The GestorAbuseIPDB module enriches detected intrusion events with external reputation data: abuse confidence score, risk label, total report count, and country of origin. This data is available in the SOC dashboard under the IP reputation panel.
The current implementation runs in mock/simulation mode. All queries return static simulated values (abuse_score: 15, riesgo: 'RIESGO MEDIO (Simulado)') until the module is connected to the real AbuseIPDB API. See Connecting to the real API below.

Initialization

Import and initialize GestorAbuseIPDB with your AbuseIPDB API key:
from abuseipdb_module import GestorAbuseIPDB

gestor = GestorAbuseIPDB(api_key="your_abuseipdb_api_key")
The constructor stores the key and prints its first five characters to the console as a confirmation (note that this debug line ends up in whatever captures the console output):
abuseipdb_module.py
class GestorAbuseIPDB:
    def __init__(self, api_key):
        self.api_key = api_key
        print(f"DEBUG: GestorAbuseIPDB inicializado con llave: {api_key[:5]}...")

Checking IP reputation

verificar_ips(ips, callback_resultado=None, callback_error=None) accepts a list of IP address strings and delivers results through a callback:
def on_resultado(resultado):
    print(resultado["ip"], resultado["abuse_score"], resultado["riesgo"])

gestor.verificar_ips(["192.168.1.10", "10.0.0.5"], callback_resultado=on_resultado)
For each IP, callback_resultado is called with a result dictionary containing the following fields (all of them are always present):
ip (string): The queried IP address.
abuse_score (integer): AbuseIPDB confidence score from 0 to 100. Higher values indicate a greater likelihood the IP is malicious.
riesgo (string): Human-readable risk label derived from the abuse score:
  • RIESGO BAJO — low threat
  • RIESGO MEDIO — moderate threat
  • RIESGO ALTO — high threat
In mock mode the value is suffixed with (Simulado).
total_reports (integer): Total number of abuse reports on record for this IP in the AbuseIPDB database.
pais (string): Country of origin for the IP address. In mock mode the value is suffixed with (Simulado).

Exporting a reputation report

exportar_reporte(ruta) saves the current reputation data to a file:
gestor.exportar_reporte("/reports/ip_reputation.txt")
The method returns True on success. In mock mode it writes a simulated report to the given path.

Cleanup

Call limpiar() when the SOC interface closes to release any resources held by the module:
gestor.limpiar()

Usage in the SOC interface

GestorAbuseIPDB is imported and instantiated in interfasc.py. A Verificar AbuseIPDB button in the dashboard toolbar triggers verificar_ips_abuse(), which extracts external IPs from the warnings panel and event table, then calls verificar_ips(). Results are prepended into the warnings text area in the format:
AbuseIPDB | 1.2.3.4 | Score: 85% | RIESGO ALTO | Reports: 120 | US
IPs flagged with CRÍTICO risk also trigger a status-bar warning message.

Connecting to the real API

To query live reputation data, replace the mock implementation in verificar_ips with a real HTTP call to the AbuseIPDB v2 endpoint:
import requests

def verificar_ips(self, ips, callback_resultado=None, callback_error=None):
    headers = {
        "Key": self.api_key,
        "Accept": "application/json",
    }
    for ip in ips:
        try:
            response = requests.get(
                "https://api.abuseipdb.com/api/v2/check",
                headers=headers,
                params={"ipAddress": ip, "maxAgeInDays": 90},
                timeout=10,  # a slow or unreachable API must not stall the SOC interface
            )
            response.raise_for_status()  # 401/429/5xx reach callback_error as HTTPError, not as a KeyError below
            data = response.json()["data"]
            resultado = {
                "ip": data["ipAddress"],
                "abuse_score": data["abuseConfidenceScore"],
                # _score_to_riesgo maps the 0-100 score to RIESGO BAJO / MEDIO / ALTO; define it next to this method
                "riesgo": _score_to_riesgo(data["abuseConfidenceScore"]),
                "total_reports": data["totalReports"],
                "pais": data["countryCode"],
            }
            if callback_resultado:
                callback_resultado(resultado)
        except Exception as e:
            if callback_error:
                callback_error(ip, e)
Get a free API key at abuseipdb.com. The free tier allows up to 1,000 checks per day.
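The following is an added example, not code from the GestorAbuseIPDB module: it shows the pieces the real-API version above leaves open, namely a score-to-riesgo mapping, a pre-filter that drops private, invalid and duplicate addresses before they cost free-tier quota, the parsing of a v2 /check body into the result dictionary described under Checking IP reputation, and the dashboard line format from Usage in the SOC interface. The riesgo thresholds and the sample response body are assumptions.

```python
import ipaddress
import json

# Thresholds are an assumption; the module's docs list only the three labels.
def score_to_riesgo(score: int) -> str:
    """Map the 0-100 AbuseIPDB confidence score to the SOC panel label."""
    if score >= 75:
        return "RIESGO ALTO"
    if score >= 10:
        return "RIESGO MEDIO"
    return "RIESGO BAJO"

def ips_consultables(ips):
    """Drop invalid, private/reserved and duplicate addresses before querying.

    Private addresses are not meaningful to look up and every call costs quota.
    """
    vistas, salida = set(), []
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip.strip())
        except ValueError:
            continue  # not an IP at all (e.g. a hostname pasted into the panel)
        if addr.is_global and str(addr) not in vistas:
            vistas.add(str(addr))
            salida.append(str(addr))
    return salida

def parsear_respuesta(cuerpo: str) -> dict:
    """Turn a /api/v2/check JSON body into the dict given to callback_resultado."""
    data = json.loads(cuerpo)["data"]
    score = int(data["abuseConfidenceScore"])
    return {
        "ip": data["ipAddress"],
        "abuse_score": score,
        "riesgo": score_to_riesgo(score),
        "total_reports": int(data["totalReports"]),
        "pais": data.get("countryCode") or "??",  # countryCode can be null
    }

def linea_panel(r: dict) -> str:
    """Format one result the way the warnings text area shows it."""
    return (f"AbuseIPDB | {r['ip']} | Score: {r['abuse_score']}% | {r['riesgo']} "
            f"| Reports: {r['total_reports']} | {r['pais']}")

# Constructed sample body in the v2 /check response shape (not a real lookup).
RESPUESTA_EJEMPLO = json.dumps({"data": {
    "ipAddress": "1.2.3.4", "isPublic": True, "abuseConfidenceScore": 85,
    "countryCode": "US", "totalReports": 120}})

if __name__ == "__main__":
    for ip in ips_consultables(["192.168.1.10", "10.0.0.5", "1.2.3.4"]):
        print(ip, "->", linea_panel(parsear_respuesta(RESPUESTA_EJEMPLO)))
```

Only 1.2.3.4 survives the pre-filter; the two private addresses from the verificar_ips example are never sent to the API.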
