does searching by otype=hash work?

[giovino]

You can see a md5 in this query result:

cif -q 353f3b54de9ecfd82c63a2aeaf1c3b9c
tlp  |group   |reporttime          |observable                      |cc|asn|confidence|tags  |description|rdata|provider      |altid_tlp|altid
amber|everyone|2015-11-10T18:04:59Z|353f3b54de9ecfd82c63a2aeaf1c3b9c|  |   |25        |search|           |     |root@localhost|         |     
amber|everyone|2015-11-10T18:05:04Z|353f3b54de9ecfd82c63a2aeaf1c3b9c|  |   |25        |search|           |     |root@localhost|         |   

but you don't see it when querying by otype hash.

cif -v --otype hash -c 5
[2015-11-10T13:12:22,714Z][INFO]: starting up client...
[2015-11-10T13:12:22,714Z][INFO]: running search...
[2015-11-10T13:12:23,210Z][INFO]: status: 200
[2015-11-10T13:12:23,211Z][INFO]: no results found...

If it isn't suppose to work, we may want to add a "unsupported otype" to the client.

[wesyoung]

what does:

$ cif -v --otype md5 -c 5

result in?

ref: https://github.com/csirtgadgets/massive-octo-spice/blob/develop/src/lib/CIF/Plugin/Hash.pm#L32

the resolved otype should show up as one of those iirc...

[giovino]

sadly i even had some of this doc'd but forgot about it.

I expanded on it here and maybe made it a little more clear.

https://github.com/csirtgadgets/massive-octo-spice/wiki/Introducing-the-CIF-client#by-observable-type.

I'm closing this issue as I think it is done.