forensics.yaml
355 lines (344 loc) · 12.2 KB
# For this updated focus on scanning and analysis, I’ll set up an OpenAPI schema for an API that helps with:
#   - IP address and port scanning to identify active services.
#   - Protocol detection for identifying the types of communication on open ports.
#   - Best practices in log analysis to help identify malicious patterns and log aggregation parameters.
#   - forensics -- for Scan for IP addresses, ports, protocols and
#   - Base conversion and encryption key support to assist in interpreting log data or other encoded information.
# The API will offer endpoints that align with best practices for cybersecurity, such as handling data securely,
# adhering to privacy standards, and focusing on anomaly detection rather than automated attack replication.
openapi: 3.1.0
info:
  title: Network and Log Analysis API
  version: 1.2.0
servers:
  - url: https://api.cyberlogtools.com
paths:
  /parseSSHLog:
    post:
      operationId: parseSSHLog
      summary: Parses SSH logs to identify connection attempts, failures, and suspicious activity.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                logData:
                  type: string
                  description: Raw SSH log data.
      responses:
        '200':
          description: Parsed SSH log with insights.
          content:
            application/json:
              schema:
                type: object
                properties:
                  parsedEvents:
                    type: array
                    items:
                      type: object
                      properties:
                        timestamp:
                          type: string
                          format: date-time
                          description: Event timestamp.
                        event:
                          type: string
                          description: Type of SSH event (e.g., login attempt, failure).
                        sourceIP:
                          type: string
                          description: Source IP address if available.
                        status:
                          type: string
                          description: Event status (e.g., success, failure).
        '400':
          description: Invalid SSH log format
  /parseNGINXLog:
    post:
      operationId: parseNGINXLog
      summary: Parses NGINX access logs to analyze HTTP requests, status codes, and potential issues.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                logData:
                  type: string
                  description: Raw NGINX access log data.
      responses:
        '200':
          description: Parsed NGINX log data with request insights.
          content:
            application/json:
              schema:
                type: object
                properties:
                  requests:
                    type: array
                    items:
                      type: object
                      properties:
                        ip:
                          type: string
                          description: Requesting IP address.
                        timestamp:
                          type: string
                          format: date-time
                          description: Request timestamp.
                        method:
                          type: string
                          description: HTTP method (e.g., GET, POST).
                        endpoint:
                          type: string
                          description: Accessed endpoint.
                        statusCode:
                          type: integer
                          description: HTTP status code.
        '400':
          description: Invalid NGINX log format
  /parseHistoryLog:
    post:
      operationId: parseHistoryLog
      summary: Parses command history logs (e.g., bash history) for command usage analysis.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                logData:
                  type: string
                  description: Raw history log data (e.g., bash history).
      responses:
        '200':
          description: Parsed command history with usage insights.
          content:
            application/json:
              schema:
                type: object
                properties:
                  commands:
                    type: array
                    items:
                      type: object
                      properties:
                        timestamp:
                          type: string
                          format: date-time
                          description: Command execution timestamp.
                        command:
                          type: string
                          description: Command executed.
        '400':
          description: Invalid history log format
  /parseSquidLog:
    post:
      operationId: parseSquidLog
      summary: Parses Squid proxy logs to analyze requests, access control, and usage patterns.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                logData:
                  type: string
                  description: Raw Squid proxy log data.
      responses:
        '200':
          description: Parsed Squid log with request insights.
          content:
            application/json:
              schema:
                type: object
                properties:
                  requests:
                    type: array
                    items:
                      type: object
                      properties:
                        timestamp:
                          type: string
                          format: date-time
                          description: Request timestamp.
                        sourceIP:
                          type: string
                          description: IP address of the requestor.
                        destinationURL:
                          type: string
                          description: URL accessed.
                        status:
                          type: string
                          description: Status code (e.g., TCP_HIT, TCP_MISS).
        '400':
          description: Invalid Squid log format
  /parsePaymentLog:
    post:
      operationId: parsePaymentLog
      summary: Parses payment processing logs to identify transactions, errors, and status updates.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                logData:
                  type: string
                  description: Raw payment log data.
      responses:
        '200':
          description: Parsed payment log with transaction details.
          content:
            application/json:
              schema:
                type: object
                properties:
                  transactions:
                    type: array
                    items:
                      type: object
                      properties:
                        transactionID:
                          type: string
                          description: Unique transaction identifier.
                        timestamp:
                          type: string
                          format: date-time
                          description: Transaction timestamp.
                        amount:
                          type: number
                          format: float
                          description: Transaction amount.
                        status:
                          type: string
                          description: Transaction status (e.g., completed, failed).
        '400':
          description: Invalid payment log format
  /parseVSFTPDLog:
    post:
      operationId: parseVSFTPDLog
      summary: Parses VSFTPD logs to track file transfers, connections, and authentication events.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                logData:
                  type: string
                  description: Raw VSFTPD log data.
      responses:
        '200':
          description: Parsed VSFTPD log with file transfer insights.
          content:
            application/json:
              schema:
                type: object
                properties:
                  transfers:
                    type: array
                    items:
                      type: object
                      properties:
                        timestamp:
                          type: string
                          format: date-time
                          description: Transfer timestamp.
                        filePath:
                          type: string
                          description: Path of the file transferred.
                        transferType:
                          type: string
                          description: Transfer type (e.g., upload, download).
                        status:
                          type: string
                          description: Status of the transfer.
        '400':
          description: Invalid VSFTPD log format
  /parseLoginLog:
    post:
      operationId: parseLoginLog
      summary: Parses login logs to identify login attempts, successes, and failures.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                logData:
                  type: string
                  description: Raw login log data.
      responses:
        '200':
          description: Parsed login log with login attempt insights.
          content:
            application/json:
              schema:
                type: object
                properties:
                  loginAttempts:
                    type: array
                    items:
                      type: object
                      properties:
                        timestamp:
                          type: string
                          format: date-time
                          description: Login attempt timestamp.
                        username:
                          type: string
                          description: Username used in the attempt.
                        status:
                          type: string
                          description: Result of the login attempt (e.g., success, failure).
        '400':
          description: Invalid login log format
  /parseCustomLog:
    post:
      operationId: parseCustomLog
      summary: Parses custom log file formats by matching configurable patterns.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                logData:
                  type: string
                  description: Raw custom log data.
                pattern:
                  type: string
                  description: Custom pattern (e.g., regex) to match log events.
      responses:
        '200':
          description: Parsed custom log with matching patterns.
          content:
            application/json:
              schema:
                type: object
                properties:
                  parsedEntries:
                    type: array
                    items:
                      type: object
                      properties:
                        timestamp:
                          type: string
                          format: date-time
                          description: Event timestamp.
                        event:
                          type: string
                          description: Parsed event description.
        '400':
          description: Invalid custom log format or pattern
# This update sets the new base URL to https://api.cyberlogtools.com, allowing you to avoid the duplicate domain conflict. Let me know if there’s anything else you need!
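The schema above only declares the shape of the /parseSSHLog response; it does not show how raw sshd lines become `parsedEvents` items. The following is an added example, not code from the project, of a parser that produces exactly that shape (`timestamp`, `event`, `sourceIP`, `status`) from syslog-style OpenSSH lines, plus the failed-login count per source that such output is usually scanned for. The sample log lines are constructed, the event patterns and the `year`/UTC assumptions are mine (syslog timestamps carry no year or zone), and unparseable lines are skipped rather than guessed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of OpenSSH auth-log lines (not taken from a real host).
SAMPLE_LOG = """\
Mar 12 10:15:01 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:15:03 bastion sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 12 10:16:10 bastion sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:abc
Mar 12 10:17:00 bastion sshd[1301]: Connection closed by 203.0.113.5 port 51240 [preauth]
garbage line that is not sshd
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG_PREFIX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
IP = r"(?P<ip>[\da-fA-F.:]+)"  # IPv4 or IPv6 literal as sshd prints it
# (event, status, pattern) triples; assumed classification, checked in order.
EVENT_PATTERNS = [
    ("login attempt", "failure", re.compile(r"^Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from " + IP)),
    ("login attempt", "success", re.compile(r"^Accepted \S+ for (?P<user>\S+) from " + IP)),
    ("disconnect", "closed", re.compile(r"^Connection closed by " + IP)),
]


def parse_ssh_log(log_data: str, year: int = 2024) -> list[dict]:
    """Return a list shaped like the schema's parsedEvents items.

    Syslog lines have no year, so the caller supplies one; timestamps are assumed UTC.
    """
    events = []
    for line in log_data.splitlines():
        m = SYSLOG_PREFIX.match(line)
        if not m:
            continue  # not an sshd line: skip, never guess
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        for event, status, pat in EVENT_PATTERNS:
            em = pat.match(m["msg"])
            if em:
                events.append({"timestamp": ts.isoformat(), "event": event,
                               "sourceIP": em["ip"], "status": status})
                break
    return events


def failed_login_sources(events: list[dict], threshold: int = 2) -> dict:
    """Source IPs with at least `threshold` failed login attempts (password-guessing signal)."""
    c = Counter(e["sourceIP"] for e in events
                if e["event"] == "login attempt" and e["status"] == "failure")
    return {ip: n for ip, n in c.items() if n >= threshold}
```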