in the IPs-List from http://www.infiltrated.net/ (Twitter). | Source |
| blocklist.de.blocklist.strongips | From BlockList.de: All IPs which are older than 2 months and have more than 5.000 attacks. | Source |
| blocklist.de.blocklist.ssh | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH. | Source |
| blocklist.net.emergingthreats.compromised_ips | From emergingthreats.net: Emerging Threats Intelligence from Proofpoint provides information on IP addresses and domains that may be compromised. | Source |
| blocklist.org.firehol.abusers_1d | From firehol.org: An ipset made from blocklists that track abusers in the last 24 hours. | Source |
| blocklist.org.firehol.abusers_30d | From firehol.org: An ipset made from blocklists that track abusers in the last 30 days. | Source |
| blocklist.org.firehol.level_1 | From firehol.org: The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs. The key prerequisite for this cause is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions. | Source |
| blocklist.org.firehol.level_2 | From firehol.org: An ipset made from blocklists that track attacks, during about the last 48 hours. | Source |
| blocklist.org.firehol.level_3 | From firehol.org: An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs that have been reported or detected in the last 30 days. | Source |
| blocklist.org.spamhaus.drop.ipv4 | From spamhaus.org: Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory "drop all traffic", containing IP ranges which are so dangerous to internet users that Spamhaus provides access to anyone who wants to add this layer of protection, free of charge. | Source |
| blocklist.org.spamhaus.drop.ipv6 | From spamhaus.org: Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory "drop all traffic", containing IP ranges which are so dangerous to internet users that Spamhaus provides access to anyone who wants to add this layer of protection, free of charge. | Source |
| blocklist.org.team_cymru.fullbogons.ipv4 | From team-cymru.com: The traditional bogon prefixes, plus prefixes that have been allocated to RIRs but not yet assigned by those RIRs to ISPs, end-users, etc. | Source |
| blocklist.org.team_cymru.fullbogons.ipv6 | From team-cymru.com: IPv6 "fullbogons", all IPv6 prefixes that have not been allocated to RIRs and that have not been assigned by RIRs to ISPs, end-users, etc. | Source |

blocklist.co.greensnow

From greensnow.co: GreenSnow is a team consisting of the best specialists in computer security; we harvest a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Our list is updated automatically and you can withdraw at any time your IP address if it has been listed.

# snippet
---
expressions:
- "!('blocklist.co.greensnow' in conn.client_ip.categories)"

blocklist.com.stopforumspam.toxic_ips

From stopforumspam.com: The data provided here represents what we believe will only ever be used to abuse. IP Addresses listed here will be returned in API results as "blacklisted". You would be very unlikely to see valid content from the IP addresses listed.

# snippet
---
expressions:
- "!('blocklist.com.stopforumspam.toxic_ips' in conn.client_ip.categories)"

blocklist.de.blocklist.all

From BlockList.de: All IP addresses that have attacked one of our customers/servers in the last 48 hours.

# snippet
---
expressions:
- "!('blocklist.de.blocklist.all' in conn.client_ip.categories)"

blocklist.de.blocklist.apache

From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks.

# snippet
---
expressions:
- "!('blocklist.de.blocklist.apache' in conn.client_ip.categories)"

blocklist.de.blocklist.bots

From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on an open Forum or Wiki).

# snippet
---
expressions:
- "!('blocklist.de.blocklist.bots' in conn.client_ip.categories)"

blocklist.de.blocklist.bruteforcelogin

From BlockList.de: All IPs which attack Joomla, WordPress and other Web-Logins with Brute-Force Logins.

# snippet
---
expressions:
- "!('blocklist.de.blocklist.bruteforcelogin' in conn.client_ip.categories)"

blocklist.de.blocklist.ftp

From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP.

# snippet
---
expressions:
- "!('blocklist.de.blocklist.ftp' in conn.client_ip.categories)"

blocklist.de.blocklist.imap

From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3.

# snippet
---
expressions:
- "!('blocklist.de.blocklist.imap' in conn.client_ip.categories)"

blocklist.de.blocklist.mail

From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix.

# snippet
---
expressions:
- "!('blocklist.de.blocklist.mail' in conn.client_ip.categories)"

blocklist.de.blocklist.sip

From BlockList.de: All IP addresses that tried to log in to a SIP-, VOIP- or Asterisk-Server and are included in the IPs-List from http://www.infiltrated.net/ (Twitter).

