API Documentation

When queried using common command-line tools, the website returns a JSON object that can be parsed using a tool such as jq:

$ curl -s https://opsec.live | jq '.passive.tls.ja3_hash'
"1e64af0e20d9a09d61bf7b9d5de76bc7"

Result Fields
.ip string
The IP address that made the request to the service.

.port string
The source port used to connect to the service.

.ptr string
The pointer record (PTR) associated with the requesting IP address.

.user_agent string
Content of the User-Agent HTTP header provided with the request.

.geo object
Geolocation of the IP address based on the GeoLite2 database provided by MaxMind, available from maxmind.com.
.geo.city string
The city of the requesting IP. Defaults to an empty string if it can't be determined.
.geo.state string
The state of the requesting IP. Defaults to an empty string if it can't be determined.
.geo.country string
The country of the requesting IP. Defaults to an empty string if it can't be determined.
.geo.iso_code string
The ISO 3166-1 alpha-2 code of the associated country. Defaults to an empty string if it can't be determined.

.asn object
The autonomous system (AS) the requesting IP is announced from.
.asn.asn string
The ASN associated with the autonomous system.
.asn.netblock string
The IP block that the ASN is announcing and that the source IP is part of in CIDR notation.
.geo.owner string
The named owner of the netblock.

.detections.ip object
Categorization as applied to .ip. Detection categories are outlined in the Detection Categories section below. Detections are represented by a boolean value.

.detections.netblock object
Categorization as applied to .asn.netblock. Detection categories are outlined in the Detection Categories section below. Detections are represented by a boolean value.

.passive.http object
Fingerprinting and tampering detection as applied to the HTTP request. Passive HTTP fingerprinting relies on verifying which headers are present and in which order. RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1) does not enforce a specific header order, so browsers and tools order their headers differently.
.passive.http.sig string
The passive HTTP signature calculated.
.passive.http.tampering string
One of:
  • Detected if .passive.http.sig doesn't match the expected browser specified in .user_agent
  • Not Detected if no tampering was detected.
  • Unsure if there wasn't enough information to determine tampering.

.passive.tls object
Fingerprinting and tampering detection as applied to the TLS Client Hello of the request. Passive TLS fingerprints are calculated using the JA3 method.
.passive.tls.sig string
The full JA3 signature for the Client Hello packet.
.passive.tls.ja3_hash string
The MD5 hash of .passive.tls.sig.

.passive.tcp object
Fingerprinting and tampering detection as applied to the TCP packet. Passive TCP fingerprinting is based on fields within the TCP header that give insight on the network stack that made the request. Seeing as network stacks are highly coupled with operating systems, this is a good way to determine the OS of the client.
.passive.tcp.sig string
The passive TCP signature calculated: a p0f-style signature identifying the incoming TCP connection. A full breakdown of these fields can be found in the p0f documentation.
.passive.tcp.tampering string
One of:
  • Detected if .passive.tcp.sig doesn't match the expected operating system specified in .user_agent
  • Not Detected if no tampering was detected.
  • Unsure if there wasn't enough information to determine tampering.

Detection Categories

These categories are refreshed periodically from open source datasets.

Abuse
IPs associated with spam, bots, and scams.
Anonymizer
IPs known to be VPN endpoints, TOR exit nodes, and proxies.
Datacenter
IPs known to be from server and cloud hosting providers.
Malware
IPs associated with malware campaigns and active attacks.
Reputation
Low reputation IPs associated with nefarious and illegal activity.
Spoofing
IPs that should otherwise be unroutable or dead.
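
As an added example (not part of the service's own documentation or code), the Python below reduces one response to the signals described above: whether .passive.tls.ja3_hash really is the MD5 of .passive.tls.sig, which detection categories are true for the IP and its netblock, and which passive layers need review. The sample response is constructed, and the lower-case category keys under detections are an assumption, since the page does not list the JSON key names.

```python
import hashlib
import json

# Constructed sample response, not real output from the service. The keys under
# "detections" are assumed to be lower-case forms of the category names.
_JA3 = "771,4865-4866-4867-49195-49199,0-23-65281-10-11,29-23-24,0"
SAMPLE = json.dumps({
    "ip": "203.0.113.7",
    "user_agent": "curl/8.5.0",
    "detections": {
        "ip": {"abuse": False, "anonymizer": True, "datacenter": True},
        "netblock": {"abuse": False, "anonymizer": False, "datacenter": True},
    },
    "passive": {
        "http": {"sig": "constructed", "tampering": "Not Detected"},
        "tls": {"sig": _JA3, "ja3_hash": hashlib.md5(_JA3.encode()).hexdigest()},
        "tcp": {"sig": "constructed", "tampering": "Unsure"},
    },
})


def parse_ja3(sig):
    """Split a JA3 string into its five comma-separated, dash-joined fields."""
    names = ("version", "ciphers", "extensions", "curves", "point_formats")
    parts = sig.split(",")
    if len(parts) != len(names):
        raise ValueError("JA3 string must have exactly five fields")
    # Empty fields are legal in JA3 (e.g. a hello with no extensions).
    return {n: [int(v) for v in p.split("-") if v] for n, p in zip(names, parts)}


def summarize(raw):
    """Reduce one response to the signals a reviewer would act on."""
    doc = json.loads(raw)
    tls = doc["passive"]["tls"]
    det = doc.get("detections", {})
    digest = hashlib.md5(tls["sig"].encode()).hexdigest()
    return {
        # .passive.tls.ja3_hash is documented as the MD5 of .passive.tls.sig.
        "ja3_consistent": digest == tls["ja3_hash"].lower(),
        "ja3": parse_ja3(tls["sig"]),
        # Categories set to true on the address itself or on its netblock.
        "flagged": {scope: sorted(k for k, v in det.get(scope, {}).items() if v is True)
                    for scope in ("ip", "netblock")},
        # Layers whose verdict is anything other than "Not Detected".
        "review": {layer: doc["passive"][layer].get("tampering") for layer in ("http", "tcp")
                   if doc["passive"][layer].get("tampering") != "Not Detected"},
    }
```

To run it against live output, pass the body returned by the curl command shown at the top of the page to summarize() in place of SAMPLE.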