The Reputation Service currently supports requests for URLs, IPs and files.
Before using the reputation service, first get a token from the rep-auth service (the token is valid for one week), then send requests to the reputation service with that token in the request headers.
Authentication to the reputation service uses a token generated by the rep-auth service.
The token expires after a week; to renew the authentication, send a new token request.
The token looks like this: exp=1578566241~acl=/*~hmac=95add7c04faa2e7831b451fd45503e4a2ac0598c7e84a5ace7dd611d7b483e5f
Send an HTTPS GET request: https://rep.checkpoint.com/rep-auth/service/v1.0/request
Use the "Client-Key" header (otherwise you will get HTTP status 401).
How do I know that the token expired?
The service responds with status code 403 Forbidden.
Send an HTTPS POST request: https://rep.checkpoint.com/url-rep/service/v2.0/query?resource={url}
Request headers:
- "Client-Key": your authorization id.
- "token": the token from the rep-auth service.
Request body, in JSON format:
  {
    "request": [{
      "resource": "{url}"
    }]
  }
Parameter Name | Type | Is Optional | Description |
---|---|---|---|
resource | String | No | The URL to query about |
Classification | Description | Severity |
---|---|---|
Unclassified | The service couldn't classify the domain; there is not enough data about this resource. | N/A |
Adware | Website operating in the gray areas of the law, collecting private data on its users and displaying unwanted content, or a website that contains a sub-application to download. | Low |
Volatile Website | Website that contains malicious software, for example hacking websites. | Medium |
Benign | Legitimate website that does not serve any malicious purpose. | N/A |
CnC Server | Command and control server of malware. | Critical |
Compromised Website | Legitimate website that was hacked and now serves a malicious purpose. | High |
Phishing | Websites that attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. | High |
Infecting Website | Website that may infect its visitors with malware. | High |
Infecting URL | URL that may infect its visitors with malware. | |
Web Hosting | Websites that rent out space for hosting other websites. | Medium |
File Hosting | Websites that rent out storage space for files. | Medium |
Parked | Website that permanently has no content of its own; it may contain advertising content on pages that have been registered but do not yet have original content. | Medium |
Spam | The URL is used for spam. | High |
Cryptominer | The URL is used for cryptomining. | High |
Send an HTTPS POST request: https://rep.checkpoint.com/file-rep/service/v2.0/query?resource={file-hash}
Request headers:
- "Client-Key": your authorization id.
- "token": the token from the rep-auth service.
Request body, in JSON format:
  {
    "request": [{
      "resource": "{file-hash}"
    }]
  }
Parameter Name | Type | Is Optional | Description |
---|---|---|---|
resource | String | No | SHA256 / MD5 / SHA1 hash of the file to query |
Classification | Description | Severity |
---|---|---|
Unclassified | The service couldn't classify the resource; there is not enough data about it. | N/A |
Adware | Installation file of adware. Adware is a form of software that downloads or displays unwanted ads when a user is online, collects marketing data and other information without the user's knowledge, or redirects search requests to certain advertising websites. | Low |
Riskware | Riskware is the name given to legitimate programs that can cause damage if they are exploited by malicious users, in order to delete, block, modify, or copy data, and disrupt the performance of computers or networks. | Medium |
Malware | Malicious file. | High |
Benign | Legitimate file that does not serve any malicious purpose. | Medium |
Unknown | File that was never seen before by the service's vendors. | N/A |
Spam | The file is used for spam. | High |
Cryptominer | The file is used for cryptomining. | High |
Send an HTTPS POST request: https://rep.checkpoint.com/ip-rep/service/v2.0/query?resource={ip}
Request headers:
- "Client-Key": your authorization id.
- "token": the token from the rep-auth service.
Request body, in JSON format:
  {
    "request": [{
      "resource": "{ip}"
    }]
  }
Parameter Name | Type | Is Optional | Description |
---|---|---|---|
resource | String | No | The IP to query |
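The three query procedures above share one shape: obtain a token from rep-auth with the Client-Key header, then POST the resource both in the query string and in the JSON body, and renew the token when the service answers 403. The following client is an added example, not Check Point's own SDK: it parses the expiry out of the `exp=` field of the token format shown above so renewal can happen before the service rejects the request, and it takes a `transport` callable so the logic can be exercised offline. The 300-second renewal margin, the single retry on 403, and the Content-Type header are assumptions of this example, not documented requirements.

```python
"""Minimal client for the rep-auth and reputation query endpoints documented above.

Added example, not vendor code. Network I/O goes through a `transport`
callable so the token and retry logic can be tested without the network.
"""
import json
import time
from typing import Callable, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AUTH_URL = "https://rep.checkpoint.com/rep-auth/service/v1.0/request"
QUERY_URLS = {
    "url": "https://rep.checkpoint.com/url-rep/service/v2.0/query",
    "file": "https://rep.checkpoint.com/file-rep/service/v2.0/query",
    "ip": "https://rep.checkpoint.com/ip-rep/service/v2.0/query",
}

# transport(method, url, headers, body) -> (http_status, response_text)
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes] = None):
    """Default transport built on the standard library; returns (status, text) even on 4xx."""
    req = Request(url, data=body, headers=headers, method=method)
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def token_expiry(token: str) -> int:
    """Return the Unix timestamp in the token's 'exp=' field.

    The documented format is 'exp=<unix>~acl=<path>~hmac=<hex>'.
    """
    fields = dict(part.split("=", 1) for part in token.split("~"))
    return int(fields["exp"])


def token_is_expired(token: str, now: Optional[float] = None, skew: int = 300) -> bool:
    """True if the token has expired or will within `skew` seconds (assumed safety margin)."""
    now = time.time() if now is None else now
    return token_expiry(token) - skew <= now


def fetch_token(client_key: str, transport: Transport = urllib_transport) -> str:
    """GET rep-auth with the Client-Key header; a 401 means the key was rejected."""
    status, body = transport("GET", AUTH_URL, {"Client-Key": client_key}, None)
    if status == 401:
        raise PermissionError("rep-auth rejected or missed the Client-Key header (401)")
    if status != 200:
        raise RuntimeError(f"rep-auth returned HTTP {status}")
    return body.strip()


def build_query(kind: str, resource: str, client_key: str, token: str):
    """Assemble (url, headers, body) for a url/file/ip query.

    The resource is sent both as the query parameter and inside the JSON body;
    the documentation returns 400 when the two disagree, so both come from one value.
    """
    url = QUERY_URLS[kind] + "?" + urlencode({"resource": resource})
    headers = {"Client-Key": client_key, "token": token, "Content-Type": "application/json"}
    body = json.dumps({"request": [{"resource": resource}]}).encode("utf-8")
    return url, headers, body


def query_reputation(kind: str, resource: str, client_key: str, token: str,
                     transport: Transport = urllib_transport):
    """POST one query; renew the token proactively, or once reactively on 403.

    Returns (parsed_json, token_in_use) so the caller can cache a renewed token.
    """
    if token_is_expired(token):
        token = fetch_token(client_key, transport)
    url, headers, body = build_query(kind, resource, client_key, token)
    status, text = transport("POST", url, headers, body)
    if status == 403:  # documented meaning: bad or missing token -> renew and retry once
        token = fetch_token(client_key, transport)
        headers["token"] = token
        status, text = transport("POST", url, headers, body)
    if status != 200:
        raise RuntimeError(f"reputation service returned HTTP {status}: {text[:200]}")
    return json.loads(text), token
```

Cache the token returned by `query_reputation` and reuse it for the week; with the default transport each call is a real HTTPS request to the endpoints listed on this page.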
Classification | Description | Severity |
---|---|---|
Unclassified | The service couldn't classify the IP; there is not enough data about this resource. | N/A |
Adware | The IP's domains operate in the gray areas of the law, collecting private data on their users and displaying unwanted content, or host a website that contains a sub-application to download. | Low |
Volatile | The IP's domains contain malicious software, for example hacking websites. | Medium |
Benign | Legitimate IP that doesn't serve any malicious purpose. | N/A |
CnC Server | Command and control server of malware. | Critical |
Compromised Server | Legitimate IP that was hacked and now serves a malicious purpose. | High |
Phishing | The IP's domains attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. | High |
Infection Source | The IP's domains may infect their visitors with malware. | High |
Web Hosting | The IP's domains rent out space for hosting other websites. | Medium |
File Hosting | The IP's domains rent out storage space for files. | Medium |
Parked | The IP's domains permanently have no content of their own; they may contain advertising content on pages that have been registered but do not yet have original content. | Medium |
Scanner | The IP is a known internet scanner. | Medium |
Anonymiser | The IP is a known node of the TOR anonymity network. | |
Cryptominer | The IP's domains are used for cryptomining. | High |
Spam | The IP's domains are used for spam. | High |
Compromised Host | Victim IP. | Medium |
Attribute Name | Type | Is Optional | Description | Inner Attribute | Inner Attribute Description |
---|---|---|---|---|---|
status | Object | No | Reflects the application status | code | Possible values: 2001, 2002, 2003 |
resource | String | No | The URL from the request | | |
reputation | Object | No | Reputation meta-data | classification | |
| | | | severity | The severity of the classification (see the Severity column of the classification tables above). |
| | | | confidence | How confident the service is in the reputation response. |
HTTP Response Code | Description |
---|---|
200 | OK |
400 | Bad request - either the resource is not valid or the request parameter doesn't match the resource in the request body |
401 | Bad or missing "Client-Key" header |
403 | Bad or missing "token" header |
Risk Range | Description | Confidence | Severity |
---|---|---|---|
Risk=0 | Indications of a legitimate website | High | N/A |
0<Risk<10 | Internet long tail | Low/Medium | Low |
10<=Risk<50 | Adware servers, rogue popup URLs | Low/Medium/High | Low/Medium |
Risk=50 | Anonymizers, hosting and parked websites, unknown files | Medium/High | Medium |
50<Risk<80 | No proven legitimate activity was witnessed for the resource | Low | High/Critical |
80<=Risk<100 | No proven legitimate activity was witnessed for the resource, and there is circumstantial evidence that ties the resource to malicious activity | Medium | High/Critical |
Risk=100 | Resource known to be malicious by at least one trusted vendor | High | High/Critical |
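The response attribute table and the risk range table above describe what a consumer has to interpret: each entry carries `status.code`, `resource` and a `reputation` object with `classification`, `severity` and `confidence`, and a numeric risk falls into one of seven bands with an associated confidence and severity. The code below is an added example, not vendor code, showing a fail-closed consumer of those fields: it pulls the documented attributes out of one response entry, implements the risk table's boundaries exactly as written (note that 0, 50 and 100 are their own bands), and decides which resources to block at a chosen severity threshold. How entries are wrapped in the response envelope is not shown on this page, so the example takes each entry as a plain dict; the meaning of status codes 2001-2003 is not documented here, so they are only surfaced, not interpreted.

```python
"""Interpret reputation response entries and the Risk Range table.

Added example, not vendor code. Entry shape (status.code, resource,
reputation.classification/severity/confidence) follows the attribute table
above; the response envelope around entries is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity values used in the classification tables, ordered from harmless to worst.
SEVERITY_RANK = {"N/A": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Verdict:
    resource: str
    status_code: int
    classification: Optional[str]
    severity: Optional[str]
    confidence: Optional[str]


def parse_verdict(entry: dict) -> Verdict:
    """Extract the documented attributes from one response entry; absent fields stay None."""
    rep = entry.get("reputation") or {}
    return Verdict(
        resource=entry["resource"],
        status_code=int(entry["status"]["code"]),
        classification=rep.get("classification"),
        severity=rep.get("severity"),
        confidence=rep.get("confidence"),
    )


def meets_severity(verdict: Verdict, threshold: str = "High") -> bool:
    """True when the verdict's severity is at or above `threshold`.

    Fail closed: a missing or unrecognised severity (e.g. the blank cells in the
    classification tables) counts as meeting the threshold so it is reviewed.
    """
    rank = SEVERITY_RANK.get(verdict.severity or "")
    return rank is None or rank >= SEVERITY_RANK[threshold]


def risk_band(risk: float) -> Tuple[str, str, str]:
    """Map a 0..100 risk score to (description, confidence, severity) per the Risk Range table."""
    if not 0 <= risk <= 100:
        raise ValueError(f"risk out of range: {risk}")
    if risk == 0:
        return ("Indications of a legitimate website", "High", "N/A")
    if risk < 10:
        return ("Internet long tail", "Low/Medium", "Low")
    if risk < 50:
        return ("Adware servers, rogue popup URLs", "Low/Medium/High", "Low/Medium")
    if risk == 50:
        return ("Anonymizers, hosting and parked websites, unknown files", "Medium/High", "Medium")
    if risk < 80:
        return ("No proven legitimate activity witnessed", "Low", "High/Critical")
    if risk < 100:
        return ("No proven legitimate activity, circumstantial malicious evidence", "Medium", "High/Critical")
    return ("Known malicious by at least one trusted vendor", "High", "High/Critical")


def triage(entries: List[dict], block_at: str = "High") -> Tuple[List[str], List[str]]:
    """Split resources into (block, review) lists.

    Resources at or above `block_at` severity are blocked; everything else,
    including Unclassified/Unknown verdicts, is returned for review rather than
    silently allowed.
    """
    block, review = [], []
    for entry in entries:
        v = parse_verdict(entry)
        if v.classification in (None, "Unclassified", "Unknown"):
            review.append(v.resource)
        elif meets_severity(v, block_at):
            block.append(v.resource)
        else:
            review.append(v.resource)
    return block, review


# Constructed sample entries (values chosen for illustration, not real verdicts).
SAMPLE_ENTRIES = [
    {"status": {"code": 2001}, "resource": "203.0.113.10",
     "reputation": {"classification": "CnC Server", "severity": "Critical", "confidence": "High"}},
    {"status": {"code": 2001}, "resource": "https://example.com/",
     "reputation": {"classification": "Benign", "severity": "N/A", "confidence": "High"}},
    {"status": {"code": 2001}, "resource": "198.51.100.7",
     "reputation": {"classification": "Unclassified", "severity": "N/A", "confidence": "Low"}},
]

if __name__ == "__main__":
    print(triage(SAMPLE_ENTRIES))
```

The Benign entry is not blocked, but it is still returned in the review list rather than dropped, so a caller that wants an allow list has to make that decision explicitly instead of inheriting it from a parsing default.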