This repository has been archived by the owner on May 23, 2019. It is now read-only.

where do i start

Wes edited this page Apr 17, 2017 · 23 revisions

Overview

These integrations assume you have the python SDK or perl SDK successfully installed and a valid ~/.cif.yml config. Installing the python client is as easy as:

$ sudo pip install 'cifsdk>=2.0,<3.0'

While CSIRT Gadgets DOES NOT ENDORSE ANY of these projects or services, we do our best to help bootstrap community integration. Please feel free to contribute integrations to the wiki!

Chrome Plugin

TODO

https://github.com/csirtgadgets/cif-chrome

Basic Output Formats

Table

$ cif --otype ipv4 --limit 5 --format table
+-------+----------+----------------------+----------------------+---------------+-------+----+-------+----------------------------------+------------+-------------+----------------+-----------------------------+---------------+
|  tlp  |  group   |       lasttime       |      reporttime      |   observable  | otype | cc |  asn  |             asn_desc             | confidence | description |      tags      |            rdata            | provider      |
+-------+----------+----------------------+----------------------+---------------+-------+----+-------+----------------------------------+------------+-------------+----------------+-----------------------------+---------------+
| amber | everyone | 2016-02-23T14:58:21Z | 2016-02-23T14:58:21Z | 107.180.51.16 |  ipv4 | US | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   13.996   |             | phishing,rdata |       lasttimeserc.com      | openphish.com |
| amber | everyone | 2016-02-23T14:58:21Z | 2016-02-23T14:58:21Z | 216.69.185.19 |  ipv4 | US | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   13.996   |             | phishing,rdata |    ns37.domaincontrol.com   | openphish.com |
| amber | everyone | 2016-02-23T14:58:22Z | 2016-02-23T14:58:22Z | 107.180.51.16 |  ipv4 | US | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   13.996   |             | phishing,rdata |       lasttimeserc.com      | openphish.com |
| amber | everyone | 2016-02-23T14:58:22Z | 2016-02-23T14:58:22Z |  188.121.58.1 |  ipv4 | NL | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   13.996   |             | phishing,rdata | inetsoftwaresolutions.co.uk | openphish.com |
| amber | everyone | 2016-02-23T14:58:22Z | 2016-02-23T14:58:22Z | 216.69.185.19 |  ipv4 | US | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   20.023   |             | phishing,rdata |    ns37.domaincontrol.com   | spamhaus.org  |
+-------+----------+----------------------+----------------------+---------------+-------+----+-------+----------------------------------+------------+-------------+----------------+-----------------------------+---------------+

CSV

Most Fields

$ cif --otype ipv4 --limit 5 --format csv
amber,everyone,2016-02-23T14:58:21Z,2016-02-23T14:58:21Z,107.180.51.16,ipv4,US,26496,AS-26496-GO-DADDY-COM-LLC GoDa..,13.996,,"phishing,rdata",lasttimeserc.com,openphish.com
amber,everyone,2016-02-23T14:58:22Z,2016-02-23T14:58:22Z,107.180.51.16,ipv4,US,26496,AS-26496-GO-DADDY-COM-LLC GoDa..,13.996,,"phishing,rdata",lasttimeserc.com,openphish.com

Custom Fields

$ cif --otype ipv4 --limit 5 --format csv --fields tlp,group,reporttime,observable
amber,everyone,2016-02-23T14:58:21Z,107.180.51.16
amber,everyone,2016-02-23T14:58:22Z,107.180.51.16

JSON

$ cif --otype ipv4 --limit 5 --format json
[{"geolocation": "33.6119,-111.8906", "protocol": 6, "cc": "US", "rir": "arin", "related": "e7ab7044e21120408423e3aef2e7c09842e53d004e48e053c0bc16fe5383b429", "prefix": "107.180.51.0/24", "timezone": "America/Phoenix", ... }]

STIX

$ cif --otype ipv4 --limit 5 --format stix
<stix:STIX_Package 
	xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
	xmlns:cybox="http://cybox.mitre.org/cybox-2"
	xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
	xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
	xmlns:example="http://example.com"
	xmlns:indicator="http://stix.mitre.org/Indicator-2"
	xmlns:stix="http://stix.mitre.org/stix-1"
	xmlns:stixCommon="http://stix.mitre.org/common-1"
	xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-38984c41-fa98-457a-befe-e97e65c94795" version="1.2">
    <stix:STIX_Header/>
    <stix:Indicators>
        <stix:Indicator id="example:indicator-6bed9b83-0879-4d48-8dd9-95f93fd2acbe" timestamp="2016-02-23T14:58:21+00:00" xsi:type='indicator:IndicatorType'>
            <indicator:Description>phishing,rdata</indicator:Description>
            <indicator:Observable id="example:Observable-780dacce-5338-4cee-b7e1-af2bda9d5502">
                <cybox:Object id="example:Address-a95f9a3a-de3c-49aa-b30c-331137031105">
                    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                        <AddressObj:Address_Value>107.180.51.16</AddressObj:Address_Value>
...

Open Source Integrations

Bro

While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Bro has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyberinfrastructure. Bro's user community includes major universities, research labs, supercomputing centers, and open-science communities.

see more at bro.org

$ cif --otype ipv4 --feed --confidence 85 --format bro --limit 5
#fields	indicator	indicator_type	meta.desc	meta.cif_confidence	meta.source
92.50.31.66	Intel::ADDR	exploit	95	spamhaus.org
210.4.72.138	Intel::ADDR	exploit	95	spamhaus.org
61.150.89.67	Intel::ADDR	spam	95	spamhaus.org
68.180.32.194	Intel::ADDR	exploit	95	spamhaus.org
221.206.72.203	Intel::ADDR	spam	95	spamhaus.org

Snort

Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

see more at snort.org

$ cif --otype ipv4 --feed --confidence 85 --format snort --limit 5
alert TCP any any -> 74.28.188.130 any (reference: http://www.spamhaus.org/query/bl?ip=74.28.188.130; priority: 1; threshold: type limit,track by_src,count 1,seconds 3600; sid: 5000000000; msg: CIF - GREEN - exploit;)
alert IP any any -> 74.208.184.119 any (reference: http://www.spamhaus.org/query/bl?ip=74.208.184.119; priority: 1; threshold: type limit,track by_src,count 1,seconds 3600; sid: 5000000001; msg: CIF - GREEN - spam;)
alert TCP any any -> 173.237.190.72 any (reference: http://www.spamhaus.org/query/bl?ip=173.237.190.72; priority: 1; threshold: type limit,track by_src,count 1,seconds 3600; sid: 5000000002; msg: CIF - GREEN - spam;)

BIND

BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications. The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s at the University of California at Berkeley.

BIND is by far the most widely used DNS software on the Internet, providing a robust and stable platform on top of which organizations can build distributed computing systems with the knowledge that those systems are fully compliant with published DNS standards.

see more at isc.org

$ cif --otype fqdn --feed --confidence 85 --format bind --limit 5
// generated by: CIF at 2016-35-23T10:02:55 EST
zone "mail.ghiend.com" {type master; file "/etc/namedb";};
zone "ghiend.com" {type master; file "/etc/namedb";};
zone "ns1.bwreg.com" {type master; file "/etc/namedb";};

JustinAzoff - Ninfo

NEEDS TO BE UPDATED FOR V2

QUERY ALL-THE-THINGS!!!! nInfo is a library, CLI tool, and web interface (and lots of plugins) for gathering information on any of the following:

  • IP Address (v4 or v6)
  • CIDR Block (v4 or v6)
  • MAC Address
  • Hostname
  • Username
  • Hashes (as in md5/sha1 etc)

It consists of multiple plugin classes that implement a get_info function. The classes contain metadata for the type of arguments they accept, and whether they are relevant for internal and/or external hosts.

see more at github.com/JustinAzoff/ninfo

for the CIF plugin, see: https://github.com/JustinAzoff/ninfo-plugin-cif

Kibana

Kibana is an open source (Apache Licensed), browser-based analytics and search interface to Logstash and other timestamped data sets stored in ElasticSearch. With those in place Kibana is a snap to set up and start using (seriously). Kibana strives to be easy to get started with, while also being flexible and powerful.

Commercial Integrations

Palo Alto

Building on the DShield model, leverage CIF to generate a text file that can be imported into the dynamic block list of your device:

$ cif --otype ipv4 --feed --confidence 85 --format csv --fields observable --limit 5
92.50.31.66
210.4.72.138
61.150.89.67
68.180.32.194
221.206.72.203

see more at Palo Alto Networks
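As an added example (not code from the CIF project or this wiki), the Python below turns `cif --format json` records into the two consumer files shown above, a Bro Intel file and a Palo Alto block list, applying the same confidence floor as `--confidence 85` and dropping duplicates, CIDR blocks and unparsable observables before anything reaches a sensor or firewall. The sample records are constructed; the field names are taken from the table columns shown earlier on this page.

```python
import ipaddress
import json

# Constructed sample of what `cif --format json` returns for this example;
# keys follow the table columns on this page, values are made up.
SAMPLE_JSON = json.dumps([
    {"observable": "192.0.2.10", "otype": "ipv4", "confidence": 95.0,
     "tags": ["exploit"], "provider": "example-feed.test", "tlp": "amber"},
    {"observable": "192.0.2.10", "otype": "ipv4", "confidence": 95.0,
     "tags": "exploit", "provider": "example-feed.test", "tlp": "amber"},  # duplicate
    {"observable": "198.51.100.7", "otype": "ipv4", "confidence": 60.0,
     "tags": ["scanner"], "provider": "example-feed.test", "tlp": "amber"},  # below floor
    {"observable": "203.0.113.0/24", "otype": "ipv4", "confidence": 95.0,
     "tags": ["spam"], "provider": "example-feed.test", "tlp": "amber"},  # CIDR, not a host
    {"observable": "not-an-ip", "otype": "ipv4", "confidence": 99.0,
     "tags": ["spam"], "provider": "example-feed.test", "tlp": "amber"},  # junk
])


def select_hosts(records, min_confidence=85.0):
    """Keep one record per IPv4 host address at or above the confidence floor.
    Mirrors `--otype ipv4 --confidence 85`, and also rejects CIDR blocks and
    unparsable strings so a bad record cannot break the consumer's loader."""
    seen = {}
    for rec in records:
        if rec.get("otype") != "ipv4" or float(rec.get("confidence") or 0) < min_confidence:
            continue
        try:
            addr = ipaddress.IPv4Address(rec["observable"])
        except (ipaddress.AddressValueError, KeyError):
            continue  # CIDR, IPv6 or garbage: not a single host address
        seen.setdefault(str(addr), rec)  # first record for an address wins
    return list(seen.values())


def to_bro_intel(records):
    """Render Bro Intel framework lines in the layout `--format bro` emits:
    a #fields header followed by tab-separated rows."""
    header = "#fields\tindicator\tindicator_type\tmeta.desc\tmeta.cif_confidence\tmeta.source"
    rows = []
    for r in records:
        tags = r.get("tags", [])
        desc = tags if isinstance(tags, str) else ",".join(tags)  # tags may be str or list
        rows.append("\t".join([r["observable"], "Intel::ADDR", desc,
                               format(float(r["confidence"]), "g"), r["provider"]]))
    return "\n".join([header] + rows) + "\n"


def to_block_list(records):
    """One address per line, the shape a Palo Alto dynamic block list imports."""
    return "\n".join(r["observable"] for r in records) + "\n"


if __name__ == "__main__":
    hosts = select_hosts(json.loads(SAMPLE_JSON))
    print(to_bro_intel(hosts))
    print(to_block_list(hosts))
```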
