github.com/crowdsecurity/crowdsec@v1.6.1/pkg/cticlient/tests/fire-page1.json (about) 1 { 2 "_links": { 3 "first": { 4 "href": "https://cti.api.crowdsec.net/v2/fire" 5 }, 6 "self": { 7 "href": "https://cti.api.crowdsec.net/v2/fire?page=1&limit=3" 8 }, 9 "next": { 10 "href": "https://cti.api.crowdsec.net/v2/fire?page=2&limit=3" 11 } 12 }, 13 "items": [ 14 { 15 "ip_range_score": 5, 16 "ip": "1.2.3.4", 17 "ip_range": "1.2.3.0/24", 18 "as_name": "AFFINITY-FTL", 19 "as_num": 3064, 20 "location": { 21 "country": "US", 22 "city": null, 23 "latitude": 37.751, 24 "longitude": -97.822 25 }, 26 "reverse_dns": "lsxx.com", 27 "behaviors": [ 28 { 29 "name": "http:bruteforce", 30 "label": "HTTP Bruteforce", 31 "description": "IP has been reported for performing a HTTP brute force attack (either generic http probing or applicative related brute force)." 32 }, 33 { 34 "name": "http:scan", 35 "label": "HTTP Scan", 36 "description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery." 37 } 38 ], 39 "history": { 40 "first_seen": "2022-09-18T14:00:00+00:00", 41 "last_seen": "2022-11-26T12:00:00+00:00", 42 "full_age": 77, 43 "days_age": 69 44 }, 45 "classifications": { 46 "false_positives": [], 47 "classifications": [] 48 }, 49 "attack_details": [ 50 { 51 "name": "crowdsecurity/http-wordpress_user-enum", 52 "label": "WordPress Bruteforce", 53 "description": "Detect wordpress brute force", 54 "references": [] 55 }, 56 { 57 "name": "crowdsecurity/http-probing", 58 "label": "HTTP Scanner", 59 "description": "Detect site scanning/probing from a single ip", 60 "references": [] 61 }, 62 { 63 "name": "crowdsecurity/http-bf-wordpress_bf_xmlrpc", 64 "label": "WordPress XMLRPC Bruteforce", 65 "description": "Detect wordpress brute force on xmlrpc", 66 "references": [] 67 }, 68 { 69 "name": "crowdsecurity/http-bad-user-agent", 70 "label": "Known Bad User-Agent", 71 "description": "Detect bad user-agents", 72 "references": [] 73 } 74 ], 75 "state": "validated", 76 "expiration": "2022-12-11T14:15:47.553000", 77 "target_countries": { 78 "US": 43, 79 "DE": 20, 80 "NL": 8, 81 "GB": 7, 82 "FR": 6, 83 "PL": 3, 84 "SG": 2, 85 "CA": 2, 86 "DK": 2, 87 "ZA": 1 88 }, 89 "background_noise_score": 5, 90 "scores": { 91 "overall": { 92 "aggressiveness": 5, 93 "threat": 0, 94 "trust": 5, 95 "anomaly": 0, 96 "total": 3 97 }, 98 "last_day": { 99 "aggressiveness": 0, 100 "threat": 0, 101 "trust": 0, 102 "anomaly": 0, 103 "total": 0 104 }, 105 "last_week": { 106 "aggressiveness": 0, 107 "threat": 0, 108 "trust": 0, 109 "anomaly": 0, 110 "total": 0 111 }, 112 "last_month": { 113 "aggressiveness": 0, 114 "threat": 0, 115 "trust": 0, 116 "anomaly": 0, 117 "total": 0 118 } 119 }, 120 "references": [] 121 }, 122 { 123 "ip_range_score": 5, 124 "ip": "2.3.4.5", 125 "ip_range": "2.3.0./16", 126 "as_name": "Linode, LLC", 127 "as_num": 63949, 128 "location": { 129 "country": "DE", 130 "city": "Frankfurt am Main", 131 "latitude": 50.1188, 132 "longitude": 8.6843 133 }, 134 "reverse_dns": "172xxent.com", 135 "behaviors": [ 136 { 137 "name": "http:exploit", 138 "label": "HTTP Exploit", 139 "description": "IP has been reported for attempting to exploit a vulnerability in a web application." 140 }, 141 { 142 "name": "http:scan", 143 "label": "HTTP Scan", 144 "description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery." 145 }, 146 { 147 "name": "http:crawl", 148 "label": "HTTP Crawl", 149 "description": "IP has been reported for performing aggressive crawling of web applications." 