diff --git a/analyzers/Crowdsec/Crowdsec_analyzer.json b/analyzers/Crowdsec/Crowdsec_analyzer.json
index ed30a2028..6ba099173 100644
--- a/analyzers/Crowdsec/Crowdsec_analyzer.json
+++ b/analyzers/Crowdsec/Crowdsec_analyzer.json
@@ -1,6 +1,6 @@
 {
 "name": "Crowdsec_Analyzer",
- "version": "1.0",
+ "version": "1.1",
 "author": "CERT-ARKEA",
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
@@ -17,6 +17,69 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "taxonomy_reputation",
+ "description": "Create taxonomy for reputation",
+ "type": "boolean",
+ "multi": false,
+ "defaultValue": true
+ },
+ {
+ "name": "taxonomy_as_name",
+ "description": "Create taxonomy for AS name",
+ "type": "boolean",
+ "multi": false,
+ "defaultValue": false
+ },
+ {
+ "name": "taxonomy_ip_range_score",
+ "description": "Create taxonomy for IP range score",
+ "type": "boolean",
+ "multi": false,
+ "defaultValue": false
+ },
+ {
+ "name": "taxonomy_last_seen",
+ "description": "Create taxonomy for last seen date",
+ "type": "boolean",
+ "multi": false,
+ "defaultValue": false
+ },
+ {
+ "name": "taxonomy_attack_details",
+ "description": "Create taxonomy for attack details",
+ "type": "boolean",
+ "multi": false,
+ "defaultValue": false
+ },
+ {
+ "name": "taxonomy_behaviors",
+ "description": "Create taxonomy for behaviors",
+ "type": "boolean",
+ "multi": false,
+ "defaultValue": true
+ },
+ {
+ "name": "taxonomy_mitre_techniques",
+ "description": "Create taxonomy for mitre techniques",
+ "type": "boolean",
+ "multi": false,
+ "defaultValue": false
+ },
+ {
+ "name": "taxonomy_cves",
+ "description": "Create taxonomy for cves",
+ "type": "boolean",
+ "multi": false,
+ "defaultValue": true
+ },
+ {
+ "name": "taxonomy_not_found",
+ "description": "Create taxonomy for not found IP",
+ "type": "boolean",
+ "multi": false,
+ "defaultValue": true
 }
 ],
 "registration_required": true,
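Review bot: Each `defaultValue` of the new `taxonomy_*` items in the `@@ -17,6 +17,69 @@` hunk is repeated as the hard-coded default of the matching `get_param` call in `crowdsec_analyzer.py`, and nothing ties the two lists together, so a later edit to one side will silently diverge from the other; since strict JSON cannot carry a comment, the README's parameter section should state that this file is the authoritative list of switches and defaults. The `description` strings also use lowercase identifier names where the analyzer emits `Mitre` and `CVE` predicates; `"description": "Create taxonomy for MITRE ATT&CK techniques"` and `"description": "Create taxonomy for CVEs"` read consistently with the rest of the file. `taxonomy_not_found` would be clearer as `"description": "Emit a 'Threat: Not found' taxonomy when CrowdSec has no record for the IP"`, since that is the only case it affects.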
@@ -30,11 +93,11 @@
 "screenshots": [
 {
 "path": "assets/crowdsec-report-long.png",
- "caption": ""
+ "caption": "CrowdSec analyzer: long report"
 },
 {
 "path": "assets/crowdsec-analyzer-result-example.png",
- "caption": ""
+ "caption": "CrowdSec analyzer: short report"
 }
 ]
 }
diff --git a/analyzers/Crowdsec/README.md b/analyzers/Crowdsec/README.md
index f79a28d7e..be4883912 100644
--- a/analyzers/Crowdsec/README.md
+++ b/analyzers/Crowdsec/README.md
@@ -2,6 +2,8 @@
 Check [CrowdSec](https://www.crowdsec.net/) Threat Intelligence about an ip address.
+For further information, please consult the [official documentation](https://doc.crowdsec.net/u/cti_api/integration_thehive/).
+
 Running the analyzer will expose the result as taxonomies in the short report displayed in the ip observable.
 ![short result example](./assets/crowdsec-analyzer-result-example.png)
@@ -10,87 +12,371 @@ The raw report contains the whole json response from CrowdSec. e.g.: -```javascript +```json { - "ip_range_score": 0, - "ip": "223.171.256.256", - "ip_range": "223.171.0.0/16", - "as_name": "LGTELECOM", - "as_num": 17853, + "ip": "192.42.116.218", + "reputation": "malicious", + "ip_range": "192.42.116.0/22", + "background_noise": "high", + "confidence": "high", + "background_noise_score": 10, + "ip_range_score": 5, + "as_name": "SURF B.V.", + "as_num": 1101, + "ip_range_24": "192.42.116.0/24", + "ip_range_24_reputation": "malicious", + "ip_range_24_score": 5, "location": { - "country": "KR", + "country": "NL", "city": null, - "latitude": 42, - "longitude": 42 + "latitude": 52.3824, + "longitude": 4.8995 }, - "reverse_dns": null, + "reverse_dns": "44.tor-exit.nothingtohide.nl", "behaviors": [ { - "name": "pop3/imap:bruteforce", - "label": "POP3/IMAP Bruteforce", - "description": "IP has been reported for performing a POP3/IMAP brute force attack." + "name": "tcp:scan", + "label": "TCP Scan", + "description": "IP has been reported for performing TCP port scanning.", + "references": [], + "$$hashKey": "object:984" + }, + { + "name": "http:bruteforce", + "label": "HTTP Bruteforce", + "description": "IP has been reported for performing a HTTP brute force attack (either generic HTTP probing or applicative related brute force).", + "references": [], + "$$hashKey": "object:985" + }, + { + "name": "http:exploit", + "label": "HTTP Exploit", + "description": "IP has been reported for attempting to exploit a vulnerability in a web application.", + "references": [], + "$$hashKey": "object:986" + }, + { + "name": "http:scan", + "label": "HTTP Scan", + "description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery.", + "references": [], + "$$hashKey": "object:987" + }, + { + "name": "http:spam", + "label": "Web form spam", + "description": "IP has been reported trying to perform spam via web forms/forums.", + 
"references": [], + "$$hashKey": "object:988" + }, + { + "name": "generic:exploit", + "label": "Exploitation attempt", + "description": "IP has been reported trying to exploit known vulnerability/CVE on unspecified protocols.", + "references": [], + "$$hashKey": "object:989" + }, + { + "name": "ssh:bruteforce", + "label": "SSH Bruteforce", + "description": "IP has been reported for performing brute force on ssh services.", + "references": [], + "$$hashKey": "object:990" } ], "history": { - "first_seen": "2022-09-26T03:45:00+00:00", - "last_seen": "2022-10-11T08:15:00+00:00", - "full_age": 16, - "days_age": 15 + "first_seen": "2022-12-26T01:15:00+00:00", + "last_seen": "2024-07-31T10:00:00+00:00", + "full_age": 585, + "days_age": 584 }, "classifications": { "false_positives": [], - "classifications": [] + "classifications": [ + { + "name": "proxy:tor", + "label": "TOR exit node", + "description": "IP is being flagged as a TOR exit node.", + "references": [], + "$$hashKey": "object:1021" + }, + { + "name": "crowdsec:ai_vpn_proxy", + "label": "VPN or Proxy", + "description": "IP is identified as a VPN or a Proxy by CrowdSec AI Detection Algorithm.", + "references": [], + "$$hashKey": "object:1022" + }, + { + "name": "community-blocklist", + "label": "CrowdSec Community Blocklist", + "description": "IP belongs to the CrowdSec Community Blocklist", + "$$hashKey": "object:1023" + } + ] }, "attack_details": [ { - "name": "crowdsecurity/postfix-spam", - "label": "Postfix Bruteforce", - "description": "Detect spammers/postfix brute force", - "references": [] + "name": "firewallservices/pf-scan-multi_ports", + "label": "PF Scan Multi Ports", + "description": "ban IPs that are scanning us", + "references": [], + "$$hashKey": "object:1027" + }, + { + "name": "crowdsecurity/http-path-traversal-probing", + "label": "HTTP Path Traversal Exploit", + "description": "Detect path traversal attempt", + "references": [], + "$$hashKey": "object:1028" + }, + { + "name": 
"crowdsecurity/grafana-cve-2021-43798", + "label": "CVE-2021-43798", + "description": "Detect cve-2021-43798 exploitation attemps", + "references": [], + "$$hashKey": "object:1029" + }, + { + "name": "crowdsecurity/http-admin-interface-probing", + "label": "HTTP Admin Interface Probing", + "description": "Detect generic HTTP admin interface probing", + "references": [], + "$$hashKey": "object:1030" + }, + { + "name": "crowdsecurity/http-open-proxy", + "label": "HTTP Open Proxy Probing", + "description": "Detect scan for open proxy", + "references": [], + "$$hashKey": "object:1031" + }, + { + "name": "crowdsecurity/http-cve-probing", + "label": "HTTP CVE Probing", + "description": "Detect generic HTTP cve probing", + "references": [], + "$$hashKey": "object:1032" + }, + { + "name": "LePresidente/http-generic-403-bf", + "label": "HTTP Bruteforce", + "description": "Detect generic 403 Forbidden (Authorization) error brute force", + "references": [], + "$$hashKey": "object:1033" + }, + { + "name": "crowdsecurity/http-sqli-probbing-detection", + "label": "SQL Injection Attempt", + "description": "A scenario that detects SQL injection probing with minimal false positives", + "references": [], + "$$hashKey": "object:1034" + }, + { + "name": "crowdsecurity/http-sensitive-files", + "label": "Access to sensitive files over HTTP", + "description": "Detect attempt to access to sensitive files (.log, .db ..) 
or folders (.git)", + "references": [], + "$$hashKey": "object:1035" + }, + { + "name": "crowdsecurity/http-bad-user-agent", + "label": "Bad User Agent", + "description": "Detect usage of bad User Agent", + "references": [], + "$$hashKey": "object:1036" + }, + { + "name": "crowdsecurity/suricata-major-severity", + "label": "Suricata Severity 1 Event", + "description": "Detect exploit attempts via emerging threat rules", + "references": [], + "$$hashKey": "object:1037" + }, + { + "name": "crowdsecurity/ssh-bf", + "label": "SSH Bruteforce", + "description": "Detect ssh bruteforce", + "references": [], + "$$hashKey": "object:1038" + }, + { + "name": "crowdsecurity/apache_log4j2_cve-2021-44228", + "label": "Log4j CVE-2021-44228", + "description": "Detect cve-2021-44228 exploitation attemps", + "references": [], + "$$hashKey": "object:1039" + }, + { + "name": "crowdsecurity/http-bf-wordpress_bf_xmlrpc", + "label": "WP XMLRPC bruteforce", + "description": "detect wordpress bruteforce on xmlrpc", + "references": [], + "$$hashKey": "object:1040" + }, + { + "name": "crowdsecurity/ssh-slow-bf", + "label": "SSH Slow Bruteforce", + "description": "Detect slow ssh bruteforce", + "references": [], + "$$hashKey": "object:1041" + }, + { + "name": "crowdsecurity/http-bf-wordpress_bf", + "label": "WordPress Bruteforce", + "description": "Detect WordPress bruteforce on admin interface", + "references": [], + "$$hashKey": "object:1042" + }, + { + "name": "crowdsecurity/http-wordpress_wpconfig", + "label": "Access to WordPress wp-config.php", + "description": "Detect WordPress probing: variations around wp-config.php by wpscan", + "references": [], + "$$hashKey": "object:1043" + }, + { + "name": "crowdsecurity/http-xss-probbing", + "label": "XSS Attempt", + "description": "A scenario that detects XSS probing with minimal false positives", + "references": [], + "$$hashKey": "object:1044" + }, + { + "name": "crowdsecurity/modsecurity", + "label": "Modsecurity Alert", + "description": 
"Web exploitation via modsecurity", + "references": [], + "$$hashKey": "object:1045" + }, + { + "name": "crowdsecurity/http-probing", + "label": "HTTP Probing", + "description": "Detect site scanning/probing from a single ip", + "references": [], + "$$hashKey": "object:1046" } ], "target_countries": { - "DE": 25, - "FR": 25, - "PL": 25, - "SK": 25 + "US": 38, + "DE": 20, + "JP": 10, + "FR": 8, + "GB": 7, + "NL": 5, + "PL": 3, + "CA": 2, + "RU": 2, + "DK": 2 }, + "mitre_techniques": [ + { + "name": "T1595", + "label": "Active Scanning", + "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting.", + "references": [], + "$$hashKey": "object:1009" + }, + { + "name": "T1018", + "label": "Remote System Discovery", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", + "references": [], + "$$hashKey": "object:1010" + }, + { + "name": "T1046", + "label": "Network Service Discovery", + "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.", + "references": [], + "$$hashKey": "object:1011" + }, + { + "name": "T1110", + "label": "Brute Force", + "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.", + "references": [], + "$$hashKey": "object:1012" + }, + { + "name": "T1190", + "label": "Exploit Public-Facing Application", + "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.", + "references": [], + "$$hashKey": "object:1013" + }, + { + "name": "T1589", + "label": "Gather Victim Identity Information", + "description": "Adversaries may 
gather information about the victim's identity that can be used during targeting.", + "references": [], + "$$hashKey": "object:1014" + } + ], + "cves": [ + "CVE-2021-43798", + "CVE-2021-44228" + ], "scores": { "overall": { - "aggressiveness": 0, + "aggressiveness": 5, "threat": 4, - "trust": 0, + "trust": 5, "anomaly": 1, - "total": 1 + "total": 5 }, "last_day": { - "aggressiveness": 0, - "threat": 0, - "trust": 0, + "aggressiveness": 5, + "threat": 4, + "trust": 5, "anomaly": 1, - "total": 0 + "total": 5 }, "last_week": { - "aggressiveness": 0, + "aggressiveness": 5, "threat": 4, - "trust": 0, + "trust": 5, "anomaly": 1, - "total": 1 + "total": 5 }, "last_month": { - "aggressiveness": 0, + "aggressiveness": 5, "threat": 4, - "trust": 0, + "trust": 5, "anomaly": 1, - "total": 1 + "total": 5 } }, - "references": [] + "references": [ + { + "name": "list:crowdsec_high_background_noise", + "label": "CrowdSec High Background Noise List", + "description": "Contains all IPs in our database that are considered as background noise. These IPs are not necessarily malicious, but they are considered as a potential threat. Proactively block these IPs if you want to reduce the noise on your systems.", + "references": [], + "$$hashKey": "object:1077" + }, + { + "name": "list:crowdsec_intelligence_blocklist", + "label": "CrowdSec Intelligence List", + "description": "Contains all IPs in our database that have been identified as actively aggressive, performing a wide variety of attacks. Proactively block these IPs if you don’t want to take any chances with malicious IPs potentially reaching your systems.", + "references": [], + "$$hashKey": "object:1078" + }, + { + "name": "list:firehol_botscout_7d", + "label": "Firehol BotScout list", + "description": "BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. 
They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. This list is composed of the most recently-caught bots.",
+ "references": [
+ "https://iplists.firehol.org/?ipset=botscout_7d"
+ ],
+ "$$hashKey": "object:1079"
+ }
+ ]
 }
 ```
 #### Requirements
-Provide a [CrowdSec CTI Api key](https://www.crowdsec.net/product/threat-intelligence#card-four)
+Provide a [CrowdSec CTI Api key](https://docs.crowdsec.net/u/cti_api/getting_started/#getting-an-api-key)
 as a value for the `api_key` parameter.
diff --git a/analyzers/Crowdsec/assets/crowdsec-analyzer-result-example.png b/analyzers/Crowdsec/assets/crowdsec-analyzer-result-example.png
index 664fe322f..e09efea53 100644
Binary files a/analyzers/Crowdsec/assets/crowdsec-analyzer-result-example.png and b/analyzers/Crowdsec/assets/crowdsec-analyzer-result-example.png differ
diff --git a/analyzers/Crowdsec/assets/crowdsec-report-long.png b/analyzers/Crowdsec/assets/crowdsec-report-long.png
index 0474c1323..3deed2f1f 100644
Binary files a/analyzers/Crowdsec/assets/crowdsec-report-long.png and b/analyzers/Crowdsec/assets/crowdsec-report-long.png differ
diff --git a/analyzers/Crowdsec/crowdsec_analyzer.py b/analyzers/Crowdsec/crowdsec_analyzer.py
index 38e237283..97a195e27 100755
--- a/analyzers/Crowdsec/crowdsec_analyzer.py
+++ b/analyzers/Crowdsec/crowdsec_analyzer.py
@@ -2,16 +2,38 @@
 from cortexutils.analyzer import Analyzer
 from crowdsec_api import Crowdsec
-from datetime import datetime
 class CrowdsecAnalyzer(Analyzer):
- def __init__(self):
- Analyzer.__init__(self)
- self.crowdsec_key = self.get_param("config.api_key", None, "Missing Crowdsec API key")
+ def __init__(self, job_directory=None):
+ Analyzer.__init__(self, job_directory)
+ self.crowdsec_key = self.get_param(
+ "config.api_key", None, "Missing Crowdsec API key"
+ )
+ self.taxonomy_reputation = self.get_param(
+ "config.taxonomy_reputation", True, None
+ )
+ self.taxonomy_as_name = self.get_param("config.taxonomy_as_name", False, None)
+ self.taxonomy_ip_range_score = self.get_param(
+ "config.taxonomy_ip_range_score", False, None
+ )
+ self.taxonomy_last_seen = self.get_param(
+ "config.taxonomy_last_seen", False, None
+ )
+ self.taxonomy_attack_details = self.get_param(
+ "config.taxonomy_attack_details", False, None
+ )
+ self.taxonomy_behaviors = self.get_param(
+ "config.taxonomy_behaviors", True, None
+ )
+ self.taxonomy_mitre_techniques = self.get_param(
+ "config.taxonomy_mitre_techniques", False, None
+ )
+ self.taxonomy_cves = self.get_param("config.taxonomy_cves", True, None)
+ self.taxonomy_not_found = self.get_param(
+ "config.taxonomy_not_found", True, None
+ )
 self.crowdsec_client = None
- self.verbose_taxonomies = self.get_param("config.verbose_taxonomies", False)
- self.polling_interval = self.get_param("config.polling_interval", 60)
 def summary(self, raw):
 taxonomies = []
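Review bot: The nine `taxonomy_*` assignments in `__init__` are the same `get_param` call repeated with a different key and default, and each default re-states the `defaultValue` already declared in `Crowdsec_analyzer.json`, so the two lists can drift apart with nothing catching it. A class-level table of the switches and one loop keeps the defaults in a single place and turns a future taxonomy into a one-line addition; the explicit third argument `None` is already `get_param`'s default and can be dropped. `summary` begins at the end of this hunk but its body continues past it.
```python
class CrowdsecAnalyzer(Analyzer):
    # Which parts of the CrowdSec record are turned into taxonomies.
    # Defaults must match the defaultValue entries in Crowdsec_analyzer.json.
    TAXONOMY_DEFAULTS = {
        "reputation": True,
        "as_name": False,
        "ip_range_score": False,
        "last_seen": False,
        "attack_details": False,
        "behaviors": True,
        "mitre_techniques": False,
        "cves": True,
        "not_found": True,
    }

    def __init__(self, job_directory=None):
        Analyzer.__init__(self, job_directory)
        self.crowdsec_key = self.get_param(
            "config.api_key", None, "Missing Crowdsec API key"
        )
        # Exposes the same self.taxonomy_<name> attributes that summary() reads.
        for name, default in self.TAXONOMY_DEFAULTS.items():
            setattr(
                self,
                "taxonomy_" + name,
                self.get_param("config.taxonomy_" + name, default),
            )
        self.crowdsec_client = None
```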
@@ -19,38 +41,87 @@ def summary(self, raw):
 levelinfo = "info"
 levelorange = "suspicious"
 levelgreen = "safe"
-
- if 'as_name' in raw:
- taxonomies.append(self.build_taxonomy(levelinfo, namespace, 'ASN', raw['as_name']))
-
- if 'ip_range_score' in raw:
- taxonomies.append(self.build_taxonomy(levelinfo, namespace, 'Score', raw['ip_range_score']))
-
- if 'history' in raw:
- taxonomies.append(self.build_taxonomy(levelinfo, namespace, 'LastSeen', raw['history']['last_seen']))
-
- if 'attack_details' in raw:
- for attack in raw['attack_details'] :
- taxonomies.append(self.build_taxonomy(levelorange, namespace, 'Attack', attack['name']))
-
- if len(taxonomies) == 0:
- taxonomies.append(self.build_taxonomy(levelgreen, namespace, 'Threat', 'Not found'))
-
- ### uncomment for full taxonomies report
- #if raw['attack_details']:
- # for attackdetails in raw['attack_details'] :
- # taxonomies.append(self.build_taxonomy(levelorange, namespace, 'Attack_details', attackdetails['name']))
+ levelred = "malicious"
+
+ if self.taxonomy_reputation and "reputation" in raw:
+ level = (
+ levelred
+ if raw["reputation"] == "malicious"
+ else (
+ levelorange
+ if raw["reputation"] == "suspicious"
+ else levelgreen if raw["reputation"] == "safe" else levelinfo
+ )
+ )
+ taxonomies.append(
+ self.build_taxonomy(level, namespace, "Reputation", raw["reputation"])
+ )
+
+ if self.taxonomy_as_name and "as_name" in raw:
+ taxonomies.append(
+ self.build_taxonomy(levelinfo, namespace, "ASN", raw["as_name"])
+ )
+
+ if self.taxonomy_ip_range_score and "ip_range_score" in raw:
+ taxonomies.append(
+ self.build_taxonomy(
+ levelinfo, namespace, "Score", raw["ip_range_score"]
+ )
+ )
+
+ if self.taxonomy_last_seen and "history" in raw:
+ taxonomies.append(
+ self.build_taxonomy(
+ levelinfo, namespace, "LastSeen", raw["history"]["last_seen"]
+ )
+ )
+
+ if self.taxonomy_attack_details and "attack_details" in raw:
+ for attack in raw["attack_details"]:
+ taxonomies.append(
+ self.build_taxonomy(
+ levelorange, namespace, "Attack", attack["name"]
+ )
+ )
+
+ if self.taxonomy_behaviors and "behaviors" in raw:
+ for behavior in raw["behaviors"]:
+ taxonomies.append(
+ self.build_taxonomy(
+ levelorange, namespace, "Behavior", behavior["name"]
+ )
+ )
+
+ if self.taxonomy_mitre_techniques and "mitre_techniques" in raw:
+ for mitre in raw["mitre_techniques"]:
+ taxonomies.append(
+ self.build_taxonomy(levelorange, namespace, "Mitre", mitre["name"])
+ )
+
+ if self.taxonomy_cves and "cves" in raw:
+ for cve in raw["cves"]:
+ taxonomies.append(
+ self.build_taxonomy(levelorange, namespace, "CVE", cve)
+ )
+
+ if (
+ self.taxonomy_not_found
+ and "reputation" not in raw
+ and "attack_details" not in raw
+ ):
+ taxonomies.append(
+ self.build_taxonomy(levelgreen, namespace, "Threat", "Not found")
+ )
 return {"taxonomies": taxonomies}
-
 def run(self):
 Analyzer.run(self)
 try:
 self.crowdsec_client = Crowdsec(self.crowdsec_key)
 data = self.get_param("data", None, "Data is missing")
 results = self.crowdsec_client.summary(data, self.data_type)
-
+ self.report(results)
 except Exception:
@@ -59,4 +130,3 @@ def run(self):
 if __name__ == "__main__":
 CrowdsecAnalyzer().run()
-
diff --git a/analyzers/Crowdsec/crowdsec_api.py b/analyzers/Crowdsec/crowdsec_api.py
index 2e148a2cd..241da2e6a 100755
--- a/analyzers/Crowdsec/crowdsec_api.py
+++ b/analyzers/Crowdsec/crowdsec_api.py
@@ -1,6 +1,8 @@
 #!/usr/bin/env python3
-from requests.compat import urljoin
+import json
+
 import requests
+from requests.compat import urljoin
 class Crowdsec:
@@ -10,7 +12,7 @@ class Crowdsec:
 """
 def __init__(self, key: str):
- """Intializes the API object
+ """Initializes the API object
 :param key: The Crowdsec API key
 :type key: str
 """
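Review bot: The four-way nested conditional expression that picks `level` for the `Reputation` taxonomy in the `@@ -19,38 +41,87 @@` hunk is hard to read and to extend; a lookup table says the same thing in two lines: `levels = {"malicious": levelred, "suspicious": levelorange, "safe": levelgreen}` then `level = levels.get(raw["reputation"], levelinfo)`. The `Not found` rule also changed meaning: it used to fire whenever no other taxonomy had been produced, and now fires only when both `reputation` and `attack_details` are absent from the record, so a record whose `reputation` is a value other than the three mapped ones (if the API returns such values) is shown as an info-level `Reputation` taxonomy rather than `Not found`; a comment on the `if (` block such as `# "Not found" means CrowdSec returned no record at all, not merely no attack data` would record that this is intentional. That rule further assumes `Crowdsec.summary` returns a decoded body rather than raising for an IP with no record, which is not visible in this hunk. The `Behavior` and `Mitre` loops index `["name"]` on dict entries while the `cves` loop uses each entry as a plain string; that matches the README sample, so a one-line comment on the `cves` loop noting the different element shape would save the next reader a trip to the API docs.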
@@ -23,10 +25,10 @@ def _request(self, path: str):
 :type path: str
 """
 headers = {
- "x-api-key": self.api_key ,
- "accept": "application/json",
- "User-Agent": "crowdsec-cortex/v1.0.0",
- }
+ "x-api-key": self.api_key,
+ "accept": "application/json",
+ "User-Agent": "crowdsec-cortex/v1.1.0",
+ }
 url = urljoin(self.base_url, path)
 response = requests.get(url, headers=headers)
@@ -34,15 +36,14 @@ def _request(self, path: str):
 raise APIRateLimiting(response.text)
 try:
 response_data = response.json()
- except:
+ except json.JSONDecodeError:
 raise APIError("Couldn't parse response JSON")
 return response_data
 def summary(self, data: str, datatype: str):
- """Return a summary of all information we have for the given IPv{4,6} address.
- """
- if datatype == 'ip':
+ """Return a summary of all information we have for the given IPv{4,6} address."""
+ if datatype == "ip":
 url_path = "/v2/smoke/{ip}".format(ip=data)
 return self._request(path=url_path)
@@ -65,4 +66,3 @@ def __init__(self, value):
 def __str__(self):
 return self.value
-
diff --git a/thehive-templates/Crowdsec_1_0/long.html b/thehive-templates/Crowdsec_1_0/long.html
deleted file mode 100644
index 13617c06c..000000000
--- a/thehive-templates/Crowdsec_1_0/long.html
+++ /dev/null
@@ -1,111 +0,0 @@ - - -
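Review bot: The new `except json.JSONDecodeError:` in the `@@ -34,15 +36,14 @@` hunk can miss the error `response.json()` actually raises: requests decodes with `simplejson` when that package is installed, and simplejson's `JSONDecodeError` is not a subclass of `json.JSONDecodeError`, so a non-JSON body would then escape as an unhandled exception instead of the intended `APIError`. Catching `ValueError`, which both decoders' errors derive from, or `requests.exceptions.JSONDecodeError` keeps the narrowing without that gap, and chaining preserves the parse position for the job log: `except ValueError as exc:` / `raise APIError("Couldn't parse response JSON") from exc`. The context line `response = requests.get(url, headers=headers)` in the `@@ -23,10 +25,10 @@` hunk still passes no `timeout`, so a stalled CTI endpoint keeps the Cortex job open indefinitely; this commit does not touch it, but `requests.get(url, headers=headers, timeout=30)` (value to be chosen) would bound it. `summary` still falls through and returns `None` for any `datatype` other than `"ip"`; whether anything after `return self._request(path=url_path)` handles that is outside the hunk.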
-
- {{(artifact.data || artifact.attachment.name) | fang}} -
-
- {{content.message || 'Error while retrieving information'}} -
-
- -
-
-
- CrowdSec record for "{{artifact.data}}" -
- view more on app.crowdsec.net -
-
-
-
Reverse DNS
-
{{content.reverse_dns}}
-
-
-
Range
-
{{content.ip_range}}
-
-
-
Autonomous System
-
{{content.as_name}}
-
-
-
Location
-
{{content.location.city}} {{content.location.country}}
-
-
-
-
First seen
-
{{content.history.first_seen}}
-
-
-
Last seen
-
{{content.history.last_seen}}
-
-
-
-
Known For
-
- - {{b.label}} - -
-
-
-
- -
-
- Attacks details -
- -
-
Classification
-
- - {{c.label}} - -
-
-
-
False Positive
-
- - {{fp.label}} - -
-
-
-
-
Attacks
-
- - {{a.label}} - -
-
- -
-

Aggressiveness (0 to 5) -

- - - - - - - - - - - - - -
OverallLast dayLast weekLast month
{{content.scores.overall.aggressiveness}}{{content.scores.last_day.aggressiveness}}{{content.scores.last_week.aggressiveness}}{{content.scores.last_month.aggressiveness}}
-
-
-
\ No newline at end of file diff --git a/thehive-templates/Crowdsec_1_1/long.html b/thehive-templates/Crowdsec_1_1/long.html new file mode 100644 index 000000000..65403c60f --- /dev/null +++ b/thehive-templates/Crowdsec_1_1/long.html @@ -0,0 +1,199 @@ + + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.message || 'Error while retrieving information'}} +
+
+ +
+
+
+ CrowdSec record for "{{artifact.data}}" +
+
+
+ Reputation + {{content.reputation}} + +
+
+

+ View more on app.crowdsec.net +
+
+
+
+
+
Crowd Confidence
+
+ {{content.confidence}} +
+
+
+
+
+
Location
+
{{content.location.city}} {{content.location.country}}
+
+
+
+
+
+
+
First seen
+
{{content.history.first_seen}}
+
+
+
+
+
Last seen
+
{{content.history.last_seen}}
+
+
+
+
+
Known For
+
+ + {{b.label}} + + + {{cve}} + +
+
+
+
MITRE
+
+ + + {{m.label}} + + +
+
+
+
+
+
Reverse DNS
+
{{content.reverse_dns}}
+
+
+
Range
+
{{content.ip_range}}
+
+
+
Autonomous System
+
{{content.as_name}}
+
+
+
+ +
+
+ Attack details +
+
+
Classification
+
+ + {{c.label}} + +
+
+
+
False Positive
+
+ + {{fp.label}} + +
+
+
+
+
Attacks
+
+ + {{a.label}} + +
+
+
+
Top Targeted countries
+
+ + {{country}}: {{percent}}% + +
+
+
+

Aggressiveness (0 to 5)

+ + + + + + + + + + + + + +
OverallLast dayLast weekLast month
{{content.scores.overall.aggressiveness}}{{content.scores.last_day.aggressiveness}}{{content.scores.last_week.aggressiveness}}{{content.scores.last_month.aggressiveness}}
+
+
+ +
+
+ Blocklists containing this IP +
+
+
+
+
+ {{r.label}} +
+
+ {{r.description}} +
+
+
+
+
+ No blocklists found for this IP +
+
+
+ + +