Version: v1.5.0

Getting Started

Getting an API Key

Subscribe to the CrowdSec Console, if you haven't already!

Once you are logged in to the console, you can create an API key from the "CTI API" section:

create api key

Accessing the API

You can query the API for information about a given IP address from the command line, passing your key in the `x-api-key` header:

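# Look up one IP on the CTI "smoke" endpoint and pretty-print the JSON reply with jq.
# -sS hides curl's progress meter (otherwise printed on stderr alongside the jq
# output) while still reporting errors.
# YOUR_API_KEY is a placeholder for the key created in the console. A real key
# typed inline is saved in shell history and visible in the process list, so
# load it from a variable or a protected file instead.
curl -sS -H "x-api-key: YOUR_API_KEY" https://cti.api.crowdsec.net/v2/smoke/185.7.214.104 | jq .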

And the default output looks something like this:

{
"ip_range_score": 5,
"ip": "185.7.214.104",
"ip_range": "185.7.214.0/24",
"as_name": "Chang Way Technologies Co. Limited",
"as_num": 57523,
"location": {
"country": "RU",
"city": null,
"latitude": 55.7386,
"longitude": 37.6068
},
"reverse_dns": null,
"behaviors": [
{
"name": "http:exploit",
"label": "HTTP Exploit",
"description": "IP has been reported for attempting to exploit a vulnerability in a web application."
},
{
"name": "http:scan",
"label": "HTTP Scan",
"description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery."
}
],
"history": {
"first_seen": "2022-06-14T21:30:00+00:00",
"last_seen": "2022-07-22T11:45:00+00:00",
"full_age": 39,
"days_age": 38
},
"classifications": {
"false_positives": [],
"classifications": [
{
"name": "community-blocklist",
"label": "CrowdSec Community Blocklist",
"description": "IP belong to the CrowdSec Community Blocklist"
}
]
},
"attack_details": [
{
"name": "crowdsecurity/http-cve-2021-41773",
"label": "Apache CVE-2021-41773",
"description": "Detect Apache CVE-2021-41773 exploitation attemtps",
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-41773"
]
},
{
"name": "crowdsecurity/thinkphp-cve-2018-20062",
"label": "ThinkPHP CVE-2018-20062",
"description": "Detect ThinkPHP CVE-2018-20062 exploitation attemps",
"references": []
},
{
"name": "crowdsecurity/modsecurity",
"label": "ModSecurity CRS",
"description": "Detect web exploitation via modsecurity",
"references": []
},
{
"name": "crowdsecurity/http-probing",
"label": "HTTP Scanner",
"description": "Detect site scanning/probing from a single ip",
"references": []
}
],
"target_countries": {
"FR": 35,
"US": 19,
"DE": 18,
"NL": 6,
"GB": 5,
"CA": 4,
"AU": 2,
"RU": 2,
"SE": 2,
"CH": 1
},
"scores": {
"overall": {
"aggressiveness": 5,
"threat": 5,
"trust": 5,
"anomaly": 1,
"total": 5
},
"last_day": {
"aggressiveness": 5,
"threat": 5,
"trust": 5,
"anomaly": 1,
"total": 5
},
"last_week": {
"aggressiveness": 5,
"threat": 5,
"trust": 5,
"anomaly": 1,
"total": 5
},
"last_month": {
"aggressiveness": 5,
"threat": 5,
"trust": 5,
"anomaly": 1,
"total": 5
}
},
"references": []
}