# snippet
---
expressions:
- "!('blocklist.de.blocklist.sip' in conn.client_ip.categories)"

blocklist.de.blocklist.ssh

From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH.

# snippet
---
expressions:
- "!('blocklist.de.blocklist.ssh' in conn.client_ip.categories)"

blocklist.de.blocklist.strongips

From BlockList.de: All IPs which are older than 2 months and have more than 5.000 attacks.

# snippet
---
expressions:
- "!('blocklist.de.blocklist.strongips' in conn.client_ip.categories)"

blocklist.org.firehol.level_1

From firehol.org: The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs. The key prerequisite for this cause is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions.

# snippet
---
expressions:
- "!('blocklist.org.firehol.level_1' in conn.client_ip.categories)"

blocklist.org.firehol.level_2

From firehol.org: An ipset made from blocklists that track attacks, during about the last 48 hours.

# snippet
---
expressions:
- "!('blocklist.org.firehol.level_2' in conn.client_ip.categories)"

blocklist.org.firehol.level_3

From firehol.org: An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs that have been reported or detected in the last 30 days.

# snippet
---
expressions:
- "!('blocklist.org.firehol.level_3' in conn.client_ip.categories)"

blocklist.org.firehol.abusers_1d

From firehol.org: An ipset made from blocklists that track abusers in the last 24 hours.

# snippet
---
expressions:
- "!('blocklist.org.firehol.abusers_1d' in conn.client_ip.categories)"

blocklist.org.firehol.abusers_30d

From firehol.org: An ipset made from blocklists that track abusers in the last 30 days.

# snippet
---
expressions:
- "!('blocklist.org.firehol.abusers_30d' in conn.client_ip.categories)"

blocklist.org.spamhaus.drop.ipv4

From spamhaus.org: Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory “drop all traffic”, containing IP ranges which are so dangerous to internet users that Spamhaus provides access to anyone who wants to add this layer of protection, free of charge.

# snippet
---
expressions:
- "!('blocklist.org.spamhaus.drop.ipv4' in conn.client_ip.categories)"

blocklist.org.spamhaus.drop.ipv6

From spamhaus.org: Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory “drop all traffic”, containing IP ranges which are so dangerous to internet users that Spamhaus provides access to anyone who wants to add this layer of protection, free of charge.

# snippet
---
expressions:
- "!('blocklist.org.spamhaus.drop.ipv6' in conn.client_ip.categories)"

blocklist.org.team_cymru.fullbogons.ipv4

From team-cymru.com: The traditional bogon prefixes, plus prefixes that have been allocated to RIRs but not yet assigned by those RIRs to ISPs, end-users, etc.

# snippet
---
expressions:
- "!('blocklist.org.team_cymru.fullbogons.ipv4' in conn.client_ip.categories)"

blocklist.org.team_cymru.fullbogons.ipv6

From team-cymru.com: IPv6 "fullbogons", all IPv6 prefixes that have not been allocated to RIRs and that have not been assigned by RIRs to ISPs, end-users, etc.

# snippet
---
expressions:
- "!('blocklist.org.team_cymru.fullbogons.ipv6' in conn.client_ip.categories)"

Proxies / VPNs

| Name | Description | Sources |
| --- | --- | --- |
| proxy.anonymous.org.firehol | From firehol.org: An ipset that includes all the anonymizing IPs of the world. (includes: anonymous dm_tor firehol_proxies tor_exits) | Source |
| proxy.anonymous.tor | These IPs are actively serving as Tor Exit nodes. | Source |
| proxy.open.org.firehol | From firehol.org: An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days. | Source |

proxy.anonymous.org.firehol

From firehol.org: An ipset that includes all the anonymizing IPs of the world. (includes: anonymous dm_tor firehol_proxies tor_exits)

# snippet
---
expressions:
- "!('proxy.anonymous.org.firehol' in conn.client_ip.categories)"

proxy.anonymous.tor

These IPs are actively serving as Tor Exit nodes.

# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.client_ip.categories)"

proxy.open.org.firehol

From firehol.org: An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days.

