4f29ce2ee7
* Add CTI API helpers in expr * Allow profiles to have an `on_error` option to profiles Co-authored-by: Sebastien Blot <sebastien@crowdsec.net>
{
"_links": {
"first": {
"href": "https://cti.api.crowdsec.net/v2/fire"
},
"self": {
"href": "https://cti.api.crowdsec.net/v2/fire?page=1&limit=3"
},
"next": {
"href": "https://cti.api.crowdsec.net/v2/fire?page=2&limit=3"
}
},
"items": [
{
"ip_range_score": 5,
"ip": "1.2.3.4",
"ip_range": "1.2.3.0/24",
"as_name": "AFFINITY-FTL",
"as_num": 3064,
"location": {
"country": "US",
"city": null,
"latitude": 37.751,
"longitude": -97.822
},
"reverse_dns": "lsxx.com",
"behaviors": [
{
"name": "http:bruteforce",
"label": "HTTP Bruteforce",
"description": "IP has been reported for performing a HTTP brute force attack (either generic http probing or applicative related brute force)."
},
{
"name": "http:scan",
"label": "HTTP Scan",
"description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery."
}
],
"history": {
"first_seen": "2022-09-18T14:00:00+00:00",
"last_seen": "2022-11-26T12:00:00+00:00",
"full_age": 77,
"days_age": 69
},
"classifications": {
"false_positives": [],
"classifications": []
},
"attack_details": [
{
"name": "crowdsecurity/http-wordpress_user-enum",
"label": "WordPress Bruteforce",
"description": "Detect wordpress brute force",
"references": []
},
{
"name": "crowdsecurity/http-probing",
"label": "HTTP Scanner",
"description": "Detect site scanning/probing from a single ip",
"references": []
},
{
"name": "crowdsecurity/http-bf-wordpress_bf_xmlrpc",
"label": "WordPress XMLRPC Bruteforce",
"description": "Detect wordpress brute force on xmlrpc",
"references": []
},
{
"name": "crowdsecurity/http-bad-user-agent",
"label": "Known Bad User-Agent",
"description": "Detect bad user-agents",
"references": []
}
],
"state": "validated",
"expiration": "2022-12-11T14:15:47.553000",
"target_countries": {
"US": 43,
"DE": 20,
"NL": 8,
"GB": 7,
"FR": 6,
"PL": 3,
"SG": 2,
"CA": 2,
"DK": 2,
"ZA": 1
},
"background_noise_score": 5,
"scores": {
"overall": {
"aggressiveness": 5,
"threat": 0,
"trust": 5,
"anomaly": 0,
"total": 3
},
"last_day": {
"aggressiveness": 0,
"threat": 0,
"trust": 0,
"anomaly": 0,
"total": 0
},
"last_week": {
"aggressiveness": 0,
"threat": 0,
"trust": 0,
"anomaly": 0,
"total": 0
},
"last_month": {
"aggressiveness": 0,
"threat": 0,
"trust": 0,
"anomaly": 0,
"total": 0
}
},
"references": []
},
{
"ip_range_score": 5,
"ip": "2.3.4.5",
"ip_range": "2.3.0./16",
"as_name": "Linode, LLC",
"as_num": 63949,
"location": {
"country": "DE",
"city": "Frankfurt am Main",
"latitude": 50.1188,
"longitude": 8.6843
},
"reverse_dns": "172xxent.com",
"behaviors": [
{
"name": "http:exploit",
"label": "HTTP Exploit",
"description": "IP has been reported for attempting to exploit a vulnerability in a web application."
},
{
"name": "http:scan",
"label": "HTTP Scan",
"description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery."
},
{
"name": "http:crawl",
"label": "HTTP Crawl",
"description": "IP has been reported for performing aggressive crawling of web applications."
}
],
"history": {
"first_seen": "2022-10-15T16:00:00+00:00",
"last_seen": "2022-11-18T18:15:00+00:00",
"full_age": 50,
"days_age": 35
},
"classifications": {
"false_positives": [],
"classifications": []
},
"attack_details": [
{
"name": "crowdsecurity/jira_cve-2021-26086",
"label": "Atlassian Jira CVE-2021-26086",
"description": "Detect Atlassian Jira CVE-2021-26086 exploitation attempts",
"references": []
},
{
"name": "crowdsecurity/http-probing",
"label": "HTTP Scanner",
"description": "Detect site scanning/probing from a single ip",
"references": []
},
{
"name": "crowdsecurity/CVE-2022-40684",
"label": "CVE-2022-40684",
"description": "Detect CVE-2022-40684 exploitation attempts (fortinet)",
"references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684"
]
},
{
"name": "crowdsecurity/http-crawl-non_statics",
"label": "HTTP Crawler",
"description": "Detect aggressive crawl from single ip",
"references": []
}
],
"state": "validated",
"expiration": "2022-12-14T16:16:46.507000",
"target_countries": {
"US": 36,
"DE": 19,
"FR": 17,
"RU": 8,
"NL": 5,
"GB": 4,
"CA": 2,
"RO": 2,
"IT": 1,
"BR": 1
},
"background_noise_score": 9,
"scores": {
"overall": {
"aggressiveness": 5,
"threat": 2,
"trust": 5,
"anomaly": 0,
"total": 4
},
"last_day": {
"aggressiveness": 0,
"threat": 0,
"trust": 0,
"anomaly": 0,
"total": 0
},
"last_week": {
"aggressiveness": 0,
"threat": 0,
"trust": 0,
"anomaly": 0,
"total": 0
},
"last_month": {
"aggressiveness": 2,
"threat": 2,
"trust": 0,
"anomaly": 0,
"total": 1
}
},
"references": []
},
{
"ip_range_score": 0,
"ip": "3.2.3.4",
"ip_range": "3.2.3.0/24",
"as_name": "TOTxxited",
"as_num": 23969,
"location": {
"country": "TH",
"city": "Bangkok",
"latitude": 13.7366,
"longitude": 100.4995
},
"reverse_dns": "nxxxt.net",
"behaviors": [
{
"name": "smb:bruteforce",
"label": "SMB Bruteforce",
"description": "IP has been reported for performing brute force on samba services."
}
],
"history": {
"first_seen": "2022-11-26T05:15:00+00:00",
"last_seen": "2022-11-26T12:00:00+00:00",
"full_age": 9,
"days_age": 1
},
"classifications": {
"false_positives": [],
"classifications": [
{
"name": "profile:insecure_services",
"label": "Dangerous Services Exposed",
"description": "IP exposes dangerous services (vnc, telnet, rdp), possibly due to a misconfiguration or because it's a honeypot."
}
]
},
"attack_details": [
{
"name": "crowdsecurity/smb-bf",
"label": "Samba Bruteforce",
"description": "Detect smb brute force",
"references": []
}
],
"state": "validated",
"expiration": "2022-12-14T16:18:00.671000",
"target_countries": {
"GB": 100
},
"background_noise_score": 5,
"scores": {
"overall": {
"aggressiveness": 2,
"threat": 4,
"trust": 5,
"anomaly": 1,
"total": 4
},
"last_day": {
"aggressiveness": 0,
"threat": 0,
"trust": 0,
"anomaly": 1,
"total": 0
},
"last_week": {
"aggressiveness": 0,
"threat": 0,
"trust": 0,
"anomaly": 1,
"total": 0
},
"last_month": {
"aggressiveness": 2,
"threat": 4,
"trust": 5,
"anomaly": 1,
"total": 4
}
},
"references": []
}
]
}