-
Notifications
You must be signed in to change notification settings - Fork 0
REST API USE
Julio Lira | jul10l1r4 | Caranguejo esperto edited this page Jul 17, 2026
·
2 revisions
Base URL: https://julioliraup.github.io/AT
The Antiphishing Panel provides a public, read‑only JSON API that can be used to retrieve detailed information about individual Suricata SIDs as well as a concise index of all available SIDs.
Endpoint: GET /db/sid/{sid}.json
Path Parameters:
-
sid(integer) – The Suricata rule identifier you want to inspect. Example:6005281.
Description
- Returns a full JSON representation of the rule identified by the supplied SID. The payload contains metadata such as the URL, classification, severity, references, and probing information.
Successful Response
-
200 OK– JSON object with the following fields (partial list, additional fields may appear for some SIDs, e.g.,printorscreenshot):{ "sid": 6005989, "url_path": "/", "url_base": "instagramusicabrasilinstagram.blogspot.com", "msg": "AT related malicious URL (instagramusicabrasilinstagram.blogspot.com/)", "protocol": "http", "classtype": "social-engineering", "rev": 1, "action": "alert", "severity": "high", "risk_score": 85, "references": [ "openphish.com", "julioliraup.github.io/AT/signature.html?sid=6005989" ], "intel": { "virustotal": null, "urlhaus": null, "shodan": null, "ipinfo": null, "alienvault": null, "phishdestroy": null }, "rule_raw": "alert http $HOME_NET any -> any any (msg:\"AT related malicious URL (instagramusicabrasilinstagram.blogspot.com/)\"; flow:established,to_server; http.uri; content:\"/\"; startswith; fast_pattern; http.host; content:\"instagramusicabrasilinstagram.blogspot.com\"; endswith; reference:url,openphish.com; reference:url,julioliraup.github.io/AT/signature.html?sid=6005989; classtype:social-engineering; sid:6005989; rev:1; metadata: signature_severity Major, created_et 2026_05_23, updated_et 2026_06_25;)", "updated_at": "2026-07-16T15:49:33.214479+00:00", "probe": { "dns": false, "whois": false, "status": "stale", "note": "dns-and-whois-unresponsive" }, "rule_status": "stale" }
Example Request
GET https://julioliraup.github.io/AT/db/sid/6005281.json
Notes
- The
probeobject indicates whether DNS/WHOIS look‑ups were successful; astatusofstalemeans the intelligence has not been refreshed and should be considered inactive. Astatusofactivedenotes active intelligence. - Some SIDs contain additional data, such as a
printfield with a screenshot URL,intel.alienvaultwith detailed host information, or aintel.phishdestroysection with comprehensive threat analysis. The example above shows the most common structure.
Endpoint: GET /db/index.json
Description
- Returns a compact JSON array where each element summarises a SID. This endpoint is useful for building drop‑down lists, pagination, or over‑view dashboards.
Successful Response
-
200 OK– JSON array of objects, each with a subset of fields:[ { "sid": 6000000, "name": "AT DNS query to suspicious domain - Phishing", "protocol": "dns", "severity": "high", "domains_count": 243094 }, { "sid": 6000001, "name": "AT TLS SNI to suspicious domain - Phishing", "protocol": "tls", "severity": "high", "domains_count": 243094 }, { "sid": 6000002, "name": "AT related malicious URL (www .settlementdomain .com/5DLFML8/S5T8TN8/?__rpt=0&__po=17304&__ptid=6f70f5681ff84ca09100279f32029176&__rpa=1&__rc=1&sub1=&sub2=&sub3=&sub4=&sub5=&source_id=&__pcd=9)", "protocol": "http", "severity": "high" } // … many more entries … ]
Example Request
GET https://julioliraup.github.io/AT/db/index.json
Notes
- The index can be large (several hundred entries). Clients should consider streaming or paginating locally.
- Fields such as
domains_countare present only for DNS‑related SIDs; other protocols may omit it. - Additional boolean flags like
is_staleorrule_statusmay appear for specific entries.
- Authentication: No authentication is required; the API is publicly accessible.
- Rate Limiting: The GitHub Pages host does not enforce strict rate limits, but courteous usage (≤ 60 requests per minute) is recommended.
-
Content‑Type: All responses are
application/json. -
CORS: The endpoint includes
Access‑Control‑Allow‑Origin: *, allowing browser‑based consumption.
- Official repository of ruleset: https://github.com/julioliraup/Antiphishing
[ DONATE - DASHBOARD VECTORS - CONTRIBUTING - SUBMIT A VECTOR - REST API CTI ]