Querying Attack Logs

Function

This API is used to query attack logs.

Debugging

You can debug this API through automatic authentication in or use the SDK sample code generated by API Explorer.

URI

GET /v1/{project_id}/cfw/logs/attack

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
start_time	Yes	Long	Start time
end_time	Yes	Long	End time
src_ip	No	String	Source IP address
src_port	No	Integer	Source port number Minimum: 0 Maximum: 65535
dst_ip	No	String	Destination IP address
dst_port	No	Integer	Destination port number Minimum: 0 Maximum: 65535
protocol	No	String	Protocol type. The value 6 indicates TCP, 17 indicates UDP, 1 indicates ICMP, 58 indicates ICMPv6, and -1 indicates any protocol. Regarding the addition type, a null value indicates it is automatically added. Enumeration values: 6 17 1 58
app	No	String	Application protocol
log_id	No	String	Log ID. The value is null for the first page and not null for the rest of the pages.
next_date	No	Long	Next date. The value is null for the first page and not null for the rest of the pages.
offset	No	Integer	Offset, which specifies the start position of the record to be returned. The value must be a number no less than 0. The default value is 0.
limit	Yes	Integer	Number of records displayed on each page
fw_instance_id	Yes	String	Firewall instance ID, which is automatically generated after a CFW instance is created. You can obtain the ID by calling the API used for querying a firewall instance. For details, see the API Explorer and Help Center FAQ.
action	No	String	Action. 0: allow; 1: deny Enumeration values: 0 1
direction	No	String	Direction. 0: inbound; 1: outbound Enumeration values: 0 1
attack_type	No	String	Intrusion event type
attack_rule	No	String	Intrusion event rule
level	No	String	Threat level
source	No	String	Source
enterprise_project_id	No	String	Enterprise project id, the id generated by the enterprise project after the user supports the enterprise project.

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
data	data object	Return value of attack log query

**Table 5** data
Parameter	Type	Description
total	Integer	Returned quantity
limit	Integer	Number of records displayed on each page
records	Array of records objects	Record

**Table 6** records
Parameter	Type	Description
direction	String	Direction, which can be inbound or outbound Enumeration values: out2in in2out
action	String	Action
event_time	String	Event time
attack_type	String	Attack type
attack_rule	String	Attack rule
level	String	Threat level
source	String	Source
packet_length	Long	Packet length
attack_rule_id	Integer	Attack rule ID
hit_time	Integer	Hit time
log_id	String	Log ID
src_ip	String	Source IP address
src_port	Integer	Source port Minimum: 0 Maximum: 65535
dst_ip	String	Destination IP address
dst_port	Integer	Destination port Minimum: 0 Maximum: 65535
protocol	String	Protocol
packet	Packet object	Attack log packet
app	String	Application protocol
packetMessages	Array of PacketMessage objects	packet message

**Table 7** Packet
Parameter	Type	Description
hex_index	String	Hexadecimal code
utf8_string	String	UTF-8 string
hexs	Array of strings	Hexadecimal single bytecode array

**Table 8** PacketMessage
Parameter	Type	Description
hex_index	String	hex index
hexs	Array of strings	hexs
utf8_String	String	utf8 string

Status code: 400

**Table 9** Response body parameters
Parameter	Type	Description
error_code	String	Error code Minimum: 8 Maximum: 36
error_msg	String	Description Minimum: 2 Maximum: 512

Example Requests

Query 10 records on the first page of the firewall with the ID 2af58b7c-893c-4453-a984-bdd9b1bd6318 in the project 9d80d070b6d44942af73c9c3d38e0429. The query time range is 1663567058000 to 1664171765000.

https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/cfw/logs/access-control?fw_instance_id=2af58b7c-893c-4453-a984-bdd9b1bd6318&start_time=1663567058000&end_time=1664171765000&limit=10

Example Responses

Status code: 200

{
  "data" : {
    "limit" : 10,
    "records" : [ {
      "action" : "deny",
      "app" : "HTTP",
      "attack_rule" : "Tool Nmap Web Server Probe Detected",
      "attack_rule_id" : "336154",
      "attack_type" : "Web Attack",
      "direction" : "out2in",
      "dst_ip" : "100.95.148.49",
      "dst_port" : 8080,
      "event_time" : 1664146216000,
      "level" : "MEDIUM",
      "log_id" : "15591",
      "packet" : "+hZUZMhV+hY/AaHMCABFKABpXPNAADAGof1kVe6QZF+UMcTQH5B0wdaz888+uoAYAOVyNQAAAQEICjrmikVb9JLCR0VUIC9uaWNlJTIwcG9ydHMlMkMvVHJpJTZFaXR5LnR4dCUyZWJhayBIVFRQLzEuMA0KDQo=",
      "packetMessages" : [ {
        "hex_index" : "00000000",
        "hexs" : [ "fa", "16", "54", "64", "c8", "55", "fa", "16", "3f", "01", "a1", "cc", "08", "00", "45", "28" ],
        "utf8_String" : ".\u0016Td.U.\u0016?.....E("
      }, {
        "hex_index" : "00000010",
        "hexs" : [ "00", "69", "5c", "f3", "40", "00", "30", "06", "a1", "fd", "64", "55", "ee", "90", "64", "5f" ],
        "utf8_String" : ".i\\.@.0...dU.d_"
      }, {
        "hex_index" : "00000020",
        "hexs" : [ "94", "31", "c4", "d0", "1f", "90", "74", "c1", "d6", "b3", "f3", "cf", "3e", "ba", "80", "18" ],
        "utf8_String" : ".1..\u001F.t.ֳ..>..."
      }, {
        "hex_index" : "00000030",
        "hexs" : [ "00", "e5", "72", "35", "00", "00", "01", "01", "08", "0a", "3a", "e6", "8a", "45", "5b", "f4" ],
        "utf8_String" : "..r5......:.E[."
      }, {
        "hex_index" : "00000040",
        "hexs" : [ "92", "c2", "47", "45", "54", "20", "2f", "6e", "69", "63", "65", "25", "32", "30", "70", "6f" ],
        "utf8_String" : "..GET /nice%20po"
      }, {
        "hex_index" : "00000050",
        "hexs" : [ "72", "74", "73", "25", "32", "43", "2f", "54", "72", "69", "25", "36", "45", "69", "74", "79" ],
        "utf8_String" : "rts%2C/Tri%6Eity"
      }, {
        "hex_index" : "00000060",
        "hexs" : [ "2e", "74", "78", "74", "25", "32", "65", "62", "61", "6b", "20", "48", "54", "54", "50", "2f" ],
        "utf8_String" : ".txt%2ebak HTTP/"
      }, {
        "hex_index" : "00000070",
        "hexs" : [ "31", "2e", "30", "0d", "0a", "0d", "0a" ],
        "utf8_String" : "1.0\r.\r."
      } ],
      "packet_length" : 119,
      "protocol" : "TCP",
      "source" : "0",
      "src_ip" : "100.85.238.144",
      "src_port" : 50384
    } ],
    "total" : 1
  }
}

Status code: 400

Bad Request

{
  "error_code" : "00500002",
  "error_msg" : "time range error"
}

Status Codes

Status Code	Description
200	OK
400	Bad Request
401	Unauthorized
403	Forbidden
404	Not Found
500	Internal Server Error

Error Codes

See Error Codes.

Parent topic: Log Query Management

Previous topic: Querying Access Control Logs

Next topic: Protection Mode Management

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel