Tor IP Lookup
The Tor IP Lookup API queries the FullHunt database to check if a specific IP address was identified as a Tor exit node. FullHunt actively monitors and indexes Tor IPs for threat intelligence purposes.
Check Tor IP
Check if a specific IP address is associated with a Tor exit node.
HTTP Request
GET https://fullhunt.io/api/v1/nexus/tor/check-ip
Query Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
| ip | Yes | string | The IP address to check |
Example Request
curl "https://fullhunt.io/api/v1/nexus/tor/check-ip?ip=100.8.8.137" \
-H "X-API-KEY: xxxx-xxxx-xxxx-xxxxxx"
Example Response - Tor IP Found
{
"count": 1,
"data": {
"first_seen": "26-09-2023",
"ip_address": "100.8.8.137"
},
"error": "",
"status": 200
}
Example Response - Not a Tor IP
{
"count": 0,
"data": null,
"error": "",
"status": 200
}
Response Fields
| Field | Type | Description |
|---|---|---|
count | integer | Number of records found (0 or 1) |
data | object/null | Tor IP data if found, null if not found |
error | string | Error message (empty on success) |
status | integer | HTTP status code |
Data Object Fields (when found)
| Field | Type | Description |
|---|---|---|
first_seen | string | Date when IP was first identified as Tor exit node |
ip_address | string | The queried IP address |
Integration Example
import requests
import json
from datetime import datetime
class TorChecker:
def __init__(self, api_key):
self.api_key = api_key
self.headers = {"X-API-KEY": api_key}
self.base_url = "https://fullhunt.io/api/v1/nexus/tor"
def check_ip(self, ip_address):
"""Check if an IP address is a known Tor exit node."""
url = f"{self.base_url}/check-ip"
params = {"ip": ip_address}
response = requests.get(url, headers=self.headers, params=params)
if response.status_code == 200:
data = response.json()
return data
else:
print(f"Error checking IP {ip_address}: {response.status_code}")
return None
def is_tor_ip(self, ip_address):
"""Simple boolean check if IP is a Tor exit node."""
result = self.check_ip(ip_address)
return result and result.get('count', 0) > 0
def get_tor_info(self, ip_address):
"""Get detailed Tor information for an IP address."""
result = self.check_ip(ip_address)
if result and result.get('count', 0) > 0:
return result.get('data')
return None
def batch_check_ips(self, ip_list):
"""Check multiple IP addresses for Tor association."""
results = {}
print(f"🔍 Checking {len(ip_list)} IP addresses for Tor association...")
for i, ip in enumerate(ip_list, 1):
print(f"Progress: {i}/{len(ip_list)} - Checking {ip}")
result = self.check_ip(ip)
if result:
is_tor = result.get('count', 0) > 0
results[ip] = {
'is_tor': is_tor,
'data': result.get('data') if is_tor else None
}
else:
results[ip] = {
'is_tor': False,
'data': None,
'error': 'API request failed'
}
# Rate limiting - small delay between requests
import time
time.sleep(1)
return results
def analyze_log_file(self, log_file_path, ip_column=0):
"""Analyze a log file to identify Tor IPs."""
tor_ips = []
total_ips = set()
print(f"📄 Analyzing log file: {log_file_path}")
try:
with open(log_file_path, 'r') as file:
for line_num, line in enumerate(file, 1):
# Extract IP from log line (assuming space-separated)
parts = line.strip().split()
if len(parts) > ip_column:
ip = parts[ip_column]
# Basic IP validation
if self._is_valid_ip(ip):
total_ips.add(ip)
except FileNotFoundError:
print(f"❌ Log file not found: {log_file_path}")
return None
print(f"Found {len(total_ips)} unique IP addresses in log file")
# Check each unique IP
unique_ips = list(total_ips)
batch_results = self.batch_check_ips(unique_ips)
# Filter for Tor IPs
for ip, result in batch_results.items():
if result['is_tor']:
tor_data = result['data']
tor_ips.append({
'ip': ip,
'first_seen': tor_data.get('first_seen') if tor_data else None
})
print(f"\n🎯 Analysis Results:")
print(f" Total unique IPs: {len(total_ips)}")
print(f" Tor exit nodes: {len(tor_ips)}")
print(f" Tor percentage: {(len(tor_ips)/len(total_ips)*100):.2f}%")
if tor_ips:
print(f"\n🚨 Tor IPs found:")
for tor_ip in tor_ips[:10]: # Show first 10
print(f" • {tor_ip['ip']} (First seen: {tor_ip['first_seen']})")
return {
'total_ips': len(total_ips),
'tor_ips': tor_ips,
'tor_percentage': (len(tor_ips)/len(total_ips)*100) if total_ips else 0
}
def _is_valid_ip(self, ip):
"""Basic IP address validation."""
import ipaddress
try:
ipaddress.ip_address(ip)
return True
except ValueError:
return False
# Usage Examples
api_key = "your-api-key-here"
tor_checker = TorChecker(api_key)
# Single IP check
ip_to_check = "100.8.8.137"
result = tor_checker.check_ip(ip_to_check)
print(f"IP {ip_to_check} Tor check result:", result)
# Simple boolean check
is_tor = tor_checker.is_tor_ip(ip_to_check)
print(f"Is {ip_to_check} a Tor IP? {is_tor}")
# Get detailed Tor info
tor_info = tor_checker.get_tor_info(ip_to_check)
if tor_info:
print(f"Tor info for {ip_to_check}: First seen {tor_info['first_seen']}")
# Batch checking
suspicious_ips = ["100.8.8.137", "192.168.1.1", "8.8.8.8"]
batch_results = tor_checker.batch_check_ips(suspicious_ips)
for ip, result in batch_results.items():
status = "Tor exit node" if result['is_tor'] else "Not Tor"
print(f"{ip}: {status}")
# Log file analysis
# log_analysis = tor_checker.analyze_log_file("/var/log/access.log", ip_column=0)
Real-time Monitoring Integration
import requests
import time
import json
from datetime import datetime
import threading
import queue
class TorMonitor:
def __init__(self, api_key, alert_webhook=None):
self.tor_checker = TorChecker(api_key)
self.alert_webhook = alert_webhook
self.monitoring = False
self.known_tor_ips = set()
def monitor_ip_list(self, ip_list, check_interval=300):
"""Monitor a list of IPs for Tor activity."""
