Previous post
"The road to learning Arkime, the traffic analysis tool (1): installation and deployment"
Overview
Notes
Arkime uses digest authentication for all API calls, so make sure digest authentication is enabled in your HTTP library or curl command. The easiest way to learn how to make API calls is to open the browser's JavaScript console and watch the calls the Arkime UI makes; it uses exactly the same APIs.
Note: many API endpoints require a database field name, which is different from the name you use in search expressions. The easiest way to see database field names is to click the owl logo in Arkime -> click the Fields tab on the left -> click "Show Database Fields".
In the endpoint paths below, a parameter name prefixed with a colon (for example :id) is a placeholder that you replace with your own value.
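As an added example (not code from this page or from the Arkime project), the Python helpers below fill the colon placeholders in an endpoint path, compute what digest authentication actually sends back for a server challenge (checked against the RFC 2617 reference values), and build a standard-library opener that answers Arkime's digest challenge. The base URL, user name and password in the usage block are placeholders, and the `fill_path` / `get_json` helper names are mine.

```python
import hashlib
import json
import re
import urllib.parse
import urllib.request

# Added example, not Arkime project code. Base URL, user and password used in
# the usage block are placeholders; only the helpers are exercised offline.
PLACEHOLDER = re.compile(r":([A-Za-z_][A-Za-z0-9_]*)")


def fill_path(template, **params):
    """Replace ':name' placeholders in an endpoint path such as
    '/api/hunt/:id/user/:user' with URL-encoded values; a missing value is
    an error rather than a request to a mangled path."""
    def sub(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"missing value for path parameter :{name}")
        return urllib.parse.quote(str(params[name]), safe="")
    return PLACEHOLDER.sub(sub, template)


def digest_response(username, realm, password, method, uri, nonce,
                    nc="00000001", cnonce="0a4f113b", qop="auth"):
    """Compute the RFC 2617 'response' value (MD5, qop=auth) that a client
    places in the Authorization header after receiving a digest challenge.
    The password itself never leaves the client; only this hash does."""
    def md5(text):
        return hashlib.md5(text.encode()).hexdigest()
    ha1 = md5(f"{username}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_opener(base_url, username, password):
    """Return a urllib opener that answers Arkime's digest challenge."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base_url, username, password)
    return urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))


def get_json(opener, base_url, template, query=None, **path_params):
    """GET an endpoint built from a path template and decode the JSON reply."""
    url = base_url.rstrip("/") + fill_path(template, **path_params)
    if query:
        url += "?" + urllib.parse.urlencode(query)
    with opener.open(url, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder viewer; replace with your own before running.
    base = "https://arkime.example:8005"
    opener = make_opener(base, "analyst", "PLACEHOLDER-PASSWORD")
    print(get_json(opener, base, "/api/:nodeName/:fileNum/filesize",
                   nodeName="node1", fileNum=12))
```

Digest authentication keeps the password out of the request, but everything else in the exchange is visible on the wire, so the viewer should still sit behind TLS; the opener above works the same way with an `https://` base URL.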
Key terms and core features
SPI (Session Profile Information).
SPI View is used to drill into specific indicators of the sessions an analyst wants to investigate further. It lets the analyst quickly see counts for every item of interest. For example, to see all Basic authorization headers recorded in the current time window, the analyst can open the http drawer and click to enable the http.authorization field. The analyst can then update the search query to include a specific authorization string that was observed, or use wildcards to see everything of a particular authorization header type (Basic*, Bearer*, and so on). SPI View also lets the analyst quickly see the IP addresses, HTTP response codes, IRC nicks/channels and much more observed within the time window.
SPI Graph lets users visualize any item from the SPI View page as a bar chart over time. This page is useful both for an overview of activity per SPI type and for drilling down.
Connections lets users view a tree graph based on the source and destination nodes they select. Relationships can be identified visually this way.
Hunt lets users search for text within session packets.
Files lists the pcap files that have been stored.
Details for each section are available by clicking the Arkime owl logo.
The complex data types referenced in this document are all described at the end of the document.
The data most likely worth attention:
Viewing
- Connections: shows which hosts talk to which
- Sessions: shows the protocols used between hosts
Active
- Hunt: actively retrieves matching packets
All APIs
Connections
Query
Builds an Elasticsearch connections query. Gets the list of nodes and links and returns it to the client.
Endpoint
POST/GET - /api/connections
Parameters

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| See_List | SessionsQuery | | This API supports a common set of parameters documented in the SessionsQuery section |
| srcField | string | "ip.src" | The source database field name |
| dstField | string | "ip.dst:port" | The destination database field name |
| baselineDate | number | 0 | The baseline date range to compare connections against. Default is 0, disabled. Options include: 1x - 1 times query range. 2x - 2 times query range. 4x - 4 times query range. 6x - 6 times query range. 8x - 8 times query range. 10x - 10 times query range. 1 - 1 hour. 6 - 6 hours. 24 - 1 day. 48 - 2 days. 72 - 3 days. 168 - 1 week. 336 - 2 weeks. 720 - 1 month. 1440 - 2 months. 4380 - 6 months. 8760 - 1 year. |
| baselineVis | string | "all" | Which connections to display when a baseline date range is applied. Default is all. Options include: 'all' - All Nodes: all nodes are visible. 'actual' - Actual Nodes: nodes present in the "current" timeframe query results are visible. 'actualold' - Baseline Nodes: nodes present in the "baseline" timeframe query results are visible. 'new' - New Nodes Only: nodes present in the "current" but NOT the "baseline" timeframe are visible. 'old' - Baseline Nodes Only: nodes present in the "baseline" but NOT the "current" timeframe are visible. |
Returns:

| Name | Type | Description |
| --- | --- | --- |
| links | array | The list of links |
| nodes | array | The list of nodes |
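As an added example (not code from this page or from Arkime), the block below validates the option values from the parameter table before sending a connections query, maps a search-expression name to its database field name using the map form of GET /api/fields (the note at the top of the page), and reduces a nodes/links reply to per-host fan-out so unusually chatty hosts stand out without the graph UI. The response shape (links referring to nodes by index, `value` as the session count), the `dbField` key on field objects, and all sample data are my assumptions and constructions; confirm the real shapes in the browser console.

```python
from collections import defaultdict

# Added example, not Arkime project code. Response/field shapes are assumed
# and the sample data is constructed for the demo.
BASELINE_DATE_OPTIONS = {"0", "1x", "2x", "4x", "6x", "8x", "10x", "1", "6", "24",
                         "48", "72", "168", "336", "720", "1440", "4380", "8760"}
BASELINE_VIS_OPTIONS = {"all", "actual", "actualold", "new", "old"}


def resolve_db_field(fields_map, expression):
    """Map a search-expression name (e.g. 'ip.src') to the database field name
    the API expects, using the map returned by GET /api/fields. Field objects
    are assumed to carry a 'dbField' key."""
    try:
        return fields_map[expression]["dbField"]
    except KeyError:
        raise ValueError(f"unknown field expression {expression!r}") from None


def connections_params(src_field="ip.src", dst_field="ip.dst:port",
                       baseline_date="0", baseline_vis="all", **session_query):
    """Build the query for /api/connections, rejecting option values the
    parameter table does not list instead of letting the server ignore them."""
    baseline_date = str(baseline_date)
    if baseline_date not in BASELINE_DATE_OPTIONS:
        raise ValueError(f"baselineDate {baseline_date!r} not in {sorted(BASELINE_DATE_OPTIONS)}")
    if baseline_vis not in BASELINE_VIS_OPTIONS:
        raise ValueError(f"baselineVis {baseline_vis!r} not in {sorted(BASELINE_VIS_OPTIONS)}")
    params = {"srcField": src_field, "dstField": dst_field,
              "baselineDate": baseline_date, "baselineVis": baseline_vis}
    params.update(session_query)   # SessionsQuery parameters, e.g. expression=..., date=24
    return params


def summarize_connections(response):
    """Reduce the nodes/links graph to per-node peer counts and session totals,
    ranked by fan-out (most distinct peers first, ties broken by id)."""
    nodes = response["nodes"]
    peers, sessions = defaultdict(set), defaultdict(int)
    for link in response["links"]:
        src = nodes[link["source"]]["id"]
        dst = nodes[link["target"]]["id"]
        peers[src].add(dst)
        peers[dst].add(src)
        sessions[src] += link["value"]
        sessions[dst] += link["value"]
    ranked = sorted(peers, key=lambda n: (-len(peers[n]), n))
    return {"peer_count": {n: len(p) for n, p in peers.items()},
            "sessions": dict(sessions), "fan_out": ranked}


# Constructed sample data (assumed shapes), not a real Arkime reply.
SAMPLE_FIELDS = {"ip.src": {"dbField": "source.ip"},
                 "http.user-agent": {"dbField": "http.useragent"}}
SAMPLE_RESPONSE = {
    "nodes": [{"id": "10.0.0.5", "cnt": 2}, {"id": "10.0.0.9", "cnt": 1},
              {"id": "198.51.100.7:443", "cnt": 2}, {"id": "10.0.0.200:445", "cnt": 1}],
    "links": [{"source": 0, "target": 2, "value": 12},
              {"source": 1, "target": 2, "value": 3},
              {"source": 0, "target": 3, "value": 40}],
}

if __name__ == "__main__":
    print(connections_params(src_field=resolve_db_field(SAMPLE_FIELDS, "ip.src"),
                             baseline_date="2x", baseline_vis="new", date=24))
    print(summarize_connections(SAMPLE_RESPONSE))
```

With `baselineVis="new"` the server returns only nodes absent from the baseline window, which is the quickest way to spot a host that has started talking to a peer it never used before; the summary then tells you how many peers and sessions that host has.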
Query (CSV format)
Builds an Elasticsearch connections query. Gets the list of nodes and links in CSV format and returns it to the client. (ES)
Endpoint
POST/GET - /api/connections/csv or /api/connections.csv
Parameters:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| See_List | SessionsQuery | | This API supports a common set of parameters documented in the SessionsQuery section |
| srcField | string | "ip.src" | The source database field name |
| dstField | string | "ip.dst:port" | The destination database field name |
Return value

| Name | Type | Description |
| --- | --- | --- |
| csv | csv | The csv with the connections requested |
Periodic queries (cron)
List
Retrieves the periodic queries the user is allowed to view.
Endpoint
GET - /api/crons
Return value

| Name | Type | Description |
| --- | --- | --- |
| queries | Array.<ArkimeQuery> | A list of query objects. |
Create
Creates a new periodic query.
Endpoint
POST - /api/cron
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the create operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
| query | ArkimeQuery | The new query |
Update
Updates a periodic query.
Endpoint
POST - /api/cron/:key
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the update operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
| query | ArkimeQuery | The updated query object |
Delete
Deletes a periodic query.
Endpoint
DELETE - /api/cron/:key
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the delete operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
History
List
Retrieves the history, that is, the list of API requests made by user clients.
Endpoint
GET - /api/histories
Parameters:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| date | number | 1 | The number of hours of data to return (-1 means all data). Defaults to 1. |
| startTime | number | | If the date parameter is not set, this is the start time of data to return. Format is seconds since the Unix epoch. |
| stopTime | number | | If the date parameter is not set, this is the stop time of data to return. Format is seconds since the Unix epoch. |
| searchTerm | string | | The search text to filter the history list by. |
| length | number | 100 | The number of items to return. Defaults to 1,000. |
| start | number | 0 | The entry to start at. Defaults to 0. |
| sortField | string | "timestamp" | The field to sort the results by. |
| desc | string | true | Whether to sort the results descending or ascending. Default is descending. |
| userId | string | | The ID of a user to request history results for. Admin can retrieve all users. Normal users can only retrieve their own. |
Return value

| Name | Type | Description |
| --- | --- | --- |
| data | Array.<History> | The list of history results. |
| recordsTotal | number | The total number of history results stored. |
| recordsFiltered | number | The number of history items returned in this result. |
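As an added example (not code from this page or from Arkime), the block below builds the query for GET /api/histories while keeping the `date` and `startTime`/`stopTime` modes exclusive (the table says the latter only apply when `date` is not set), pages through any of the list endpoints that return `data`/`recordsTotal`/`recordsFiltered` (/api/histories, /api/hunts, /api/files), and reviews the records the way a defender reads an audit trail: requests per user, plus any hunt creation and any deletion of history entries. The History record keys (`userId`, `method`, `api`, `timestamp`), the sample records and the page-serving `fake_fetch` stand-in are all my assumptions and constructions.

```python
from collections import Counter

# Added example, not Arkime project code. History record keys are assumed;
# sample records and the fetch stand-in are constructed for the demo.


def histories_params(hours=1, length=100, start=0, search_term=None,
                     user_id=None, start_time=None, stop_time=None,
                     sort_field="timestamp", desc=True):
    """Build query parameters for GET /api/histories. startTime/stopTime only
    take effect when 'date' is omitted, so the two modes are kept exclusive."""
    params = {"length": length, "start": start, "sortField": sort_field,
              "desc": "true" if desc else "false"}
    if start_time is not None and stop_time is not None:
        params["startTime"], params["stopTime"] = int(start_time), int(stop_time)
    else:
        params["date"] = hours          # -1 returns all stored history
    if search_term:
        params["searchTerm"] = search_term
    if user_id:
        params["userId"] = user_id      # admins only; other users get their own
    return params


def paginate(fetch, length=100):
    """Walk a paged list endpoint by advancing 'start' until the records run
    out; fetch(start=..., length=...) performs the actual request."""
    start = 0
    while True:
        page = fetch(start=start, length=length)
        items = page.get("data", [])
        yield from items
        start += len(items)
        if not items or start >= page.get("recordsTotal", 0):
            return


# Method/endpoint pairs worth a second look: POSTs under /api/hunt (creating a
# hunt or adding users to one) and deletion of the history trail itself.
WATCH = (("POST", "/api/hunt"), ("DELETE", "/api/history/"))


def review_history(records):
    """Count requests per user and flag the watched method/endpoint pairs."""
    per_user = Counter(r.get("userId", "?") for r in records)
    flagged = [(r["userId"], r["method"], r["api"]) for r in records
               if any(r.get("method") == m and r.get("api", "").startswith(p)
                      for m, p in WATCH)]
    return {"per_user": dict(per_user), "flagged": flagged}


# Constructed sample history (assumed record shape), not real viewer output.
SAMPLE_HISTORY = [
    {"timestamp": 1700000000, "userId": "alice", "method": "GET",
     "api": "/api/sessions", "expression": "ip.src == 10.0.0.5"},
    {"timestamp": 1700000060, "userId": "alice", "method": "POST", "api": "/api/hunt"},
    {"timestamp": 1700000120, "userId": "bob", "method": "GET", "api": "/api/connections"},
    {"timestamp": 1700000180, "userId": "bob", "method": "DELETE", "api": "/api/history/abc123"},
    {"timestamp": 1700000240, "userId": "alice", "method": "GET", "api": "/api/files"},
]


def fake_fetch(start, length):
    """Stand-in for the HTTP call: serves SAMPLE_HISTORY in pages."""
    chunk = SAMPLE_HISTORY[start:start + length]
    return {"data": chunk, "recordsTotal": len(SAMPLE_HISTORY), "recordsFiltered": len(chunk)}


if __name__ == "__main__":
    print(histories_params(hours=24, user_id="bob"))
    print(review_history(list(paginate(fake_fetch, length=2))))
```

In a real run, `fetch` wraps the digest-authenticated GET with `histories_params(...)` merged into the query string; the same `paginate` works for /api/files, where the table caps `length` at 10,000.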
Delete
Deletes a history entry (admin only).
Endpoint
DELETE - /api/history/:id
Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| index | string | The OpenSearch/Elasticsearch index that the history item was stored in. |

Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the delete history operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
Hunts
Create
Creates a new hunt.
Endpoint
POST - /api/hunt
Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| See_List | SessionsQuery | This API supports a common set of parameters documented in the SessionsQuery section |
| totalSessions | number | The number of sessions to search. |
| name | string | The name of the hunt (not unique). |
| size | number | The number of packets to search within each session. |
| src | boolean | Whether to search the source packets. Must search src or dst or both. |
| dst | boolean | Whether to search the destination packets. Must search src or dst or both. |
| type | string | Whether to search raw or reassembled packets. |
| search | string | The search text to search for within packets. |
| searchType | string | What type of search the text is. Options include: ascii - search for case insensitive ascii text. asciicase - search for case sensitive ascii text. hex - search for hex text. regex - search for text using safe regex. hexregex - search for text using safe hex regex. |
| notifier | string | The optional notifier name to fire when there is an error, or there are matches (every 10 minutes), or when the hunt is complete. |
| users | string | The comma separated list of users to be added to the hunt so they can view the results. |
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the creation of the hunt was successful. |
| hunt | Hunt | The newly created hunt object. |
| invalidUsers | array | The list of users that could not be added to the hunt because they were invalid or nonexistent. |
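As an added example (not code from this page or from Arkime), the block below assembles the body for POST /api/hunt from the parameter table and rejects the combinations the table rules out before the request is sent: neither `src` nor `dst` selected, an unknown `searchType` or `type`, a hex pattern that is not valid hex, or a regex that does not even compile locally. Whether the viewer expects these values as a JSON body or as query parameters is an assumption to confirm in the browser console; `expression` and `date` are passed through as SessionsQuery parameters, and the sample hunt values are constructed.

```python
import re

# Added example, not Arkime project code. Body-versus-query placement is an
# assumption; sample values are constructed.
SEARCH_TYPES = {"ascii", "asciicase", "hex", "regex", "hexregex"}
PACKET_TYPES = {"raw", "reassembled"}


def hunt_request(name, search, total_sessions, search_type="ascii",
                 packet_type="reassembled", src=True, dst=True, size=50,
                 users=(), notifier=None, **session_query):
    """Return the request body for creating a hunt, refusing inputs the API
    would reject or that would silently search nothing."""
    if not name or not search:
        raise ValueError("name and search text are required")
    if search_type not in SEARCH_TYPES:
        raise ValueError(f"searchType must be one of {sorted(SEARCH_TYPES)}")
    if packet_type not in PACKET_TYPES:
        raise ValueError(f"type must be one of {sorted(PACKET_TYPES)}")
    if not (src or dst):
        raise ValueError("must search src or dst or both")
    if size <= 0 or total_sessions <= 0:
        raise ValueError("size and totalSessions must be positive")
    if search_type == "hex":
        # Normalise '41 75' / '4175' to lowercase hex; bytes.fromhex rejects
        # odd-length or non-hex input with ValueError.
        search = search.replace(" ", "").lower()
        bytes.fromhex(search)
    elif search_type in ("regex", "hexregex"):
        # Catch syntax errors locally; Arkime applies its own "safe regex"
        # limits on top of this.
        re.compile(search)
    body = {
        "name": name,
        "search": search,
        "searchType": search_type,
        "type": packet_type,
        "src": src,
        "dst": dst,
        "size": size,
        "totalSessions": total_sessions,
        "users": ",".join(users),
    }
    if notifier:
        body["notifier"] = notifier
    body.update(session_query)   # SessionsQuery parameters, e.g. expression, date
    return body


if __name__ == "__main__":
    # Constructed example: look for the ASCII bytes of "Authorization" in
    # reassembled client-to-server packets of sessions matching an expression.
    print(hunt_request("basic-auth-check", "41 75 74 68 6f 72 69 7a 61 74 69 6f 6e",
                       total_sessions=500, search_type="hex", dst=False,
                       users=["alice", "bob"], expression="port.dst == 80", date=24))
```

Validating locally matters because a hunt that searches neither direction, or a pattern that never matches, still consumes the packet-scanning budget of every session counted in `totalSessions`.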
List
Retrieves the list of hunts.
Endpoint
GET - /api/hunts
Parameters:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| searchTerm | string | | The search text to search hunt results for. |
| length | number | 10000 | The number of items to return. Defaults to 10000. |
| start | number | 0 | The entry to start at. Defaults to 0 |
| sortField | string | "created" | The field to sort the hunt results by. Defaults to "created". |
| desc | string | false | Whether to sort the results in descending order. Default is ascending. |
| history | string | false | Whether to return only finished hunts. Default is to return queued, paused, and running hunts. |
Return value

| Name | Type | Description |
| --- | --- | --- |
| runningJob | Hunt | If there is a hunt running, returns the currently running hunt object. |
| data | Array.<Hunt> | The list of hunts (either finished or queued/paused/running). |
| recordsTotal | number | The total number of hunts Arkime has. |
| recordsFiltered | number | The number of hunts returned in this result. |
Delete
Deletes a hunt.
Endpoint
DELETE - /api/hunt/:id
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the delete hunt operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
Cancel
Cancels a hunt. Finishes the hunt and moves it into the hunt history.
Endpoint
PUT - /api/hunt/:id/cancel
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the cancel hunt operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
Pause
Pauses a hunt.
Endpoint
PUT - /api/hunt/:id/pause
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the pause hunt operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
Play
Starts (or resumes) a hunt.
Endpoint
PUT - /api/hunt/:id/play
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the play hunt operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
Remove from sessions
Removes the hunt ID and name from the sessions it matched.
Endpoint
PUT - /api/hunt/:id/removefromsessions
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
Update
Updates a hunt; only the description and roles can be updated.
Endpoint
PUT - /api/hunt/:id
Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| hunt | Hunt | The new hunt data |

Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the operation was successful. |
| text | string | The success/error message to (optionally) display to the user. |
Add users
Adds users to a hunt.
Endpoint
POST - /api/hunt/:id/users
Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| users | string | Comma separated list of user ids to add to the hunt. |

Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the add users operation was successful. |
| users | array | The list of users that were added to the hunt. |
| invalidUsers | array | The list of users that could not be added to the hunt because they were invalid or nonexistent. |
Remove user
Removes a user from a hunt.
Endpoint
DELETE - /api/hunt/:id/user/:user
Return value

| Name | Type | Description |
| --- | --- | --- |
| success | boolean | Whether the remove users operation was successful. |
| users | array | The list of users who have access to the hunt. |
| invalidUsers | array | The list of users that could not be removed from the hunt because they were invalid or nonexistent. |
Fields
Gets the available database field objects that relate to sessions.
Endpoint
GET - /api/fields
Parameters:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| array | boolean | false | Whether to return an array of fields, otherwise returns a map |

Return value

| Name | Type | Description |
| --- | --- | --- |
| | array/map | The map or list of database fields |
PCAP files
List
Gets the list of PCAP files Arkime knows about.
Endpoint
GET - /api/files
Parameters:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| length | number | 100 | The number of items to return. Defaults to 500, Max is 10,000 |
| start | number | 0 | The entry to start at. Defaults to 0 |

Return value

| Name | Type | Description |
| --- | --- | --- |
| data | Array | The list of files |
| recordsTotal | number | The total number of files Arkime knows about |
| recordsFiltered | number | The number of files returned in this result |
Size
Retrieves the file size of a PCAP file.
Endpoint
GET - /api/:nodeName/:fileNum/filesize
Return value

| Name | Type | Description |
| --- | --- | --- |
| filesize | number | The size of the file ( |
Value actions
List
Retrieves the actions that can be performed on metadata values.
Endpoint
GET - /api/valueactions
Return value

| Name | Type | Description |
| --- | --- | --- |
| | object | The list of actions that can be performed on data values. |
Field actions
List
Retrieves the actions that can be performed on fields.
Endpoint
GET - /api/fieldactions