Malicious IP Intel API

From ChrisLands
Latest revision as of 08:55, 6 April 2021

Our security system, which spans hundreds of stores world-wide, logs IP addresses that have attempted some type of malicious and/or suspicious activity. This data can be accessed with a subscription to our intel API, which is documented below. Contact ChrisLands (https://www.chrislands.com/#contact) to purchase a subscription to the API.

  • API Endpoint (GET):
    https://devv2.chrislands.com/bot-intel/[activity_type]/[last_id]/[orderby]/[limit]
  • Optional fields can be filled with a zero ("0").
  • Set the header API-KEY: <PLACE_KEY_HERE> (be sure to replace <PLACE_KEY_HERE> with the API key)
  • No payload is needed


Activity-Type
Specify the type of activity associated with the IPs. Use 0, all, or any to retrieve rows of any activity type.
Last-ID
Specify the last ID that was retrieved to obtain only the IDs after the specified ID. 0 indicates all IDs.
Limit
Limit the number of retrieved results. 0 indicates no limit. 1000 is the default and maximum limit.
Order By
Sort the retrieved data by the specified field. Append _asc or _desc to specify the sort direction. Accepted values are activity_type, attempts, id, ip_address, and user_agent. 0 indicates no sorting (sorting by id is the default).

Activity-Type

Possible Values (Case-insensitive):

  • Fraud-Order: Fraudulent order or card-testing attempt
  • Hacker-Attempt: Attempt to access restricted files (e.g. /etc/*, PHP config files, etc.)
  • Malformed-HTTP-Methods: Usage of some type of non-traditional HTTP request method or attempt to use TRACE
  • Spam: Attempt to send/post spam messages
  • Suspicious-Bot: Some type of bot activity (malicious or not). Search engine bots and social media bots (for well known search engines and social media platforms) are excluded unless they attempt or perform some odd action. This activity type does include non-malicious bots.
  • Tor-Activity: Some kind of activity (malicious or not) from the Tor/Darknet/Onion network

More activity-types may become available in the future.

Append -ipv4 or -ipv6 to the activity type to retrieve only IP addresses of that version.

Responses

  • 204 (application/json): []
  • 401 (text/plain): Invalid API Key!
  • 200 (application/json): [{"id":1,"ip_address":"172.94.12.12","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 UBrowser/7.0.185.1002 Safari/537.36","activity_type":"spam","attempts":1}]

The fields in a 200 JSON response are:

  • id: A unique ID number that is given to the data when added to the database
  • ip_address: At least one IPv4 or IPv6 address. Some entries have multiple IPs, each separated by a comma. This is typically seen when the entity is accessing the stores through multiple proxies.
  • user_agent: The most recent user-agent used by the IP address.
  • activity_type: The most recent type of activity associated with the IP address.
  • attempts: The number of times this IP has been seen across all of our stores.

Examples

Retrieve IPv4 addresses associated with spam, sort by attempts (ascending), and limit to 10 results
curl -X GET 'https://devv2.chrislands.com/bot-intel/spam-ipv4/0/attempts/10' -L -A 'SecurityAppliance' -H 'api-key: <PLACE_KEY_HERE>'
Retrieve IPv6 addresses, start at ID 301, sort by attempts (descending), and limit to 25 results
curl -X GET 'https://devv2.chrislands.com/bot-intel/all-ipv6/300/attempts_desc/25' -L -A 'SecurityAppliance' -H 'API-KEY: <PLACE_KEY_HERE>'
Retrieve all addresses associated with fraudulent orders
curl -X GET 'https://devv2.chrislands.com/bot-intel/Fraud-Order' -L -A 'SecurityAppliance' -H 'API-KEY: <PLACE_KEY_HERE>'
Retrieve 5 entries (no sorting or last-id specified)
curl -X GET 'https://devv2.chrislands.com/bot-intel/all/0/0/5' -L -A 'SecurityAppliance' -H 'API-KEY: <PLACE_KEY_HERE>'
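The following client helper is an added example (not ChrisLands code) showing how a consumer would assemble the documented path, interpret the three documented status codes, split the comma-separated ip_address field, and advance last_id page by page for incremental pulls. It performs no network call itself; the `fetch` callable and the sample body are constructed for illustration.

```python
import ipaddress
import json

BASE = "https://devv2.chrislands.com/bot-intel"


def build_url(activity_type="all", last_id=0, orderby="0", limit=0, ip_version=None):
    """Build /[activity_type]/[last_id]/[orderby]/[limit]; zeros mean 'unset'."""
    segment = activity_type
    if ip_version in (4, 6):
        segment += f"-ipv{ip_version}"  # documented -ipv4 / -ipv6 suffix
    return f"{BASE}/{segment}/{int(last_id)}/{orderby}/{int(limit)}"


def parse_response(status, body):
    """Map the documented status codes to a list of normalised records."""
    if status == 401:
        raise PermissionError(body.strip())  # text/plain "Invalid API Key!"
    if status == 204:
        return []  # nothing newer than the requested last_id
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}")
    records = []
    for row in json.loads(body):
        # ip_address may hold several comma-separated addresses (proxy chains)
        ips = [ipaddress.ip_address(p.strip())
               for p in row["ip_address"].split(",") if p.strip()]
        records.append({"id": int(row["id"]), "ips": ips,
                        "activity_type": row["activity_type"].lower(),
                        "attempts": int(row["attempts"]),
                        "user_agent": row["user_agent"]})
    return records


def sync(fetch, last_id=0, activity_type="all", page_size=1000):
    """Pull every row newer than last_id. fetch(url) -> (status, body).
    Returns (records, new_last_id) so the caller can persist the cursor."""
    collected = []
    while True:
        status, body = fetch(build_url(activity_type, last_id, "id_asc", page_size))
        page = parse_response(status, body)
        if not page:
            return collected, last_id
        collected.extend(page)
        newest = max(r["id"] for r in page)
        if newest <= last_id:  # cursor did not advance; stop rather than loop forever
            return collected, last_id
        last_id = newest
        if len(page) < page_size:  # short page: we have reached the end
            return collected, last_id


# Constructed sample body in the documented shape (addresses are illustrative only).
SAMPLE_BODY = json.dumps([
    {"id": 7, "ip_address": "203.0.113.5", "user_agent": "curl/7.68.0",
     "activity_type": "Hacker-Attempt", "attempts": 3},
    {"id": 9, "ip_address": "198.51.100.2, 2001:db8::1", "user_agent": "Mozilla/5.0",
     "activity_type": "suspicious-bot", "attempts": 12},
])
```

Persisting the returned last_id between runs turns the endpoint into an incremental feed, which matters once the suspicious-bot set runs into tens of thousands of rows.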

Sample Output

curl -X GET 'https://devv2.chrislands.com/bot-intel/all/0/0/5' -L -A 'SecurityAppliance' -H 'API-KEY: <PLACE_KEY_HERE>'

Response

[{"id":1,"ip_address":"172.94.12.12","user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 UBrowser\/7.0.185.1002 Safari\/537.36","activity_type":"spam","attempts":1},{"id":2,"ip_address":"109.195.177.136","user_agent":"Mozilla\/5.0 (Windows NT 6.3; ) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/83.0.4103.61 Safari\/537.36","activity_type":"spam","attempts":5},{"id":3,"ip_address":"162.219.176.213","user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3393.4 Safari\/537.36","activity_type":"spam","attempts":1},{"id":4,"ip_address":"93.177.73.35","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/83.0.4100.3 Safari\/537.36","activity_type":"spam","attempts":6},{"id":5,"ip_address":"196.199.122.24","user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.79 Safari\/537.36","activity_type":"spam","attempts":1}]

Current Data Size

As of April 6th, 2021 at 8:40am CDT, the data set had the counts listed below. The IP address column is a unique column in our database.

Unique IP addresses: 41,282

SELECT activity_type, SUM(attempts) AS Instances FROM DetectedBots GROUP BY activity_type;
  • hacker-attempt: 660,563
  • spam: 4,900
  • suspicious-bot: 11,306,243


SELECT activity_type, COUNT(ip_address) AS Instances FROM DetectedBots GROUP BY activity_type;
  • hacker-attempt: 15,921
  • spam: 1,445
  • suspicious-bot: 23,916