通用说明
接口以POST方式调用,body格式为json。
1. request body数据样例
[{
"timestamp": 1589990781,
"location": "10.10.17.2",
"action": "",
"event": {
"name": "Misc攻击",
"type": "bro",
"reason": "Misc攻击",
"description": "ET CHAT IRC PING command",
"policy": 0,
"level": 3,
"rule": "alert tcp any 6666:7000 -> any any (msg:\"ET CHAT IRC PING command\"; flow:from_server,established; content:\"PING|20|\"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)",
"content": {
"destIP": "10.47.7.152",
"destPort": 50981,
"illegalIP": "10.10.17.2",
"proto": "TCP",
"srcIP": "10.10.17.2",
"srcPort": 6667
},
"suspicious_text": [
"PING "
]
},
"time_local": "2020-05-21T00:06:21+0800",
"ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.10.17.2\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
"ip_tag": [
"local"
],
"src_ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.10.17.2\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
"src_ip_tag": [
"local"
],
"dst_ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.47.7.152\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
"dst_ip_tag": [
"local"
],
"direction": "PRIVATE_PRIVATE"
}]
字段解释:
字段名 | 类型 | 取值范围 | 说明 |
---|---|---|---|
timestamp | int | - | unix 时间戳 |
location | string | - | 主机IP地址 |
action | string | - | 处理动作 |
event | object | - | 威胁事件数据 |
event.name | string | - | 攻击名称 |
event.type | string | - | 流量转换方式 |
event.reason | string | - | 威胁事件的原因 |
event.description | string | - | 威胁事件的描述 |
event.policy | int | - | 命中规则的ID |
event.level | int | [1-5] | 威胁事件的等级 |
event.rule | string | - | 威胁事件命中的规则内容 |
event.content | object | - | 流量的原始内容,字段不等 |
event.content.destIP | string | - | 目的IP |
event.content.destPort | int | - | 目的端口 |
event.content.illegalIP | string | - | 非法IP |
event.content.proto | string | - | 协议 |
event.content.srcIP | string | - | 源IP |
event.content.srcPort | int | - | 原端口 |
event.suspicious_text | array | - | 规则主要命中内容 |
time_local | string | - | 格式化后的时间 |
ip_credit | object | - | IP信⽤等级数据,json格式,需解析,等同于 src_ip_credit和 dst_ip_credit |
ip_credit.is_local | enum | [“yes”,”no”] | 是否为内网IP |
ip_credit.search_engine | object | - | 搜索引擎IP信息 |
ip_credit.search_engine.status | enum | [“yes”,”no”,””] | 当前IP是否为健康的搜索引擎爬虫IP,”yes”:健康的搜索引擎IP,”no”:恶意的搜索引擎IP,”“:不是搜索引擎IP |
ip_credit.search_engine.name | string | - | 具体的搜索引擎名称 |
ip_credit.is_near | boolean | [true,false] | 内部临时数据,可忽略 |
ip_credit.addr | array | - | IP地址信息 |
ip_credit.addr[0].province | string | - | 省份 |
ip_credit.addr[0].city | string | - | 城市 |
ip_credit.addr[0].district | string | - | 地区 |
ip_credit.addr[0].country | string | - | 国家 |
ip_credit.addr[0].location | object | - | IP地理位置信息 |
ip_credit.addr[0].location.latitude | float | - | IP的纬度 |
ip_credit.addr[0].location.radius | float | - | IP覆盖范围半径,单位:KM |
ip_credit.addr[0].location.longitude | float | - | IP的经度 |
ip_credit.addr[0].idc | string | - | 机房或网络运营商 |
ip_credit.addr[0].accuracy | enum | [“洲”,”国家”,”省”,”城市”,”区县”,”街道”] | 地理位置的精确度 |
ip_credit.cache_at | int | - | 内部临时数据,可忽略 |
ip_credit.export_score | string | - | 内部临时数据,可忽略 |
ip_credit.ip | string | - | 返回的IP,如果 |
ip_credit.credit | object | - | IP信用数据 |
ip_credit.credit.user_count | int | [1-9] | 人数范围标识:’1’:’1’,’2’:’2-5’,’3’:’6-10’,’4’:’11-30’,’5’:’31-50’,’6’:’51-100’,’7’:’101-500’,’8’:’501-2000’,’9’:’2000+’ |
ip_credit.credit.office | float | [0-100] | 当前IP为办公网的概率 |
ip_credit.credit.family | float | [0-100] | 当前IP为住宅小区的概率 |
ip_credit.credit.export_ip | float | [0-100] | 当前IP为人群出口的概率 |
