This repository was archived by the owner on Apr 30, 2022. It is now read-only.

Introducing the CIF client

wes edited this page May 21, 2019 · 1 revision

The primary way you will interact with your CIF installation is the CIF CLI client, usually installed as cif.

The first thing you'll want to do is get familiar with the CIF client by reading its help:

$ cif -h
...

Examples

Here are some examples of how to use the CIF client:

IP Based Queries

$ cif -q 130.201.0.2
$ cif -q 130.201.0.0/16
$ cif -q 2001:4860:4860::8888

FQDNs

$ cif -q google.com
$ cif -q plus.google.com

URLs

$ cif -q 'http://www.google.com'
$ cif -q 'https://www.google.com/search?12345.html'

Hashes

$ cif -q de305d54-75b4-431b-adb2-eb6b9e546013                              # uuid
$ cif -q 3b6a927c890f067ad524baac9d751480                                  # md5
$ cif -q 57c64d62e79a5b9829e5a902e4a3fb22ff618d89                          # sha1
$ cif -q b712dfc617a327ce948e3341fa4d3f759988c299fcdbc80630f8b3c2c5408be2  # sha256

By Indicator Type

Query or filter by indicator type

$ cif --itype ipv4   # ipv4 address
$ cif --itype ipv6   # ipv6 address
$ cif --itype fqdn   # fully qualified domain name
$ cif --itype url    # URL
$ cif --itype email  # email address

$ cif --itype md5    # md5 hash
$ cif --itype sha1   # sha1 hash
$ cif --itype sha256 # sha256 hash
$ cif --itype sha512 # sha512 hash
$ cif --itype uuid   # uuid

Tags

Query or filter by tags

CIF ships with a handful of tags but you can add your own to any data you ingest in CIF. A few examples:

$ cif --tags malware
$ cif --tags botnet
$ cif --tags phishing
$ cif --tags scanner
$ cif --tags hijacked
$ cif --tags suspicious

Country Code

Query or filter by country code. A few examples:

$ cif --cc US
$ cif --cc CN
$ cif --cc JP

ASN

Query or filter by ASN. A few examples:

$ cif --asn 36351
$ cif --asn 199789

Provider

Query or filter by provider; the provider is specified at ingest. A few examples:

$ cif --provider spamhaus.org
$ cif --provider dshield.org
$ cif --provider dragonresearchgroup.org

Confidence

Query or filter by confidence; the confidence value is specified at ingest. A few examples:

$ cif --itype ipv4 -c 9
$ cif --itype fqdn -c 8
$ cif --itype url -c 6

Related data

Query or filter by related data (rdata). A few examples:

$ cif --rdata ns1.pixelshouse.com
$ cif --rdata ns577.hostgator.com
$ cif --rdata google.com

Group

Query or filter by group; groups are specified at ingest. Examples:

$ cif --itype fqdn --group everyone
$ cif --itype url --group group1,group2,everyone

Format

The CIF client supports several different output formats:

$ cif -q google.com -f table
$ cif -q google.com -f json
$ cif -q google.com -f csv
$ cif -q google.com -f snort
$ cif -q google.com -f bro
$ cif -q google.com -f bind
$ cif -q google.com -f html

Limit

Limit the number of results returned by CIF. A few examples:

$ cif --cc us --limit 5
$ cif --application http -l 5
$ cif --itype fqdn -l 3

Time

CIF has many filters that allow you to filter your queries by time.

  1. Lasttime - filter on the lasttime timestamp (less than)

$ cif --itype url --lasttime 2015-04-07T00:00Z

  2. Firsttime - filter on the firsttime timestamp (greater than)

$ cif --itype url --firsttime 2015-04-07T00:00Z

  3. Reporttime - filter on the reporttime timestamp (greater than)

$ cif --itype url --reporttime 2015-04-07T00:00Z

  4. Reporttime-end - filter on the reporttime timestamp (less than)

$ cif --itype url --reporttime-end 2015-04-07T00:00Z

  5. Today - auto-sets reporttime to today, 00:00:00Z (UTC)

$ cif --itype url --today

  6. Last hour - auto-sets reporttime to the beginning of the previous full hour and reporttime-end to the end of that hour

$ cif --itype url --last-hour
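The indicator types under "By Indicator Type" and "Hashes" above map directly to how an indicator looks on the wire. As an added helper (not part of CIF or this wiki), the shell function below guesses the --itype for a raw indicator string and builds the matching cif command line with any extra filters appended, so a pasted IOC can be queried without hand-picking the type; the itype names are the ones listed on this page, the syntax checks are loose and assumed.

```shell
#!/bin/sh
# Added helper: classify an indicator into a CIF --itype, then build the query.
# Checks are syntactic only (e.g. no octet range validation for ipv4).

cif_itype() {
  ind=$1
  m() { printf '%s\n' "$ind" | grep -Eq "$1"; }   # regex test on the indicator
  if   m '^https?://';                                          then echo url
  elif m '^[^@[:space:]]+@[^@[:space:]]+$';                     then echo email
  elif m '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$';         then echo ipv4
  elif m '^[0-9A-Fa-f:]+(/[0-9]{1,3})?$' && m ':';              then echo ipv6
  elif m '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then echo uuid
  elif m '^[0-9a-fA-F]{32}$';                                   then echo md5
  elif m '^[0-9a-fA-F]{40}$';                                   then echo sha1
  elif m '^[0-9a-fA-F]{64}$';                                   then echo sha256
  elif m '^[0-9a-fA-F]{128}$';                                  then echo sha512
  elif m '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$';                    then echo fqdn
  else
    echo "unknown indicator type: $ind" >&2
    return 1
  fi
}

# cif_query <indicator> [extra cif options...]
# Prints the cif command line (single-quoting the indicator) instead of running
# it, so it works without a CIF install; pipe to sh to execute.
cif_query() {
  itype=$(cif_itype "$1") || return 1
  printf "cif --itype %s -q '%s'" "$itype" "$1"
  shift
  for arg in "$@"; do printf ' %s' "$arg"; done
  printf '\n'
}

# Constructed sample run using indicators from this page:
cif_query 130.201.0.0/16 --today
cif_query b712dfc617a327ce948e3341fa4d3f759988c299fcdbc80630f8b3c2c5408be2 -f json
```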
