Obtaining custom Suricata rule alerts

Kaspersky Research Sandbox provides an API to obtain Suricata alerts triggered by the user's custom rules.

The response structure contains the data received directly from the Suricata scanner (Suricata EVE JSON alert records). For details of the data structure, refer to the Suricata EVE JSON output documentation.

Request

Request method: GET

Endpoint: https://<server name>/api/v1/sandbox/tasks/<task ID>/custom-suricata-alerts

Parameters

Obtaining custom Suricata rule alerts parameters

Parameter | Data type | Occurrence | Description
task_id | string | Required | Object execution task ID (GUID).

cURL command sample:

$ curl --http1.1 --user <user name> --request GET 'https://<server name>/api/v1/sandbox/tasks/<task ID>/custom-suricata-alerts'

You will be asked to enter your password. The password is not displayed while you type it.

Responses

The endpoint returns the alerts triggered by the user's custom Suricata rules.

200 OK

Suricata alerts obtained successfully.

200 OK response parameters

Parameter | Data type | Description
timestamp | string | Date and time when the alert was registered.
event_type | string | Event type, for example "alert".
flow_id | number | Flow ID.
src_ip | string | Source IP address.
src_port | integer | Source port number.
dest_ip | string | Destination IP address (field name as emitted by Suricata; see the example below).
dest_port | integer | Destination port number (field name as emitted by Suricata; see the example below).
proto | string | Transport protocol, for example "UDP".
app_proto | string | Application-layer protocol, for example "TLS"; "failed" when Suricata could not identify it.
packet_info | object | Information about the packet: linktype (link-layer type, for example 1, which is Ethernet).
alert | object | Alert description, with the following fields:
 | | action: performed action.
 | | gid: group ID.
 | | signature_id: user-specified numeric rule ID. Each rule in a set has a unique ID.
 | | rev: user-specified rule revision. Revisions let you vary the version number of the same rule while retaining the same signature_id.
 | | signature: detected object name (the rule's msg text).
 | | category: alert category.
 | | severity: alert danger level.
packet | string | Base64-encoded raw packet that triggered the alert (present in the example below).

200 OK response example:

    {
      "timestamp": "2022-09-01T12:01:36.936848+0300",
      "event_type": "alert",
      "flow_id": 1202053786389392,
      "src_ip": "10.109.221.118",
      "src_port": 56001,
      "dest_ip": "224.0.0.252",
      "dest_port": 5355,
      "proto": "UDP",
      "app_proto": "failed",
      "packet_info": {
        "linktype": 1
      },
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 1,
        "rev": 1,
        "signature": "Trojan-Spy.Win32.Solmyr.a",
        "category": "",
        "severity": 3
      },
      "packet": "AQBeAAD8AOBM8826CABFAAAyAHMAAAER8GgKbd124AAA/NrBFOsAHtILnD0AAAABAAAAAAAABHdwYWQAAAEAAQ=="
    }
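The following Python client is an added example and is not part of the Kaspersky Research Sandbox documentation or API. It requests this endpoint with HTTP Basic authentication (the mechanism the cURL sample above relies on), maps the documented error statuses to messages, and parses each returned EVE alert record: it flattens the rule identity (gid:signature_id:rev) and 5-tuple, decodes the base64 packet field into Ethernet, IPv4 and UDP headers, and cross-checks the decoded addresses against the record's own src/dest fields. The embedded record is the page's 200 OK example; the server name, credentials and task ID are placeholders, and treating a single-object response as a one-element list is an assumption, since the page shows one record only.

```python
# Added example; not part of the Kaspersky Research Sandbox documentation or API.
# Server name, user, password and task ID are placeholders; the sample record is
# the page's own 200 OK example, embedded so the parsing code runs offline.
import base64
import json
import struct
import urllib.error
import urllib.request
from typing import Any

SAMPLE_RESPONSE = """{
  "timestamp": "2022-09-01T12:01:36.936848+0300",
  "event_type": "alert",
  "flow_id": 1202053786389392,
  "src_ip": "10.109.221.118",
  "src_port": 56001,
  "dest_ip": "224.0.0.252",
  "dest_port": 5355,
  "proto": "UDP",
  "app_proto": "failed",
  "packet_info": {"linktype": 1},
  "alert": {"action": "allowed", "gid": 1, "signature_id": 1, "rev": 1,
            "signature": "Trojan-Spy.Win32.Solmyr.a", "category": "", "severity": 3},
  "packet": "AQBeAAD8AOBM8826CABFAAAyAHMAAAER8GgKbd124AAA/NrBFOsAHtILnD0AAAABAAAAAAAABHdwYWQAAAEAAQ=="
}"""

# Statuses documented for this endpoint, with the page's descriptions.
STATUS_TEXT = {400: "failed to obtain Suricata alerts (check task_id)",
               401: "incorrect user credentials", 404: "incorrect task ID",
               500: "internal server error"}


def alerts_url(server: str, task_id: str) -> str:
    """Build the endpoint URL documented on the page."""
    return f"https://{server}/api/v1/sandbox/tasks/{task_id}/custom-suricata-alerts"


def fetch_alerts(server: str, task_id: str, user: str, password: str,
                 timeout: float = 30.0) -> list[dict[str, Any]]:
    """GET the alerts of one task with HTTP Basic auth. A single object (as in
    the page's example) is wrapped in a list; a list is returned as-is (assumption)."""
    req = urllib.request.Request(alerts_url(server, task_id), method="GET")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", errors="replace")  # e.g. {"code":29,"message":"bad task id"}
        raise RuntimeError(f"HTTP {exc.code}: {STATUS_TEXT.get(exc.code, 'unexpected status')}: {body}") from exc
    return data if isinstance(data, list) else [data]


def parse_packet(packet_b64: str) -> dict[str, Any]:
    """Decode the base64 packet (linktype 1 = Ethernet) down to the UDP payload."""
    raw = base64.b64decode(packet_b64)
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    info: dict[str, Any] = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
                            "ethertype": ethertype}
    if ethertype != 0x0800:  # only IPv4 is decoded here
        return info
    ihl = (raw[14] & 0x0F) * 4
    total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!HHHBBH4s4s", raw[16:34])
    info.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)),
                ttl=ttl, ip_proto=proto)
    l4 = 14 + ihl
    if proto == 17:  # UDP header: sport, dport, length, checksum
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", raw[l4:l4 + 8])
        info.update(src_port=sport, dst_port=dport, payload=raw[l4 + 8:14 + total_len])
    return info


def dns_qname(payload: bytes, offset: int = 12) -> str:
    """Read the first question name of a DNS-format message (LLMNR on UDP/5355
    uses the DNS wire format). Compression pointers are not expected in a query."""
    labels = []
    while payload[offset] != 0:
        length = payload[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def summarize_alert(record: dict[str, Any]) -> dict[str, Any]:
    """Flatten one EVE alert record and cross-check the decoded packet headers
    against the 5-tuple Suricata reports in the record itself."""
    alert = record["alert"]
    summary: dict[str, Any] = {
        "timestamp": record["timestamp"],
        "rule": f"{alert['gid']}:{alert['signature_id']}:{alert['rev']}",
        "signature": alert["signature"],
        "severity": alert["severity"],
        "flow": f"{record['src_ip']}:{record['src_port']} -> "
                f"{record['dest_ip']}:{record['dest_port']}/{record['proto']}",
        "app_proto": record.get("app_proto"),
    }
    pkt = parse_packet(record["packet"]) if record.get("packet") else {}
    summary["packet_matches_tuple"] = (
        pkt.get("src_ip") == record["src_ip"] and pkt.get("dst_ip") == record["dest_ip"]
        and pkt.get("src_port") == record["src_port"] and pkt.get("dst_port") == record["dest_port"])
    if record["proto"] == "UDP" and record["dest_port"] == 5355 and pkt.get("payload"):
        summary["llmnr_qname"] = dns_qname(pkt["payload"])
    return summary


def load_sample() -> dict[str, Any]:
    """The page's example record, parsed."""
    return json.loads(SAMPLE_RESPONSE)
```

Run `summarize_alert(load_sample())` to see the flattened record; for a live task, `fetch_alerts("<server name>", "<task ID>", "<user name>", "<password>")` returns the records to pass through the same function. The tuple cross-check is the useful part when triaging: the address fields and the decoded packet come from the same capture, so a mismatch points at a parsing problem (for example a non-Ethernet linktype) rather than at the traffic.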

400 Bad Request

Failed to obtain Suricata alerts.

400 Bad Request response parameters

Parameter | Data type | Description
code | string | Error ID.
message | string | Description of the error.
meta | string | Additional information, if available.

Error examples:

Incorrect task_id parameter:

{"code":6,"message":"task not found"}

Incorrect task_id parameter format:

{"code":29,"message":"bad task id"}

401 Unauthorized

Failed to obtain Suricata alerts due to incorrect user credentials.

404 Not Found

Failed to obtain Suricata alerts due to incorrect task ID.

500 Internal Server Error

Failed to obtain Suricata alerts due to an internal server error.