print(f"🛡️ Starting Tor monitoring for {len(ip_list)} IPs")
print(f" Check interval: {check_interval} seconds")
self.monitoring = True
while self.monitoring:
print(f"\n🔍 Running Tor check at {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
new_tor_ips = []
for ip in ip_list:
if self.tor_checker.is_tor_ip(ip):
if ip not in self.known_tor_ips:
# New Tor IP detected
new_tor_ips.append(ip)
self.known_tor_ips.add(ip)
print(f"🚨 NEW TOR IP DETECTED: {ip}")
# Get additional info
tor_info = self.tor_checker.get_tor_info(ip)
if tor_info:
print(f" First seen as Tor: {tor_info['first_seen']}")
time.sleep(1) # Rate limiting
# Send alerts for new Tor IPs
if new_tor_ips and self.alert_webhook:
self.send_tor_alert(new_tor_ips)
if not new_tor_ips:
print("✅ No new Tor IPs detected")
# Wait for next check
time.sleep(check_interval)
def send_tor_alert(self, tor_ips):
"""Send webhook alert for newly detected Tor IPs."""
alert_data = {
"timestamp": datetime.now().isoformat(),
"alert_type": "new_tor_ips",
"message": f"Detected {len(tor_ips)} new Tor exit nodes",
"tor_ips": tor_ips
}
try:
response = requests.post(self.alert_webhook, json=alert_data)
if response.status_code == 200:
print(f"📤 Alert sent for {len(tor_ips)} new Tor IPs")
else:
print(f"❌ Failed to send alert: {response.status_code}")
except Exception as e:
print(f"❌ Alert webhook error: {e}")
def stop_monitoring(self):
"""Stop the monitoring process."""
self.monitoring = False
print("🛑 Tor monitoring stopped")
# Real-time log monitoring
def monitor_live_logs(log_file_path, tor_checker, alert_callback=None):
"""Monitor log file in real-time for Tor IPs."""
print(f"👁️ Starting real-time log monitoring: {log_file_path}")
try:
with open(log_file_path, 'r') as file:
# Go to end of file
file.seek(0, 2)
while True:
line = file.readline()
if line:
# Extract IP from new log line
parts = line.strip().split()
if parts:
ip = parts[0] # Assuming first field is IP
# Check if it's a valid IP and if it's Tor
if tor_checker._is_valid_ip(ip):
if tor_checker.is_tor_ip(ip):
print(f"🚨 LIVE TOR DETECTION: {ip} at {datetime.now()}")
if alert_callback:
alert_callback(ip, line.strip())
else:
# No new line, wait a bit
time.sleep(1)
except FileNotFoundError:
print(f"❌ Log file not found: {log_file_path}")
except KeyboardInterrupt:
print("\n🛑 Live monitoring stopped by user")
# Usage for real-time monitoring
api_key = "your-api-key-here"
webhook_url = "https://your-webhook-endpoint.com/tor-alerts"
# Monitor specific IPs
monitor = TorMonitor(api_key, webhook_url)
suspicious_ips = ["100.8.8.137", "192.168.1.100", "10.0.0.1"]
# Start monitoring in a separate thread
monitoring_thread = threading.Thread(
target=monitor.monitor_ip_list,
args=(suspicious_ips, 300) # Check every 5 minutes
)
monitoring_thread.daemon = True
monitoring_thread.start()
# Live log monitoring example
def tor_alert_callback(ip, log_line):
"""Callback function for Tor IP detections in logs."""
print(f"📋 Log line with Tor IP: {log_line}")
# Send to SIEM, trigger incident response, etc.
# Your custom alert logic here
# Uncomment to start live log monitoring
# monitor_live_logs("/var/log/access.log", tor_checker, tor_alert_callback)
Use Cases
Network Security Monitoring
- Monitor firewall logs for Tor traffic
- Identify potential privacy-seeking users
- Detect possible anonymization attempts
Threat Intelligence
- Correlate malicious activity with Tor usage
- Track threat actor infrastructure
- Investigate suspicious connections
Compliance and Policy Enforcement
- Enforce organizational policies regarding Tor usage
- Monitor for policy violations
- Generate compliance reports
Incident Response
- Quickly identify if suspicious IPs are Tor nodes
- Assess the anonymization level of attacks
- Prioritize investigation based on Tor usage
Best Practices
API Usage
- Caching: Cache results to reduce API calls for repeated checks
- Rate Limiting: Respect API rate limits, especially for batch operations
- Error Handling: Implement proper error handling and retry logic
- Monitoring: Set up monitoring for API quota usage
Security Considerations
- Context Awareness: Consider that Tor usage isn't always malicious
- Privacy Respect: Balance security needs with privacy considerations
- False Positives: Implement processes to handle legitimate Tor usage
- Correlation: Combine Tor data with other threat intelligence
Integration Tips
- SIEM Integration: Feed Tor IP data into security monitoring systems
- Automated Response: Set up automated responses for confirmed Tor traffic
- Alerting: Configure appropriate alert thresholds and escalation
- Documentation: Maintain records of Tor IP detections and responses