You can use HTTP GET to get recent hijacking alarms (or anomalous). The HTTP response message contains information of the hijacking alarms (or anomalous UPDATEs), formatted in json. For each entry, the following attributes are given:
- timestamp: the start time (UNIX timestamp) of the hijacking event.
- prefix: the hijacked IP prefix.
- bad_path_segment: the anomalous AS neighbor (or policy), it is empty if the hijacking update has an anomalous origin AS.
- bad_origin: the anomalous origin AS, it is empty if the hijacking update does not have an anomalous origin.
- origin: the regular origin AS, it is empty if the hijacking update does not have an anomalous origin.
- uri: the resource uri of the detail information about this hijacking/anomaly event.
- /api/alarms/ returns recent 10 hijacking alarms,
- /api/anomalous/ returns recent 10 anomalous UPDATEs.
- /api/alarms/100,123/ returns 23 hijacking alarms,
- /api/anomalous/200,234/ returns 34 anomalous UPDATEs.
Attention: each IP address can only access these APIs 1/second!
You can also subscribe our hijacking alarms. Every time there is a hijacking alarm, Argus will notify all subscribers via HTTP POST. In this case, you need to keep listening on port 80 in your server. The POST data is also formatted in json and has six fields for each hijacking alarm: timestamp, prefix, origin, bad_origin, bad_path_segment, url.
To subscribe our alarms, you need to provide the following information to us:
- Your name
- Your affiliation
- The url of your API
- something about your project