REST API - csirtgadgets/csirtg GitHub Wiki

Overview

This describes the resources that make up the CSIRTG VERSION 1 API. If you have any problems or requests, please log an issue.

Swagger

Want to test drive our Swaggerized docs? Please send us feedback!

https://csirtg.io/api/docs

Example

$ export AUTH="Authorization: Token token=646cc6d029998c702f1a377260e5f6a0"
$ export ACCEPT="Accept: application/vnd.csirtg.v1"

$ curl -H "$ACCEPT" -H "$AUTH" https://csirtg.io/api
$ curl -H "$ACCEPT" -H "$AUTH" https://csirtg.io/api/users/csirtgadgets/feeds/port-scanners?limit=1

{
  "name": "port-scanners",
  "description": "hosts blocked in firewall logs",
  "updated_at": "2015-11-05 13:57:04 UTC",
  "created_at": "2015-11-05 13:57:04 UTC",
  "license": {
    "name": "CC BY-SA 4.0",
    "url": "http://creativecommons.org/licenses/by-sa/4.0/"
  },
  "indicators": [
    {
      "id": 9121815,
      "indicator": "95.208.172.200",
      "itype": "ipv4",
      "portlist": "23",
      "firsttime": "2017-10-06 12:44:03 UTC",
      "lasttime": "2017-10-06 12:44:03 UTC",
      "created_at": "2017-10-06 12:44:04 UTC",
      "updated_at": "2017-10-06 12:44:04 UTC",
      "description": "iptable drop logs",
      "count": 1,
      "asn": 29562,
      "asn_desc": "KABEL BW",
      "cc": "DE ",
      "tags": [
        "telnet",
        "scanner"
      ]
    }
  ],
  "user": "csirtgadgets"
}

Current Version

By default, all requests receive v1 of the API. We encourage you to explicitly request version v1 via the Accept header, since new API versions will be released and become the default without notice.

Accept: application/vnd.csirtg.v1

Authorization

$ export AUTH="Authorization: Token token=646cc6d029998c702f1a377260e5f6a0"
$ export ACCEPT="Accept: application/vnd.csirtg.v1"
$ curl -H "$ACCEPT" -H "$AUTH" https://csirtg.io/api

Schema

All data is sent and received as JSON.

Blank fields can be included as null or omitted.

Root Endpoint

The root endpoint for the API is /api.

$ curl https://csirtg.io/api
{
  "current_user_url": "https://csirtg.io/api/users/:user",
  "user_feeds_url": "https://csirtg.io/api/users/:user/feeds",
  "user_feed_url": "https://csirtg.io/api/users/:user/feeds/:feed{?limit}",
  "search_url": "https://csirtg.io/api/search{?q,limit}",
  "user_feed_indicators_url": "https://csirtg.io/api/users/:user/feeds/:feed/indicators",
  "predict_url": "https://csirtg.io/api/predict?{q}"
}

For POST/PUT requests, parameters not included in the URL should be encoded as JSON with a Content-Type of 'application/json':

$ curl -XPOST -H "$AUTH" -H "$ACCEPT" -H "Content-Type: application/json" https://csirtg.io/api/users/wes/feeds/zeus/indicators -d '{"indicator": { "indicator": "badsite.com" }, "tags": ["zeus","bot"], "comment": "this will pwn you!" }'
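The curl lines above show the three things every call needs: the Accept header that pins the API version, the Authorization token, and (for POST/PUT) a JSON body with Content-Type application/json. The following is an added example, not the csirtg project's own client, that builds those requests with the Python standard library. The base URL, header values and body shape come from this page; the token is a constructed placeholder, and the CsirtgRequests/send names are the example's own. Path segments and query values are percent-encoded so a user or feed name containing "/" or "?" cannot alter the request path.

```python
"""Build authenticated CSIRTG v1 API requests (added example, stdlib only)."""
import json
import urllib.parse
import urllib.request

API_VERSION = "application/vnd.csirtg.v1"  # the Accept value the page asks clients to pin


class CsirtgRequests:
    """Builds urllib Request objects for the v1 API.

    Sending is kept separate (see send() below) so the builders can be
    inspected and tested without network access.
    """

    def __init__(self, token, base_url="https://csirtg.io/api"):
        self.token = token                  # constructed placeholder in the usage below
        self.base_url = base_url.rstrip("/")

    def headers(self, with_body=False):
        hdrs = {
            "Accept": API_VERSION,
            "Authorization": "Token token=%s" % self.token,
        }
        if with_body:
            # parameters not carried in the URL travel as a JSON body
            hdrs["Content-Type"] = "application/json"
        return hdrs

    @staticmethod
    def _path(*segments):
        # percent-encode each segment so a user or feed name cannot inject
        # extra path components or a query string into the request
        return "/" + "/".join(urllib.parse.quote(str(s), safe="") for s in segments)

    def get(self, path, **params):
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)   # e.g. ?limit=1
        return urllib.request.Request(url, headers=self.headers(), method="GET")

    def post(self, path, payload):
        body = json.dumps(payload).encode("utf-8")
        return urllib.request.Request(self.base_url + path, data=body,
                                      headers=self.headers(with_body=True),
                                      method="POST")

    # --- endpoints listed under Root Endpoint on this page ---

    def root(self):
        return self.get("")

    def feed(self, user, feed, limit=None):
        params = {} if limit is None else {"limit": limit}
        return self.get(self._path("users", user, "feeds", feed), **params)

    def create_indicator(self, user, feed, indicator, tags=(), comment=None):
        # body shape from the page: tags nested under "indicator",
        # optional "comment" at the top level
        payload = {"indicator": {"indicator": indicator, "tags": list(tags)}}
        if comment is not None:
            payload["comment"] = comment
        return self.post(self._path("users", user, "feeds", feed, "indicators"), payload)


def send(request, timeout=10):
    """Perform a built request and decode the JSON reply (needs network access)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    api = CsirtgRequests("EXAMPLE_TOKEN")   # placeholder, not a real token
    req = api.feed("csirtgadgets", "port-scanners", limit=1)
    print(req.get_method(), req.full_url)
    print(api.create_indicator("wes", "spyeye", "badsite.com", ["zeus", "bot"]).data)
    # send(req) would perform the call and return the parsed feed
```

Because Request objects are built first and sent later, the headers and encoded URL can be checked before any credential leaves the machine; that is also the hook for pointing the client at a staging base_url or a recording proxy.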

Search

$ curl https://csirtg.io/api/search?q=example.com
[
  {
    "id": 50242,
    "indicator": "example.com",
    "created_at": "2015-02-20 14:13:09 UTC",
    "updated_at": "2015-02-20 14:13:09 UTC",
    "feed_id": "zeus",
    "user_id": "wes",
    "tags": [
      "zeus",
      "bot"
    ]
  }
]

Feeds

List Feeds

$ curl https://csirtg.io/api/users/wes/feeds
[
  {
    "name": "zeus",
    "description": null,
    "created_at": "2015-02-20 14:11:48 UTC",
    "updated_at": "2015-02-20 14:11:48 UTC",
    "license": {
      "name": "CC BY-SA 4.0",
      "url": "http://creativecommons.org/licenses/by-sa/4.0/"
    }
  }
]

Get Feed

$ curl https://csirtg.io/api/users/wes/feeds/scanners
{
  "name": "port-scanners",
  "description": "hosts blocked in firewall logs",
  "updated_at": "2015-11-05 13:57:04 UTC",
  "created_at": "2015-11-05 13:57:04 UTC",
  "license": {
    "name": "CC BY-SA 4.0",
    "url": "http://creativecommons.org/licenses/by-sa/4.0/"
  },
  "indicators": [
    {
      "id": 9121529,
      "indicator": "184.105.139.122",
      "itype": "ipv4",
      "portlist": "80",
      "firsttime": "2017-10-06 12:09:51 UTC",
      "lasttime": "2017-10-06 12:09:51 UTC",
      "created_at": "2017-10-06 12:09:51 UTC",
      "updated_at": "2017-10-06 12:09:51 UTC",
      "description": "iptable drop logs",
      "count": 1,
      "asn": 6939,
      "asn_desc": "HURRICANE ELECTRIC, INC.",
      "cc": "US ",
      "tags": [
        "http",
        "scanner"
      ]
    }
  ],
  "user": "csirtgadgets"
}
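Consuming a feed reply means coping with the details visible above: portlist is a string, timestamps are "YYYY-MM-DD HH:MM:SS UTC", the country code arrives with a trailing space ("US "), and, per the Schema section, any field may be null or missing. The block below is an added example, not csirtg project code: it normalises a feed reply into typed records and picks out entries newer than a given time, which is what a poller using the limit parameter needs. The first sample record is the Get Feed reply shown on this page; the second is a constructed record with null and omitted fields and a TEST-NET-3 address. The function names and the time format constant are the example's own.

```python
"""Normalise a CSIRTG feed reply into typed records (added example)."""
import json
from datetime import datetime, timezone

FEED_TIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"   # format observed in the page's replies

# Constructed sample: record 1 is the Get Feed reply from this page, record 2
# is invented to exercise null/omitted fields (allowed by the Schema section).
SAMPLE_FEED = json.loads("""
{
  "name": "port-scanners",
  "description": "hosts blocked in firewall logs",
  "license": {"name": "CC BY-SA 4.0", "url": "http://creativecommons.org/licenses/by-sa/4.0/"},
  "indicators": [
    {"id": 9121529, "indicator": "184.105.139.122", "itype": "ipv4", "portlist": "80",
     "firsttime": "2017-10-06 12:09:51 UTC", "lasttime": "2017-10-06 12:09:51 UTC",
     "description": "iptable drop logs", "count": 1, "asn": 6939,
     "asn_desc": "HURRICANE ELECTRIC, INC.", "cc": "US ", "tags": ["http", "scanner"]},
    {"id": 1, "indicator": "203.0.113.7", "itype": "ipv4", "portlist": null,
     "firsttime": null, "lasttime": "2017-10-05 08:00:00 UTC", "tags": ["scanner"]}
  ],
  "user": "csirtgadgets"
}
""")


def parse_time(value):
    """Feed timestamps are UTC strings; null/missing values stay None."""
    if value is None:
        return None
    return datetime.strptime(value, FEED_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_indicator(raw):
    """Return a cleaned record; reject entries lacking the fields every consumer needs."""
    for key in ("indicator", "itype"):
        if not raw.get(key):
            raise ValueError("indicator record missing %r: %r" % (key, raw))
    cc = raw.get("cc")
    return {
        "id": raw.get("id"),
        "indicator": raw["indicator"].strip(),
        "itype": raw["itype"],
        # portlist is a string such as "80" or "22,23"; split into ints for matching
        "ports": [int(p) for p in raw["portlist"].split(",")] if raw.get("portlist") else [],
        "firsttime": parse_time(raw.get("firsttime")),
        "lasttime": parse_time(raw.get("lasttime")),
        "count": raw.get("count") or 0,
        "asn": raw.get("asn"),
        "cc": cc.strip().upper() if cc else None,   # the page's reply shows "US " with a trailing space
        "tags": sorted(set(raw.get("tags") or [])),
    }


def parse_feed(feed):
    """Normalise a whole feed reply (the Get Feed response shape on this page)."""
    return {
        "name": feed["name"],
        "user": feed.get("user"),
        "license": (feed.get("license") or {}).get("name"),
        "indicators": [parse_indicator(i) for i in feed.get("indicators") or []],
    }


def seen_since(indicators, since):
    """Records whose lasttime is after `since` (aware datetime or feed-format string).

    Useful when polling a feed with ?limit and acting only on new entries.
    """
    if isinstance(since, str):
        since = parse_time(since)
    return [i for i in indicators if i["lasttime"] is not None and i["lasttime"] > since]


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    for rec in seen_since(parsed["indicators"], "2017-10-06 12:00:00 UTC"):
        print(rec["indicator"], rec["ports"], rec["cc"], rec["tags"])
```

Keeping the parser strict about indicator and itype but lenient about everything else matches the Schema section: the two fields a blocklist cannot do without are required, while optional enrichment (asn, cc, portlist) degrades to None or an empty list instead of crashing the poller.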

Create Feed

$ curl -XPOST -H "$AUTH" -H "$ACCEPT" -H "Content-Type: application/json" https://csirtg.io/api/users/wes/feeds -d '{"feed": { "name": "spyeye", "description": "spyeye bad" } }'
{
  "name": "spyeye",
  "description": "spyeye bad",
  "updated_at": "2017-10-06 12:14:56 UTC",
  "created_at": "2017-10-06 12:14:56 UTC",
  "license": {
    "name": "CC BY-SA 4.0",
    "url": "http://creativecommons.org/licenses/by-sa/4.0/"
  },
  "user": "wes"
}

Indicators

Create

$ curl -XPOST -H "$AUTH" -H "$ACCEPT" -H "Content-Type: application/json" https://csirtg.io/api/users/wes/feeds/spyeye/indicators -d '{ "indicator": { "indicator": "badsite.com", "tags": ["zeus","bot"]}}'
{
  "id": 9121580,
  "indicator": "badsite.com",
  "itype": "fqdn",
  "portlist": null,
  "count": 1,
  "protocol": null,
  "firsttime": "2017-10-06 12:19:34 UTC",
  "lasttime": "2017-10-06 12:19:34 UTC",
  "created_at": "2017-10-06 12:19:34 UTC",
  "updated_at": "2017-10-06 12:19:34 UTC",
  "description": null,
  "portlist_src": null,
  "asn": 26496,
  "asn_desc": "GODADDY.COM, LLC",
  "cc": "US",
  "license": {
    "name": "CC BY-SA 4.0",
    "url": "http://creativecommons.org/licenses/by-sa/4.0/"
  },
  "comments": [],
  "attachments": [],
  "tags": [
    "bot",
    "zeus"
  ],
  "feed": "spyeye",
  "user": "wes",
  "location": "https://csirtg.io/api/users/wes/feeds/spyeye/indicators/9121580"
}

Predict

The prediction API takes a URL and uses machine learning to predict whether it is suspicious.

$ curl -XGET -H "$AUTH" -H "$ACCEPT" -H "Content-Type: application/json" https://csirtg.io/api/predict?q=http://machinebook.pk/mac/verification.php
{"score":1}
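The curl line above passes the target URL into q without encoding it. That works for the URL shown, but a target containing "&" or "#" would be split into extra query parameters or truncated before it reaches the predict endpoint, so the score would describe a different URL than the one you meant. The following added example (not csirtg project code) percent-encodes q, round-trips it to prove the target survives intact, and parses the {"score": N} reply. The threshold is a constructed choice, since the page documents only that a flagged URL scored 1, and the token is a placeholder.

```python
"""Query the CSIRTG predict endpoint with a safely encoded target (added example)."""
import json
import urllib.parse
import urllib.request

PREDICT_URL = "https://csirtg.io/api/predict"
API_VERSION = "application/vnd.csirtg.v1"
SUSPICIOUS_THRESHOLD = 0.5   # assumption: the page shows score 1 for a flagged URL, no scale is documented


def predict_request(target_url, token):
    """Build the GET request with q percent-encoded (the page's curl line passes it raw)."""
    query = urllib.parse.urlencode({"q": target_url})
    return urllib.request.Request(
        PREDICT_URL + "?" + query,
        headers={"Accept": API_VERSION, "Authorization": "Token token=%s" % token},
        method="GET",
    )


def target_from_request(request):
    """Decode q back out of a built request; shows the server sees the whole target."""
    query = urllib.parse.urlsplit(request.full_url).query
    return urllib.parse.parse_qs(query)["q"][0]


def parse_score(body):
    """Extract the numeric score from a {"score": N} reply; reject anything else."""
    data = json.loads(body)
    score = data.get("score") if isinstance(data, dict) else None
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        raise ValueError("predict reply has no numeric score: %r" % (body,))
    return float(score)


def is_suspicious(score, threshold=SUSPICIOUS_THRESHOLD):
    return score >= threshold


def predict(target_url, token, timeout=10):
    """Full round trip (needs network access)."""
    req = predict_request(target_url, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_score(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # constructed target with characters that would break an unencoded query
    req = predict_request("http://example.com/login.php?a=1&b=2", "EXAMPLE_TOKEN")
    print(req.full_url)
    print(target_from_request(req))
    print(is_suspicious(parse_score('{"score":1}')))
```

Rejecting replies without a numeric score matters in a pipeline: an error page or an empty body must not be read as "score 0, safe", so the parser raises and the caller decides whether to retry or fail closed.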