Abuse Info Gathering Made Easy

If there is one boring task when you are investigating a security incident, it is gathering all the information related to the IP addresses involved: which IP addresses were used, the routing information (AS number and prefix), the geo-location and the abuse contacts to notify.

Alexandre Dulaunoy wrote a cool piece of Perl code to automate those tasks. His tool, called “traceroute-circl”, automates everything. “CIRCL” stands for “Computer Incident Response Center Luxembourg” (the Luxembourg CERT). Based on the information returned by the standard traceroute tool, Alexandre’s tool gathers extra information about every hop, as seen in the example below.

For each hop, it displays the country, the abuse contact, the AS number and name, the announced prefix, the registry and the allocation date. Check out the example:

  $ ./traceroute-circl --ip www.paris.fr
  traceroute to www.paris.fr (79.140.93.170), 30 hops max, 60 byte packets
   Country:IT Abuse contact:abuse@akamai.com
   ASN (RIS):AS6762 SEABONE-NET TELECOM ITALIA SPARKLE S.p.A. ASN INFO:6762 79.140.80.0/20 IT \
      ripencc 2007-10-05
   1  88.191.120.1 (88.191.120.1)  0.446 ms  0.497 ms  0.573 ms
   Country:FR Abuse contact:abuse@proxad.net abuse@support.dedibox.fr
   ASN (RIS):AS12322 PROXAD Free SAS ASN INFO:12322 88.160.0.0/11 FR ripencc 2005-10-03
   <...>
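To make the enrichment step concrete, here is an added Python example; it is not traceroute-circl’s code (which is Perl). It parses plain traceroute output, skips hops that did not answer or that sit in private address space, and resolves each public hop to its origin AS, prefix and AS name through Team Cymru’s DNS-based IP-to-ASN service (TXT queries under origin.asn.cymru.com and asn.cymru.com). Whether traceroute-circl itself uses that service is an assumption; its pipe-delimited answer format matches the ASN INFO lines above. The DNS lookup is passed in as a callable so the script runs offline against stub answers built from the page’s own output; the abuse-contact lookup shown above is not reproduced here.

```python
"""Enrich traceroute hops with origin AS data, in the spirit of traceroute-circl.

Added example, not part of traceroute-circl. The live lookup is assumed to be
Team Cymru's IP-to-ASN DNS service; replace stub_resolver() with a real TXT
resolver (e.g. dnspython) to run it against the network.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Query names: reverse the IPv4 octets and append the origin zone. The TXT
# answer is "ASN | prefix | CC | registry | allocated"; the AS-name zone
# answers "ASN | CC | registry | allocated | AS name".
ORIGIN_ZONE = "origin.asn.cymru.com"
ASN_ZONE = "asn.cymru.com"

Resolver = Callable[[str], Optional[str]]  # qname -> TXT record text, or None

# Constructed stub answers for offline use. The ASN/prefix values are copied
# from the traceroute-circl run shown on the page and may be stale.
STUB_TXT: Dict[str, str] = {
    f"1.120.191.88.{ORIGIN_ZONE}": "12322 | 88.160.0.0/11 | FR | ripencc | 2005-10-03",
    f"170.93.140.79.{ORIGIN_ZONE}": "6762 | 79.140.80.0/20 | IT | ripencc | 2007-10-05",
    f"12322.{ASN_ZONE}": "12322 | FR | ripencc | 2005-10-03 | PROXAD Free SAS, FR",
    f"6762.{ASN_ZONE}": "6762 | IT | ripencc | 2007-10-05 | SEABONE-NET TELECOM ITALIA SPARKLE S.p.A., IT",
}

# Constructed traceroute output: a private first hop, the two public hops from
# the page, and one hop that did not answer. Not a real capture.
SAMPLE_TRACEROUTE = """\
traceroute to www.paris.fr (79.140.93.170), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.210 ms  0.230 ms  0.250 ms
 2  88.191.120.1 (88.191.120.1)  0.446 ms  0.497 ms  0.573 ms
 3  * * *
 4  79.140.93.170 (79.140.93.170)  21.1 ms  21.3 ms  21.4 ms
"""


def stub_resolver(qname: str) -> Optional[str]:
    """Offline stand-in for a TXT lookup."""
    return STUB_TXT.get(qname)


@dataclass
class Hop:
    number: int
    ip: Optional[str]                # None when the hop printed "* * *"
    asn: Optional[int] = None
    prefix: Optional[str] = None
    as_name: Optional[str] = None


HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_IN_PARENS = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_traceroute(text: str) -> List[Hop]:
    """Extract (hop number, IPv4) pairs; header lines and timeouts are handled."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                  # "traceroute to ..." header or noise
        ip_match = IPV4_IN_PARENS.search(m.group(2))
        hops.append(Hop(int(m.group(1)), ip_match.group(1) if ip_match else None))
    return hops


def origin_qname(ip: str) -> str:
    """88.191.120.1 -> 1.120.191.88.origin.asn.cymru.com"""
    ipaddress.IPv4Address(ip)         # raises ValueError on a malformed address
    return ".".join(reversed(ip.split("."))) + "." + ORIGIN_ZONE


def lookup_origin(ip: str, resolve: Resolver) -> Tuple[Optional[int], Optional[str]]:
    """Return (origin ASN, prefix) for a public IPv4, or (None, None)."""
    if not ipaddress.ip_address(ip).is_global:
        return None, None             # RFC 1918, loopback, link-local: no origin AS
    txt = resolve(origin_qname(ip))
    if not txt:
        return None, None
    fields = [f.strip() for f in txt.split("|")]
    # A multi-origin prefix may list several ASNs in the first field; keep the first.
    return int(fields[0].split()[0]), fields[1]


def lookup_as_name(asn: int, resolve: Resolver) -> Optional[str]:
    txt = resolve(f"{asn}.{ASN_ZONE}")
    return txt.split("|")[-1].strip() if txt else None


def enrich(text: str, resolve: Resolver = stub_resolver) -> List[Hop]:
    hops = parse_traceroute(text)
    for hop in hops:
        if hop.ip is None:
            continue
        hop.asn, hop.prefix = lookup_origin(hop.ip, resolve)
        if hop.asn is not None:
            hop.as_name = lookup_as_name(hop.asn, resolve)
    return hops


if __name__ == "__main__":
    for h in enrich(SAMPLE_TRACEROUTE):
        if h.ip is None:
            print(f"{h.number:>2}  * * *")
        elif h.asn is None:
            print(f"{h.number:>2}  {h.ip:<15} (no origin AS)")
        else:
            print(f"{h.number:>2}  {h.ip:<15} AS{h.asn} {h.prefix} {h.as_name}")
```

Swapping stub_resolver for a real resolver is a one-line change; everything else (parsing, the private-address check, the multi-origin case) stays the same, which is the part that is usually wrong in home-grown enrichment scripts.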

Another cool option generates a data file that you can feed to the Google Maps API to plot the hops:

Screenshot: Mapping on Google Maps

Written in Perl, the script requires some specific CPAN modules, but installing them should not be too difficult on recent Linux distributions. This is definitely a tool to keep in your personal toolbox if you are involved in security incident handling.

traceroute-circl is available here.
