Reputation Service currently supports request for URLs, IP and files.
Before using the reputation service first get a token that is valid for a week from the rep-auth service, and then send a request to the reputation service using that token in the request.
Authentication to the reputation service acquires using a token generated from the rep-auth service.
The token will expire after a week, to renew the authentication - send a new token request.
The token should look like this: exp=1578566241~acl=/*~hmac=95add7c04faa2e7831b451fd45503e4a2ac0598c7e84a5ace7dd611d7b483e5f
Send an HTTPS GET request: https://rep.checkpoint.com/rep-auth/service/v1.0/request
Use the "Client-Key" header. (otherwise you will get HTTP status 401)
How do I know that the token expired?
Service respond status code 403 Forbidden
Send an HTTPS POST request: https://rep.checkpoint.com/url-rep/service/v2.0/query?resource={url}
Request headers:
- "Client-Key": You authorization id.
- "token": the token from the rep-auth service.
Request body, use JSON format:
{
"request": [{
"resource": "{url}"
}]
}| Parameter Name | Type | is Optional | Description |
|---|---|---|---|
| resource | String | No | the URL to query about |
| Classification | Description | Severity |
|---|---|---|
| Unclassified | The service couldn't classify the domain. there is no enough data about this resource. | N/A |
| Adware | Website operating in the gray areas of the law collecting private data on the users and display unwanted content, or website which contains sub-application to download. | Low |
| Volatile Website | Website that contains malicious software, for example: hacking websites. | Medium |
| Benign | Legit website, which aren't serve any malicious purpose. | N/A |
| CnC Server | Command and controller of malware. | Critical |
| Compromised Website | Legit website that was hacked and now serve a malicious purpose. | High |
| Phishing | Websites that attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication | High |
| Infecting Website | Website that may infect it’s visitors with malware. | High |
| Infecting URL | URL that may infect it’s visitors with malware. | |
| Web Hosting | Websites that allows to rent out space for websites to have your business in. | Medium |
| File Hosting | Websites that allows to rent out space for storage to have your business in. | Medium |
| Parked | Website which permanently does not have a content. it may contains advertising content on pages that have been registered but do not yet have original content | Medium |
| Spam | The url is used for spam. | High |
| Cryptominer | The url is used for cryptomining. | High |
Send an HTTPS POST request: https://rep.checkpoint.com/file-rep/service/v2.0/query?resource={file-hash}
request headers:
- "Client-Key": You authorization id.
- "token": the token from the rep-auth service.
request body, use JSON format:
{
"request": [{
"resource": "{file-hash}"
}]
}| Parameter Name | Type | Is Optional | Description |
|---|---|---|---|
| resource | String | No | SHA256 / MD5 / SHA1 of the file to query |
| Classification | Description | Severity |
|---|---|---|
| Unclassified | The service couldn't classify the domain. there is no enough data about this resource. | N/A |
| Adware | Installation file of Adware on your machine. Adware is a form of software that downloads or displays unwanted ads when a user is online, collects marketing data and other information without the user's knowledge or redirects search requests to certain advertising websites | Low |
| Riskware | Riskware is the name given to legitimate programs that can cause damage if they are exploited by malicious users – in order to delete, block, modify, or copy data, and disrupt the performance of computers or networks. | Medium |
| Malware | Malicious file | High |
| Benign | Legit file, which aren't serve any malicious purpose. | Medium |
| Unknown | File that was never seen before by the service's vendors. | N/A |
| Spam | The file is used for spam. | High |
| Cryptominer | The file is used for cryptomining. | High |
Send an HTTPS POST request: https://rep.checkpoint.com/ip-rep/service/v2.0/query?resource={ip}
request headers:
- "Client-Key": You authorization id.
- "token": the token from the rep-auth service.
request body, use JSON format:
{
"request": [{
"resource": "{ip}"
}]
}| Parameter Name | Type | Is Optional | Description |
|---|---|---|---|
| resource | String | No | The IP to query |
| Classification | Description | Severity |
|---|---|---|
| Unclassified | The service couldn't classify the IP. there is not enough data about this resource. | N/A |
| Adware | The IP's domains operating in the gray areas of the law collecting private data on the users and display unwanted content, or website which contains sub-application to download. | Low |
| Volatile | The IP's domains contain malicious software, for example hacking websites. | Medium |
| Benign | Legit IP, which doesn't serve any malicious purpose. | N/A |
| CnC Server | Command and control of malware. | Critical |
| Compromised Server | Legit IP that was hacked and now serve a malicious purpose. | High |
| Phishing | The IP's domains attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication | High |
| Infection Source | The IP's domains may infect its visitors with malware. | High |
| Web Hosting | The IP's domains allow to rent out space for websites to have your business in. | Medium |
| File Hosting | The IP's domains allow to rent out space for storage to have your business in. | Medium |
| Parked | The IP's domains permanently do not have content. it may contain advertising content on pages that have been registered but do not yet have original content | Medium |
| Scanner | The IP is a known internet scanner. | Medium |
| Anonymiser | The IP is a known TOR anonymity internet. | |
| Cryptominer | The IP's domains are used for cryptomining. | High |
| Spam | The IP's domains are used for spam. | High |
| Compromised Host | Victim IP. | Medium |
| Attribute Name | Type | Is Optional | Description | Inner Attribute | Inner Attribute Description |
|---|---|---|---|---|---|
| status | Object | No | Reflect the application status |
|
code: 2001 code: 2002 code: 2003 |
| resource | String | No | The URL from the request | ||
| reputation | Object | No | Reputation meta-data | classification | |
| severity | The severity of the classification. Possible values:
|
||||
| confidence | How much the service is confident with the reputation response.
|
| HTTP Response Code | Description |
|---|---|
| 200 | OK |
| 400 | Bad request - either the resource is not valid or the request parameter doesn't match the resource in the request body |
| 401 | Bad or missing "Client-Key" header |
| 403 | Bad or missing "token" header |
| Risk Range | Description | Confidence | Severity |
|---|---|---|---|
| Risk=0 | Indications of a legit website | High | N/A |
| 0<Risk<10 | Internet long tail | Low/Medium | Low |
| 10<=Risk<50 | Adware servers, rouge popups URLs | Low/Medium/High | Low/Medium |
| Risk=50 | Anonymizers, hosting and parked websites, Unknown files | Medium/High | Medium |
| 50<Risk< 80 | No proven legit was activity witnessed by the resource | Low | High/Critical |
| 80<=Risk<100 | No proven legit was activity witnessed by the resource and there are circumstantial evidences that ties the resource to malicious activity | Medium | High/Critical |
| Risk=100 | Known malicious resource by at least one trusted vendors | High | High/Critical |