This repository has been archived by the owner on May 23, 2019. It is now read-only.
CIF Manpage
Wes edited this page Oct 26, 2015
cif
$ cif [--config] [--remote] [--token] [-q] [--limit] [--feed] [--format] example.org
$ cif --otype ipv4 --format csv --feed
$ cif --otype ipv4 --format bro --feed
cif is a command-line client for the Collective Intelligence Framework (CIF). It queries the router for observables, generates deduplicated and whitelisted data feeds, and submits new data.
Options:
-q, --query=STRING specify a search
--id STRING specify an id to retrieve
-f, --format=FORMAT specify the output format (Table, CSV, Json, Snort, Bro, default: table)
-l, --limit=INT specify a return limit (default set at router)
-s, --submit submit data via STDIN (json keypairs)
-h, --help this message
Filters:
-c, --confidence=INT by confidence (greater or equal to)
-n, --nolog do not log the query
--tags=STRING,STRING by tags (scanner,hijacked,botnet, ...)
--description=STRING by description
--cc=STRING,STRING by country codes (RU,US, ...)
--asn=INT,INT by asns (1234,2445, ...)
--otype=STRING,STRING by observable type (ipv4,fqdn,url, ...)
--provider=STRING,STRING by provider (spamhaus.org,dragonresearchgroup.org, ...)
--application=STRING filter based on the application field
--rdata=STRING by rdata
--group=STRING by groups (everyone,group1,group2, ...)
--lasttime=STRING specify filter based on lasttime timestamp (less than, format: YYYY-MM-DDTHH:MM:SSZ)
--firsttime=STRING specify filter based on firsttime timestamp (greater than, format: YYYY-MM-DDTHH:MM:SSZ)
--reporttime=STRING specify filter based on reporttime timestamp (greater than, format: YYYY-MM-DDTHH:MM:SSZ)
--reporttime-end=STRING specify filter based on reporttime timestamp (less than, format: YYYY-MM-DDTHH:MM:SSZ)
--today auto-sets reporttime to today, 00:00:00Z (UTC)
--last-hour auto-sets reporttime to the beginning of the previous full hour
and reporttime-end to end of previous full hour
--last-day auto-sets reporttime to 23 hours and 59 seconds ago (current time UTC)
and reporttime-end to "now"
--days number of days to go back
--feed generate a feed of data, meaning deduplicated and whitelisted
--whitelist-confidence=INT by confidence (greater or equal to) (default 25)
--whitelist-limit=INT specify a return limit of generated whitelist (default 50000)
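The --today, --last-hour and --last-day shortcuts are resolved against the wall clock at the moment cif runs, so two runs of the same command line never cover the same window. For scheduled jobs it is usually better to compute the window yourself and pass --reporttime/--reporttime-end explicitly, which makes a run reproducible (and re-runnable after an outage). The following is an added example, not part of the CIF project: it reproduces the three windows as the option descriptions above define them from a caller-supplied UTC instant, and assembles the matching cif argv. The SAMPLE_NOW instant is constructed; cif itself is not executed.

```python
"""Explicit reporttime windows for cif queries (added example, not CIF code).

Reproduces the windows that --today, --last-hour and --last-day stand for,
as described in the manpage, from a caller-supplied UTC instant, and builds
the cif argv that pins that window with --reporttime/--reporttime-end.
"""
from datetime import datetime, timedelta, timezone

TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the format the *time filters accept

# Constructed reference instant used by the examples and tests below.
SAMPLE_NOW = datetime(2015, 10, 26, 13, 27, 5, tzinfo=timezone.utc)


def _utc(now):
    # The filters are UTC ("Z"). A naive local datetime would silently shift
    # the window by the host's UTC offset, so refuse it instead of guessing.
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    return now.astimezone(timezone.utc)


def _fmt(ts):
    return ts.strftime(TIMESTAMP_FMT)


def today_window(now):
    """--today: reporttime = today 00:00:00Z, no reporttime-end."""
    now = _utc(now)
    start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return _fmt(start), None


def last_hour_window(now):
    """--last-hour: the previous full clock hour.

    At 13:27:05Z this is 12:00:00Z .. 12:59:59Z, not "the last 60 minutes".
    """
    now = _utc(now)
    this_hour = now.replace(minute=0, second=0, microsecond=0)
    return _fmt(this_hour - timedelta(hours=1)), _fmt(this_hour - timedelta(seconds=1))


def last_day_window(now):
    """--last-day, literally as the manpage words it: 23 hours and 59 seconds
    ago (UTC) up to "now"."""
    now = _utc(now)
    return _fmt(now - timedelta(hours=23, seconds=59)), _fmt(now)


def build_argv(otype, confidence, window, output_format="csv", feed=True, tags=()):
    """Assemble the cif command line for a pinned window.

    The access token is deliberately left to ~/.cif.yml (or -C): a --token on
    the command line is visible in process listings and shell history.
    """
    start, end = window
    argv = ["cif", "--otype", otype, "-c", str(confidence),
            "-f", output_format, "--reporttime", start]
    if end is not None:
        argv += ["--reporttime-end", end]
    if tags:
        argv += ["--tags", ",".join(tags)]
    if feed:
        argv.append("--feed")
    return argv


if __name__ == "__main__":
    import shlex
    # Equivalent of: cif --feed --otype ipv4 -c 85 -f csv --last-hour --tags scanner
    print(shlex.join(build_argv("ipv4", 85, last_hour_window(SAMPLE_NOW), tags=("scanner",))))
```

Note that --last-hour is aligned to clock hours: a job started at 13:27Z queries 12:00:00Z to 12:59:59Z, so a cron entry that runs a few minutes past the hour covers each hour exactly once, while --last-day is a sliding window anchored to the current time.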
Advanced Options:
-C, --config=STRING specify a config file
-d, --debug print debug output to stdout
-p, --ping ping the router for testing connectivity
-T, --token=STRING specify an access token
-R, --remote=STRING specify the remote, default: https://localhost
-v, --verbosity -v (level 1) through -vvvvvv (level 6)
--no-verify-ssl turn off SSL/TLS certificate verification (for testing only: without verification, anyone in the network path can impersonate the router and read the access token)
Formatting Options:
--sortby sort output, default: lasttime
--sortby-direction sortby direction, default: asc
--aggregate aggregate output based on field (ie: observable)
--fields specify output fields [default: tlp,group,reporttime,observable,cc,asn,confidence,tags,description,rdata,provider,altid_tlp,altid]
Ping Options:
--ttl=INT specify number of pings to send, default: 4
(0 infinite, halt with SIGINT or CTRL+C)
~/.cif.yml
$ cif -q 130.201.0.2
$ cif -q 130.201.0.0/16
$ cif -q 2001:4860:4860::8888
$ cif -q example.com
$ cif -q 'http://www.example.com'
$ cif -q 'john@example.com'
$ cif -q bf9d457bcd702fe836201df1b48c0bec
$ cif --tags botnet,zeus -c 85
$ cif --application vnc,ssh --asn 1234 --cc RU,US
$ cif -q example.com --tags botnet,zeus -c 85 --limit 50
$ cif --otype ipv4 --aggregate observable --today
$ cif --feed --otype ipv4 -c 85 -f csv
$ cif --feed --otype fqdn -c 95 --tags botnet -f csv
$ cif --feed --otype url -c 75 --today -f csv
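A feed such as `cif --feed --otype ipv4 -c 85 -f csv` is typically piped into a firewall or DNS blocklist, and the CSV should be treated as untrusted input on the way there: descriptions may contain commas and quotes, and a malformed or out-of-type observable must not end up in a block rule. The following is an added example, not CIF project code, that parses a feed using the default --fields order listed under Formatting Options and emits a deduplicated IPv4 blocklist. It assumes the CSV columns follow that default order; whether cif emits a header row is not stated on this page, so both cases are handled. The SAMPLE_CSV feed is constructed, not real CIF output, and the never_block ranges stand for an operator's own address space.

```python
"""Turn a `cif --feed --otype ipv4 -f csv` result into an IPv4 blocklist.

Added example, not part of the CIF project. Assumes the column order of the
default --fields list from the manpage; a header row is optional.
"""
import csv
import io
import ipaddress

# Default --fields order from the manpage (assumed to be the CSV column order).
DEFAULT_FIELDS = ["tlp", "group", "reporttime", "observable", "cc", "asn",
                  "confidence", "tags", "description", "rdata", "provider",
                  "altid_tlp", "altid"]

# Constructed sample feed (not real cif output). Row 1 shows why a real CSV
# parser is needed: the description contains a comma inside quotes.
SAMPLE_CSV = """tlp,group,reporttime,observable,cc,asn,confidence,tags,description,rdata,provider,altid_tlp,altid
amber,everyone,2015-10-26T12:05:00Z,192.0.2.10,US,64496,95,"scanner,ssh","ssh brute force, repeated",,example.org,,
amber,everyone,2015-10-26T12:10:00Z,192.0.2.10,US,64496,85,scanner,ssh scanner,,example.org,,
green,everyone,2015-10-26T12:11:00Z,198.51.100.0/24,RU,64497,90,botnet,c2 range,,example.org,,
green,everyone,2015-10-26T12:12:00Z,not-an-ip,,,99,botnet,malformed row,,example.org,,
amber,everyone,2015-10-26T12:13:00Z,203.0.113.7,US,64498,60,scanner,low confidence,,example.org,,
amber,everyone,2015-10-26T12:14:00Z,203.0.113.50,US,64498,90,scanner,inside our own range,,example.org,,
green,everyone,2015-10-26T12:15:00Z,2001:db8::1,,,90,botnet,wrong observable type,,example.org,,
"""


def parse_feed(text):
    """Parse CSV feed text into dicts keyed by field name."""
    rows = [r for r in csv.reader(io.StringIO(text)) if any(r)]
    if not rows:
        return []
    if "observable" in rows[0]:          # header row present: use its names
        header, rows = rows[0], rows[1:]
    else:                                # headerless: assume the default order
        header = DEFAULT_FIELDS
    return [dict(zip(header, r)) for r in rows]


def ipv4_blocklist(text, min_confidence, never_block=()):
    """Return (accepted, rejected, suppressed).

    accepted:   sorted, deduplicated IPv4 hosts/prefixes at or above min_confidence
    rejected:   observables that are not valid IPv4 (should not occur with
                --otype ipv4, but a block rule must never depend on that)
    suppressed: valid entries overlapping a never_block range (your own space)
    """
    guard = [ipaddress.ip_network(n) for n in never_block]
    best = {}          # network -> highest confidence seen (dedup across rows)
    rejected, suppressed = [], []
    for rec in parse_feed(text):
        obs = rec.get("observable", "").strip()
        try:
            net = ipaddress.ip_network(obs, strict=False)
            conf = float(rec.get("confidence") or 0)
        except ValueError:
            rejected.append(obs)
            continue
        if net.version != 4:
            rejected.append(obs)
            continue
        if conf < min_confidence:        # server already filtered; re-check anyway
            continue
        if any(net.overlaps(g) for g in guard):
            suppressed.append(obs)
            continue
        best[net] = max(best.get(net, 0.0), conf)
    accepted = [str(n.network_address) if n.prefixlen == 32 else str(n)
                for n in sorted(best)]
    return accepted, rejected, suppressed


if __name__ == "__main__":
    # Usage with a live feed: cif --feed --otype ipv4 -c 85 -f csv | python3 this.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    ok, bad, skipped = ipv4_blocklist(data, 85, never_block=("203.0.113.0/24",))
    print("\n".join(ok))
    for o in bad:
        print("rejected:", o, file=sys.stderr)
    for o in skipped:
        print("suppressed (never_block):", o, file=sys.stderr)
```

The never_block list is a local safeguard on top of the router-side whitelist that --feed applies: the router's whitelist does not know your address space, and a single bad row with high confidence is enough to blackhole your own infrastructure if the feed is applied unchecked.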