This repository has been archived by the owner on Aug 29, 2023. It is now read-only.
wes edited this page Mar 14, 2020 · 3 revisions

Asking for help

Get Support

Proxies

Everything under the hood uses the Python Requests library. This means you need to set the correct environment variables for both csirtg-fm and the cif command to pick up your proxy. In the case of csirtg-fm it means adding HTTPS_PROXY=example.org:8443 to your docker-compose file:

  csirtg-fm:
    depends_on:
      - cif-router
    image: csirtgadgets/csirtg-fm:latest
    container_name: csirtg-fm
    volumes:
      - ./data/fm:/var/lib/fm
      - ./data/cif:/var/lib/cif
    environment:
      ...
      HTTPS_PROXY: example.org:8443

Query Failed

If you're not getting results right after the install, that's OK. csirtg-fm takes a few minutes to run, and the hunters take a few minutes to process the data. Give your system some time to get through a few data passes before logging an issue. Then try a query like:

$ cif --itype ipv4 --tags scanner --confidence 2
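A small poll-and-retry wrapper (added example, not from the cif-v5 wiki) that keeps re-running a query until it returns something, so you can wait out the first few data passes instead of guessing; fake_cif is a constructed stand-in for the real cif command so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the cif-v5 wiki: poll a cif query until it returns
# results, because csirtg-fm and the hunters need a few data passes after install.

# Usage: wait_for_results MAX_TRIES SLEEP_SECONDS COMMAND [ARGS...]
# Prints the first non-empty output and returns 0; returns 1 if every try was empty.
wait_for_results() {
    max_tries=$1
    sleep_secs=$2
    shift 2
    try=1
    while [ "$try" -le "$max_tries" ]; do
        out=$("$@" 2>/dev/null)
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            return 0
        fi
        printf 'no results yet (try %s/%s), retrying in %ss\n' "$try" "$max_tries" "$sleep_secs" >&2
        try=$((try + 1))
        sleep "$sleep_secs"
    done
    return 1
}

# Constructed stand-in for the cif CLI so the script runs offline: it returns
# nothing until its third call, mimicking an install that has not finished a
# data pass yet. The counter lives in a temp file because each call runs in a
# subshell. 198.51.100.7 is a documentation address, not real indicator data.
FAKE_CIF_COUNTER=$(mktemp)
echo 0 > "$FAKE_CIF_COUNTER"
fake_cif() {
    n=$(cat "$FAKE_CIF_COUNTER")
    n=$((n + 1))
    echo "$n" > "$FAKE_CIF_COUNTER"
    if [ "$n" -ge 3 ]; then
        echo "198.51.100.7"
    fi
}

# Against a real install you would use the wiki's query instead of fake_cif:
#   wait_for_results 10 60 cif --itype ipv4 --tags scanner --confidence 2
wait_for_results 5 0 fake_cif
```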

Searching Logs

  1. Make sure you set the following variables in the corresponding environment: section of your docker-compose file:

    CIF_ROUTER_TRACE=1 
    CIF_STORE_TRACE=1 
    CIF_HTTPD_TRACE=1 
    CIF_HUNTER_TRACE=1
    CIF_ENRICHER_TRACE=1
    
  2. Restart the corresponding docker containers via docker-compose restart [cif-router|cif-httpd|...], then follow the logs for that container:

    $ docker-compose logs -f cif-router

What is a hunter?

Enrichers enrich the data (geo, cc, asn); hunters “pile on more data” (e.g. take a URL and generate an FQDN, IP, etc., all with lower confidence values, of course).

As you query, you’ll see more and more results as they come in. This is easy to test with the openphish feed, where it takes lots of URLs and turns them into IP addresses over time (hint: use the --itype|--provider|--tags combination to see the differing datasets as they get generated).

Hunters off by default

In the latest default install we're leaving those blank on purpose. We've had numerous issues over the years with new users who didn't quite understand what hunters (formerly cif-worker) did, and why the default install wreaked havoc on their system (network traffic, CPU utilization, as hunters churned through messages).

DNS Warnings

  • this can be an EC2-like instance, but beware of the network activity coming from the box; it could be flagged as malicious, so check your provider's policies
  • with post-processing, these boxes make a lot of threaded DNS resolution requests; make sure you understand your operating environment and work with your network team to address high-volume DNS queries

DNS References

What open source feeds come out of the box?

See the current rules directory:

https://github.com/csirtgadgets/cif-v5/tree/master/rules