l9format

l9format is a schema declaration targeted at interoperability between network recon tools used at LeakIX.
It is the default format returned by our API and various tools.
Its definition can be found on GitHub.
l9event schema

  1{
  2  "event_type": "leak",
  3  "event_source": "DotEnvConfigPlugin",
  4  "event_pipeline": ["ip4scout", "l9tcpid", "l9explore", "DotEnvConfigPlugin"],
  5  "event_fingerprint": "ab2848eed8451d0ea0d48a691126d1aeab2848eed8451d0ea0d48a691126d1ae",
  6  "ip": "127.0.0.1",
  7  "host": "site1.example.com",
  8  "reverse": "ptr1.example.com",
  9  "port": "8080",
 10  "mac": "",
 11  "vendor": "",
 12  "transport": ["tcp", "tls", "http"],
 13  "protocol": "https",
 14  "http": {
 15    "root": "/site1",
 16    "url": "/site1/.env",
 17    "status": 200,
 18    "length": 12423,
 19    "header": {
 20      "Content-Type": "application/text",
 21      "Server": "Apache"
 22    },
 23    "title": "Apache welcome page",
 24    "favicon_hash": "e7bc546316d2d0ec13a2d3117b13468f5e939f95"
 25  },
 26  "summary": "GET /... qwerqwer",
 27  "time": "0001-01-01T00:00:00Z",
 28  "ssl": {
 29    "detected": true,
 30    "enabled": true,
 31    "jarm": "29d29d00029d29d21c41d41d00041dba71dd2df645850cf5f0b5af18a5fdcf",
 32    "cypher_suite": "TLS_AES_128_GCM_SHA256",
 33    "version": "TLSv1.3",
 34    "certificate": {
 35      "cn": "example.com",
 36      "domain": ["site.example.com", "admin.example.com"],
 37      "fingerprint": "e998e371dd4678c9113e196bc5e4a5e901455750c6dbc9985c84403b91055260",
 38      "key_algo": "RSA",
 39      "key_size": 2048,
 40      "issuer_name": "Rapid SSL",
 41      "not_before": "0001-01-01T00:00:00Z",
 42      "not_after": "0001-01-01T00:00:00Z",
 43      "valid": false
 44    }
 45  },
 46  "ssh": {
 47    "fingerprint": "",
 48    "version": 0,
 49    "banner": "",
 50    "motd": ""
 51  },
 52  "service": {
 53    "credentials": {
 54      "noauth": true,
 55      "username": "",
 56      "password": "",
 57      "key": "",
 58      "raw": "SSBhbSBhIGtleQo="
 59    },
 60    "software": {
 61      "name": "Apache",
 62      "version": "2.2.4",
 63      "os": "Ubuntu",
 64      "modules": [
 65        {
 66          "name": "PHP",
 67          "version": "4.4.2",
 68          "fingerprint": "php-4-4-2"
 69        }
 70      ],
 71      "fingerprint": "apache-2-2-4"
 72    }
 73  },
 74  "leak": {
 75    "stage": "open",
 76    "type": "configuration",
 77    "severity": "medium",
 78    "dataset": {
 79      "rows": 4,
 80      "files": 1,
 81      "size": 13223,
 82      "collections": 1,
 83      "infected": false,
 84      "ransom_notes": ["Do this", "Don't do that", "We love GDPR"]
 85    }
 86  },
 87  "tags": ["plc"],
 88  "geoip": {
 89    "continent_name": "",
 90    "region_iso_code": "",
 91    "city_name": "",
 92    "country_iso_code": "",
 93    "country_name": "",
 94    "region_name": "",
 95    "location": {
 96      "lat": 0,
 97      "lon": 0
 98    }
 99  },
100  "network": {
101    "organization_name": "",
102    "asn": 0,
103    "network": ""
104  }
105}