l9format
l9format is a schema declaration intended to make the network recon tools used at LeakIX interoperable.
It is the default output format of the LeakIX API and of various LeakIX tools.
Its definition can be found on GitHub.
l9event schema
1{
2 "event_type": "leak",
3 "event_source": "DotEnvConfigPlugin",
4 "event_pipeline": ["ip4scout", "l9tcpid", "l9explore", "DotEnvConfigPlugin"],
5 "event_fingerprint": "ab2848eed8451d0ea0d48a691126d1aeab2848eed8451d0ea0d48a691126d1ae",
6 "ip": "127.0.0.1",
7 "host": "site1.example.com",
8 "reverse": "ptr1.example.com",
9 "port": "8080",
10 "mac": "",
11 "vendor": "",
12 "transport": ["tcp", "tls", "http"],
13 "protocol": "https",
14 "http": {
15 "root": "/site1",
16 "url": "/site1/.env",
17 "status": 200,
18 "length": 12423,
19 "header": {
20 "Content-Type": "application/text",
21 "Server": "Apache"
22 },
23 "title": "Apache welcome page",
24 "favicon_hash": "e7bc546316d2d0ec13a2d3117b13468f5e939f95"
25 },
26 "summary": "GET /... qwerqwer",
27 "time": "0001-01-01T00:00:00Z",
28 "ssl": {
29 "detected": true,
30 "enabled": true,
31 "jarm": "29d29d00029d29d21c41d41d00041dba71dd2df645850cf5f0b5af18a5fdcf",
32 "cypher_suite": "TLS_AES_128_GCM_SHA256",
33 "version": "TLSv1.3",
34 "certificate": {
35 "cn": "example.com",
36 "domain": ["site.example.com", "admin.example.com"],
37 "fingerprint": "e998e371dd4678c9113e196bc5e4a5e901455750c6dbc9985c84403b91055260",
38 "key_algo": "RSA",
39 "key_size": 2048,
40 "issuer_name": "Rapid SSL",
41 "not_before": "0001-01-01T00:00:00Z",
42 "not_after": "0001-01-01T00:00:00Z",
43 "valid": false
44 }
45 },
46 "ssh": {
47 "fingerprint": "",
48 "version": 0,
49 "banner": "",
50 "motd": ""
51 },
52 "service": {
53 "credentials": {
54 "noauth": true,
55 "username": "",
56 "password": "",
57 "key": "",
58 "raw": "SSBhbSBhIGtleQo="
59 },
60 "software": {
61 "name": "Apache",
62 "version": "2.2.4",
63 "os": "Ubuntu",
64 "modules": [
65 {
66 "name": "PHP",
67 "version": "4.4.2",
68 "fingerprint": "php-4-4-2"
69 }
70 ],
71 "fingerprint": "apache-2-2-4"
72 }
73 },
74 "leak": {
75 "stage": "open",
76 "type": "configuration",
77 "severity": "medium",
78 "dataset": {
79 "rows": 4,
80 "files": 1,
81 "size": 13223,
82 "collections": 1,
83 "infected": false,
84 "ransom_notes": ["Do this", "Don't do that", "We love GDPR"]
85 }
86 },
87 "tags": ["plc"],
88 "geoip": {
89 "continent_name": "",
90 "region_iso_code": "",
91 "city_name": "",
92 "country_iso_code": "",
93 "country_name": "",
94 "region_name": "",
95 "location": {
96 "lat": 0,
97 "lon": 0
98 }
99 },
100 "network": {
101 "organization_name": "",
102 "asn": 0,
103 "network": ""
104 }
105}