Skip to main content
Version: v1.4.0

Getting Started

Getting an API Key

When logged on the console, you can create an API Key from the "CTI API" section :

create api key

Accessing the API

You can query the API about a given IP from the command line:

curl -H "x-api-key: YOUR_API_KEY" https://cti.api.crowdsec.net/v2/smoke/185.7.214.104 | jq .

And the default output looks something like this:

{
  "ip_range_score": 5,
  "ip": "185.7.214.104",
  "ip_range": "185.7.214.0/24",
  "as_name": "Chang Way Technologies Co. Limited",
  "as_num": 57523,
  "location": {
    "country": "RU",
    "city": null,
    "latitude": 55.7386,
    "longitude": 37.6068
  },
  "reverse_dns": null,
  "behaviors": [
    {
      "name": "http:exploit",
      "label": "HTTP Exploit",
      "description": "IP has been reported for attempting to exploit a vulnerability in a web application."
    },
    {
      "name": "http:scan",
      "label": "HTTP Scan",
      "description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery."
    }
  ],
  "history": {
    "first_seen": "2022-06-14T21:30:00+00:00",
    "last_seen": "2022-07-22T11:45:00+00:00",
    "full_age": 39,
    "days_age": 38
  },
  "classifications": {
    "false_positives": [],
    "classifications": [
      {
        "name": "community-blocklist",
        "label": "CrowdSec Community Blocklist",
        "description": "IP belong to the CrowdSec Community Blocklist"
      }
    ]
  },
  "attack_details": [
    {
      "name": "crowdsecurity/http-cve-2021-41773",
      "label": "Apache CVE-2021-41773",
      "description": "Detect Apache CVE-2021-41773 exploitation attemtps",
      "references": [
        "https://nvd.nist.gov/vuln/detail/CVE-2021-41773"
      ]
    },
    {
      "name": "crowdsecurity/thinkphp-cve-2018-20062",
      "label": "ThinkPHP CVE-2018-20062",
      "description": "Detect ThinkPHP CVE-2018-20062 exploitation attemps",
      "references": []
    },
    {
      "name": "crowdsecurity/modsecurity",
      "label": "ModSecurity CRS",
      "description": "Detect web exploitation via modsecurity",
      "references": []
    },
    {
      "name": "crowdsecurity/http-probing",
      "label": "HTTP Scanner",
      "description": "Detect site scanning/probing from a single ip",
      "references": []
    }
  ],
  "target_countries": {
    "FR": 35,
    "US": 19,
    "DE": 18,
    "NL": 6,
    "GB": 5,
    "CA": 4,
    "AU": 2,
    "RU": 2,
    "SE": 2,
    "CH": 1
  },
  "scores": {
    "overall": {
      "aggressiveness": 5,
      "threat": 5,
      "trust": 5,
      "anomaly": 1,
      "total": 5
    },
    "last_day": {
      "aggressiveness": 5,
      "threat": 5,
      "trust": 5,
      "anomaly": 1,
      "total": 5
    },
    "last_week": {
      "aggressiveness": 5,
      "threat": 5,
      "trust": 5,
      "anomaly": 1,
      "total": 5
    },
    "last_month": {
      "aggressiveness": 5,
      "threat": 5,
      "trust": 5,
      "anomaly": 1,
      "total": 5
    }
  },
  "references": []
}