ip_credit.credit.person | float | [0-100] | 当前IP为真人的概率 |
ip_credit.credit.dirty | float | [0-100] | 当前IP的污点概率 |
ip_credit.credit.active | float | [0-100] | 当前IP的活跃度 |
ip_credit.credit.base_station | float | [0-100] | 当前IP是基站的概率 |
ip_credit.credit.edu_station | float | [0-100] | 当前IP是教育网的概率 |
ip_credit.is_virus | enum | [“yes”,”no”] | 传入IP是否有病毒标签 |
ip_credit.is_abuse | enum | [“yes”,”no”] | 传入IP是否有恶意活动标签 |
ip_credit.is_spider | enum | [“yes”,”no”] | 传入IP是否有爬虫标签 |
ip_credit.is_spam | enum | [“yes”,”no”] | 传入IP是否有垃圾邮件标签 |
ip_credit.is_legal | enum | [“yes”,”no”] | 传入IP是否符合语法标准 |
ip_credit.is_black | enum | [“yes”,”no”] | 传入IP是否为高危IP |
ip_credit.is_data_center | enum | [“yes”,”no”] | 传入IP是否为数据中心IP |
ip_credit.is_proxy | enum | [“yes”,”no”] | 传入IP是否为代理IP |
ip_credit.is_tor | enum | [“yes”,”no”] | 传入IP是否为洋葱路由IP |
ip_credit.is_wangba | enum | [“yes”,”no”] | 传入IP是否为网吧IP |
ip_credit.trend | array | - | 威胁趋势 |
ip_credit.trend[0][0] | int | - | 日期0点时间戳 |
ip_credit.trend[0][1] | int | - | 记录数量 |
ip_credit.trend[0][2] | enum | [“low”,”medium”,”high”,null] | 威胁等级 |
ip_credit.score | enum | [“low”,”medium”,”high”,null] | 威胁等级 |
ip_credit.type | dict | - | 历史威胁事件名称和计数的key-val对 |
ip_credit.latest | array | - | 近期威胁事件记录 |
ip_credit.latest[0].timestamp | int | - | 更新时间戳 |
ip_credit.latest[0].hits | int | - | 命中次数 |
ip_credit.latest[0].score | enum | [“low”,”medium”,”high”,null] | 威胁等级 |
ip_credit.latest[0].type | string | - | 威胁事件名称 |
ip_credit.latest[0].loc | string | - | 攻击源地理位置 |
ip_tag | array | - | IP的标签,等同于src_ip_tag和dst_ip_tag |
direction | enum | [“PRIVATE_PRIVATE”,”PRIVATE_PUBLIC”,”PUBLIC_PRIVATE”,”PUBLIC_PUBLIC”] | 攻击方向描述 |
说明:
在系统中,当某IP的人群出口IP概率值(export_ip)大于60时,认为是人群出口IP。
2. response body数据样例
{
"code": 0,
"msg": "success",
"data": []
}
字段解释:
字段名 | 类型 | 取值范围 | 解释 |
---|---|---|---|
code | int | - | 调⽤结果, 0表示成功,⾮0表示失败 |
msg | string | - | 提示信息 |
data | array | - | ⽤于返回结果数据,这⾥填空数组即可 |
3. 调用示例
说明:
1、在验证时,我们将向您发送如上样例的POST数据包;
2、如果在3秒内返回结果,并且(1)返回的数据为JSON格式;(2)code值为0,则将验证通过。
[root@bs203 ~]# curl http://172.18.1.203:8001/v1/firewall/action -d '
[{
"timestamp": 1589990781,
"location": "10.10.17.2",
"action": "",
"event": {
"name": "Misc攻击",
"type": "bro",
"reason": "Misc攻击",
"description": "ET CHAT IRC PING command",
"policy": 0,
"level": 3,
"rule": "alert tcp any 6666:7000 -> any any (msg:\"ET CHAT IRC PING command\"; flow:from_server,established; content:\"PING|20|\"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)",
"content": {
"destIP": "10.47.7.152",
"destPort": 50981,
"illegalIP": "10.10.17.2",
"proto": "TCP",
"srcIP": "10.10.17.2",
"srcPort": 6667
},
"suspicious_text": [
"PING "
]
},
"time_local": "2020-05-21T00:06:21+0800",
"ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.10.17.2\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
"ip_tag": [
"local"
],
"src_ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.10.17.2\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
"src_ip_tag": [
"local"
],
"dst_ip_credit": "{\"is_legal\": \"yes\", \"is_local\": \"yes\", \"latest\": [], \"trend\": [[1587312000, 0, null], [1587398400, 0, null]], \"score\": null, \"ip\": \"10.47.7.152\", \"addr\": [], \"search_engine\": {\"name\": \"\", \"status\": \"\"}, \"credit\": {\"is_local\": \"yes\"}, \"services\": [], \"tag_list\": [], \"ports\": [], \"type\": {}, \"export_score\": \"60\", \"cache_at\": 1589958140}",
"dst_ip_tag": [
"local"
],
"direction": "PRIVATE_PRIVATE"
}]'
4. 返回样例
{
"msg": "success",
"code": 0,
"data": []
}