Help Center/ Cloud Firewall/ API Reference (Ankara Region)/ API/ Log Management/ Querying Attack Logs

Updated on 2024-12-05 GMT+08:00

Online Debugging

CLI Examples

View PDF

Querying Attack Logs

Function

This API is used to query attack logs.

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/cfw/logs/attack

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
start_time	Yes	Long	Start time, a timestamp in milliseconds, such as 1718936272648
end_time	Yes	Long	End time, a timestamp in milliseconds, such as 1718936272648
src_ip	No	String	Source IP address
src_port	No	Integer	Source port number Minimum: 0 Maximum: 65535
dst_ip	No	String	Destination IP address
dst_port	No	Integer	Destination port number Minimum: 0 Maximum: 65535
protocol	No	String	Protocol types, including TCP, UDP, ICMP, ICMPV6, etc.
app	No	String	Application protocol
log_id	No	String	Document ID, the first page is empty, the other pages are not empty, and the other pages can take the log_id of the last query record.
next_date	No	Long	The next date is empty when it is the first page, not empty when it is not the first page, and the other pages can take the start_time of the last query record.
offset	No	Integer	Offset, which specifies the start position of the record to be returned. The value must be a number no less than 0. The first page is empty, and the non-first page is not empty.
limit	Yes	Integer	Number of records displayed on each page, in the range 1-1024
fw_instance_id	Yes	String	Firewall instance ID, which is automatically generated after a CFW instance is created. You can obtain the ID by calling the API used for querying a firewall instance. For details, see the API Explorer and Help Center FAQ.
action	No	String	Action. including allow and deny
direction	No	String	Direction. including in2out and out2in
attack_type	No	String	Intrusion event type
attack_rule	No	String	Intrusion event rule, Including CRITICAL,HIGH,MEDIUM,LOW.
level	No	String	Threat level
source	No	String	Source
enterprise_project_id	No	String	Enterprise project id, the id generated by the enterprise project after the user supports the enterprise project.
dst_host	No	String	destination host
log_type	No	String	log_type Enumeration values: internet nat vpc
attack_rule_id	No	String	attack rule id
src_region_name	No	String	source region name
dst_region_name	No	String	destination region name
src_province_name	No	String	source province name
dst_province_name	No	String	dst province name
src_city_name	No	String	source city name
dst_city_name	No	String	dst city name

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
data	data object	Return value of attack log query

**Table 5** data
Parameter	Type	Description
total	Integer	Returned quantity
limit	Integer	Number of records displayed on each page, in the range 1-1024
records	Array of records objects	Record

**Table 6** records
Parameter	Type	Description
direction	String	Direction, which can be inbound or outbound Enumeration values: out2in in2out
action	String	Action
event_time	Long	Event time, a timestamp in milliseconds, such as 1718936272648
attack_type	String	Attack type
attack_rule	String	Attack rule
level	String	Threat level
source	String	Source
packet_length	Long	Packet length
attack_rule_id	String	Attack rule ID
hit_time	Integer	Hit time, a timestamp in milliseconds, such as 1718936272648
log_id	String	Log ID
src_ip	String	Source IP address
src_port	Integer	Source port Minimum: 0 Maximum: 65535
dst_ip	String	Destination IP address
dst_port	Integer	Destination port Minimum: 0 Maximum: 65535
protocol	String	Protocol
packet	String	Attack log packet
app	String	Application protocol
packetMessages	Array of PacketMessage objects	packet message
src_region_id	String	source region id
src_region_name	String	source region name
dst_region_id	String	destination region id
dst_region_name	String	destination region name
src_province_id	String	source province id
src_province_name	String	source province name
src_city_id	String	source city id
src_city_name	String	source city name
dst_province_id	String	dst province id
dst_province_name	String	dst province name
dst_city_id	String	dst city id
dst_city_name	String	dst city name

**Table 7** PacketMessage
Parameter	Type	Description
hex_index	String	hex index
hexs	Array of strings	hexs
utf8_String	String	utf8 string

Status code: 400

**Table 8** Response body parameters
Parameter	Type	Description
error_code	String	Error code Minimum: 8 Maximum: 36
error_msg	String	Description Minimum: 2 Maximum: 512

Example Requests

Query 10 records on the first page of the firewall with the ID 2af58b7c-893c-4453-a984-bdd9b1bd6318 in the project 9d80d070b6d44942af73c9c3d38e0429. The query time range is 1663567058000 to 1664171765000.

