beenull/crowdsec
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
crowdsec/pkg/cti/cti_openapi.yaml
marco 4ecefdd849 wip
2024-03-07 22:25:54 +01:00

601 lines
19 KiB
YAML
Raw Blame History

openapi: 3.0.1
info:
description: CTI by Crowdsec
version: 2022-02-16T14:00:00
title: CTI v2
contact:
name: Crowdsec team
url: https://github.com/crowdsecurity/crowdsec
email: support@crowdsec.net
externalDocs:
description: CTI Documentation
url: https://docs.crowdsec.net/docs/next/cti_api/intro/
servers:
- url: https://cti.api.crowdsec.net/v2
paths:
/smoke:
get:
description: Search for CTI informations
summary: Search for CTI informations
security:
- api_key: []
parameters:
- name: ips
in: query
required: true
description: List of IPs to query, separated by comma
example: 0.0.0.0,1.1.1.1
schema:
type: string
responses:
"200":
description: 200 response
content:
application/json:
schema:
$ref: "#/components/schemas/SearchCTIResponse"
"400":
description: 400 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"403":
description: 403 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"404":
description: 404 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"429":
description: 429 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"500":
description: 500 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"/smoke/{ip}":
get:
description: Get CTI informations about the given IP
summary: CTI information on a given IP
parameters:
- name: ip
in: path
required: true
schema:
type: string
responses:
"200":
description: 200 response
content:
application/json:
schema:
$ref: "#/components/schemas/QueryCTIResponse"
"400":
description: 400 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"403":
description: 403 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"404":
description: 404 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"429":
description: 429 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"500":
description: 500 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
security:
- api_key: []
/fire:
get:
description: Get fire CTI informations (IPs belonging to the community-blocklist)
summary: Get fire CTI informations (IPs belonging to the community-blocklist)
security:
- api_key: []
parameters:
- name: page
in: query
required: false
description: Number of the page to fetch
example: 1
schema:
type: number
- name: since
in: query
required: false
description: Filter records updated since - duration in h (hours), d(days),
m(minutes) )
example: 3d
schema:
type: string
responses:
"200":
description: 200 response
content:
application/json:
schema:
$ref: "#/components/schemas/FireCTIResponse"
"400":
description: 400 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"403":
description: 403 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"404":
description: 404 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"429":
description: 429 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
"500":
description: 500 response
content:
application/json:
schema:
$ref: "#/components/schemas/ErrorResponse"
components:
securitySchemes:
api_key:
type: apiKey
name: x-api-key
in: header
schemas:
CTIObject:
title: IP CTI Object
type: object
required:
- as_name
- as_num
- behaviors
- location
- history
- ip
- references
- ip_range
- ip_range_score
- classifications
- reverse_dns
- scores
- target_countries
properties:
ip:
type: string
description: Requested IP
example: 1.2.3.4
ip_range:
type: string
description: The range to which the IP belongs
example: 1.2.3.0/24
nullable: true
ip_range_score:
type: number
description: The score of the range (ip_range) the IP belongs to. 0 is
good/unknown, 5 is worse
example: 2
as_name:
type: string
description: The autonomous system name to which the IP belongs
example: ACME
nullable: true
as_num:
type: number
description: The autonomous system number to which the IP belongs
example: 99999
nullable: true
background_noise_score:
type: number
description: The background noise score of the IP ranging from 0 to 10 (highly
noisy)
example: 8
nullable: true
location:
type: object
description: Location information about the IP address
required:
- country
- city
- latitude
- longitude
properties:
country:
type: string
description: The two letters country code of the IP
example: US
nullable: true
city:
type: string
description: The associated City of the IP
example: New York
nullable: true
latitude:
type: number
description: Coordinates of the IP
example: 40.7597
nullable: true
longitude:
type: number
description: Coordinates of the IP
example: 40.7597
nullable: true
reverse_dns:
type: string
description: Reverse dns lookup of the IP
example: acbd.my_domain.net
nullable: true
behaviors:
type: array
description: A list of the attack categories for which the IP was reported
items:
type: object
properties:
name:
type: string
description: The category of the attack, often in the form
"protocol-or-scope:attack_type"
example: http:scan
label:
type: string
description: Human-friendly description of the category
example: HTTP Scan
description:
type: string
description: Human-friendly description of the category
example: IP has been reported for performing actions related to HTTP
vulnerability scanning and discovery
references:
type: array
description: A list of the references for which the IP was see
items:
type: object
properties:
name:
type: string
description: The reference, often in the form "list:list_name"
example: list:my_list
label:
type: string
description: Human-friendly description of the reference
example: My List
description:
type: string
description: Human-friendly description of the reference
example: IP was referenced in My List
history:
type: object
properties:
first_seen:
type: string
description: Date of the first time this IP was reported. Due to "progressive
data degradation", this date might be later than the first time
the IP was actually seen
example: 2021-03-03T23:00:00
last_seen:
type: string
description: Date of the last time this IP was reported
example: 2021-03-03T23:30:00
full_age:
type: number
description: Delta in days between first seen and today
example: 220
days_age:
type: number
description: Delta in days between first and last seen timestamps
example: 189
classifications:
type: object
properties:
false_positives:
type: array
description: A list of false positives tags associated with the IP. Any IP with
`false_positives` tags shouldn't be considered as malicious
items:
type: object
properties:
name:
type: string
description: The name of the false positive, often in the form
"protocol-or-scope:attack_type"
example: seo:crawler
label:
type: string
description: Human-friendly name of the category
example: SEO crawler
description:
type: string
description: Human-friendly description of the category
example: IP belongs to a known SEO crawler and should not be flagged as a
threat.
