l9format

l9format is a schema declaration intended to make the network-reconnaissance tools used at LeakIX interoperable: each tool in a scan pipeline consumes and emits the same event structure, so results can be chained from one tool to the next without per-tool converters.

It is the default format returned by the LeakIX API and by the scanning tools that appear in an event's `event_pipeline` (for example ip4scout, l9tcpid and l9explore in the sample below).

The reference definition of the format is published on GitHub. Consumers should validate incoming events against that definition rather than assuming every field is present and consistently typed — note, for instance, that in the sample below `port` is a string while `status`, `length` and `asn` are numbers, and that many fields (`mac`, `vendor`, `ssh.*`, `geoip.*`) are emitted as empty strings or zero values rather than omitted. Events can also carry sensitive material: `service.credentials` appears to hold credential data (the `raw` member is base64-encoded), so any store or log of l9events should be treated as confidential and access-controlled.

l9event schema — annotated example document (field values are placeholders; zero-value timestamps such as `0001-01-01T00:00:00Z` denote "not set", not a real time)

  1{
  2  "event_type": "leak",
  3  "event_source": "DotEnvConfigPlugin",
  4  "event_pipeline": [
  5    "ip4scout",
  6    "l9tcpid",
  7    "l9explore",
  8    "DotEnvConfigPlugin"
  9  ],
 10  "event_fingerprint": "ab2848eed8451d0ea0d48a691126d1aeab2848eed8451d0ea0d48a691126d1ae",
 11  "ip": "127.0.0.1",
 12  "host": "site1.example.com",
 13  "reverse": "ptr1.example.com",
 14  "port": "8080",
 15  "mac": "",
 16  "vendor": "",
 17  "transport": [
 18    "tcp",
 19    "tls",
 20    "http"
 21  ],
 22  "protocol": "https",
 23  "http": {
 24    "root": "/site1",
 25    "url": "/site1/.env",
 26    "status": 200,
 27    "length": 12423,
 28    "header": {
 29      "Content-Type": "application/text",
 30      "Server": "Apache"
 31    },
 32    "title": "Apache welcome page",
 33    "favicon_hash": "e7bc546316d2d0ec13a2d3117b13468f5e939f95"
 34  },
 35  "summary": "GET /... qwerqwer",
 36  "time": "0001-01-01T00:00:00Z",
 37  "ssl": {
 38    "detected": true,
 39    "enabled": true,
 40    "jarm": "29d29d00029d29d21c41d41d00041dba71dd2df645850cf5f0b5af18a5fdcf",
 41    "cypher_suite": "TLS_AES_128_GCM_SHA256",
 42    "version": "TLSv1.3",
 43    "certificate": {
 44      "cn": "example.com",
 45      "domain": [
 46        "site.example.com",
 47        "admin.example.com"
 48      ],
 49      "fingerprint": "e998e371dd4678c9113e196bc5e4a5e901455750c6dbc9985c84403b91055260",
 50      "key_algo": "RSA",
 51      "key_size": 2048,
 52      "issuer_name": "Rapid SSL",
 53      "not_before": "0001-01-01T00:00:00Z",
 54      "not_after": "0001-01-01T00:00:00Z",
 55      "valid": false
 56    }
 57  },
 58  "ssh": {
 59    "fingerprint": "",
 60    "version": 0,
 61    "banner": "",
 62    "motd": ""
 63  },
 64  "service": {
 65    "credentials": {
 66      "noauth": true,
 67      "username": "",
 68      "password": "",
 69      "key": "",
 70      "raw": "SSBhbSBhIGtleQo="
 71    },
 72    "software": {
 73      "name": "Apache",
 74      "version": "2.2.4",
 75      "os": "Ubuntu",
 76      "modules": [
 77        {
 78          "name": "PHP",
 79          "version": "4.4.2",
 80          "fingerprint": "php-4-4-2"
 81        }
 82      ],
 83      "fingerprint": "apache-2-2-4"
 84    }
 85  },
 86  "leak": {
 87    "stage": "open",
 88    "type": "configuration",
 89    "severity": "medium",
 90    "dataset": {
 91      "rows": 4,
 92      "files": 1,
 93      "size": 13223,
 94      "collections": 1,
 95      "infected": false,
 96      "ransom_notes": [
 97        "Do this",
 98        "Don't do that",
 99        "We love GDPR"
100      ]
101    }
102  },
103  "tags": [
104    "plc"
105  ],
106  "geoip": {
107    "continent_name": "",
108    "region_iso_code": "",
109    "city_name": "",
110    "country_iso_code": "",
111    "country_name": "",
112    "region_name": "",
113    "location": {
114      "lat": 0,
115      "lon": 0
116    }
117  },
118  "network": {
119    "organization_name": "",
120    "asn": 0,
121    "network": ""
122  }
123}