150 } 151 ], 152 "history": { 153 "first_seen": "2022-10-15T16:00:00+00:00", 154 "last_seen": "2022-11-18T18:15:00+00:00", 155 "full_age": 50, 156 "days_age": 35 157 }, 158 "classifications": { 159 "false_positives": [], 160 "classifications": [] 161 }, 162 "attack_details": [ 163 { 164 "name": "crowdsecurity/jira_cve-2021-26086", 165 "label": "Atlassian Jira CVE-2021-26086", 166 "description": "Detect Atlassian Jira CVE-2021-26086 exploitation attemps", 167 "references": [] 168 }, 169 { 170 "name": "crowdsecurity/http-probing", 171 "label": "HTTP Scanner", 172 "description": "Detect site scanning/probing from a single ip", 173 "references": [] 174 }, 175 { 176 "name": "crowdsecurity/CVE-2022-40684", 177 "label": "CVE-2022-40684", 178 "description": "Detect CVE-2022-40684 exploitation attempts (fortinet)", 179 "references": [ 180 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684" 181 ] 182 }, 183 { 184 "name": "crowdsecurity/http-crawl-non_statics", 185 "label": "HTTP Crawler", 186 "description": "Detect aggressive crawl from single ip", 187 "references": [] 188 } 189 ], 190 "state": "validated", 191 "expiration": "2022-12-14T16:16:46.507000", 192 "target_countries": { 193 "US": 36, 194 "DE": 19, 195 "FR": 17, 196 "RU": 8, 197 "NL": 5, 198 "GB": 4, 199 "CA": 2, 200 "RO": 2, 201 "IT": 1, 202 "BR": 1 203 }, 204 "background_noise_score": 9, 205 "scores": { 206 "overall": { 207 "aggressiveness": 5, 208 "threat": 2, 209 "trust": 5, 210 "anomaly": 0, 211 "total": 4 212 }, 213 "last_day": { 214 "aggressiveness": 0, 215 "threat": 0, 216 "trust": 0, 217 "anomaly": 0, 218 "total": 0 219 }, 220 "last_week": { 221 "aggressiveness": 0, 222 "threat": 0, 223 "trust": 0, 224 "anomaly": 0, 225 "total": 0 226 }, 227 "last_month": { 228 "aggressiveness": 2, 229 "threat": 2, 230 "trust": 0, 231 "anomaly": 0, 232 "total": 1 233 } 234 }, 235 "references": [] 236 }, 237 { 238 "ip_range_score": 0, 239 "ip": "3.2.3.4", 240 "ip_range": "3.2.3.0/24", 241 "as_name": "TOTxxited", 242 "as_num": 23969, 243 "location": { 244 "country": "TH", 245 "city": "Bangkok", 246 "latitude": 13.7366, 247 "longitude": 100.4995 248 }, 249 "reverse_dns": "nxxxt.net", 250 "behaviors": [ 251 { 252 "name": "smb:bruteforce", 253 "label": "SMB Bruteforce", 254 "description": "IP has been reported for performing brute force on samba services." 255 } 256 ], 257 "history": { 258 "first_seen": "2022-11-26T05:15:00+00:00", 259 "last_seen": "2022-11-26T12:00:00+00:00", 260 "full_age": 9, 261 "days_age": 1 262 }, 263 "classifications": { 264 "false_positives": [], 265 "classifications": [ 266 { 267 "name": "profile:insecure_services", 268 "label": "Dangerous Services Exposed", 269 "description": "IP exposes dangerous services (vnc, telnet, rdp), possibly due to a misconfiguration or because it's a honeypot." 270 } 271 ] 272 }, 273 "attack_details": [ 274 { 275 "name": "crowdsecurity/smb-bf", 276 "label": "Samba Bruteforce", 277 "description": "Detect smb brute force", 278 "references": [] 279 } 280 ], 281 "state": "validated", 282 "expiration": "2022-12-14T16:18:00.671000", 283 "target_countries": { 284 "GB": 100 285 }, 286 "background_noise_score": 5, 287 "scores": { 288 "overall": { 289 "aggressiveness": 2, 290 "threat": 4, 291 "trust": 5, 292 "anomaly": 1, 293 "total": 4 294 }, 295 "last_day": { 296 "aggressiveness": 0, 297 "threat": 0, 298 "trust": 0, 299 "anomaly": 1, 300 "total": 0 301 }, 302 "last_week": { 303 "aggressiveness": 0, 304 "threat": 0, 305 "trust": 0, 306 "anomaly": 1, 307 "total": 0 308 }, 309 "last_month": { 310 "aggressiveness": 2, 311 "threat": 4, 312 "trust": 5, 313 "anomaly": 1, 314 "total": 4 315 } 316 }, 317 "references": [] 318 } 319 ] 320 }