classifications:
type: array
description: A list of categories associated with the IP. Those data can be
sourced from 3rd parties (i.e. tor exit nodes list)
items:
type: object
properties:
name:
type: string
description: The name of the category, often in the form
"protocol-or-scope:attack_type"
example: community-blocklist
label:
type: string
description: Human-friendly name of the category
example: CrowdSec Community Blocklist
description:
type: string
description: Human-friendly description of the category
example: IP belong to the CrowdSec Community Blocklist
mitre_techniques:
type: array
description: A list of Mitre Enterprise Techniques associated with the IP.
items:
type: object
properties:
name:
type: string
description: The ID of the Mitre technique"
example: T1190
label:
type: string
description: The name of the Mitre technique
example: Exploit Public-Facing Application
description:
type: string
description: Description of the Mitre technique
example: Adversaries may attempt to exploit a weakness in an Internet-facing
host or system to initially access a network.
cves:
type: array
description: A list of CVEs reported for this IP.
items:
type: string
attack_details:
type: array
description: A more exhaustive list of the scenarios for which a given IP was
reported
items:
type: object
properties:
name:
type: string
description: Name of the scenario (see hub.crowdsec.net)
example: crowdsecurity/http-bad-user-agent
label:
type: string
description: Human-friendly descriptions of scenarios
example: Known Bad User-Agent
description:
type: string
description: Human-friendly descriptions of scenarios
example: Detect bad user-agents
references:
type: array
items:
type: string
target_countries:
type: object
description: The top 10 reports repartition by country about the IP, as a
percentage
scores:
type: object
properties:
overall:
type: object
properties:
aggressiveness:
type: number
description: Overall aggressiveness score
threat:
type: number
description: Overall threat score
trust:
type: number
description: Overall trust score
anomaly:
type: number
description: Overall anomaly score
total:
type: number
description: Overall score
last_day:
type: object
properties:
aggressiveness:
type: number
description: Last day aggressiveness score
threat:
type: number
description: Last day threat score
trust:
type: number
description: Last day trust score
anomaly:
type: number
description: Last day anomaly score
total:
type: number
description: Last day score
last_week:
type: object
properties:
aggressiveness:
type: number
description: Last week aggressiveness score
threat:
type: number
description: Last week threat score
trust:
type: number
description: Last week trust score
anomaly:
type: number
description: Last week anomaly score
total:
type: number
description: Last week score
last_month:
type: object
properties:
aggressiveness:
type: number
description: Last month aggressiveness score
threat:
type: number
description: Last month threat score
trust:
type: number
description: Last month trust score
anomaly:
type: number
description: Last month anomaly score
total:
type: number
description: Last month score
FireIPCTIResponse:
title: Fire IP CTI Response
allOf:
- $ref: "#/components/schemas/CTIObject"
- type: object
properties:
state:
type: string
description: "state of the IP in the community blocklist: validated means IP is
currently part of community blocklist, refused means it was part
of the community blocklist, but was manually purged (ie. false
positive)"
enum:
- validated
- refused
example: validated
expiration:
type: string
description: Date at which the IP address expire from the community blocklist
example: 2022-03-04T10:00:00
SearchCTIResponse:
title: Search CTI Response
type: object
required:
- items
- total
- not_found
properties:
total:
type: number
description: IP of the request
not_found:
type: number
items:
type: array
items:
$ref: "#/components/schemas/CTIObject"
QueryCTIResponse:
title: Query IP CTI Response
$ref: "#/components/schemas/CTIObject"
FireCTIResponse:
title: Fire CTI response
type: object
required:
- _links
- items
properties:
_links:
type: object
required:
- self
- next
- first
properties:
self:
type: object
required:
- href
properties:
href:
type: string
description: Url of the current result set
example: https://cti.api.dev.crowdsec.net/v1/fire?page=3&since=4h
prev:
type: object
required:
- href
properties:
href:
type: string
description: Url of the previous page of result set
example: https://cti.api.dev.crowdsec.net/v1/fire?page=2&since=4h
next:
type: object
required:
- href
properties:
href:
type: string
description: Url of the next page of result set
example: https://cti.api.dev.crowdsec.net/v1/fire?page=4&since=4h
first:
type: object
required:
- href
properties:
href:
type: string
nullable: true
description: Url of the first page of result set
example: https://cti.api.dev.crowdsec.net/v1/fire?since=4
items:
type: array
items:
$ref: "#/components/schemas/FireIPCTIResponse"
ErrorResponse:
type: object
required:
- message
properties:
message:
type: string
description: Error message
errors:
type: string
description: More details on individual errors
title: Error response
description: Error response return by the API
Reference in a new issue View git blame Copy permalink