Spamhaus SIA API

H077E · March 24, 2023, 1:04pm

Hi folks,

i want to integrate IP reputation into Graylog via Spamhaus SIA API (Spamhaus Intelligence API (SIA) — Spamhaus Technology Documentation 2.0 documentation).
Anyone have experience with it?
The problem is that the token has to be requested via post-request and the running time is limited to 24 hours. Then the token has expired and a new post request is required.
An HTTP-JSON data adapter with a static header field is not usable.

My only idea is to set up a separate API JSON server. The server pulls the complete Spamhaus XBL records and creates a JSON dataset. I then use an HTTP-JSON data-adapter to query my local API. But, that’s not cool.

gsmith · March 25, 2023, 3:00am

Hey @H077E

I havent used HTTP-JSON data adapter, but as for a token have you tried to create a service user account and/or Trusted Header Authentication? if so does that only last for 24 housr?

H077E · March 25, 2023, 5:02pm

Hey @gsmith,

Your suggestion is good.
Unfortunately, Spamhaus SIA doesn’t work that way. There is no traditional way to save a token in a service account.

First step is, generate an auth token (from Spamhaus tech-docs):

To access the API, every request requires a proper Authorization header containing a specific token. Therefore, to get SIA access, you must pass the authentication stage.
To fetch your temporary token, send a request to the Login API, which you can access by sending a POST request to the /api/v1/login endpoint.
The POST payload should include a JSON object containing the username and the password, as set up in the customer portal, as the following example shows:

curl -s -d '
    {
	"username":"test@example.com",
	"password":"m4g1c",
	"realm":"intel"
    }' https://api.spamhaus.org/api/v1/login

In the case of success, the HTTP status code will be 200 and the body will contain a JSON object similar to the following one:

{
  "code": 200,
  "token": "eyJ0eXAi[......]dx2UTSGcyEKvU",
  "expires": 1583252180
}

The successful JSON response object will include an “expires” integer field detailing the Unix timestamp of when the token will expire. Usually, each token is valid for 24 hours.

The challenge is to request only one auth token within 24 hours. (or something requests more)
Otherwise I will be blocked for breaking the rules. e.g. DoS protection policy

Now, i can send a query to the Spamhaus SIA API:

curl -s https://api.spamhaus.org/api/intel/v1/byobject/cidr/XBL/listed/live/<IP Address> -H 'Authorization: Bearer <AUTH TOKEN>'

I guess now, the best solution is to develop a plugin or my dirty solution using a JSON server

gsmith · March 27, 2023, 9:13pm

I understand now…That sucks.

You may have to not sure if yo seen this.

GitHub - Graylog2/graylog-project: Packaging/development helper for Graylog

H077E · March 28, 2023, 8:09am

Thank you for sharing. That’s great.
I’m looking for a Java developer in my company first

My idea for the plugin data adapter form (UI):

Title
Description
Name
Username
Password
Realm
selection list for datasets (e.g. XBL, CSS, BCL, ALL)
Limits (query results range 1 - 2000)
Since (results with a timestamp greater than or equal to ‘since’)

In the plugin background function, an access token is created or renewed within 24 hours.
The current token is used dynamically for the API requests.
Then a lookup in the pipeline rule. In case of a detection, a field XY is set.

When I read that, I think it belongs in the ThreatIntel plugin

system · April 11, 2023, 8:10am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.