ATD文档中心 logo ATD文档中心

ATD文档中心

内网自定义处理接口文档

通用说明

接口以POST方式调用,body格式为json。

1. request body数据样例

[{
    "timestamp": 1589990781,
    "location": "10.10.17.2",
    "action": "",
    "event": {
        "name": "Misc攻击",
        "type": "bro",
        "reason": "Misc攻击",
        "description": "ET CHAT IRC PING command",
        "policy": 0,
        "level": 3,
        "rule": "alert tcp any 6666:7000 -> any any (msg:\"ET CHAT IRC PING command\"; flow:from_server,established; content:\"PING|20|\"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)",
        "content": {
            "destIP": "10.47.7.152",
            "destPort": 50981,
            "illegalIP": "10.10.17.2",
            "proto": "TCP",
            "srcIP": "10.10.17.2",
            "srcPort": 6667
        },
        "suspicious_text": [
            "PING "
        ]
    },
    "time_local": "2020-05-21T00:06:21+0800",
    "ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.10.17.2\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
    "ip_tag": [
        "local"
    ],
    "src_ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.10.17.2\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
    "src_ip_tag": [
        "local"
    ],
    "dst_ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.47.7.152\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
    "dst_ip_tag": [
        "local"
    ],
    "direction": "PRIVATE_PRIVATE"
}]

字段解释:

字段名 类型 取值范围 说明
timestamp int - unix 时间戳
location string - 主机IP地址
action string - 处理动作
event object - 威胁事件数据
event.name string - 攻击名称
event.type string - 流量转换方式
event.reason string - 威胁事件的原因
event.description string - 威胁事件的描述
event.policy int - 命中规则的ID
event.level int [1-5] 威胁事件的等级
event.rule string - 威胁事件命中的规则内容
event.content object - 流量的原始内容,字段不等
event.content.destIP string - 目的IP
event.content.destPort int - 目的端口
event.content.illegalIP string - 非法IP
event.content.proto string - 协议
event.content.srcIP string - 源IP
event.content.srcPort int - 原端口
event.suspicious_text array - 规则主要命中内容
time_local string - 格式化后的时间
ip_credit object - IP信⽤等级数据,json格式,需解析,等同于 src_ip_credit和 dst_ip_credit
ip_credit.is_local enum [“yes”,”no”] 是否为内网IP
ip_credit.search_engine object - 搜索引擎IP信息
ip_credit.search_engine.status enum [“yes”,”no”,””] 当前IP是否为健康的搜索引擎爬虫IP,”yes”:健康的搜索引擎IP,”no”:恶意的搜索引擎IP,”“:不是搜索引擎IP
ip_credit.search_engine.name string - 具体的搜索引擎名称
ip_credit.is_near boolean [true,false] 内部临时数据,可忽略
ip_credit.addr array - IP地址信息
ip_credit.addr[0].province string - 省份
ip_credit.addr[0].city string - 城市
ip_credit.addr[0].district string - 地区
ip_credit.addr[0].country string - 国家
ip_credit.addr[0].location object - IP地理位置信息
ip_credit.addr[0].location.latitude float - IP的纬度
ip_credit.addr[0].location.radius float - IP覆盖范围半径,单位:KM
ip_credit.addr[0].location.longitude float - IP的经度
ip_credit.addr[0].idc string - 机房或网络运营商
ip_credit.addr[0].accuracy enum [“洲”,”国家”,”省”,”城市”,”区县”,”街道”] 地理位置的精确度
ip_credit.cache_at int - 内部临时数据,可忽略
ip_credit.export_score string - 内部临时数据,可忽略
ip_credit.ip string - 返回的IP,如果
ip_credit.credit object - IP信用数据
ip_credit.credit.user_count int [1-9] 人数范围标识:’1’:’1’,’2’:’2-5’,’3’:’6-10’,’4’:’11-30’,’5’:’31-50’,’6’:’51-100’,’7’:’101-500’,’8’:’501-2000’,’9’:’2000+’
ip_credit.credit.office float [0-100] 当前IP为办公网的概率
ip_credit.credit.family float [0-100] 当前IP为住宅小区的概率
ip_credit.credit.export_ip float [0-100] 当前IP为人群出口的概率
ip_credit.credit.person float [0-100] 当前IP为真人的概率
ip_credit.credit.dirty float [0-100] 当前IP的污点概率
ip_credit.credit.active float [0-100] 当前IP的活跃度
ip_credit.credit.base_station float [0-100] 当前IP是基站的概率
ip_credit.credit.edu_station float [0-100] 当前IP是教育网的概率
ip_credit.is_virus enum [“yes”,”no”] 传入IP是否有病毒标签
ip_credit.is_abuse enum [“yes”,”no”] 传入IP是否有恶意活动标签
ip_credit.is_spider enum [“yes”,”no”] 传入IP是否有爬虫标签
ip_credit.is_spam enum [“yes”,”no”] 传入IP是否有垃圾邮件标签
ip_credit.is_legal enum [“yes”,”no”] 传入IP是否符合语法标准
ip_credit.is_black enum [“yes”,”no”] 传入IP是否为高危IP
ip_credit.is_data_center enum [“yes”,”no”] 传入IP是否为数据中心IP
ip_credit.is_proxy enum [“yes”,”no”] 传入IP是否为代理IP
ip_credit.is_tor enum [“yes”,”no”] 传入IP是否为洋葱路由IP
ip_credit.is_wangba enum [“yes”,”no”] 传入IP是否为网吧IP
ip_credit.trend array - 威胁趋势
ip_credit.trend[0][0] int - 日期0点时间戳
ip_credit.trend[0][1] int - 记录数量
ip_credit.trend[0][2] enum [“low”,”medium”,”high”,null] 威胁等级
ip_credit.score enum [“low”,”medium”,”high”,null] 威胁等级
ip_credit.type dict - 历史威胁事件名称和计数的key-val对
ip_credit.latest array - 近期威胁事件记录
ip_credit.latest[0].timestamp int - 更新时间戳
ip_credit.latest[0].hits int - 命中次数
ip_credit.latest[0].score enum [“low”,”medium”,”high”,null] 威胁等级
ip_credit.latest[0].type string - 威胁事件名称
ip_credit.latest[0].loc string - 攻击源地理位置
ip_tag array - IP的标签,等同于src_ip_tag和dst_ip_tag
direction enum [“PRIVATE_PRIVATE”,”PRIVATE_PUBLIC”,”PUBLIC_PRIVATE”,”PUBLIC_PUBLIC”] 攻击方向描述

