Updated on 2023-12-06 GMT+08:00

Querying Attack Logs

Function

This API is used to query attack logs.

Debugging

You can debug this API through automatic authentication in or use the SDK sample code generated by API Explorer.

URI

GET /v1/{project_id}/cfw/logs/attack

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID

Table 2 Query Parameters

Parameter

Mandatory

Type

Description

start_time

Yes

Long

Start time

end_time

Yes

Long

End time

src_ip

No

String

Source IP address

src_port

No

Integer

Source port number

Minimum: 0

Maximum: 65535

dst_ip

No

String

Destination IP address

dst_port

No

Integer

Destination port number

Minimum: 0

Maximum: 65535

protocol

No

String

Protocol type. The value 6 indicates TCP, 17 indicates UDP, 1 indicates ICMP, 58 indicates ICMPv6, and -1 indicates any protocol. Regarding the addition type, a null value indicates it is automatically added.

Enumeration values:

  • 6

  • 17

  • 1

  • 58

app

No

String

Application protocol

log_id

No

String

Log ID. The value is null for the first page and not null for the rest of the pages.

next_date

No

Long

Next date. The value is null for the first page and not null for the rest of the pages.

offset

No

Integer

Offset, which specifies the start position of the record to be returned. The value must be a number no less than 0. The default value is 0.

limit

Yes

Integer

Number of records displayed on each page

fw_instance_id

Yes

String

Firewall instance ID, which is automatically generated after a CFW instance is created. You can obtain the ID by calling the API used for querying a firewall instance. For details, see the API Explorer and Help Center FAQ.

action

No

String

Action. 0: allow; 1: deny

Enumeration values:

  • 0

  • 1

direction

No

String

Direction. 0: inbound; 1: outbound

Enumeration values:

  • 0

  • 1

attack_type

No

String

Intrusion event type

attack_rule

No

String

Intrusion event rule

level

No

String

Threat level

source

No

String

Source

enterprise_project_id

No

String

Enterprise project id, the id generated by the enterprise project after the user supports the enterprise project.

Request Parameters

Table 3 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter

Type

Description

data

data object

Return value of attack log query

Table 5 data

Parameter

Type

Description

total

Integer

Returned quantity

limit

Integer

Number of records displayed on each page

records

Array of records objects

Record

Table 6 records

Parameter

Type

Description

direction

String

Direction, which can be inbound or outbound

Enumeration values:

  • out2in

  • in2out

action

String

Action

event_time

String

Event time

attack_type

String

Attack type

attack_rule

String

Attack rule

level

String

Threat level

source

String

Source

packet_length

Long

Packet length

attack_rule_id

Integer

Attack rule ID

hit_time

Integer

Hit time

log_id

String

Log ID

src_ip

String

Source IP address

src_port

Integer

Source port

Minimum: 0

Maximum: 65535

dst_ip

String

Destination IP address

dst_port

Integer

Destination port

Minimum: 0

Maximum: 65535

protocol

String

Protocol

packet

Packet object

Attack log packet

app

String

Application protocol

packetMessages

Array of PacketMessage objects

packet message

Table 7 Packet

Parameter

Type

Description

hex_index

String

Hexadecimal code

utf8_string

String

UTF-8 string

hexs

Array of strings

Hexadecimal single bytecode array

Table 8 PacketMessage

Parameter

Type

Description

hex_index

String

hex index

hexs

Array of strings

hexs

utf8_String

String

utf8 string

Status code: 400

Table 9 Response body parameters

Parameter

Type

Description

error_code

String

Error code

Minimum: 8

Maximum: 36

error_msg

String

Description

Minimum: 2

Maximum: 512

Example Requests

Query 10 records on the first page of the firewall with the ID 2af58b7c-893c-4453-a984-bdd9b1bd6318 in the project 9d80d070b6d44942af73c9c3d38e0429. The query time range is 1663567058000 to 1664171765000.

https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/cfw/logs/access-control?fw_instance_id=2af58b7c-893c-4453-a984-bdd9b1bd6318&start_time=1663567058000&end_time=1664171765000&limit=10

Example Responses

Status code: 200

OK

{
  "data" : {
    "limit" : 10,
    "records" : [ {
      "action" : "deny",
      "app" : "HTTP",
      "attack_rule" : "Tool Nmap Web Server Probe Detected",
      "attack_rule_id" : "336154",
      "attack_type" : "Web Attack",
      "direction" : "out2in",
      "dst_ip" : "100.95.148.49",
      "dst_port" : 8080,
      "event_time" : 1664146216000,
      "level" : "MEDIUM",
      "log_id" : "15591",
      "packet" : "+hZUZMhV+hY/AaHMCABFKABpXPNAADAGof1kVe6QZF+UMcTQH5B0wdaz888+uoAYAOVyNQAAAQEICjrmikVb9JLCR0VUIC9uaWNlJTIwcG9ydHMlMkMvVHJpJTZFaXR5LnR4dCUyZWJhayBIVFRQLzEuMA0KDQo=",
      "packetMessages" : [ {
        "hex_index" : "00000000",
        "hexs" : [ "fa", "16", "54", "64", "c8", "55", "fa", "16", "3f", "01", "a1", "cc", "08", "00", "45", "28" ],
        "utf8_String" : ".\u0016Td.U.\u0016?.....E("
      }, {
        "hex_index" : "00000010",
        "hexs" : [ "00", "69", "5c", "f3", "40", "00", "30", "06", "a1", "fd", "64", "55", "ee", "90", "64", "5f" ],
        "utf8_String" : ".i\\.@.0...dU.d_"
      }, {
        "hex_index" : "00000020",
        "hexs" : [ "94", "31", "c4", "d0", "1f", "90", "74", "c1", "d6", "b3", "f3", "cf", "3e", "ba", "80", "18" ],
        "utf8_String" : ".1..\u001F.t.ֳ..>..."
      }, {
        "hex_index" : "00000030",
        "hexs" : [ "00", "e5", "72", "35", "00", "00", "01", "01", "08", "0a", "3a", "e6", "8a", "45", "5b", "f4" ],
        "utf8_String" : "..r5......:.E[."
      }, {
        "hex_index" : "00000040",
        "hexs" : [ "92", "c2", "47", "45", "54", "20", "2f", "6e", "69", "63", "65", "25", "32", "30", "70", "6f" ],
        "utf8_String" : "..GET /nice%20po"
      }, {
        "hex_index" : "00000050",
        "hexs" : [ "72", "74", "73", "25", "32", "43", "2f", "54", "72", "69", "25", "36", "45", "69", "74", "79" ],
        "utf8_String" : "rts%2C/Tri%6Eity"
      }, {
        "hex_index" : "00000060",
        "hexs" : [ "2e", "74", "78", "74", "25", "32", "65", "62", "61", "6b", "20", "48", "54", "54", "50", "2f" ],
        "utf8_String" : ".txt%2ebak HTTP/"
      }, {
        "hex_index" : "00000070",
        "hexs" : [ "31", "2e", "30", "0d", "0a", "0d", "0a" ],
        "utf8_String" : "1.0\r.\r."
      } ],
      "packet_length" : 119,
      "protocol" : "TCP",
      "source" : "0",
      "src_ip" : "100.85.238.144",
      "src_port" : 50384
    } ],
    "total" : 1
  }
}

Status code: 400

Bad Request

{
  "error_code" : "00500002",
  "error_msg" : "time range error"
}

Status Codes

Status Code

Description

200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

500

Internal Server Error

Error Codes

See Error Codes.