Introducing the CIF client
The primary way you will interact with your CIF installation is the CIF CLI client, usually installed at /usr/local/bin/cif.
Note: the CIF installer does not install an SSH server by default. You may want to install one so that you can interact with your CIF server remotely.
The first thing you'll want to do is get familiar with the CIF client by reading its help:
$ /usr/local/bin/cif -h
...
Here are some examples of querying for a single observable with -q. The same flag accepts every observable type; quote URLs so the shell does not interpret characters such as ? and &:
$ cif -q 130.201.0.2
$ cif -q 130.201.0.0/16
$ cif -q 2001:4860:4860::8888
$ cif -q google.com
$ cif -q plus.google.com
$ cif -q 'http://www.google.com'
$ cif -q 'https://www.google.com/search?12345.html'
$ cif -q de305d54-75b4-431b-adb2-eb6b9e546013 # uuid
$ cif -q 3b6a927c890f067ad524baac9d751480 # md5
$ cif -q 57c64d62e79a5b9829e5a902e4a3fb22ff618d89 # sha1
$ cif -q b712dfc617a327ce948e3341fa4d3f759988c299fcdbc80630f8b3c2c5408be2 # sha256
Query or filter by observable type
$ cif --otype ipv4 # ipv4 address
$ cif --otype ipv6 # ipv6 address
$ cif --otype fqdn # fully qualified domain name
$ cif --otype url # URL
$ cif --otype email # email address
$ cif --otype md5 # md5 hash
$ cif --otype sha1 # sha1 hash
$ cif --otype sha256 # sha256 hash
$ cif --otype sha512 # sha512 hash
$ cif --otype uuid # uuid (observable id, not a hash)
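The -q examples and the --otype list above cover the observable types CIF understands. The script below is an added example (not part of CIF or this page) that classifies each line of an analyst's indicator list into one of those --otype names, drops anything that is not a recognised observable, and runs one quoted `cif -q` per indicator. The `cif_otype` patterns, the `MIN_CONF` default of 65, the `CIF` environment override, and combining -q with -c and -f csv are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the CIF project: classify indicators into CIF's
# --otype names and query each one. Assumes the cif binary is on PATH
# (override with CIF=/usr/local/bin/cif) and that -q combines with -c/-f.

# Match $1 against extended regex $2 (no output, exit status only).
_m() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# Print the CIF observable type for $1, or "unknown".
# Order matters: uuid before md5 (both hex), hashes before fqdn, ipv4 before fqdn.
cif_otype() {
    if   _m "$1" '^https?://';                                                   then echo url
    elif _m "$1" '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$';                  then echo ipv4
    elif _m "$1" '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$';                  then echo ipv6
    elif _m "$1" '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then echo uuid
    elif _m "$1" '^[0-9a-f]{32}$';                                               then echo md5
    elif _m "$1" '^[0-9a-f]{40}$';                                               then echo sha1
    elif _m "$1" '^[0-9a-f]{64}$';                                               then echo sha256
    elif _m "$1" '^[0-9a-f]{128}$';                                              then echo sha512
    elif _m "$1" '^[^@[:space:]]+@[^@[:space:]]+\.[A-Za-z]{2,}$';                then echo email
    elif _m "$1" '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$';                             then echo fqdn   # ASCII labels only
    else echo unknown
    fi
}

# Query every indicator in file $1 (first word of each line; blank lines and
# '#' comments ignored). Unrecognised values are reported on stderr and never
# sent to the server, so a stray word from a pasted alert is not a query.
cif_lookup_file() {
    while read -r ind rest || [ -n "$ind" ]; do
        ind=$(printf '%s' "$ind" | tr -d '\r')     # tolerate CRLF from Windows pastes
        case $ind in ''|\#*) continue ;; esac
        t=$(cif_otype "$ind")
        if [ "$t" = unknown ]; then
            printf 'skipping %s: not a recognised observable\n' "$ind" >&2
            continue
        fi
        # Quoting "$ind" keeps ? and & in URLs away from the shell; CSV output
        # can be piped onward, and -c is the confidence floor (assumed minimum).
        "${CIF:-cif}" -q "$ind" -f csv -c "${MIN_CONF:-65}"
    done < "$1"
}

# Stand-alone use: sh triage.sh indicators.txt
if [ "$#" -gt 0 ]; then
    cif_lookup_file "$1"
fi
```

The classifier is deliberately strict (ASCII hostnames, lowercase hex digests) because the cost of a false "unknown" is one skipped line, while an unvalidated value would become a server query.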
Query or filter by tags
CIF ships with a handful of tags but you can add your own to any data you ingest in CIF. A few examples:
$ cif --tags malware
$ cif --tags botnet
$ cif --tags phishing
$ cif --tags scanner
$ cif --tags zeus
$ cif --tags hijacked
Query or filter by country code. A few examples:
$ cif --cc US
$ cif --cc CN
$ cif --cc JP
Query or filter by ASN. A few examples:
$ cif --asn 36351
$ cif --asn 199789
Query or filter by provider; providers are specified at ingest. A few examples:
$ cif --provider spamhaus.org
$ cif --provider dshield.org
$ cif --provider dragonresearchgroup.org
Query or filter by confidence; confidence is specified at ingest and the filter is a minimum, so -c 95 returns only observables rated 95 or higher. A few examples:
$ cif --otype ipv4 -c 95
$ cif --otype fqdn -c 85
$ cif --otype url -c 65
Query or filter by application; application is specified at ingest. A few examples:
$ cif --otype ipv4 --application ssh
$ cif --otype fqdn --application http
Query or filter by rdata (the resolved data recorded for an observable, such as the name server it points at). A few examples:
$ cif --rdata ns1.pixelshouse.com
$ cif --rdata ns577.hostgator.com
$ cif --rdata google.com
Query or filter by group; groups are specified at ingest, and several can be given as a comma-separated list. A few examples:
$ cif --otype fqdn --group everyone
$ cif --otype url --group group1,group2,everyone
The CIF client supports several output formats:
$ cif -q google.com -f table
$ cif -q google.com -f json
$ cif -q google.com -f csv
$ cif -q google.com -f snort
$ cif -q google.com -f bro
$ cif -q google.com -f bind
$ cif -q google.com -f html
Limit the number of results returned by CIF. A few examples:
$ cif --cc us --limit 5
$ cif --application http -l 5
$ cif --otype fqdn -l 3
CIF has several filters that let you scope a query by time. Timestamps are UTC, in the form YYYY-MM-DDTHH:MMZ.
- Lasttime - filter on the lasttime timestamp (less than)
cif --otype url --lasttime 2015-04-07T00:00Z
- Firsttime - filter on the firsttime timestamp (greater than)
cif --otype url --firsttime 2015-04-07T00:00Z
- Reporttime - filter on the reporttime timestamp (greater than)
cif --otype url --reporttime 2015-04-07T00:00Z
- Reporttime-end - filter on the reporttime timestamp (less than)
cif --otype url --reporttime-end 2015-04-07T00:00Z
- Today - auto-sets reporttime to today, 00:00:00Z (UTC)
cif --otype url --today
- Last hour - auto-sets reporttime to the beginning of the previous full hour and reporttime-end to the end of that hour
cif --otype url --last-hour
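--today and --last-hour cover two fixed windows; a shift handover or a cron job usually needs "the last N full hours". The script below is an added example (not CIF's own code) that computes --reporttime and --reporttime-end values for such a window in the UTC YYYY-MM-DDTHH:MMZ form used above, and passes any further arguments through to cif. The date arithmetic is done in shell integer math (the civil-from-days algorithm) rather than `date -d`, which differs between GNU and BSD userlands; the `CIF` and `CIF_NOW` environment overrides and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the CIF project: build --reporttime/--reporttime-end
# values for the last N full hours. Assumes cif is on PATH (override with CIF=...).
# CIF_NOW (epoch seconds) overrides the clock, which makes the output testable.

# Format epoch second $1 as e.g. 2015-04-07T00:00Z (UTC, minute precision).
# Pure integer arithmetic so GNU and BSD shells give the same answer.
cif_ts() {
    days=$(( $1 / 86400 )); sod=$(( $1 % 86400 ))
    z=$(( days + 719468 ))                       # shift epoch to 0000-03-01
    era=$(( z / 146097 ))                        # 400-year cycles
    doe=$(( z - era * 146097 ))                  # day of era [0, 146096]
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))                # month index, March = 0
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    y=$(( yoe + era * 400 + (m <= 2) ))
    printf '%04d-%02d-%02dT%02d:%02dZ\n' "$y" "$m" "$d" "$(( sod / 3600 ))" "$(( sod % 3600 / 60 ))"
}

# Print "START END" for the N (default 1) full hours ending at the most recent
# hour boundary. END is the boundary itself, which matches the "less than"
# semantics of --reporttime-end; N=1 reproduces what --last-hour does.
cif_hour_window() {
    now=${CIF_NOW:-$(date -u +%s)}
    end=$(( now / 3600 * 3600 ))
    start=$(( end - ${1:-1} * 3600 ))
    printf '%s %s\n' "$(cif_ts "$start")" "$(cif_ts "$end")"
}

# Usage: cif_last_hours N [further cif arguments, e.g. --otype url -f csv]
cif_last_hours() {
    n=$1; shift
    win=$(cif_hour_window "$n")
    "${CIF:-cif}" --reporttime "${win% *}" --reporttime-end "${win#* }" "$@"
}

# Stand-alone use: sh lasthours.sh 6 --otype url -f csv
if [ "$#" -gt 0 ]; then
    cif_last_hours "$@"
fi
```

Because the window always ends on an hour boundary, two consecutive runs with N=1 never overlap or leave a gap, which is what you want when the output feeds a blocklist or a SIEM.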