说明:
在系统中,当某IP的人群出口IP概率值(export_ip)大于60时,认为是人群出口IP。

2. response body数据样例

{
  "code": 0,
  "msg": "success",
  "data": []
}

字段解释:

字段名 类型 取值范围 解释
code int - 调⽤结果, 0表示成功,⾮0表示失败
msg string - 提示信息
data array - ⽤于返回结果数据,这⾥填空数组即可

3. 调用示例

说明:
1、在验证时,我们将向您发送如上样例的POST数据包;
2、如果在3秒内返回结果,并且(1)返回的数据为JSON格式;(2)code值为0,则将验证通过。

[root@bs203 ~]# curl http://172.18.1.203:8001/v1/firewall/action -d '
[{
    "timestamp": 1589990781,
    "location": "10.10.17.2",
    "action": "",
    "event": {
        "name": "Misc攻击",
        "type": "bro",
        "reason": "Misc攻击",
        "description": "ET CHAT IRC PING command",
        "policy": 0,
        "level": 3,
        "rule": "alert tcp any 6666:7000 -> any any (msg:\"ET CHAT IRC PING command\"; flow:from_server,established; content:\"PING|20|\"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)",
        "content": {
            "destIP": "10.47.7.152",
            "destPort": 50981,
            "illegalIP": "10.10.17.2",
            "proto": "TCP",
            "srcIP": "10.10.17.2",
            "srcPort": 6667
        },
        "suspicious_text": [
            "PING "
        ]
    },
    "time_local": "2020-05-21T00:06:21+0800",
    "ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.10.17.2\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
    "ip_tag": [
        "local"
    ],
    "src_ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.10.17.2\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
    "src_ip_tag": [
        "local"
    ],
    "dst_ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.47.7.152\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
    "dst_ip_tag": [
        "local"
    ],
    "direction": "PRIVATE_PRIVATE"
}]'

4. 返回样例

{
    "msg": "success", 
    "code": 0, 
    "data": []
}