- Base API URL: https://api.grip.inetintel.cc.gatech.edu/dev/
- Current Prototype Web Interface: https://grip.inetintel.cc.gatech.edu
Query for a list of events by time, type, ASNs, prefixes, tags, suspicion level, or event durations. The query returns a list of JSON objects, each containing a matching detected event.
https://api.grip.inetintel.cc.gatech.edu/dev/json/events
Example:
- Default front-page query:
- example query
- Search for 10 suspicious MOAS events during a one-day period (January 9 to January 10).
| parameter | default | type | range/format/example | definition |
|---|---|---|---|---|
| event_type | "all" | str | "moas", "submoas", "defcon", "edges", "all" | event type |
| ts_start | -inf | str | "YYYY-MM-DDTHH:MM:SS" | UTC timestamp of the start of the event |
| ts_end | +inf | str | "YYYY-MM-DDTHH:MM:SS" | UTC timestamp of the end of the event |
| start | 0 | int | 0 – +inf | starting index (used for pagination) |
| length | 100 | int | 1 – 1000 | the number of events to return |
| asns | "" | str | e.g. 213,456 | list of AS numbers formatted as a comma-separated string |
| tags | "" | str | e.g. tag1,tag2 | list of event tags formatted as a comma-separated string |
| pfxs | "" | str | e.g. 8.8.8.0/24,1.1.1.0/24 | list of event prefixes formatted as a comma-separated string |
| min_susp | 0 | int | 0 – 100 | minimum suspicion level |
| max_susp | 100 | int | 0 – 100 | maximum suspicion level |
| min_duration | 0 | int | 0 – +inf | minimum event duration in seconds |
| max_duration | +inf | int | 0 – +inf | maximum event duration in seconds |
| full | false | bool | true/false | whether to export full events including AS paths |
Retrieve detailed information for a specific event by ID.
https://api.grip.inetintel.cc.gatech.edu/dev/json/event/id/
Example: https://api.grip.inetintel.cc.gatech.edu/dev/json/event/id/moas-1649166000-208485_49392
Retrieve detailed information for a specific prefix event (part of an event) by ID.
Prefixes are encoded by replacing / with -. For example,
185.228.169.0/24 is encoded as 185.228.169.0-24.
https://api.grip.inetintel.cc.gatech.edu/dev/json/pfx_event/id/ where pfxs are the
encoded prefixes in the event, separated with _
Example:
-
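An added example (not the GRIP project's own client) that builds the events search URL from the parameters in the table above and applies the prefix-id encoding just described, rejecting values outside the documented ranges before any request is sent. The pfx_event path layout after /id/ is an assumption, since the page shows it truncated.

```python
from datetime import datetime
from urllib.parse import urlencode

# Added example, not the GRIP project's own client: URL builders for the
# /json/events search and for pfx_event ids, with range checks from the table.
BASE_URL = "https://api.grip.inetintel.cc.gatech.edu/dev/"
EVENT_TYPES = {"moas", "submoas", "defcon", "edges", "all"}
TS_FMT = "%Y-%m-%dT%H:%M:%S"

def events_query_url(event_type="all", ts_start=None, ts_end=None, start=0,
                     length=100, asns=(), tags=(), pfxs=(), min_susp=0,
                     max_susp=100, min_duration=0, max_duration=None,
                     full=False):
    """Return the search URL, raising ValueError on out-of-range input."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event_type {event_type!r}")
    if not 1 <= length <= 1000:
        raise ValueError("length must be in 1..1000")
    if not 0 <= min_susp <= max_susp <= 100:
        raise ValueError("need 0 <= min_susp <= max_susp <= 100")
    if start < 0 or min_duration < 0:
        raise ValueError("start and min_duration must be >= 0")
    for ts in (ts_start, ts_end):
        if ts is not None:
            datetime.strptime(ts, TS_FMT)  # ValueError unless YYYY-MM-DDTHH:MM:SS
    params = {"event_type": event_type, "start": start, "length": length,
              "min_susp": min_susp, "max_susp": max_susp,
              "min_duration": min_duration}
    for key, val in (("ts_start", ts_start), ("ts_end", ts_end),
                     ("max_duration", max_duration)):
        if val is not None:
            params[key] = val
    # list-valued parameters travel as comma-separated strings
    for key, values in (("asns", asns), ("tags", tags), ("pfxs", pfxs)):
        if values:
            params[key] = ",".join(str(v) for v in values)
    if full:
        params["full"] = "true"
    return BASE_URL + "json/events?" + urlencode(params)

def encode_pfx(prefix):
    """Prefix-id encoding from the page: 185.228.169.0/24 -> 185.228.169.0-24."""
    return prefix.replace("/", "-")

def pfx_event_url(event_id, prefixes):
    """Assumption: the page truncates the path after /id/, so 'event id, then
    the '_'-joined encoded prefixes' is a guess at the remaining layout."""
    return f"{BASE_URL}json/pfx_event/id/{event_id}/{'_'.join(map(encode_pfx, prefixes))}"
```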
- data: the data portion includes a list of event objects. Each event object also contains a list of prefix event objects. Details of the prefix events and traceroute results are excluded from search results.
- recordsFiltered, recordsTotal: usually the same, the total number of records from the search. Currently, the system has an upper limit of 10,000 records in searching.

Event object fields:
- id: event ID; this can be used in the event details end-point to retrieve more detailed information
- duration: duration of the event in seconds, null if the event is still ongoing
- event_type: type of the event
- view_ts: event time in unix time format
- finished_ts: event finished time, null if still ongoing
- external: data extracted from external sources (e.g. ASRank and IIJ Hegemony Score)
- summary: information summarized from the prefix events of this event
  - ases: ASes involved in the event
  - prefixes: prefixes involved in the event
  - tr_worthy: whether the event is traceroute-worthy
  - tags: list of tags from all prefix events
  - attackers, victims: inferred potential attackers and victims of the event
  - inference_result: inference result for the event
    - inferences: list of all inferences extracted from the prefix events
      - inference_id: name of the inference
      - suspicion_level: suspicion level of the prefix event from this inference
      - confidence: confidence level
      - explanation: explanation of this inference
      - labels: extra labels of the inference for grouping and searching
    - primary_inference: the main inference from the list of all inferences, with the highest confidence and highest suspicion level
- pfx_events: list of prefix event objects (AS paths excluded if the full parameter is not true)
- tr_metrics: various counting metrics related to traceroute measurements
- event_metrics: various counting metrics for the event itself
  - per_tag_cnt: number of prefixes that have each tag
  - pfx_event_cnt: number of prefix events
  - pfx_event_with_tr_cnt: number of prefix events that have traceroute results
  - proc_time_driver: time spent on the active driver
  - proc_time_inference: time spent on inference
  - proc_time_tagger: time spent on tagging
  - total_tags_cnt: total number of tags generated for all prefix events, including duplicate tags among them

Prefix event object fields:
- prefix, sub_pfx, super_pfx: prefixes involved in the event
- tags: tags for the current prefix event
- tr_worthy: whether the prefix event is traceroute-worthy
- tr_available: whether the prefix event has corresponding traceroute results. Note that not all traceroute-worthy events have corresponding results, due to rate-limiting and various other reasons.
- traceroutes: traceroute measurement results
- details: more details about the prefix event
  - new_origins: the newcomer origin of the prefix
  - old_origins: the previous origin of the prefix
  - origins: all origins in the event
  - as_path: all AS paths related to this event, collected from all collectors
- inferences: list of all inferences extracted from the prefix event
  - inference_id: name of the inference
  - suspicion_level: suspicion level of the prefix event from this inference
  - confidence: confidence level
  - explanation: explanation of this inference
  - labels: extra labels of the inference for grouping and searching
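An added example, not GRIP's own code, that reduces an event object laid out like the response fields above to a triage record: primary suspicion, whether the event is still ongoing, the old-to-new origin change per prefix, and prefixes that are traceroute-worthy but still lack results. The event is constructed sample data (documentation ASNs 64496/64497 and a TEST-NET prefix), and attackers and victims are assumed to be two separate list fields under summary.

```python
import json

# Added example, not GRIP's own code. SAMPLE_EVENT is constructed data shaped
# like the documented event object (documentation ASNs, TEST-NET prefix);
# "attackers"/"victims" as two separate lists under "summary" is an assumption.
SAMPLE_EVENT = json.loads("""{
  "id": "moas-1700000000-64496_64497", "event_type": "moas",
  "view_ts": 1700000000, "finished_ts": null, "duration": null,
  "summary": {
    "ases": [64496, 64497], "prefixes": ["203.0.113.0/24"],
    "tr_worthy": true, "tags": ["tag1"],
    "attackers": [64497], "victims": [64496],
    "inference_result": {
      "inferences": [
        {"inference_id": "inf-a", "suspicion_level": 80, "confidence": 60,
         "explanation": "constructed", "labels": []}],
      "primary_inference": {"inference_id": "inf-a", "suspicion_level": 80,
                            "confidence": 60, "explanation": "constructed",
                            "labels": []}}},
  "pfx_events": [
    {"prefix": "203.0.113.0/24", "tags": ["tag1"], "tr_worthy": true,
     "tr_available": false, "traceroutes": [],
     "details": {"new_origins": [64497], "old_origins": [64496],
                 "origins": [64496, 64497]}}]
}""")

def triage(event, min_susp=50):
    """Flatten one event; return None when its primary inference is below min_susp."""
    summary = event["summary"]
    primary = summary["inference_result"]["primary_inference"]
    if primary["suspicion_level"] < min_susp:
        return None
    pfx_events = event["pfx_events"]
    return {
        "id": event["id"],
        "ongoing": event["finished_ts"] is None,  # finished_ts is null while active
        "suspicion": primary["suspicion_level"],
        "attackers": summary["attackers"],
        "victims": summary["victims"],
        # previous origin -> newcomer origin, taken from each prefix event's details
        "origin_changes": {p["prefix"]: (p["details"]["old_origins"],
                                         p["details"]["new_origins"])
                           for p in pfx_events},
        # traceroute-worthy but no results yet; rate limiting can leave these empty
        "tr_pending": [p["prefix"] for p in pfx_events
                       if p["tr_worthy"] and not p["tr_available"]],
    }
```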
- https://api.grip.inetintel.cc.gatech.edu/dev/json/blocklist
- https://api.grip.inetintel.cc.gatech.edu/dev/json/asndrop
- blocklist: list of AS numbers
- asndrop: list of AS numbers on the Spamhaus ASN-DROP list
https://api.grip.inetintel.cc.gatech.edu/dev/json/tags
- definitions: tag definitions, each with:
  - definition: definition of the tag
  - comments: list of comments for the tag
- tr_worthy: list of tag combinations and whether they are worthy of doing traceroutes
  - apply_to: types of events the code applies to; empty means it applies to all types
  - explain: reason for the worthiness
  - tags: list of tags
  - worthy: traceroute-worthiness of the tag combination
    - yes: the event is worthy of doing a traceroute
    - no: the event is not worthy of doing a traceroute
    - na: unknown nature