Welcome to the documentation for the backend part of the project, written in C++ using the Pistache framework. This documentation covers the functionality and usage of the routes in our API. The API provides numerous capabilities for managing events, rules and indicators of compromise (IoC), as well as statistical data, making it a tool for monitoring and managing various aspects of the security system.
Key Features
Events
The API provides routes for retrieving, searching, deleting, and checking events of a specific type. You can easily retrieve all events of a given type, find a specific event by its ID or other parameters, and delete all events of a particular type. This flexibility and powerful functionality enable efficient event management.
Rules
The routes for rule management allow a wide range of operations, including displaying all rules, searching for rules by various criteria, adding, updating, and deleting rules, as well as toggling rule status. These functions allow for effective rule management and provide a high level of control and customization of the security system.
Threats (IOC)
The API for indicators of compromise includes routes for downloading new IoCs, filtering IoCs by time period, retrieving all IoCs or subsets based on type or status, and changing the status of IoCs. This enables system administrators and security analysts to easily manage and respond to threat indicators.
Statistics
The system provides access to a variety of statistical information, including data on packets, alerts, CPU usage, and memory usage, as well as data for histograms. This information is crucial for monitoring system performance and identifying potential issues.
Suricata Management
The API includes routes for managing the Suricata process, allowing you to start, stop, and reload Suricata, as well as update rules. This provides a high degree of control over the operation of the intrusion detection system.
This API is designed with high performance and scalability in mind, making it suitable for use in large and complex infrastructures. In the following section of the documentation, we will detail each route and provide examples of their usage.
Routes:
Events:
• GET /events/:event_type get all events of a given type (:event_type)
• GET /events/count/:event_type get the number of events of a given type (:event_type)
• GET /events/:event_type/:event_id find an event of a given type (:event_type) by event_id
• GET /events/search/:flow_id find an event by flow_id (:flow_id)
• DELETE /events/delete/:event_type delete all events of the given type (:event_type)
• GET /events/find/:event_type find events of a given type by parameters
• GET /events/check/:event_type get all events of a given type within a certain period of time
• GET /events/fast output contents of fast.log
Rules:
• GET /rules display all rules
• GET /rules/:sid find a rule with a given sid
• GET /rules/action/:action find a rule with a given action
• GET /rules/status/:status find a rule with a given status
• GET /rules/protocol/:proto find a rule with a given proto
• GET /rules/search find a rule with the given parameters
• POST /rules/toggle/ switch rule status
• POST /rules/add/ add rule
• POST /rules/validate/ validate a rule
• POST /rules/delete/ delete rule
• POST /rules/update/ update rules
• GET /rules/additional/status/ get additional rules status
• POST /rules/additional/update/ update additional rules
• POST /validate_rule_endpoint rule validation
• GET /suricata/reload/ reload Suricata
• GET /rules/reload/blocking reload rules (blocking)
• GET /rules/reload/nonblocking reload rules (non-blocking)
• GET /rules/duplicated/:sid find duplicate rules
• GET /suricata/start/ start suricata
• GET /suricata/stop/ stop Suricata
• GET /suricata/update/ rules update
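The Suricata management routes above (start, stop, reload, blocking and non-blocking rule reload) end up executing a command on the host. The example below is an added illustration, not code from this project: it maps each route's action to a fixed argument vector and runs it with fork/execvp, so nothing from the HTTP request is ever handed to a shell. The `systemctl` unit name `suricata` and the `suricatasc` command names (`reload-rules`, `ruleset-reload-rules`, `ruleset-reload-nonblocking`) are assumptions about the deployment, not something the page states.

```cpp
// Added example (not the project's own code): a fixed command table for the
// Suricata management routes. Unknown actions never reach exec().
#include <optional>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

using Argv = std::vector<std::string>;

// Map a management action (derived from the route, never from a free-form
// request field) to a fixed argument vector. Unit name and suricatasc
// command names are assumed for this example.
std::optional<Argv> suricata_command(const std::string& action) {
    if (action == "start")             return Argv{"systemctl", "start", "suricata"};
    if (action == "stop")              return Argv{"systemctl", "stop", "suricata"};
    if (action == "reload")            return Argv{"suricatasc", "-c", "reload-rules"};
    if (action == "reload-blocking")   return Argv{"suricatasc", "-c", "ruleset-reload-rules"};
    if (action == "reload-nonblocking")return Argv{"suricatasc", "-c", "ruleset-reload-nonblocking"};
    return std::nullopt;  // handler should answer 400, not execute anything
}

// Run the mapped command without a shell. Returns the child's exit status,
// or -1 when the action is unknown, fork fails, or the child did not exit
// normally (exec failure is reported as 127 by the child).
int run_suricata_action(const std::string& action) {
    std::optional<Argv> argv = suricata_command(action);
    if (!argv) return -1;

    std::vector<char*> cargv;  // execvp wants a NULL-terminated char* array
    for (std::string& a : *argv) cargv.push_back(a.data());
    cargv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec itself failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In a handler for `GET /rules/reload/nonblocking` the call would simply be `run_suricata_action("reload-nonblocking")`; the action string is chosen by the route that matched, so the table, not the client, decides what runs.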
Threats (IOC):
• GET /ioc/download/ download fresh IoC
• GET /ioc/filter/:n_days select IoCs from the last n_days days
• GET /ioc/ display all IoC
• GET /ioc/ioc_type/:ioc_type get IoC of given type
• GET /ioc/ioc_id/:id get IoC with given id
• GET /ioc/ioc_status/:status display all IoCs with a given status
• POST /ioc/toggle/ toggle IoC status
• GET /ioc/fetch/ create IoC rules files
• GET /ioc/rules/status/ get IoC rule statuses
• POST /ioc/rules/modify/ change IoC rule statuses
Stats:
• GET /stats/ get statistics data
• GET /stats/pkts/ get statistics about packets
• GET /stats/alerts/ get statistics about alerts
• GET /stats/cpu/ get CPU statistics data
• GET /stats/vm/ get virtual memory statistics data
• GET /stats/pm/ get memory statistics data
• GET /stats/histogramm/ get data for histograms
• GET /suricata/running/ check whether the Suricata process is running
• GET /stats/update/ statistics update
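Most routes listed above take a path parameter (`:event_type`, `:sid`, `:n_days`, `:id`, ...) that the backend then uses to pick a log file, look up a rule or bound a time window. The following is an added example, not code from this project, showing how a handler can validate those parameters before using them: an allow-list for `:event_type`, and an overflow-safe bounded integer parser for `:sid` and `:n_days`. The event-type allow-list is constructed from common Suricata EVE record types, and the 365-day cap for `:n_days` is an assumed limit; the Pistache accessor mentioned in the comment is `request.param(":name").as<std::string>()`.

```cpp
// Added example (not the project's own code): validation of route path
// parameters before they reach a file name, a query or a command.
#include <cctype>
#include <cstdint>
#include <optional>
#include <string>
#include <unordered_set>

// :event_type selects which events are read, so it must come from an
// allow-list. Values such as "../fast" or "ALERT" are rejected. The list
// below is constructed for this example from common Suricata EVE types.
std::optional<std::string> validate_event_type(const std::string& raw) {
    static const std::unordered_set<std::string> kAllowed{
        "alert", "dns", "http", "tls", "flow", "fileinfo"};
    if (kAllowed.count(raw) == 0) return std::nullopt;
    return raw;
}

// Parse a plain decimal string into an unsigned integer within [lo, hi].
// Unlike std::stoul this rejects signs, whitespace, trailing garbage
// ("7d"), empty input and values that would overflow uint64_t.
std::optional<uint64_t> parse_bounded_uint(const std::string& raw,
                                           uint64_t lo, uint64_t hi) {
    if (raw.empty() || raw.size() > 20) return std::nullopt;  // 20 digits max
    uint64_t value = 0;
    for (char c : raw) {
        if (!std::isdigit(static_cast<unsigned char>(c))) return std::nullopt;
        uint64_t digit = static_cast<uint64_t>(c - '0');
        if (value > (UINT64_MAX - digit) / 10) return std::nullopt;  // overflow
        value = value * 10 + digit;
    }
    if (value < lo || value > hi) return std::nullopt;
    return value;
}

// :sid — Suricata signature IDs are unsigned 32-bit and non-zero.
std::optional<uint32_t> parse_sid(const std::string& raw) {
    std::optional<uint64_t> v = parse_bounded_uint(raw, 1, UINT32_MAX);
    if (!v) return std::nullopt;
    return static_cast<uint32_t>(*v);
}

// :n_days — bound the IoC filter window; 365 is an assumed cap so a
// client cannot request an unbounded scan of the IoC store.
std::optional<int> parse_n_days(const std::string& raw) {
    std::optional<uint64_t> v = parse_bounded_uint(raw, 1, 365);
    if (!v) return std::nullopt;
    return static_cast<int>(*v);
}

// In a Pistache handler the raw value would be obtained with
//   const std::string raw = request.param(":sid").as<std::string>();
// and a std::nullopt result answered with HTTP 400 before any lookup.
```

Returning `std::optional` keeps the "invalid input" path explicit in every handler: the lookup code only ever sees a value that has already passed the check, and the 400 response is produced in one place.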