💡
Analyzes the IP addresses and domain names seen in outbound access from an office or production network, and uses the decision rules to determine whether each IP or domain is malicious, together with its risk severity level and confidence level. It identifies remote-control (C2), malware and mining-pool threats and returns the related security events or group labels.

Request

Request method

Request address                                               Request method
https://t.ruhr/api/threat_intelligence/intrusion_detection    POST, GET

Description of request parameters

Parameter Name   Type     Description                                           Required
access_key       string   The identifier of the API request (your access key)   true
resource         string   The IP address or domain name to look up              true

Response

Description of response parameters

Parameter Name     Type      Description
success            boolean   A normal response returns true
date               string    Time the intelligence was last updated
is_malicious       boolean   Whether the IP or domain is malicious: true for malicious, false for non-malicious
confidence_level   number    Confidence. The degree of confidence that the resource is malicious, derived from the intelligence sources and the credibility model: 1 (low), 2 (medium) or 3 (high)
severity           string    Severity level. The degree of danger indicated by the intelligence, one of five values: critical, high, medium, low and info
tags_classes       array     Related attack groups or security events, a JSON array whose items contain the following fields:
  • tags_type   tag category, e.g. "industry", "gangs", "virus_family", etc.
  • tags        specific attack-group or security-event tags, e.g. APT, Sea Lotus (OceanLotus), etc.
judgments          array     Threat types extracted from the overall threat-intelligence determination, a JSON array of strings.
  1. Types this interface judges as malicious include:
    • Spam          spam
    • Zombie        puppet machine
    • Scanner       scanning
    • Exploit       vulnerability exploitation
    • Botnet        botnet
    • Suspicious    suspicious
    • Brute Force   brute force
      Brute Force has related subclasses; see "Threat Type Complete" for a description.
  2. Types this interface judges as non-malicious include:
    • Whitelist     whitelist
    • Info          basic information
categories         map       Domain categories, a JSON object with the following fields:
  • first_cats    first-level categories, an array
  • second_cats   second-level category, a string
rank               object    The domain's ranking information, a JSON object with the following fields:
  • alexa_rank      Alexa rank, a JSON object with the following field:
    • global_rank   current Alexa global rank, an integer. Only ranks within the top 1,000,000 are recorded; a rank beyond 1,000,000 is not counted and is returned as -1
  • umbrella_rank   Umbrella (Cisco Umbrella) rank, a JSON object with the same fields as alexa_rank

Request Example

The T.ruhr API can be called from cURL, Python, PHP, Java and Go. Taking Python as an example:

import requests

url = "https://t.ruhr/api/threat_intelligence/intrusion_detection"

query = {
    "access_key": "<YOUR-ACCESS-KEY>",
    "resource": "0.0.0.0"
}

# The access key travels in the query string, so it will show up in proxy and
# server logs; treat it like a password and never commit it to source control.
response = requests.get(url, params=query, timeout=10)
response.raise_for_status()  # fail loudly on HTTP errors instead of parsing an error page

print(response.json())

Please replace <YOUR-ACCESS-KEY> with your access key.

or cURL:

curl -v -X GET \
  'https://t.ruhr/api/threat_intelligence/intrusion_detection?access_key=<YOUR-ACCESS-KEY>&resource=0.0.0.0'

Please replace <YOUR-ACCESS-KEY> with your access key.

or PHP:

<?php

// get cURL resource
$ch = curl_init();

// set url
curl_setopt($ch, CURLOPT_URL, "https://t.ruhr/api/threat_intelligence/intrusion_detection?access_key=<YOUR-ACCESS-KEY>&resource=0.0.0.0");
// set method
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET');
// return the transfer as a string
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

// send the request and save response to $response
$response = curl_exec($ch);

header("Content-Type: text/plain");
if ($response !== false) {
    echo 'HTTP Status Code: ' . curl_getinfo($ch, CURLINFO_HTTP_CODE) . PHP_EOL;
    echo 'Response Body: ' . $response . PHP_EOL;
} else {
    echo 'Error: "' . curl_error($ch) . '" - Code: ' . curl_errno($ch) . PHP_EOL;
}

// close curl resource to free up system resources
curl_close($ch);

Please replace <YOUR-ACCESS-KEY> with your access key.

or Java:

import java.io.IOException;
import org.apache.http.client.fluent.*;

public class IntrusionDetection
{
  public static void main(String[] args) {
    sendRequest();
  }

  private static void sendRequest() {

    // threat_intelligence/intrusion_detection (GET)

    try {

      // Create request
      Content content = Request.Get("https://t.ruhr/api/threat_intelligence/intrusion_detection?access_key=<YOUR-ACCESS-KEY>&resource=0.0.0.0")

      // Execute request and return content
      .execute().returnContent();

      // Print content
      System.out.println(content);
    }
    catch (IOException e) { System.out.println(e); }
  }
}

Please replace <YOUR-ACCESS-KEY> with your access key.

or Go:

package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
)

func main() {

    url := "https://t.ruhr/api/threat_intelligence/intrusion_detection?access_key=<YOUR-ACCESS-KEY>&resource=0.0.0.0"

    req, err := http.NewRequest("GET", url, nil)
    if err != nil {
        log.Fatal(err)
    }

    res, err := http.DefaultClient.Do(req)
    if err != nil {
        log.Fatal(err)
    }
    defer res.Body.Close()

    // io.ReadAll replaces the deprecated ioutil.ReadAll (Go 1.16+)
    body, err := io.ReadAll(res.Body)
    if err != nil {
        log.Fatal(err)
    }

    fmt.Println(res.Status)
    fmt.Println(string(body))

}

Please replace <YOUR-ACCESS-KEY> with your access key.

Sample response (JSON)

{
    "success": true,
    "date": "2025-01-01 08:00:00",
    "is_malicious": true,
    "confidence_level": 3,
    "severity": "medium",
    "tags_classes": [
        {
            "tags_type": "industry",
            "tags": [
                "Finance"
            ]
        },
        {
            "tags_type": "basic",
            "tags": [
                "APT"
            ]
        }
    ],
    "judgments": [
        "Malware",
        "C2"
    ],
    "categories": {
        "first_cats": ["Other", "Other"],
        "second_cats": "Other"
    },
    "rank": {
        "alexa_rank": {
            "global_rank": 4
        },
        "umbrella_rank": {
            "global_rank": -1
        }
    }
}

This JSON data is only a demo and does not represent the actual request output.
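A triage routine that consumes the response fields described above (success, is_malicious, confidence_level, severity, judgments, tags_classes and rank) and turns each lookup into an action. This is an added example, not T.ruhr code: the action names, the thresholds and the embedded sample responses are this example's own constructed assumptions (only the first sample mirrors the demo JSON above), so it runs offline. In practice `resp` would be the `response.json()` returned by one of the request examples.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any

# Severity order used by the API: info is lowest, critical is highest.
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# judgments values the page documents as non-malicious.
BENIGN_JUDGMENTS = {"Whitelist", "Info"}


@dataclass
class Verdict:
    resource: str
    action: str  # "block", "alert", "review", "allow" or "unknown" (this example's names)
    reasons: list[str] = field(default_factory=list)
    tags: dict[str, list[str]] = field(default_factory=dict)


def flatten_tags(tags_classes: list[dict[str, Any]] | None) -> dict[str, list[str]]:
    """Collapse tags_classes into {tags_type: [tag, ...]} for easy lookup."""
    out: dict[str, list[str]] = {}
    for item in tags_classes or []:
        out.setdefault(item.get("tags_type", "unknown"), []).extend(item.get("tags", []))
    return out


def triage(resource: str, resp: dict[str, Any], min_confidence: int = 2) -> Verdict:
    """Map one intrusion_detection response to an action.

    Policy (an assumption of this example, not something the API documents): a failed
    lookup is "unknown", never "clean"; "Whitelist" always wins; confidence below the
    threshold goes to "review"; high/critical severity is blocked and lower severity
    only alerts; a block on a top-1000 Alexa domain is downgraded to "review" because
    blocking shared infrastructure causes collateral damage.
    """
    v = Verdict(resource=resource, action="unknown")
    if not resp.get("success"):
        v.reasons.append("lookup did not succeed")
        return v

    judgments = set(resp.get("judgments") or [])
    v.tags = flatten_tags(resp.get("tags_classes"))
    if "Whitelist" in judgments or not resp.get("is_malicious"):
        v.action = "allow"
        v.reasons.append("judged Whitelist" if "Whitelist" in judgments else "not malicious")
        return v

    sev = SEVERITY_ORDER.get(str(resp.get("severity", "info")).lower(), 0)
    conf = int(resp.get("confidence_level") or 0)
    v.reasons.append(f"malicious: severity={resp.get('severity')} confidence={conf}")
    v.reasons.extend(f"judgment: {j}" for j in sorted(judgments - BENIGN_JUDGMENTS))

    if conf < min_confidence:
        v.action = "review"
        v.reasons.append(f"confidence {conf} below threshold {min_confidence}")
    elif sev >= SEVERITY_ORDER["high"]:
        v.action = "block"
    else:
        v.action = "alert"

    # global_rank of -1 means "not ranked" (outside the top 1,000,000), so it never counts.
    rank = ((resp.get("rank") or {}).get("alexa_rank") or {}).get("global_rank", -1)
    if v.action == "block" and rank != -1 and rank <= 1000:
        v.action = "review"
        v.reasons.append(f"alexa global_rank {rank}: likely shared infrastructure")
    return v


# Constructed sample responses so the demo runs offline; the first mirrors the page's demo JSON.
DEMO_RESPONSES: dict[str, dict[str, Any]] = {
    "198.51.100.10": {
        "success": True, "date": "2025-01-01 08:00:00", "is_malicious": True,
        "confidence_level": 3, "severity": "medium",
        "tags_classes": [{"tags_type": "industry", "tags": ["Finance"]},
                         {"tags_type": "basic", "tags": ["APT"]}],
        "judgments": ["Malware", "C2"],
        "categories": {"first_cats": ["Other", "Other"], "second_cats": "Other"},
        "rank": {"alexa_rank": {"global_rank": 4}, "umbrella_rank": {"global_rank": -1}},
    },
    "203.0.113.7": {"success": True, "is_malicious": True, "confidence_level": 3,
                    "severity": "critical", "judgments": ["Botnet"],
                    "rank": {"alexa_rank": {"global_rank": -1}}},
    "cdn.example": {"success": True, "is_malicious": True, "confidence_level": 1,
                    "severity": "high", "judgments": ["Suspicious"]},
    "update.example": {"success": True, "is_malicious": True, "confidence_level": 3,
                       "severity": "critical", "judgments": ["Exploit"],
                       "rank": {"alexa_rank": {"global_rank": 120}}},
    "mail.example": {"success": True, "is_malicious": False, "judgments": ["Whitelist"]},
    "192.0.2.9": {"success": False},
}


def triage_all(responses: dict[str, dict[str, Any]]) -> dict[str, str]:
    """Return {resource: action} for a batch of responses."""
    return {r: triage(r, resp).action for r, resp in responses.items()}


if __name__ == "__main__":
    for r, resp in DEMO_RESPONSES.items():
        v = triage(r, resp)
        print(f"{r:16} {v.action:8} {'; '.join(v.reasons)}")
```

Two details matter in production use: a response with `success` false must not be treated as a clean result, and `global_rank` of -1 is "not ranked", not "rank -1", so it is excluded before any popularity check. The demo response from the page lands on "alert" rather than "block" because its severity is medium, even though confidence is 3.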