This repository has been archived by the owner on May 23, 2019. It is now read-only.

Exploring the file system

Gabriel Iovino edited this page Aug 25, 2015 · 9 revisions

This page will help you understand where the important files are for your CIF installation.

Find the CIF binaries on the system

$ ls -l /usr/local/bin/ | grep cif
-r-xr-xr-x 1 root root  6672 Nov 29 16:14 cif
$ ls -l /opt/cif/bin/
-r-xr-xr-x 1 root root 1090 Nov 29 16:17 cif.psgi
-r-xr-xr-x 1 root root 4762 Nov 29 16:17 cif-router
-r-xr-xr-x 1 root root 9478 Nov 29 16:17 cif-smrt
-r-xr-xr-x 1 root root 5396 Nov 29 16:17 cif-tokens
-r-xr-xr-x 1 root root 6770 Nov 29 16:17 cif-worker

Find the CIF init.d scripts

$ ls /etc/init.d/ | grep cif
cif-router
cif-services
cif-smrt
cif-starman
cif-worker

Explore the CIF configuration files on the system

[/etc/cif/]

$ ls -l /etc/cif/
-rw-rw---- 1 cif  cif   144 Jul  9 12:35 cif-smrt.yml
-rw-r--r-- 1 root root  190 Jul  8 17:23 cif-starman.conf
-rw-rw---- 1 cif  cif   117 Jul  8 17:23 cif-worker.yml
drwxrwx--- 5 cif  cif  4096 Jul  8 17:23 rules
$ cat /etc/cif/cif-smrt.yml 
---
client:
  remote: http://localhost:5000
  token: <value>
$ cat /etc/cif/cif-worker.yml 
---
client:
  remote: tcp://localhost:4961
  token: <value>

[/etc/default/]

$ ls -al /etc/default/ | grep cif
-rw-r--r--   1 root root  377 Mar  4 12:22 cif
$ cat /etc/default/cif
# Directory where the binary distribution resides
CIF_HOME=/opt/cif

PATH=$CIF_HOME/bin:$PATH

if [ -d /opt/cif/lib/perl5 ]; then
    export PERL5LIB=/opt/cif/lib/perl5
fi

# Run as this user ID and group ID
CIF_USER=cif
CIF_GROUP=cif

# data directory
DATA_DIR=/var
LOG_DIR=/var/log

# configuration directory
CONF_DIR=/etc/cif

# add -d to turn on debugging
CIF_DEBUGGING=""

[/home/<user>/]

$ ls -al /home/<user>/ | grep cif
-rw-rw---- 1 <user> <user>  133 Nov 29 16:19 .cif.yml
$ cat /home/<user>/.cif.yml 
---
client:
  no_verify_ssl: 1
  remote: https://localhost
  token: <value>

Note that no_verify_ssl: 1 turns off TLS certificate verification in the cif client. That is tolerable here only because the remote is https://localhost on the same host (the default install uses a self-signed certificate); do not copy this setting into a client config that points at a CIF instance across the network, since the token would then be sent to an unauthenticated endpoint.

[/home/cif/]

$ ls -l /home/cif/.profile 
-rw-r--r-- 1 cif cif 746 Nov 29 16:19 /home/cif/.profile
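The listings above show the security-relevant property of these files: every YAML that carries a token is owned by cif:cif (or by the user) with mode 0660, while the only root-owned 0644 file, cif-starman.conf, carries no token. The following added example (not part of the CIF project) turns that check, plus the no_verify_ssl caveat, into a small audit that can be pointed at /etc/cif/cif-smrt.yml, /etc/cif/cif-worker.yml and /home/<user>/.cif.yml. It deliberately uses line-oriented regular expressions rather than a YAML parser so it needs nothing outside the standard library; the three sample files it creates in a temporary directory are constructed for the demo, and their names are assumptions.

```python
"""Audit CIF client config files for two weaknesses visible in the
file-system tour: a token-bearing YAML readable by users outside its
owner and group, and no_verify_ssl set for a remote that is not loopback.

Added example, not the CIF project's own code.  The files built by
demo() are constructed samples in a temporary directory; on a real host
call audit_cif_configs() with the real paths instead."""
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Line-oriented checks; the CIF client files are short, flat YAML.
TOKEN_RE = re.compile(r"^\s*token:\s*\S", re.M)
NO_VERIFY_RE = re.compile(r"^\s*no_verify_ssl:\s*(1|true)\b", re.M | re.I)
REMOTE_RE = re.compile(r"^\s*remote:\s*(\S+)", re.M)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_cif_config(path):
    """Return a list of finding strings for one client YAML file."""
    findings = []
    st = os.stat(path)
    with open(path) as f:
        text = f.read()

    # A token is a credential: it must not be readable by 'other'.
    if TOKEN_RE.search(text) and st.st_mode & stat.S_IROTH:
        findings.append("token file world-readable: %s (mode %o)"
                        % (path, stat.S_IMODE(st.st_mode)))

    # Disabling certificate verification is only defensible for loopback.
    m = REMOTE_RE.search(text)
    host = urlparse(m.group(1)).hostname if m else None
    if NO_VERIFY_RE.search(text) and host not in LOOPBACK:
        findings.append("no_verify_ssl set for non-loopback remote %s: %s"
                        % (host, path))
    return findings


def audit_cif_configs(paths):
    """Audit several files and concatenate their findings."""
    out = []
    for p in paths:
        out.extend(audit_cif_config(p))
    return out


def demo():
    """Create three constructed sample configs and audit them.

    Expected: one finding for bad-perm.yml (mode 0644 with a token) and
    one for bad-tls.yml (no_verify_ssl against a non-loopback remote);
    cif-smrt.yml mirrors the page's 0660 file and is clean."""
    d = tempfile.mkdtemp()
    samples = {
        "cif-smrt.yml": (
            "---\nclient:\n  remote: http://localhost:5000\n  token: abc\n",
            0o660),
        "bad-perm.yml": (
            "---\nclient:\n  remote: http://localhost:5000\n  token: abc\n",
            0o644),
        "bad-tls.yml": (
            "---\nclient:\n  no_verify_ssl: 1\n"
            "  remote: https://cif.example.net\n  token: abc\n",
            0o600),
    }
    paths = []
    for name, (body, mode) in samples.items():
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(body)
        os.chmod(p, mode)
        paths.append(p)
    return audit_cif_configs(paths)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The group bit is intentionally not flagged: on this install the cif group is the mechanism by which cif-smrt and cif-worker share the files, so 0660 cif:cif is the expected state, and only the 'other' read bit is treated as a finding.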

List the preconfigured OSINT rules

$ ls -l /etc/cif/rules/default/
-rw-rw---- 1 cif cif  589 Nov 29 16:19 00_whitelist.yml
-rw-rw---- 1 cif cif  266 Nov 29 16:19 1d4_us.yml
-rw-rw---- 1 cif cif  615 Nov 29 16:19 alexa.yml
-rw-rw---- 1 cif cif  721 Nov 29 16:19 alienvault.yml
-rw-rw---- 1 cif cif  479 Nov 29 16:19 aper.yml
-rw-rw---- 1 cif cif  294 Nov 29 16:19 arbor.yml
-rw-rw---- 1 cif cif  441 Nov 29 16:19 bambenekconsulting_com.yml
-rw-rw---- 1 cif cif  309 Nov 29 16:19 botscout.yml
-rw-rw---- 1 cif cif  321 Nov 29 16:19 bruteforceblocker.yml
-rw-rw---- 1 cif cif  903 Nov 29 16:19 cleanmx.cfg
-rw-rw---- 1 cif cif  260 Nov 29 16:19 crimetracker_net.yml
-rw-rw---- 1 cif cif  449 Nov 29 16:19 drg.yml
-rw-rw---- 1 cif cif  482 Nov 29 16:19 feodotracker.yml
-rw-rw---- 1 cif cif  333 Nov 29 16:19 haleys_org.yml
-rw-rw---- 1 cif cif  444 Nov 29 16:19 isc_sans_edu.yml
-rw-rw---- 1 cif cif  602 Nov 29 16:19 malc0de.yml
-rw-rw---- 1 cif cif  261 Nov 29 16:19 malekal.yml
-rw-rw---- 1 cif cif 1309 Nov 29 16:19 malwaredomainlist.cfg
-rw-rw---- 1 cif cif  813 Nov 29 16:19 malwaredomains.yml
-rw-rw---- 1 cif cif  330 Nov 29 16:19 mirc.yml
-rw-rw---- 1 cif cif  279 Nov 29 16:19 nothink_org.yml
-rw-rw---- 1 cif cif  216 Nov 29 16:19 openphish.yml
-rw-rw---- 1 cif cif  469 Nov 29 16:19 phishtank.yml
-rw-rw---- 1 cif cif  805 Nov 29 16:19 shadowserver.cfg
-rw-rw---- 1 cif cif  390 Nov 29 16:19 spamhaus.yml
-rw-rw---- 1 cif cif 1072 Nov 29 16:19 spyeyetracker.yml
-rw-rw---- 1 cif cif  266 Nov 29 16:19 sshbl.yml
-rw-rw---- 1 cif cif  489 Nov 29 16:19 threatexpert.cfg
-rw-rw---- 1 cif cif 1068 Nov 29 16:19 zeustracker.yml
$ sudo cat /etc/cif/rules/default/drg.yml

parser: pipe
defaults:
  tags: scanner
  protocol: tcp
  provider: dragonresearchgroup.org
  altid_tlp: green
  tlp: amber
  confidence: 85
  values:
    - asn
    - asn_desc
    - observable
    - lasttime
    - null
feeds:
  ssh:
    remote: http://dragonresearchgroup.org/insight/sshpwauth.txt
    application: ssh
    portlist: 22
  vnc:
    remote: http://dragonresearchgroup.org/insight/vncprobe.txt
    application: vnc
    portlist: 5900-5904
$ ls -l /etc/cif/rules/example/
-rw-rw---- 1 cif cif 453 Nov 29 16:19 freeform.yml
-rw-rw---- 1 cif cif 212 Nov 29 16:19 garwarn.yml
-rw-rw---- 1 cif cif 889 Nov 29 16:19 malware_patrol.yml
-rw-rw---- 1 cif cif 376 Nov 29 16:19 passivedns.yml
-rw-rw---- 1 cif cif 287 Nov 29 16:19 pastebin.yml
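The drg.yml rule above is read by cif-smrt: parser: pipe says each feed line is a pipe-delimited record, the values list names the columns in order (null discards a column), and the keys under defaults plus the per-feed keys (application, portlist) are stamped onto every observable. The following added example, which is not cif-smrt's own parser, shows that mapping on a constructed two-line feed laid out the way the rule expects. The rule is written as the Python equivalent of the YAML, and the sample text is not downloaded from dragonresearchgroup.org.

```python
"""Apply a cif-smrt style 'pipe' rule to a pipe-delimited feed.

Added example illustrating how the rule's 'values' list, 'defaults' and
per-feed keys combine into observables.  It is not the CIF project's
parser, and SAMPLE_SSH_FEED is a constructed sample, not live data."""

# Python equivalent of /etc/cif/rules/default/drg.yml shown above.
# YAML 'null' becomes None, meaning "discard this column".
DRG_RULE = {
    "parser": "pipe",
    "defaults": {
        "tags": "scanner",
        "protocol": "tcp",
        "provider": "dragonresearchgroup.org",
        "altid_tlp": "green",
        "tlp": "amber",
        "confidence": 85,
        "values": ["asn", "asn_desc", "observable", "lasttime", None],
    },
    "feeds": {
        "ssh": {
            "remote": "http://dragonresearchgroup.org/insight/sshpwauth.txt",
            "application": "ssh",
            "portlist": "22",
        },
        "vnc": {
            "remote": "http://dragonresearchgroup.org/insight/vncprobe.txt",
            "application": "vnc",
            "portlist": "5900-5904",
        },
    },
}

# Constructed sample with the five columns the rule expects; the
# leading '#' lines stand in for the feed's comment banner.
SAMPLE_SSH_FEED = """\
#  Dragon Research Group sshpwauth report (constructed sample)
#
64496   |  EXAMPLE-AS   |  192.0.2.10   |  2015-08-25 13:44:02  |  sshpwauth
64497   |  EXAMPLE-2    |  198.51.100.7 |  2015-08-25 13:50:11  |  sshpwauth
"""


def parse_pipe_feed(rule, feed_name, text):
    """Return one dict per data line, built from the rule and the columns."""
    feed = rule["feeds"][feed_name]
    defaults = dict(rule["defaults"])
    columns = defaults.pop("values")
    # Per-feed keys override defaults; 'remote' is a fetch location,
    # not observable data, so it is not copied onto the records.
    base = dict(defaults, **{k: v for k, v in feed.items() if k != "remote"})

    observables = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(columns):
            continue  # malformed row: skip rather than misalign columns
        obs = dict(base)
        for name, value in zip(columns, fields):
            if name is not None:  # null column is dropped
                obs[name] = value
        observables.append(obs)
    return observables


if __name__ == "__main__":
    for o in parse_pipe_feed(DRG_RULE, "ssh", SAMPLE_SSH_FEED):
        print(o["observable"], o["asn"], o["application"], o["portlist"],
              o["confidence"], o["tlp"])
```

A row with the wrong number of columns is skipped rather than partially mapped; silently shifting columns would, for example, put an AS description into the observable field and pollute the feed.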

Explore the Apache config files

$ cat /etc/apache2/cif.conf 
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:5000/ keepalive=Off
ProxyPassReverse / http://localhost:5000/

ProxyRequests Off is what keeps Apache from acting as an open forward proxy; with it off, the permissive <Proxy *> block only governs the reverse-proxied path to the Starman backend on localhost:5000, which is where TLS is terminated. Order/Allow are Apache 2.2 access directives; on Apache 2.4 they work only through mod_access_compat, the native 2.4 form being Require all granted.
$ cat /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        Include /etc/apache2/cif.conf

        ErrorLog ${APACHE_LOG_DIR}/error.log
...

Explore the Bind config files

$ cat /etc/bind/named.conf.options | grep -v '//'
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        forward only;
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
};
$ cat /etc/bind/named.conf.local | grep -v '//'
zone "cymru.com" {
    forward only;
    type forward;
    forwarders { };
};

zone "zen.spamhaus.org" {
    forward only;
    type forward;
    forwarders { };
};

zone "dbl.spamhaus.org" {
    forward only;
    type forward;
    forwarders { };
};

The empty forwarders { } list in these three zones overrides the global forwarders, so lookups under cymru.com, zen.spamhaus.org and dbl.spamhaus.org are resolved by direct recursion from this host instead of through 8.8.8.8/8.8.4.4. This matters because the Spamhaus DNSBLs and the Team Cymru IP-to-ASN service refuse or rate-limit queries that arrive via public resolvers; if the exemption is removed, the corresponding cif-smrt rules will silently return no results.

Explore the Monit configuration files

$ ls -l /etc/monit/conf.d/
-rw-r--r-- 1 root root 846 Mar 28 13:49 cif
-rw-r--r-- 1 root root 355 Mar 28 13:49 elasticsearch

Explore the weekly crontab

$ ls -l /etc/cron.weekly/ | grep cif
-rwxr-xr-x 1 root root   49 Mar 28 13:49 cif-router
-rwxr-xr-x 1 root root   50 Mar 28 13:49 cif-worker

Explore the cache files

$ ls -l /var/smrt/cache/
-rw-r--r-- 1 cif cif      684 Aug 25 14:00 1d4.us-ssh
-rw-r--r-- 1 cif cif  7985835 Aug 25 14:24 20150825.log
-rw-r--r-- 1 cif cif 10068838 Aug 25 13:20 alexa.com-top10
...