Skip to content

REST API USE

Julio Lira | jul10l1r4 | Caranguejo esperto edited this page Jul 17, 2026 · 2 revisions

API Documentation

Base URL: https://julioliraup.github.io/AT

The Antiphishing Panel provides a public, read‑only JSON API that can be used to retrieve detailed information about individual Suricata SIDs as well as a concise index of all available SIDs.


1. Get SID Details

Endpoint: GET /db/sid/{sid}.json

Path Parameters:

  • sid (integer) – The Suricata rule identifier you want to inspect. Example: 6005281.

Description

  • Returns a full JSON representation of the rule identified by the supplied SID. The payload contains metadata such as the URL, classification, severity, references, and probing information.

Successful Response

  • 200 OK – JSON object with the following fields (partial list, additional fields may appear for some SIDs, e.g., print or screenshot):
    {
      "sid": 6005989,
      "url_path": "/",
      "url_base": "instagramusicabrasilinstagram.blogspot.com",
      "msg": "AT related malicious URL (instagramusicabrasilinstagram.blogspot.com/)",
      "protocol": "http",
      "classtype": "social-engineering",
      "rev": 1,
      "action": "alert",
      "severity": "high",
      "risk_score": 85,
      "references": [
        "openphish.com",
        "julioliraup.github.io/AT/signature.html?sid=6005989"
      ],
      "intel": {
        "virustotal": null,
        "urlhaus": null,
        "shodan": null,
        "ipinfo": null,
        "alienvault": null,
        "phishdestroy": null
      },
      "rule_raw": "alert http $HOME_NET any -> any any (msg:\"AT related malicious URL (instagramusicabrasilinstagram.blogspot.com/)\"; flow:established,to_server; http.uri; content:\"/\"; startswith; fast_pattern; http.host; content:\"instagramusicabrasilinstagram.blogspot.com\"; endswith; reference:url,openphish.com; reference:url,julioliraup.github.io/AT/signature.html?sid=6005989; classtype:social-engineering; sid:6005989; rev:1; metadata: signature_severity Major, created_et 2026_05_23, updated_et 2026_06_25;)",
      "updated_at": "2026-07-16T15:49:33.214479+00:00",
      "probe": {
        "dns": false,
        "whois": false,
        "status": "stale",
        "note": "dns-and-whois-unresponsive"
      },
      "rule_status": "stale"
    }

Example Request

GET https://julioliraup.github.io/AT/db/sid/6005281.json

Notes

  • The probe object indicates whether DNS/WHOIS look‑ups were successful; a status of stale means the intelligence has not been refreshed and should be considered inactive. A status of active denotes active intelligence.
  • Some SIDs contain additional data, such as a print field with a screenshot URL, intel.alienvault with detailed host information, or a intel.phishdestroy section with comprehensive threat analysis. The example above shows the most common structure.

2. List All SIDs (Index)

Endpoint: GET /db/index.json

Description

  • Returns a compact JSON array where each element summarises a SID. This endpoint is useful for building drop‑down lists, pagination, or over‑view dashboards.

Successful Response

  • 200 OK – JSON array of objects, each with a subset of fields:
    [
      {
        "sid": 6000000,
        "name": "AT DNS query to suspicious domain - Phishing",
        "protocol": "dns",
        "severity": "high",
        "domains_count": 243094
      },
      {
        "sid": 6000001,
        "name": "AT TLS SNI to suspicious domain - Phishing",
        "protocol": "tls",
        "severity": "high",
        "domains_count": 243094
      },
      {
        "sid": 6000002,
        "name": "AT related malicious URL (www .settlementdomain .com/5DLFML8/S5T8TN8/?__rpt=0&__po=17304&__ptid=6f70f5681ff84ca09100279f32029176&__rpa=1&__rc=1&sub1=&sub2=&sub3=&sub4=&sub5=&source_id=&__pcd=9)",
        "protocol": "http",
        "severity": "high"
      }
      // … many more entries …
    ]

Example Request

GET https://julioliraup.github.io/AT/db/index.json

Notes

  • The index can be large (several hundred entries). Clients should consider streaming or paginating locally.
  • Fields such as domains_count are present only for DNS‑related SIDs; other protocols may omit it.
  • Additional boolean flags like is_stale or rule_status may appear for specific entries.

General Information

  • Authentication: No authentication is required; the API is publicly accessible.
  • Rate Limiting: The GitHub Pages host does not enforce strict rate limits, but courteous usage (≤ 60 requests per minute) is recommended.
  • Content‑Type: All responses are application/json.
  • CORS: The endpoint includes Access‑Control‑Allow‑Origin: *, allowing browser‑based consumption.

References