Crowdsec CTI: easily interact with the main endpoints
#!/bin/bash | |
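#######################################
# Print command-line usage and exit.
# Usage text goes to stderr so that stdout stays reserved for API responses
# (callers can pipe the JSON without the help text mixed in).
# Globals:   $0 (read, program name)
# Arguments: none
# Outputs:   usage text on stderr
# Returns:   does not return; exits with status 1
#######################################
usage() {
  cat >&2 <<EOF
Usage: $0 <command> [options]
Commands:
  smoke <IP_ADDRESS>                          Query the smoke endpoint for an IP address
  fire                                        Query the fire endpoint
  search --query <query> --since <duration>   Search using a Lucene query and time filter
EOF
  exit 1
}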
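# Refuse to run without the API key. The key is read only from the environment
# and never printed; no `set -x` is used anywhere below because a shell trace
# would write the curl invocation, key included, to stderr.
if [[ -z "${CROWDSEC_CTI_API_KEY:-}" ]]; then
  echo "Error: CROWDSEC_CTI_API_KEY environment variable is not set." >&2
  exit 1
fi

# A command word is mandatory.
if [[ $# -lt 1 ]]; then
  usage
fi

COMMAND=$1
shift

# Base URL of the CrowdSec CTI API.
readonly BASE_API_URL="https://cti.api.crowdsec.net/v2"

#######################################
# Percent-encode a string for use as a URL path segment or query value.
# Unreserved characters (A-Z a-z 0-9 - _ . ~) pass through; every other byte
# becomes %XX. Unlike `echo … | jq -sRr @uri`, no trailing newline is added,
# so the encoded value no longer ends in a spurious %0A.
# Arguments: $1 - raw string
# Outputs:   encoded string on stdout, without a trailing newline
#######################################
urlencode() {
  local LC_ALL=C   # iterate over bytes, not multibyte characters
  local raw=$1 encoded='' i ch
  for (( i = 0; i < ${#raw}; i++ )); do
    ch=${raw:i:1}
    case $ch in
      [A-Za-z0-9._~-]) encoded+=$ch ;;
      *) printf -v ch '%%%02X' "'$ch"; encoded+=$ch ;;
    esac
  done
  printf '%s' "$encoded"
}

#######################################
# Issue an authenticated GET request to the CTI API.
# Globals:   CROWDSEC_CTI_API_KEY (read)
# Arguments: $1 - full request URL
# Outputs:   response body on stdout; transport errors on stderr (-S)
# Returns:   curl's exit status
#######################################
cti_get() {
  local url=$1
  # The x-api-key header is handed to curl through a config block on stdin
  # rather than as an argv element, so the key is not visible in `ps` output.
  # Assumes the key contains no `"` or `\` (curl's quoted config syntax would
  # need those escaped).
  curl -sS -K - "$url" -H 'accept: application/json' <<EOF
header = "x-api-key: ${CROWDSEC_CTI_API_KEY}"
EOF
}

case "$COMMAND" in
  smoke)
    # Exactly one IP address is expected.
    if [[ $# -ne 1 ]]; then
      echo "Error: IP address is required for the smoke command." >&2
      usage
    fi
    IP_ADDRESS=$1
    # Encode the path segment so a malformed value cannot alter the request path.
    RESPONSE=$(cti_get "$BASE_API_URL/smoke/$(urlencode "$IP_ADDRESS")")
    ;;
  fire)
    RESPONSE=$(cti_get "$BASE_API_URL/fire")
    ;;
  search)
    # Parse options for search
    QUERY=""
    SINCE=""
    while [[ $# -gt 0 ]]; do
      case $1 in
        --query)
          # The option needs a value; without this guard `shift 2` fails on a
          # lone `--query` and the loop never terminates.
          if [[ $# -lt 2 ]]; then
            echo "Error: Option '$1' requires a value." >&2
            usage
          fi
          QUERY=$2
          shift 2
          ;;
        --since)
          if [[ $# -lt 2 ]]; then
            echo "Error: Option '$1' requires a value." >&2
            usage
          fi
          SINCE=$2
          shift 2
          ;;
        *)
          echo "Error: Unknown option '$1' for search command." >&2
          usage
          ;;
      esac
    done
    # Both parameters are required by the endpoint.
    if [[ -z "$QUERY" || -z "$SINCE" ]]; then
      echo "Error: Both --query and --since options are required for the search command." >&2
      usage
    fi
    # Both values are user-supplied and land in the query string, so both are
    # encoded (the original encoded only the query).
    RESPONSE=$(cti_get "$BASE_API_URL/smoke/search?query=$(urlencode "$QUERY")&since=$(urlencode "$SINCE")")
    ;;
  *)
    echo "Error: Unknown command '$COMMAND'." >&2
    usage
    ;;
esac

# An empty body means curl failed or the API sent nothing; curl's own
# diagnostic, if any, already went to stderr.
if [[ -z "$RESPONSE" ]]; then
  echo "Error: No response received from the API." >&2
  exit 1
fi

# Emit the raw response so it can be piped into jq or redirected to a file.
printf '%s\n' "$RESPONSE"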