How To Use API:: Sensor With L7 Sensor Without L7

The document provides instructions for using an API to manage protection status and view attack information for IPs protected by Voxility. It explains how to put IPs in sensor or always on mode, with or without layer 7 protection, and view lists of attacks, traffic data, and packet samples for troubleshooting. Steps are also included to install an SSL certificate on a Linux server by uploading the certificate and private key files via a curl command to the API URL after whitelisting the server's IP.

API ips.voxility.com

Voxility can provide customers with an API to change the protection status.

The customer should provide one or more IPs from which they will access the API.

These IPs must be whitelisted in Provisioning.

How to use API:

IPs list:
https://ips.voxility.com/list_json.php?ip_src=x.x.x.x/24
If "ip_src" is missing, all the IPs are listed.

IPs change (mode sensor, no layer 7); only a single IP (/32) is allowed:
https://ips.voxility.com/ips.php?ip=x.x.x.x&mode=2&no_l7=0
mode: 1 - always on, 2 - sensor
no_l7: 0/1

Layer 7 can be changed in both sensor mode and always-on mode.

Steps to put the IP in Sensor mode with/without L7:

set it to Sensor with L7: https://ips.voxility.com/ips.php?ip=x.x.x.x&mode=2&no_l7=0
set it to Sensor without L7: https://ips.voxility.com/ips.php?ip=x.x.x.x&mode=2&no_l7=1

The protection is designed to work in "sensor" mode; however, the customer can change the status if they think it is necessary.

If the status is changed to "Always on", the traffic is always filtered. This is good for servers that are very sensitive to an abrupt load of traffic, but we do not recommend this status unless it is necessary.

Steps to put the IP in Always-on mode with/without L7 (not recommended unless it is needed):
set it to Always on mode with L7: https://ips.voxility.com/ips.php?ip=x.x.x.x&mode=1&no_l7=0
set it to Always on without L7: https://ips.voxility.com/ips.php?ip=x.x.x.x&mode=1&no_l7=1

Steps to disable layer 7 services ONLY for SSL:

set it to Sensor mode without SSL L7: https://ips.voxility.com/ips.php?ip=x.x.x.x&mode=2&no_l7=0&no_ssl_l7=1
set it to Always on without SSL L7 (not recommended unless it is needed): https://ips.voxility.com/ips.php?ip=x.x.x.x&mode=1&no_l7=0&no_ssl_l7=1
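
When these mode changes are scripted, the /32-only rule and the allowed parameter values are worth enforcing before any request is sent. The following is an added example, not part of the original document or Voxility's own code; the function names and the IPv4-only restriction are assumptions, while the endpoint and parameters are the ones listed above.

```python
import ipaddress
from urllib.parse import urlencode

BASE = "https://ips.voxility.com/ips.php"   # endpoint named on this page
MODES = {"always_on": 1, "sensor": 2}        # mode values from this page

def build_change_url(ip, mode, l7=True, ssl_l7=True):
    """Return the ips.php URL for one host, or raise ValueError."""
    # ip_network() accepts "a.b.c.d" and "a.b.c.d/32"; it raises ValueError on
    # malformed input such as "1.2.3.4.5" or a prefix with host bits set.
    net = ipaddress.ip_network(ip, strict=True)
    if net.version != 4 or net.prefixlen != 32:   # IPv4-only is an assumption
        raise ValueError(f"{ip!r}: only a single IPv4 address (/32) is allowed")
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}")
    params = {"ip": str(net.network_address), "mode": MODES[mode],
              "no_l7": 0 if l7 else 1}
    if l7 and not ssl_l7:          # the page pairs no_ssl_l7=1 with no_l7=0
        params["no_ssl_l7"] = 1
    return f"{BASE}?{urlencode(params)}"

def plan_changes(ips, mode, **flags):
    """Split a batch into URLs to request and inputs that were refused."""
    urls, refused = [], []
    for ip in ips:
        try:
            urls.append(build_change_url(ip, mode, **flags))
        except ValueError as exc:
            refused.append((ip, str(exc)))
    return urls, refused
```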

The traffic received from the internet by the Voxility network:

https://ips.voxility.com/get_traffic.php

The output displays:

- bandwidth
- packets per second
- attacks - number of attacks, can be several per IP
- unique - unique attacked IPs
- ips - list of unique attacked IPs

A full list of all ongoing attacks with destination IPs, duration, action and attack type:
https://ips.voxility.com/get_attacks.php

At first glance the output will look scrambled; you can use the View Page Source option in Firefox to see it laid out cleanly.

A full list with the history of attacks and destination IPs, duration and attack type can be accessed using the following parameters:
- period_days (maximum number is 30)
- period_mins
- limit

The example below lists attacks within the past 2 days, with a limit of 1000 results.

https://ips.voxility.com/get_attacks.php?period_days=2&limit=1000

The example below lists attacks within the past 120 minutes, with a limit of 100 results.

https://ips.voxility.com/get_attacks.php?period_mins=120&limit=100

History of attacks on a destination IP:

https://ips.voxility.com/get_attacks.php?ip_dst=x.x.x.x&period_days=2&limit=1000

The above example lists attacks on destination IP x.x.x.x in the past 2 days, with a limit of 1000 results.

A new feature has been added that allows us to filter the search further: "att_id" (each att_id is unique, and att_ids do not change as long as the attacks are ongoing).

e.g.:
"account" : "VVVV, Customer Name",
"atacks" : [
{ "ip" : "y.y.y.y", "start" : "2016-06-14 06:47:22", "duration" : "00:07:10", "action" : "Filter always ON", "type" : "Abnormally high rate of UDP incoming packets", "att_id" : "xxxxx"},
{ "ip" : "y.y.y.y", "start" : "2016-06-14 06:47:22", "duration" : "00:07:10", "action" : "Filter always ON", "type" : "Number of source ip is abnormally high", "att_id" : "xxxxx"},
{ "ip" : "y.y.y.y", "start" : "2016-06-14 06:47:22", "duration" : "00:07:10", "action" : "Filter always ON", "type" : "Number of unique connections abnormally high", "att_id" : "xxxxx"},
{ "ip" : "y.y.y.y", "start" : "2016-06-14 06:47:06", "duration" : "00:06:17", "action" : "Filter always ON", "type" : "Abnormally high rate of UDP incoming packets", "att_id" : "xxxxx"},
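
Several entries can describe the same destination IP, so the list is easier to triage once it is grouped per IP. The following is an added example, not part of the original document; it assumes the response is a JSON object wrapping the fields shown in the excerpt (key spelled "atacks" as printed there), and the IPs and att_id values in the sample are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import quote

# Constructed sample in the shape of the excerpt above. The enclosing braces,
# the documentation-range IPs and the att_id values are assumptions.
SAMPLE = """{"account": "VVVV, Customer Name", "atacks": [
 {"ip": "192.0.2.10", "start": "2016-06-14 06:47:22", "duration": "00:07:10",
  "action": "Filter always ON", "att_id": "10001",
  "type": "Abnormally high rate of UDP incoming packets"},
 {"ip": "192.0.2.10", "start": "2016-06-14 06:47:22", "duration": "00:07:10",
  "action": "Filter always ON", "att_id": "10002",
  "type": "Number of source ip is abnormally high"},
 {"ip": "192.0.2.10", "start": "2016-06-14 06:47:22", "duration": "00:07:10",
  "action": "Filter always ON", "att_id": "10003",
  "type": "Number of unique connections abnormally high"},
 {"ip": "192.0.2.77", "start": "2016-06-14 06:47:06", "duration": "00:06:17",
  "action": "Filter always ON", "att_id": "10004",
  "type": "Abnormally high rate of UDP incoming packets"}
]}"""

def to_seconds(hms):
    """Convert an HH:MM:SS duration string to seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s

def summarize_attacks(raw):
    """Group attack entries per destination IP, longest-running first."""
    per_ip = defaultdict(lambda: {"types": set(), "att_ids": [], "longest_s": 0})
    for entry in json.loads(raw).get("atacks", []):
        row = per_ip[entry["ip"]]
        row["types"].add(entry["type"])
        row["att_ids"].append(entry["att_id"])
        row["longest_s"] = max(row["longest_s"], to_seconds(entry["duration"]))
    return sorted(per_ip.items(), key=lambda kv: kv[1]["longest_s"], reverse=True)

def sample_urls(summary):
    """Packet-sample URL for every att_id in the summary."""
    base = "https://ips.voxility.com/get_packet_samples.php?att_id="
    return [base + quote(a, safe="") for _, row in summary for a in row["att_ids"]]
```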

In addition to the link above, a new feature has been developed that allows customers to filter based on the att_id:
https://ips.voxility.com/get_packet_samples.php?att_id=xxxxx

You need to replace xxxxx with the att_id, as in the example below:

https://ips.voxility.com/get_packet_samples.php?att_id=xxxxx
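
The samples returned for an att_id can be condensed into a short traffic profile for troubleshooting. The following is an added example, not part of the original document; it assumes the response is a JSON object with the "samples" fields shown in the excerpt on this page and that len_ip is the total IP packet length, and the IP addresses in the sample are constructed.

```python
import json
from collections import Counter

PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}   # IANA protocol numbers

# Constructed sample: field names and values follow the page's excerpt, the
# enclosing braces and the documentation-range IPs are assumptions.
SAMPLE = """{"account": "VVVV, Customer Name", "samples": [
 {"epoch": "1465886964", "microsecond": "665680", "proto": "17", "src_ip": "198.51.100.7",
  "src_port": "62876", "dst_ip": "192.0.2.10", "dst_port": "27015", "len_ip": "39",
  "len_payload": "11", "tcp_flags": "0"},
 {"epoch": "1465886964", "microsecond": "665666", "proto": "17", "src_ip": "198.51.100.8",
  "src_port": "43105", "dst_ip": "192.0.2.10", "dst_port": "27015", "len_ip": "39",
  "len_payload": "11", "tcp_flags": "0"},
 {"epoch": "1465886964", "microsecond": "665662", "proto": "17", "src_ip": "203.0.113.5",
  "src_port": "31164", "dst_ip": "192.0.2.10", "dst_port": "27015", "len_ip": "39",
  "len_payload": "11", "tcp_flags": "0"},
 {"epoch": "1465886964", "microsecond": "665624", "proto": "17", "src_ip": "203.0.113.9",
  "src_port": "29849", "dst_ip": "192.0.2.10", "dst_port": "27015", "len_ip": "39",
  "len_payload": "11", "tcp_flags": "0"}
]}"""

def summarize_samples(raw):
    """Profile a get_packet_samples.php response: target, sources, sizes, timing."""
    samples = json.loads(raw).get("samples", [])
    if not samples:
        return {"packets": 0}
    # All values arrive as strings, so convert before doing arithmetic.
    stamps = [int(s["epoch"]) * 1_000_000 + int(s["microsecond"]) for s in samples]
    targets = Counter((PROTO.get(s["proto"], s["proto"]), s["dst_ip"],
                       int(s["dst_port"])) for s in samples)
    return {
        "packets": len(samples),
        "span_us": max(stamps) - min(stamps),        # time covered by the samples
        "top_target": targets.most_common(1)[0],     # ((proto, ip, port), hits)
        "distinct_sources": len({s["src_ip"] for s in samples}),
        "payload_sizes": dict(Counter(int(s["len_payload"]) for s in samples)),
        # len_ip - len_payload = header bytes; 28 is IPv4 (20) + UDP (8), no options
        "header_bytes": dict(Counter(int(s["len_ip"]) - int(s["len_payload"])
                                     for s in samples)),
    }
```

In the sample, four different sources send identical 11-byte UDP payloads to one port within 56 microseconds, which is the kind of uniformity that separates flood traffic from normal clients.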

e.g.:
"account" : "VVVV, Customer Name",
"samples" : [
{ "epoch" : "1465886964", "microsecond" : "665680", "proto" : "17", "src_ip" : "y.y.y.y", "src_port" : "62876", "dst_ip" : "y.y.y.y", "dst_port" : "27015", "len_ip" : "39", "len_payload" : "11", "tcp_flags" : "0"},
{ "epoch" : "1465886964", "microsecond" : "665666", "proto" : "17", "src_ip" : "y.y.y.y", "src_port" : "43105", "dst_ip" : "y.y.y.y", "dst_port" : "27015", "len_ip" : "39", "len_payload" : "11", "tcp_flags" : "0"},
{ "epoch" : "1465886964", "microsecond" : "665662", "proto" : "17", "src_ip" : "y.y.y.y", "src_port" : "31164", "dst_ip" : "y.y.y.y", "dst_port" : "27015", "len_ip" : "39", "len_payload" : "11", "tcp_flags" : "0"},
{ "epoch" : "1465886964", "microsecond" : "665624", "proto" : "17", "src_ip" : "y.y.y.y", "src_port" : "29849", "dst_ip" : "y.y.y.y", "dst_port" : "27015", "len_ip" : "39", "len_payload" : "11", "tcp_flags" : "0"},

Install an SSL certificate from a Linux box:

Create the file domain.crt and add the domain public certificate:

If you have an intermediate Certificate Authority bundle (CABUNDLE), add it below the public certificate. Please note that "intermediate" certificates may also be needed for some browsers.

Open your certificate file with any text editor and copy its contents. Please make sure you include the tags 'BEGIN CERTIFICATE' and 'END CERTIFICATE'.

If you have an intermediate certificate or CABUNDLE, add it in the following order:

> domain certificate

> root certificate

> intermediate certificate

Example:

# nano domain.crt

-----BEGIN CERTIFICATE-----
Cryptographic Data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Cryptographic Data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Cryptographic Data
-----END CERTIFICATE-----

Create the file domain.key and add the domain key used to generate this certificate:

Open your private key file with any text editor and copy its contents. Please make sure you include the tags 'BEGIN RSA PRIVATE KEY' and 'END RSA PRIVATE KEY'.

Example:

# nano domain.key

-----BEGIN RSA PRIVATE KEY-----
Cryptographic Data
-----END RSA PRIVATE KEY-----

Load domain.crt and domain.key into shell variables:

# crt=$(cat domain.crt)
# key=$(cat domain.key)

Authorize your IP (ask the NOC to whitelist it) to send POST requests to ips.voxility.com, then run the command to import the certificate:

# curl --data-urlencode "ip=xxx.xxx.xxx.xxx" \
    --data-urlencode "private_key=$key" \
    --data-urlencode "public_certificate=$crt" \
    https://ips.voxility.com/tls.php
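
Missing BEGIN/END tags or a private key pasted into domain.crt are easy to catch before the upload. The following is an added example, not part of the original document; it is a structural check only (it does not verify that the key matches the certificate), its function names are assumptions, and the sample PEM blocks it can build contain placeholder bytes rather than real key material.

```python
import base64
import re

PEM_RE = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.M | re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] per complete PEM block; ValueError on bad base64."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_RE.findall(text)]

def check_upload(crt_text, key_text):
    """Return a list of problems in domain.crt / domain.key (empty list = OK)."""
    try:
        crt, key = pem_blocks(crt_text), pem_blocks(key_text)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        return [f"PEM body is not valid base64: {exc}"]
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in crt):
        problems.append("domain.crt: no complete BEGIN/END CERTIFICATE block")
    if any(label != "CERTIFICATE" for label, _ in crt):
        problems.append("domain.crt: contains a block that is not a certificate")
    for name, text, blocks in (("domain.crt", crt_text, crt),
                               ("domain.key", key_text, key)):
        if len(re.findall(r"^-----BEGIN ", text, re.M)) != len(blocks):
            problems.append(f"{name}: a BEGIN line has no matching END line")
    if len(key) != 1 or not key[0][0].endswith("PRIVATE KEY"):
        problems.append("domain.key: expected exactly one PRIVATE KEY block")
    if any(not der for _, der in crt + key):
        problems.append("a PEM block has an empty body")
    return problems

def fake_pem(label, payload=b"constructed placeholder, not real key material"):
    """Build a syntactically valid PEM block around placeholder bytes (sample input)."""
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Whether the key actually belongs to the certificate still has to be confirmed with a cryptographic tool such as openssl. curl's `--data-urlencode name@file` form reads the value from a file, which keeps the private key out of the process argument list.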