https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/cfw/logs/attack?fw_instance_id=2af58b7c-893c-4453-a984-bdd9b1bd6318&start_time=1663567058000&end_time=1664171765000&limit=10

Example Responses

Status code: 200

{
  "data" : {
    "limit" : 10,
    "records" : [ {
      "action" : "deny",
      "app" : "HTTP",
      "attack_rule" : "Tool Nmap Web Server Probe Detected",
      "attack_rule_id" : "336154",
      "attack_type" : "Web Attack",
      "direction" : "out2in",
      "dst_ip" : "100.95.148.49",
      "dst_port" : 8080,
      "event_time" : 1664146216000,
      "level" : "MEDIUM",
      "log_id" : "15591",
      "packet" : "+hZUZMhV+hY/AaHMCABFKABpXPNAADAGof1kVe6QZF+UMcTQH5B0wdaz888+uoAYAOVyNQAAAQEICjrmikVb9JLCR0VUIC9uaWNlJTIwcG9ydHMlMkMvVHJpJTZFaXR5LnR4dCUyZWJhayBIVFRQLzEuMA0KDQo=",
      "packetMessages" : [ {
        "hex_index" : "00000000",
        "hexs" : [ "fa", "16", "54", "64", "c8", "55", "fa", "16", "3f", "01", "a1", "cc", "08", "00", "45", "28" ],
        "utf8_String" : ".\u0016Td.U.\u0016?.....E("
      }, {
        "hex_index" : "00000010",
        "hexs" : [ "00", "69", "5c", "f3", "40", "00", "30", "06", "a1", "fd", "64", "55", "ee", "90", "64", "5f" ],
        "utf8_String" : ".i\\.@.0...dU.d_"
      }, {
        "hex_index" : "00000020",
        "hexs" : [ "94", "31", "c4", "d0", "1f", "90", "74", "c1", "d6", "b3", "f3", "cf", "3e", "ba", "80", "18" ],
        "utf8_String" : ".1..\u001F.t.ֳ..>..."
      }, {
        "hex_index" : "00000030",
        "hexs" : [ "00", "e5", "72", "35", "00", "00", "01", "01", "08", "0a", "3a", "e6", "8a", "45", "5b", "f4" ],
        "utf8_String" : "..r5......:.E[."
      }, {
        "hex_index" : "00000040",
        "hexs" : [ "92", "c2", "47", "45", "54", "20", "2f", "6e", "69", "63", "65", "25", "32", "30", "70", "6f" ],
        "utf8_String" : "..GET /nice%20po"
      }, {
        "hex_index" : "00000050",
        "hexs" : [ "72", "74", "73", "25", "32", "43", "2f", "54", "72", "69", "25", "36", "45", "69", "74", "79" ],
        "utf8_String" : "rts%2C/Tri%6Eity"
      }, {
        "hex_index" : "00000060",
        "hexs" : [ "2e", "74", "78", "74", "25", "32", "65", "62", "61", "6b", "20", "48", "54", "54", "50", "2f" ],
        "utf8_String" : ".txt%2ebak HTTP/"
      }, {
        "hex_index" : "00000070",
        "hexs" : [ "31", "2e", "30", "0d", "0a", "0d", "0a" ],
        "utf8_String" : "1.0\r.\r."
      } ],
      "packet_length" : 119,
      "protocol" : "TCP",
      "source" : "0",
      "src_ip" : "100.85.238.144",
      "src_port" : 50384,
      "src_province_id" : "source province id",
      "src_province_name" : "source province name",
      "src_city_id" : "source city id",
      "src_city_name" : "source city name",
      "dst_province_id" : "dst province id",
      "dst_province_name" : "dst province name",
      "dst_city_id" : "dst city id",
      "dst_city_name" : "dst city name"
    } ],
    "total" : 1
  }
}

Status code: 400

Bad Request

{
  "error_code" : "00500002",
  "error_msg" : "time range error"
}

Status Codes

Status Code	Description
200	OK
400	Bad Request
401	Unauthorized
403	Forbidden
404	Not Found
500	Internal Server Error

Error Codes

See Error Codes.

Parent topic: Log Management

Previous topic: Querying Access Control Logs

Next topic: Appendix

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot