This repository has been archived by the owner on Jun 17, 2023. It is now read-only.

Where do I start

Wes edited this page Jan 30, 2018 · 3 revisions

Overview

If you are working on the box where you just ran the EasyButton install, skip re-installing the client and go straight to the examples.

These integrations assume you have the Python SDK installed and a valid ~/.cif.yml config pointing at your router (the `remote` URL and the API `token`). Treat that file as a credential: it should be readable only by you (mode 0600), because anyone who can read it can query, and depending on the token's rights write to, your instance. Installing the Python client is as easy as:

$ pip install 'cifsdk>=3.0.0b4'

While CSIRT Gadgets DOES NOT ENDORSE ANY of these projects or services, we do our best to help bootstrap community integration. Please feel free to contribute integrations to the wiki!

Basic Output Formats

Table

$ cif --itype ipv4 --limit 5 --format table
+-------+----------+----------------------+----------------------+---------------+-------+----+-------+----------------------------------+------------+-------------+----------------+-----------------------------+---------------+
|  tlp  |  group   |       lasttime       |      reporttime      |   indicator  | itype | cc |  asn  |             asn_desc             | confidence | description |      tags      |            rdata            | provider      |
+-------+----------+----------------------+----------------------+---------------+-------+----+-------+----------------------------------+------------+-------------+----------------+-----------------------------+---------------+
| amber | everyone | 2016-02-23T14:58:21Z | 2016-02-23T14:58:21Z | 107.180.51.16 |  ipv4 | US | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   13.996   |             | phishing,rdata |       lasttimeserc.com      | openphish.com |
| amber | everyone | 2016-02-23T14:58:21Z | 2016-02-23T14:58:21Z | 216.69.185.19 |  ipv4 | US | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   13.996   |             | phishing,rdata |    ns37.domaincontrol.com   | openphish.com |
| amber | everyone | 2016-02-23T14:58:22Z | 2016-02-23T14:58:22Z | 107.180.51.16 |  ipv4 | US | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   13.996   |             | phishing,rdata |       lasttimeserc.com      | openphish.com |
| amber | everyone | 2016-02-23T14:58:22Z | 2016-02-23T14:58:22Z |  188.121.58.1 |  ipv4 | NL | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   13.996   |             | phishing,rdata | inetsoftwaresolutions.co.uk | openphish.com |
| amber | everyone | 2016-02-23T14:58:22Z | 2016-02-23T14:58:22Z | 216.69.185.19 |  ipv4 | US | 26496 | AS-26496-GO-DADDY-COM-LLC GoDa.. |   20.023   |             | phishing,rdata |    ns37.domaincontrol.com   | spamhaus.org  |
+-------+----------+----------------------+----------------------+---------------+-------+----+-------+----------------------------------+------------+-------------+----------------+-----------------------------+---------------+

CSV

Most Fields

The CSV output has no header row; the columns come out in the same order as the table above (tlp, group, lasttime, reporttime, indicator, itype, cc, asn, asn_desc, confidence, description, tags, rdata, provider). Multi-valued fields such as tags are quoted.

$ cif --itype ipv4 --limit 5 --format csv
amber,everyone,2016-02-23T14:58:21Z,2016-02-23T14:58:21Z,107.180.51.16,ipv4,US,26496,AS-26496-GO-DADDY-COM-LLC GoDa..,13.996,,"phishing,rdata",lasttimeserc.com,openphish.com
amber,everyone,2016-02-23T14:58:22Z,2016-02-23T14:58:22Z,107.180.51.16,ipv4,US,26496,AS-26496-GO-DADDY-COM-LLC GoDa..,13.996,,"phishing,rdata",lasttimeserc.com,openphish.com

Custom Fields

Use `--fields` to choose which columns are printed and in what order:

$ cif --itype ipv4 --limit 5 --format csv --fields tlp,group,reporttime,indicator
amber,everyone,2016-02-23T14:58:21Z,107.180.51.16
amber,everyone,2016-02-23T14:58:22Z,107.180.51.16

JSON

JSON returns every field the server stores for a record, including ones the table and CSV formats leave out (geolocation, rir, prefix, timezone, related, ...). It is the format to use when feeding another program:

$ cif --itype ipv4 --limit 5 --format json
[{"geolocation": "33.6119,-111.8906", "protocol": 6, "cc": "US", "rir": "arin", "related": "e7ab7044e21120408423e3aef2e7c09842e53d004e48e053c0bc16fe5383b429", "prefix": "107.180.51.0/24", "timezone": "America/Phoenix", ... }]
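The rows above show why a consumer should not push `cif` output straight into a blocklist: 107.180.51.16 appears twice from the same provider, and 216.69.185.19 appears from two providers at different confidences. The following script, added here as an example and not part of the CIF project or its SDK, reads the JSON output, drops anything above a TLP you are allowed to share, merges duplicate indicators (highest confidence, latest lasttime, union of providers and tags), applies a confidence threshold, and writes a CSV with a header and the columns you choose, much like `--fields`. The sample records are constructed from the five table rows and trimmed to the fields used; the handling of `tags` as either a list or a comma-joined string is an assumption about how the field may arrive, not a documented SDK behaviour.

```python
import csv
import io
import json

# Constructed sample of `cif --format json` output, reduced to the fields this
# example uses; values copy the five rows shown in the table above. Real output
# carries many more keys (geolocation, asn, rir, ...), which are simply ignored.
SAMPLE_JSON = json.dumps([
    {"tlp": "amber", "indicator": "107.180.51.16", "itype": "ipv4", "confidence": 13.996,
     "provider": "openphish.com", "lasttime": "2016-02-23T14:58:21Z",
     "tags": "phishing,rdata", "rdata": "lasttimeserc.com"},
    {"tlp": "amber", "indicator": "216.69.185.19", "itype": "ipv4", "confidence": 13.996,
     "provider": "openphish.com", "lasttime": "2016-02-23T14:58:21Z",
     "tags": ["phishing", "rdata"], "rdata": "ns37.domaincontrol.com"},
    {"tlp": "amber", "indicator": "107.180.51.16", "itype": "ipv4", "confidence": 13.996,
     "provider": "openphish.com", "lasttime": "2016-02-23T14:58:22Z",
     "tags": "phishing,rdata", "rdata": "lasttimeserc.com"},
    {"tlp": "amber", "indicator": "188.121.58.1", "itype": "ipv4", "confidence": 13.996,
     "provider": "openphish.com", "lasttime": "2016-02-23T14:58:22Z",
     "tags": "phishing,rdata", "rdata": "inetsoftwaresolutions.co.uk"},
    {"tlp": "amber", "indicator": "216.69.185.19", "itype": "ipv4", "confidence": 20.023,
     "provider": "spamhaus.org", "lasttime": "2016-02-23T14:58:22Z",
     "tags": "phishing,rdata", "rdata": "ns37.domaincontrol.com"},
])

# TLP levels from least to most restrictive.
TLP_ORDER = ("white", "green", "amber", "red")


def load_records(text):
    """Parse CIF JSON output and normalise the fields that may vary in shape.

    Assumption (not documented SDK behaviour): `tags` may be a list or the
    comma-joined string the table/CSV formats print; `confidence` may be a
    string. Both are normalised so the rest of the code sees one shape.
    """
    records = json.loads(text)
    for r in records:
        tags = r.get("tags") or []
        if isinstance(tags, str):
            tags = [t for t in tags.split(",") if t]
        r["tags"] = list(tags)
        r["confidence"] = float(r.get("confidence") or 0)
    return records


def collapse(records, max_tlp="amber"):
    """Merge duplicate (itype, indicator) pairs into one row.

    Records above `max_tlp` are dropped *before* merging so a record you may
    not share can never contribute to a row that is shared. A merged row keeps
    the most restrictive TLP, the highest confidence, the latest lasttime and
    the union of providers and tags.
    """
    allowed = set(TLP_ORDER[: TLP_ORDER.index(max_tlp) + 1])
    merged = {}
    for r in records:
        if r.get("tlp") not in allowed:
            continue
        key = (r["itype"], r["indicator"])
        row = merged.get(key)
        if row is None:
            merged[key] = {
                "itype": r["itype"], "indicator": r["indicator"], "tlp": r["tlp"],
                "confidence": r["confidence"], "lasttime": r["lasttime"],
                "providers": {r["provider"]}, "tags": set(r["tags"]),
            }
            continue
        row["tlp"] = max(row["tlp"], r["tlp"], key=TLP_ORDER.index)
        row["confidence"] = max(row["confidence"], r["confidence"])
        # Fixed-layout ISO-8601 UTC timestamps compare correctly as strings.
        row["lasttime"] = max(row["lasttime"], r["lasttime"])
        row["providers"].add(r["provider"])
        row["tags"].update(r["tags"])
    # Highest confidence first, then by indicator for a stable order.
    return sorted(merged.values(), key=lambda x: (-x["confidence"], x["indicator"]))


def select(rows, min_confidence):
    """Keep only merged rows whose confidence meets the threshold."""
    return [r for r in rows if r["confidence"] >= min_confidence]


def to_csv(rows, fields):
    """Render the chosen fields as CSV with a header row (the cif CLI prints none).

    Set-valued fields (providers, tags) are joined with commas; the csv module
    quotes them so the column count stays stable.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(fields)
    for r in rows:
        writer.writerow([",".join(sorted(r[f])) if isinstance(r[f], set) else r[f]
                         for f in fields])
    return out.getvalue()


if __name__ == "__main__":
    rows = select(collapse(load_records(SAMPLE_JSON)), min_confidence=15.0)
    print(to_csv(rows, ["indicator", "confidence", "lasttime", "providers", "tags"]))
```

Pipe real output in with `cif --itype ipv4 --limit 500 --format json | python3 collapse.py` after replacing `SAMPLE_JSON` with `sys.stdin.read()`. The threshold and the `max_tlp` cut-off are the two knobs to agree with whoever owns the downstream control: a firewall blocklist wants a high threshold, a SIEM watchlist can take everything.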

STIX

The STIX output is a STIX 1.2 XML package with one Indicator per record; the indicator value is carried as a CybOX Address object and the tags land in the Description:

$ cif --itype ipv4 --limit 5 --format stix
<stix:STIX_Package 
	xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
	xmlns:cybox="http://cybox.mitre.org/cybox-2"
	xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
	xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
	xmlns:example="http://example.com"
	xmlns:indicator="http://stix.mitre.org/Indicator-2"
	xmlns:stix="http://stix.mitre.org/stix-1"
	xmlns:stixCommon="http://stix.mitre.org/common-1"
	xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-38984c41-fa98-457a-befe-e97e65c94795" version="1.2">
    <stix:STIX_Header/>
    <stix:Indicators>
        <stix:Indicator id="example:indicator-6bed9b83-0879-4d48-8dd9-95f93fd2acbe" timestamp="2016-02-23T14:58:21+00:00" xsi:type='indicator:IndicatorType'>
            <indicator:Description>phishing,rdata</indicator:Description>
            <indicator:Observable id="example:Observable-780dacce-5338-4cee-b7e1-af2bda9d5502">
                <cybox:Object id="example:Address-a95f9a3a-de3c-49aa-b30c-331137031105">
                    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                        <AddressObj:Address_Value>107.180.51.16</AddressObj:Address_Value>
...
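Consuming that package means walking the STIX 1.2 namespaces shown in the header. The script below, added here as an example and not part of the CIF project, parses a constructed package built from those namespaces, pulls each Indicator's id, timestamp and tags, and returns the Address_Value entries whose CybOX category matches the address family you ask for. Each value is validated with the `ipaddress` module before it is accepted, so a malformed value in the feed is reported rather than silently shipped to a blocklist. The sample package (four indicators, one of them deliberately malformed) is constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespaces exactly as declared in the STIX package header shown above.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# CybOX address categories mapped to the IP version they must carry.
CATEGORY_VERSION = {"ipv4-addr": 4, "ipv6-addr": 6}


def _indicator(ind_id, ts, desc, category, value):
    """Build one stix:Indicator element for the constructed sample package."""
    return f"""
    <stix:Indicator id="{ind_id}" timestamp="{ts}" xsi:type="indicator:IndicatorType">
      <indicator:Description>{desc}</indicator:Description>
      <indicator:Observable id="{ind_id}-obs">
        <cybox:Object id="{ind_id}-addr">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="{category}">
            <AddressObj:Address_Value>{value}</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>"""


# Constructed sample: same structure and namespaces as the real package above,
# with two IPv4 indicators, one IPv6 indicator and one malformed IPv4 value.
SAMPLE_STIX = f"""<stix:STIX_Package
    xmlns:AddressObj="{NS['AddressObj']}"
    xmlns:cybox="{NS['cybox']}"
    xmlns:indicator="{NS['indicator']}"
    xmlns:stix="{NS['stix']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.2">
  <stix:STIX_Header/>
  <stix:Indicators>{_indicator("example:indicator-1", "2016-02-23T14:58:21+00:00",
                               "phishing,rdata", "ipv4-addr", "107.180.51.16")}
  {_indicator("example:indicator-2", "2016-02-23T14:58:22+00:00",
              "phishing,rdata", "ipv4-addr", "216.69.185.19")}
  {_indicator("example:indicator-3", "2016-02-23T14:58:22+00:00",
              "scanner", "ipv6-addr", "2001:db8::1")}
  {_indicator("example:indicator-4", "2016-02-23T14:58:23+00:00",
              "phishing", "ipv4-addr", "107.180.51")}
  </stix:Indicators>
</stix:STIX_Package>"""


def extract_addresses(xml_text, category="ipv4-addr"):
    """Return (accepted, rejected) address entries of the given CybOX category.

    accepted: list of dicts with indicator, id, timestamp and tags.
    rejected: list of raw values that failed to parse as the expected IP version.
    """
    want_version = CATEGORY_VERSION[category]
    root = ET.fromstring(xml_text)
    accepted, rejected = [], []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        desc = ind.findtext("indicator:Description", default="", namespaces=NS)
        tags = [t for t in desc.split(",") if t]
        for props in ind.iterfind(".//cybox:Properties", NS):
            if props.get("category") != category:
                continue
            for node in props.iterfind("AddressObj:Address_Value", NS):
                raw = (node.text or "").strip()
                try:
                    addr = ipaddress.ip_address(raw)
                    if addr.version != want_version:
                        raise ValueError("wrong address family")
                except ValueError:
                    rejected.append(raw)
                    continue
                accepted.append({"indicator": str(addr), "id": ind.get("id"),
                                 "timestamp": ind.get("timestamp"), "tags": tags})
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = extract_addresses(SAMPLE_STIX)
    for entry in ok:
        print(entry["indicator"], entry["timestamp"], ",".join(entry["tags"]))
    print("rejected:", bad)
```

One caveat when running this against a feed you do not fully control: `xml.etree` offers no protection against entity-expansion ("billion laughs") payloads. Replace `ET.fromstring` with `defusedxml.ElementTree.fromstring` for untrusted input; the rest of the code is unchanged.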