Malicious IP Intel API
Revision as of 13:23, 29 March 2021 by DevynCJohnson
Our security system, which spans hundreds of stores world-wide, logs IP addresses that attempted some type of malicious or suspicious activity. This data can be accessed with a subscription to our intel API, which is documented below. Contact ChrisLands to purchase a subscription.
- API Endpoint (GET):
https://devv2.chrislands.com/bot-intel/[activity_type]/[last_id]/[orderby]/[limit]
- Optional fields can be filled with a zero ("0"). Trailing optional fields may also be omitted entirely (see the Fraud-Order example below).
- Set the header API-KEY: <PLACE_KEY_HERE> (be sure to replace <PLACE_KEY_HERE> with the API key). Header names are case-insensitive.
- No payload is needed.
- Activity-Type
- Specify the type of activity associated with the IPs. Use 0, all, or any to retrieve rows of any activity type. The accepted values are listed below.
- Last-ID
- Specify the last ID that was retrieved to obtain only the IDs after the specified ID. 0 indicates all IDs. Because no request returns more than 1000 rows, pass the highest id from the previous response here to page through larger result sets.
- Order By
- Sort the retrieved data by the specified field. Append _asc or _desc to specify the sort direction; a bare field name sorts ascending. Accepted values are activity_type, attempts, id, ip_address, and user_agent. 0 leaves the order unspecified, which gives the default sort by id.
- Limit
- Limit the number of retrieved results. 0 indicates that no limit was requested. 1000 is the default and the maximum limit, so at most 1000 rows are returned per request.
Activity-Type
Possible Values (Case-insensitive):
- Fraud-Order: Fraudulent order or card-testing attempt
- Hacker-Attempt: Attempt to access restricted files (e.g. /etc/*, PHP config files)
- Malformed-HTTP-Methods: Use of a non-standard HTTP request method, or an attempt to use TRACE
- Spam: Attempt to send/post spam messages
- Suspicious-Bot: Some type of bot activity, malicious or not. Search engine and social media bots (for well-known search engines and social media platforms) are excluded unless they attempt or perform some odd action. Because this activity type includes non-malicious bots, it should not be fed into a blocklist wholesale.
- Tor-Activity: Some kind of activity (malicious or not) from the Tor/Darknet/Onion network
More activity-types may become available in the future.
Append -ipv4 or -ipv6 to the activity type to retrieve only IP addresses of that version.
Responses
- 204 (application/json): [] - no rows match the request (for example, when last_id is already the newest id)
- 401 (text/plain): Invalid API Key!
- 200 (application/json):
[{"id":1,"ip_address":"172.94.12.12","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 UBrowser/7.0.185.1002 Safari/537.36","activity_type":"spam","attempts":1}]
Clients should check the status code before parsing the body: the 401 body is plain text, not JSON.
The fields in a 200 JSON response include:
- id: A unique ID number assigned to the entry when it is added to the database
- ip_address: At least one IPv4 or IPv6 address. Some entries have multiple IPs, each separated by a comma, so clients must split this field before use. This is typically seen when the entity is accessing the stores through multiple proxies.
- user_agent: The most recent user-agent used by the IP address.
- activity_type: The most recent type of activity associated with the IP address.
- attempts: The number of times this IP has been seen across all of our stores.
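The following client is an added example written for this page; it is not ChrisLands code. It builds request URLs according to the parameter rules above, flattens a 200 response into one row per address (splitting the comma-separated ip_address field and discarding anything that is not a valid IPv4/IPv6 literal), computes the Last-ID for the next page, and derives a blocklist that skips the activity types the documentation says include benign traffic. The first sample entry is the documented sample response; entries 7 and 9, the junk "unknown" token and the user-agent strings are constructed. The fetch function uses only the standard library and has not been exercised against the live service.

```python
"""Client helpers for the bot-intel endpoint documented above.

Added example, not ChrisLands code. Only fetch_page() touches the network;
the other functions work on JSON text so they can be exercised offline.
"""
import ipaddress
import json
import urllib.request

BASE_URL = "https://devv2.chrislands.com/bot-intel"
ACTIVITY_TYPES = {"fraud-order", "hacker-attempt", "malformed-http-methods",
                  "spam", "suspicious-bot", "tor-activity"}
ANY_TYPE = {"0", "all", "any"}
ORDER_FIELDS = {"activity_type", "attempts", "id", "ip_address", "user_agent"}
MAX_LIMIT = 1000
# Types the documentation says also carry non-malicious traffic; a blocklist
# built from the feed should not take them wholesale.
MIXED_TYPES = {"suspicious-bot", "tor-activity"}

# Constructed sample page: entry 1 is the documented sample response; entries 7
# and 9 are made up to show a proxy chain with a junk token and a mixed type.
SAMPLE_PAGE = json.dumps([
    {"id": 1, "ip_address": "172.94.12.12",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)", "activity_type": "spam", "attempts": 1},
    {"id": 7, "ip_address": "198.51.100.23, 2001:db8::1f, unknown",
     "user_agent": "python-requests/2.25.1", "activity_type": "hacker-attempt", "attempts": 4},
    {"id": 9, "ip_address": "203.0.113.77",
     "user_agent": "curl/7.68.0", "activity_type": "suspicious-bot", "attempts": 12},
])


def build_url(activity_type="all", last_id=0, orderby="0", limit=MAX_LIMIT):
    """Assemble the GET URL, rejecting values the documentation does not allow."""
    atype = activity_type.lower()
    base, _, version = atype.partition("-ipv")      # optional -ipv4 / -ipv6 suffix
    if base not in ACTIVITY_TYPES | ANY_TYPE or version not in ("", "4", "6"):
        raise ValueError(f"unsupported activity type: {activity_type}")
    order = orderby.lower()
    field = order
    for suffix in ("_asc", "_desc"):                # strip the direction suffix
        if field.endswith(suffix):
            field = field[: -len(suffix)]
    if order != "0" and field not in ORDER_FIELDS:
        raise ValueError(f"unsupported sort field: {orderby}")
    if last_id < 0 or not 0 <= limit <= MAX_LIMIT:
        raise ValueError("last_id must be >= 0 and limit between 0 and 1000")
    return f"{BASE_URL}/{atype}/{last_id}/{order}/{limit}"


def parse_page(body):
    """Flatten one 200 body into one row per address.

    ip_address may hold several comma-separated addresses (proxy chains); any
    token that is not a valid IPv4/IPv6 literal is dropped, never forwarded.
    """
    rows = []
    for entry in json.loads(body):
        for raw in entry["ip_address"].split(","):
            try:
                ip = ipaddress.ip_address(raw.strip())
            except ValueError:
                continue
            rows.append({"id": int(entry["id"]), "ip": str(ip), "version": ip.version,
                         "activity_type": entry["activity_type"].lower(),
                         "attempts": int(entry["attempts"])})
    return rows


def next_last_id(body, last_id=0):
    """Last-ID for the next request: the highest id seen so far."""
    return max((int(e["id"]) for e in json.loads(body)), default=last_id)


def blocklist(rows, min_attempts=1, include_mixed=False):
    """Distinct addresses to block. Suspicious-Bot and Tor-Activity are skipped
    unless include_mixed is set, because they include benign traffic."""
    keep = {r["ip"] for r in rows
            if r["attempts"] >= min_attempts
            and (include_mixed or r["activity_type"] not in MIXED_TYPES)}
    return sorted(keep)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the API-KEY header is never replayed to another host."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_page(api_key, url, timeout=30):
    """GET one page. An empty body (204) is normalised to "[]"; a 401 or a
    redirect surfaces as urllib.error.HTTPError."""
    req = urllib.request.Request(url, headers={"API-KEY": api_key,
                                               "User-Agent": "SecurityAppliance"})
    with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8") or "[]"


if __name__ == "__main__":
    print(build_url("all-ipv6", last_id=300, orderby="attempts_desc", limit=25))
    rows = parse_page(SAMPLE_PAGE)
    print(blocklist(rows), "next last_id:", next_last_id(SAMPLE_PAGE))
```

A full sync loop is fetch_page, parse_page, next_last_id repeated until the server answers 204, feeding next_last_id back into build_url each round; the example page shows how one hacker-attempt entry expands to an IPv4 and an IPv6 row while the mixed suspicious-bot entry stays out of the default blocklist.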
Examples
- Retrieve IPv4 addresses associated with spam, sort by attempts (ascending), and limit to 10 results
curl -X GET 'https://devv2.chrislands.com/bot-intel/spam-ipv4/0/attempts/10' -L -A 'SecurityAppliance' -H 'API-KEY: <PLACE_KEY_HERE>'
- Retrieve IPv6 addresses, start at ID 301 (i.e. the IDs after 300), sort by attempts (descending), and limit to 25 results
curl -X GET 'https://devv2.chrislands.com/bot-intel/all-ipv6/300/attempts_desc/25' -L -A 'SecurityAppliance' -H 'API-KEY: <PLACE_KEY_HERE>'
- Retrieve all addresses associated with fraudulent orders (trailing optional fields omitted)
curl -X GET 'https://devv2.chrislands.com/bot-intel/Fraud-Order' -L -A 'SecurityAppliance' -H 'API-KEY: <PLACE_KEY_HERE>'
- Retrieve 5 entries (no sorting nor last-id specified)
curl -X GET 'https://devv2.chrislands.com/bot-intel/all/0/0/5' -L -A 'SecurityAppliance' -H 'API-KEY: <PLACE_KEY_HERE>'
Note that -L makes curl follow redirects and curl re-sends custom -H headers, including API-KEY, to whatever host a redirect points at; only use -L against the documented origin.
Sample Output
curl -X GET 'https://devv2.chrislands.com/bot-intel/all/0/0/5' -L -A 'SecurityAppliance' -H 'API-KEY: <PLACE_KEY_HERE>'
Response
[{"id":1,"ip_address":"172.94.12.12","user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 UBrowser\/7.0.185.1002 Safari\/537.36","activity_type":"spam","attempts":1},{"id":2,"ip_address":"109.195.177.136","user_agent":"Mozilla\/5.0 (Windows NT 6.3; ) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/83.0.4103.61 Safari\/537.36","activity_type":"spam","attempts":5},{"id":3,"ip_address":"162.219.176.213","user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3393.4 Safari\/537.36","activity_type":"spam","attempts":1},{"id":4,"ip_address":"93.177.73.35","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/83.0.4100.3 Safari\/537.36","activity_type":"spam","attempts":6},{"id":5,"ip_address":"196.199.122.24","user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.79 Safari\/537.36","activity_type":"spam","attempts":1}]