# snippet
---
expressions:
- "!('proxy.open.org.firehol' in conn.client_ip.categories)"

Organizations

| Name | Description | Sources |
| --- | --- | --- |
| com.aws | IPs from AWS | Source |
| com.aws.sns | IPs from AWS SNS service | Source |
| com.aws.us-east-1.sns | IPs from AWS SNS service for the us-east-1 region | Source |
| com.aws.us-east-2.sns | IPs from AWS SNS service for the us-east-2 region | Source |
| com.aws.us-west-1.sns | IPs from AWS SNS service for the us-west-1 region | Source |
| com.aws.us-west-2.sns | IPs from AWS SNS service for the us-west-2 region | Source |
| com.cloudflare.ipv4 | IPv4s from Cloudflare | IPv4, IPv6 |
| com.cloudflare.ipv6 | IPv6s from Cloudflare | IPv4, IPv6 |
| com.stripe.api | The full list of IP addresses that api.stripe.com may resolve to | Source |
| com.stripe.armada_gator | The full list of IP addresses that files.stripe.com, armada.stripe.com, and gator.stripe.com may resolve to | Source |
| com.stripe.webhooks | The full list of IP addresses that webhook notifications may come from | Source |
| com.vultr | IPs for Vultr | Source |
| io.censys.scanners | The IPs that Censys bots use to continually scan the entire public IPv4 address space across all possible IP and port combinations using automatic protocol detection. | Source |
| org.firehol.level_4 | From firehol.org: An ipset made from blocklists that track attacks, but may include a large number of false positives. | Source |
| org.firehol.webserver | From firehol.org: A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history.) | Source |
| org.telegram | IPs for Telegram Bots | Source |

com.aws

IPs from AWS.

# snippet
---
expressions:
- "'com.aws' in conn.client_ip.categories"

com.aws.sns

IPs from AWS SNS service.

# snippet
---
expressions:
- "'com.aws.sns' in conn.client_ip.categories"

com.aws.us-east-1.sns

IPs from AWS SNS service for the us-east-1 region.

# snippet
---
expressions:
- "'com.aws.us-east-1.sns' in conn.client_ip.categories"

com.aws.us-east-2.sns

IPs from AWS SNS service for the us-east-2 region.

# snippet
---
expressions:
- "'com.aws.us-east-2.sns' in conn.client_ip.categories"

com.aws.us-west-1.sns

IPs from AWS SNS service for the us-west-1 region.

# snippet
---
expressions:
- "'com.aws.us-west-1.sns' in conn.client_ip.categories"

com.aws.us-west-2.sns

IPs from AWS SNS service for the us-west-2 region.

# snippet
---
expressions:
- "'com.aws.us-west-2.sns' in conn.client_ip.categories"

com.cloudflare.ipv4

IPv4s from Cloudflare.

# snippet
---
expressions:
- "'com.cloudflare.ipv4' in conn.client_ip.categories"

com.cloudflare.ipv6

IPv6s from Cloudflare.

# snippet
---
expressions:
- "'com.cloudflare.ipv6' in conn.client_ip.categories"

com.stripe.api

The full list of IP addresses that api.stripe.com may resolve to.

# snippet
---
expressions:
- "'com.stripe.api' in conn.client_ip.categories"

com.stripe.armada_gator

The full list of IP addresses that files.stripe.com, armada.stripe.com, and gator.stripe.com may resolve to.

# snippet
---
expressions:
- "'com.stripe.armada_gator' in conn.client_ip.categories"

com.stripe.webhooks

The full list of IP addresses that webhook notifications may come from.

# snippet
---
expressions:
- "'com.stripe.webhooks' in conn.client_ip.categories"

com.vultr

IPs from Vultr.com.

# snippet
---
expressions:
- "'com.vultr' in conn.client_ip.categories"

io.censys.scanners

The IPs that Censys bots use to continually scan the entire public IPv4 address space across all possible IP and port combinations using automatic protocol detection.

# snippet
---
expressions:
- "!('io.censys.scanners' in conn.client_ip.categories)"

org.firehol.level_4

From firehol.org: An ipset made from blocklists that track attacks, but may include a large number of false positives.

# snippet
---
expressions:
- "!('org.firehol.level_4' in conn.client_ip.categories)"

org.firehol.webserver

From firehol.org: A web server IP blocklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history.)

# snippet
---
expressions:
- "!('org.firehol.webserver' in conn.client_ip.categories)"

org.telegram

IPs for Telegram.org bots.

# snippet
---
expressions:
- "'org.telegram' in conn.client_ip.categories"