In [1]:
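import os
import sys

try:
    from synapse.lib.jupyter import *
except ImportError:
    # synapse is not importable in this kernel: fall back to the in-tree copy.
    # Insert the root path of the repository to sys.path.
    # This assumes the notebook is located three directories away
    # from the root synapse directory. It may need to be varied.
    # NOTE: abspath() resolves against the kernel's working directory, which is
    # normally the notebook's own directory when launched from Jupyter.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *
# The helper names used by the cells below (e.g. getTempCoreCmdr) come from
# this star import.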

In [2]:
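# Get a temp cortex and preload some data into it.
core = await getTempCoreCmdr()
q = '[inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com]'
# cmdr=True runs the query via the CLI (its output is shown below);
# num=3 asserts that exactly three nodes came back.
podes = await core.eval(q, num=3, cmdr=True)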

cli> storm [inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com]

inet:fqdn=woot.com
        .created = 2019/01/07 22:02:54.350
        :domain = com
        :host = woot
        :issuffix = False
        :iszone = True
        :zone = woot.com
inet:fqdn=vertex.link
        .created = 2019/01/07 22:02:54.353
        :domain = link
        :host = vertex
        :issuffix = False
        :iszone = True
        :zone = vertex.link
inet:fqdn=google.com
        .created = 2019/01/07 22:02:54.355
        :domain = com
        :host = google
        :issuffix = False
        :iszone = True
        :zone = google.com
complete. 3 nodes in 16 ms (187/sec).


In [3]:
# Lift test on the temp cortex made above: lift every inet:fqdn node.
# Expects 5 nodes (the three made above plus the domains they imply — TODO confirm).
query = 'inet:fqdn'
print(query)
podes = await core.eval(query, num=5, cmdr=False)

inet:fqdn


In [4]:
# Make three it:dev:mutex nodes via the CLI; num=3 asserts the count.
query = '[it:dev:mutex="!@ADS@#$" it:dev:mutex="***MUTEX***" it:dev:mutex="***MUTEX***_SAIR"]'
podes = await core.eval(query, num=3, cmdr=True)

cli> storm [it:dev:mutex="!@ADS@#$" it:dev:mutex="***MUTEX***" it:dev:mutex="***MUTEX***_SAIR"]

it:dev:mutex=!@ADS@#$
        .created = 2019/01/07 22:02:54.395
it:dev:mutex=***MUTEX***
        .created = 2019/01/07 22:02:54.396
it:dev:mutex=***MUTEX***_SAIR
        .created = 2019/01/07 22:02:54.396
complete. 3 nodes in 11 ms (272/sec).


In [5]:
# Lift test: every it:dev:mutex node (the three made above).
query = 'it:dev:mutex'
print(query)
podes = await core.eval(query, num=3, cmdr=False)

it:dev:mutex


In [6]:
# Lift test: a single inet:fqdn by primary property value.
query = 'inet:fqdn = google.com'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

inet:fqdn = google.com


In [7]:
# Make one hash:md5 node via the CLI.
query = '[hash:md5=d41d8cd98f00b204e9800998ecf8427e]'
podes = await core.eval(query, num=1, cmdr=True)

cli> storm [hash:md5=d41d8cd98f00b204e9800998ecf8427e]

hash:md5=d41d8cd98f00b204e9800998ecf8427e
        .created = 2019/01/07 22:02:54.447
complete. 1 nodes in 9 ms (111/sec).


In [8]:
# Lift test: a single hash:md5 by value.
query = 'hash:md5 = d41d8cd98f00b204e9800998ecf8427e'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

hash:md5 = d41d8cd98f00b204e9800998ecf8427e


In [9]:
# Make one inet:dns:a node (a composite of fqdn and ipv4) via the CLI.
query = '[ inet:dns:a=(woot.com,1.2.3.4)]'
podes = await core.eval(query, num=1, cmdr=True)

cli> storm [ inet:dns:a=(woot.com,1.2.3.4)]

inet:dns:a=('woot.com', '1.2.3.4')
        .created = 2019/01/07 22:02:54.485
        :fqdn = woot.com
        :ipv4 = 1.2.3.4
complete. 1 nodes in 11 ms (90/sec).


In [10]:
# Lift test: a composite-form node by its full (fqdn, ipv4) value.
query = 'inet:dns:a = (woot.com, 1.2.3.4)'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

inet:dns:a = (woot.com, 1.2.3.4)


In [11]:
# Make one ou:org node with several secondary properties via the CLI.
query = '[ou:org=2f92bc913918f6598bcf310972ebf32e :alias=vertex :name="the vertex project llc" :url=http://www.vertex.link :loc=us]'
podes = await core.eval(query, num=1, cmdr=True)

cli> storm [ou:org=2f92bc913918f6598bcf310972ebf32e :alias=vertex :name="the vertex project llc" :url=http://www.vertex.link :loc=us]

ou:org=2f92bc913918f6598bcf310972ebf32e
        .created = 2019/01/07 22:02:54.530
        :alias = vertex
        :loc = us
        :name = the vertex project llc
        :url = http://www.vertex.link
complete. 1 nodes in 13 ms (76/sec).


In [12]:
# Lift test: a guid-keyed form by its primary value.
query = 'ou:org=2f92bc913918f6598bcf310972ebf32e'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

ou:org=2f92bc913918f6598bcf310972ebf32e


In [13]:
# Make one has node linking a ps:person to an inet:email via the CLI.
query = '[has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))]'
podes = await core.eval(query, num=1, cmdr=True)

cli> storm [has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))]

has=((ps:person, "12af06294ddf1a0ac8d6da34e1dabee4"), (inet:email, "bob.smith@gmail.com"))
        .created = 2019/01/07 22:02:54.576
        :n1 = ('ps:person', '12af06294ddf1a0ac8d6da34e1dabee4')
        :n1:form = ps:person
        :n2 = ('inet:email', 'bob.smith@gmail.com')
        :n2:form = inet:email
complete. 1 nodes in 15 ms (66/sec).


In [14]:
# Lift test: the has node above by its full nested-tuple value.
query = 'has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))


In [15]:
# Lift test: a bare value with no form given; expects exactly one node back.
query = 'woot.com'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

woot.com


In [16]:
# Make two inet:dns:soa nodes, one storm query each so both CLI outputs are shown.
soa_queries = (
    '[inet:dns:soa=f511705bb7ba9147b5d1b2058309a53e :email=18929733163@189.cn :fqdn=linvpn11.com]',
    '[inet:dns:soa=6b3bb9decf6f1593476b10937d4783db :ns=ns1.vpntunnel.se :fqdn=vpntunnel.se]',
)
for query in soa_queries:
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [inet:dns:soa=f511705bb7ba9147b5d1b2058309a53e :email=18929733163@189.cn :fqdn=linvpn11.com]

inet:dns:soa=f511705bb7ba9147b5d1b2058309a53e
        .created = 2019/01/07 22:02:54.645
        :email = 18929733163@189.cn
        :fqdn = linvpn11.com
complete. 1 nodes in 21 ms (47/sec).
cli> storm [inet:dns:soa=6b3bb9decf6f1593476b10937d4783db :ns=ns1.vpntunnel.se :fqdn=vpntunnel.se]

inet:dns:soa=6b3bb9decf6f1593476b10937d4783db
        .created = 2019/01/07 22:02:54.675
        :fqdn = vpntunnel.se
        :ns = ns1.vpntunnel.se
complete. 1 nodes in 19 ms (52/sec).


In [17]:
# Lift test: by secondary property presence (only one SOA above has :email).
query = 'inet:dns:soa:email'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

inet:dns:soa:email


In [18]:
# Lift test: by secondary property value.
query = 'ou:org:alias = vertex'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

ou:org:alias = vertex


In [19]:
# Make three inet:dns:a nodes sharing one fqdn via the CLI.
query = '[inet:dns:a=(blackcake.net,52.4.209.250) inet:dns:a=(blackcake.net,67.215.66.149) inet:dns:a=(blackcake.net,0.0.0.0)]'
podes = await core.eval(query, num=3, cmdr=True)

cli> storm [inet:dns:a=(blackcake.net,52.4.209.250) inet:dns:a=(blackcake.net,67.215.66.149) inet:dns:a=(blackcake.net,0.0.0.0)]

inet:dns:a=('blackcake.net', '52.4.209.250')
        .created = 2019/01/07 22:02:54.759
        :fqdn = blackcake.net
        :ipv4 = 52.4.209.250
inet:dns:a=('blackcake.net', '67.215.66.149')
        .created = 2019/01/07 22:02:54.760
        :fqdn = blackcake.net
        :ipv4 = 67.215.66.149
inet:dns:a=('blackcake.net', '0.0.0.0')
        .created = 2019/01/07 22:02:54.762
        :fqdn = blackcake.net
        :ipv4 = 0.0.0.0
complete. 3 nodes in 14 ms (214/sec).


In [20]:
# Lift test: by a secondary property shared by the three A records above.
query = 'inet:dns:a:fqdn = blackcake.net'
print(query)
podes = await core.eval(query, num=3, cmdr=False)

inet:dns:a:fqdn = blackcake.net


In [21]:
# Make three file:bytes nodes, one storm query each; two share a compile time.
file_queries = (
    '[file:bytes=sha256:e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f :mime:pe:compiled=19920619222217]',
    '[file:bytes=sha256:a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd :mime:pe:compiled=19920619222217]',
    '[file:bytes=sha256:6119c92f5b5cb2cd953925e17ceb4a02a9007029dd27a35d44b116ff9718f814 :mime:pe:compiled=19700101032545]',
)
for query in file_queries:
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [file:bytes=sha256:e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f :mime:pe:compiled=19920619222217]

file:bytes=sha256:e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f
        .created = 2019/01/07 22:02:54.827
        :mime = ??
        :mime:pe:compiled = 1992/06/19 22:22:17.000
        :sha256 = e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f
complete. 1 nodes in 12 ms (83/sec).
cli> storm [file:bytes=sha256:a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd :mime:pe:compiled=19920619222217]

file:bytes=sha256:a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd
        .created = 2019/01/07 22:02:54.850
        :mime = ??
        :mime:pe:compiled = 1992/06/19 22:22:17.000
        :sha256 = a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd
complete. 1 nodes in 10 ms (100/sec).
cli> storm [file:bytes=sha256:6119c92f5b5cb2cd953925e17ceb4a02a9007029dd27a35d44b116ff9718f814 :mime:pe:c

In [22]:
# Lift test: by a time-typed secondary property; two of the files above match.
query = 'file:bytes:mime:pe:compiled = "1992/06/19 22:22:17"'
print(query)
podes = await core.eval(query, num=2, cmdr=False)

file:bytes:mime:pe:compiled = "1992/06/19 22:22:17"


In [23]:
# Make three inet:ipv4 nodes and apply one tag to all of them via the CLI.
query = '[inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]'
podes = await core.eval(query, num=3, cmdr=True)

cli> storm [inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]

inet:ipv4=54.38.219.150
        .created = 2019/01/07 22:02:54.920
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=151.242.192.84
        .created = 2019/01/07 22:02:54.927
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=217.83.101.150
        .created = 2019/01/07 22:02:54.929
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
complete. 3 nodes in 21 ms (142/sec).


In [24]:
# Lift test: by tag, across forms.
query = '#cno.infra.anon.tor'
print(query)
podes = await core.eval(query, num=3, cmdr=False)

#cno.infra.anon.tor


In [25]:
# Close cortex for next section.
# Tears down the temp cortex made above; the bare await means fini()'s
# return value is shown as the cell output (0 in the saved run).
await core.fini()

0

In [26]:
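import os
import sys

# Same import cell as at the top of the notebook. The execution count
# (In [26] right after In [25]) shows this ran in the same kernel, so the
# re-import is redundant but harmless.
try:
    from synapse.lib.jupyter import *
except ImportError:
    # synapse is not importable in this kernel: fall back to the in-tree copy.
    # Insert the root path of the repository to sys.path.
    # This assumes the notebook is located three directories away
    # from the root synapse directory. It may need to be varied.
    # NOTE: abspath() resolves against the kernel's working directory, which is
    # normally the notebook's own directory when launched from Jupyter.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *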

In [27]:
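# Get a new temp cortex to start fresh and preload some WHOIS records into it.
core = await getTempCoreCmdr()
whois_queries = (
    '[inet:whois:rec=(vicp.hk,"2007/12/20 00:00:00.000") :created = "2013/01/26 00:00:00.000" :registrant = "shanghai beiruixinxijishu" :text = "domain name: vicp.hk"]',
    '[inet:whois:rec=(lkqd.net,"2018/05/30 09:24:19.000") :created = "2014/06/01 21:05:25.000" :registrar = godaddy :text = "domain name: lkqd.net"]',
)
# Run each query via the CLI (output shown below); num=1 asserts that each
# returns exactly one node.
for query in whois_queries:
    podes = await core.eval(query, num=1, cmdr=True)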

cli> storm [inet:whois:rec=(vicp.hk,"2007/12/20 00:00:00.000") :created = "2013/01/26 00:00:00.000" :registrant = "shanghai beiruixinxijishu" :text = "domain name: vicp.hk"]

inet:whois:rec=('vicp.hk', '2007/12/20 00:00:00.000')
        .created = 2019/01/07 22:02:55.248
        :asof = 2007/12/20 00:00:00.000
        :created = 2013/01/26 00:00:00.000
        :fqdn = vicp.hk
        :registrant = shanghai beiruixinxijishu
        :registrar = ??
        :text = domain name: vicp.hk
complete. 1 nodes in 12 ms (83/sec).
cli> storm [inet:whois:rec=(lkqd.net,"2018/05/30 09:24:19.000") :created = "2014/06/01 21:05:25.000" :registrar = godaddy :text = "domain name: lkqd.net"]

inet:whois:rec=('lkqd.net', '2018/05/30 09:24:19.000')
        .created = 2019/01/07 22:02:55.271
        :asof = 2018/05/30 09:24:19.000
        :created = 2014/06/01 21:05:25.000
        :fqdn = lkqd.net
        :registrant = ??
        :registrar = godaddy
        :text = domain name: lkqd.net
complete. 1 nodes in 

In [28]:
# Lift test: time comparison with `<`; only the vicp.hk record was created before this date.
query = 'inet:whois:rec:created < 2014/06/01'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

inet:whois:rec:created < 2014/06/01


In [29]:
# Make four file:bytes nodes with differing :size values, one storm query each.
file_queries = (
    '[file:bytes=sha256:14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3 :size=1048592]',
    '[file:bytes=sha256:8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229 :size=1048592]',
    '[file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]',
    '[file:bytes=sha256:36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068 :size=1]',
)
for query in file_queries:
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [file:bytes=sha256:14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3 :size=1048592]

file:bytes=sha256:14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3
        .created = 2019/01/07 22:02:55.317
        :mime = ??
        :sha256 = 14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3
        :size = 1048592
complete. 1 nodes in 10 ms (100/sec).
cli> storm [file:bytes=sha256:8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229 :size=1048592]

file:bytes=sha256:8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229
        .created = 2019/01/07 22:02:55.334
        :mime = ??
        :sha256 = 8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229
        :size = 1048592
complete. 1 nodes in 9 ms (111/sec).
cli> storm [file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]

file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        .cr

In [30]:
# Lift test: integer comparison with `>`; the two 1048592-byte files match.
query = 'file:bytes:size > 1048576'
print(query)
podes = await core.eval(query, num=2, cmdr=False)

file:bytes:size > 1048576


In [31]:
# Make two ps:person nodes with generated ("*") guids and a :dob each.
person_queries = (
    '[ps:person="*" :dob=1974/05/14]',
    '[ps:person="*" :dob=1982/04/27]',
)
for query in person_queries:
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [ps:person="*" :dob=1974/05/14]

ps:person=7f25d8d1d6e3d035ee997df0d9aeb075
        .created = 2019/01/07 22:02:55.407
        :dob = 1974/05/14 00:00:00.000
complete. 1 nodes in 7 ms (142/sec).
cli> storm [ps:person="*" :dob=1982/04/27]

ps:person=9d63ab2ed828930e3ffa66c26d6204cf
        .created = 2019/01/07 22:02:55.424
        :dob = 1982/04/27 00:00:00.000
complete. 1 nodes in 8 ms (125/sec).


In [32]:
# Lift test: time comparison with `<=`; one of the two people above matches.
query = 'ps:person:dob <= 1980/01/01'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

ps:person:dob <= 1980/01/01


In [33]:
# Make three inet:whois:rec nodes in one storm query via the CLI.
query = '[inet:whois:rec=(showustime.com, 2018/12/02) inet:whois:rec=(videosync.info,2018/12/02) inet:whois:rec=(earthsolution.org,1999/11/29)]'
podes = await core.eval(query, num=3, cmdr=True)

cli> storm [inet:whois:rec=(showustime.com, 2018/12/02) inet:whois:rec=(videosync.info,2018/12/02) inet:whois:rec=(earthsolution.org,1999/11/29)]

inet:whois:rec=('showustime.com', '2018/12/02 00:00:00.000')
        .created = 2019/01/07 22:02:55.466
        :asof = 2018/12/02 00:00:00.000
        :fqdn = showustime.com
        :registrant = ??
        :registrar = ??
inet:whois:rec=('videosync.info', '2018/12/02 00:00:00.000')
        .created = 2019/01/07 22:02:55.470
        :asof = 2018/12/02 00:00:00.000
        :fqdn = videosync.info
        :registrant = ??
        :registrar = ??
inet:whois:rec=('earthsolution.org', '1999/11/29 00:00:00.000')
        .created = 2019/01/07 22:02:55.474
        :asof = 1999/11/29 00:00:00.000
        :fqdn = earthsolution.org
        :registrant = ??
        :registrar = ??
complete. 3 nodes in 19 ms (157/sec).


In [34]:
# Lift test: time comparison with `>=` against a quoted timestamp; two records match.
query = 'inet:whois:rec:asof >= "2018/12/01 12:00"'
print(query)
podes = await core.eval(query, num=2, cmdr=False)

inet:whois:rec:asof >= "2018/12/01 12:00"


In [35]:
# Close cortex for next section.
# Tears down the temp cortex made above; the bare await means fini()'s
# return value is shown as the cell output (0 in the saved run).
await core.fini()

0

In [2]:
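import os
import sys

# NOTE(review): the execution count restarts at In [2] here, so this part of
# the notebook appears to come from a separate kernel session; whatever that
# session's In [1] was is not in the saved notebook.
try:
    from synapse.lib.jupyter import *
except ImportError:
    # synapse is not importable in this kernel: fall back to the in-tree copy.
    # Insert the root path of the repository to sys.path.
    # This assumes the notebook is located three directories away
    # from the root synapse directory. It may need to be varied.
    # NOTE: abspath() resolves against the kernel's working directory, which is
    # normally the notebook's own directory when launched from Jupyter.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *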

In [3]:
# Get a new temp cortex to start fresh, then make two file:bytes nodes that
# carry a :mime:pe:pdbpath, one storm query each.
core = await getTempCoreCmdr()
file_queries = (
    '[file:bytes=sha256:cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814 :mime:pe:pdbpath="d:/my documents/visual studio projects/rouji/svcmain.pdb"]',
    '[file:bytes=sha256:56d9ed457136c85fba55cdd5ee3b7c21cb25ce0b1d7053d397cf4756fa7a422f :mime:pe:pdbpath="c:/users/milad/desktop/end crypter vb.net/tekide/obj/debug/tekide.pdb"]',
)
for query in file_queries:
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [file:bytes=sha256:cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814 :mime:pe:pdbpath="d:/my documents/visual studio projects/rouji/svcmain.pdb"]

file:bytes=sha256:cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814
        .created = 2019/01/07 22:09:34.836
        :mime = ??
        :mime:pe:pdbpath = d:/my documents/visual studio projects/rouji/svcmain.pdb
        :sha256 = cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814
complete. 1 nodes in 12 ms (83/sec).
cli> storm [file:bytes=sha256:56d9ed457136c85fba55cdd5ee3b7c21cb25ce0b1d7053d397cf4756fa7a422f :mime:pe:pdbpath="c:/users/milad/desktop/end crypter vb.net/tekide/obj/debug/tekide.pdb"]

file:bytes=sha256:56d9ed457136c85fba55cdd5ee3b7c21cb25ce0b1d7053d397cf4756fa7a422f
        .created = 2019/01/07 22:09:34.852
        :mime = ??
        :mime:pe:pdbpath = c:/users/milad/desktop/end crypter vb.net/tekide/obj/debug/tekide.pdb
        :sha256 = 56d9ed457136c85fba55cdd5ee3b7c21

In [4]:
# Lift test: regex match with `~=` on a string property; one of the two files matches.
query = 'file:bytes:mime:pe:pdbpath ~= "rouji"'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

file:bytes:mime:pe:pdbpath ~= "rouji"


In [5]:
# Make four inet:user nodes sharing a common prefix via the CLI.
query = '[inet:user=pinky inet:user=pinkyboo inet:user=pinkybrain inet:user=pinkydinky]'
podes = await core.eval(query, num=4, cmdr=True)

cli> storm [inet:user=pinky inet:user=pinkyboo inet:user=pinkybrain inet:user=pinkydinky]

inet:user=pinky
        .created = 2019/01/07 22:09:40.258
inet:user=pinkyboo
        .created = 2019/01/07 22:09:40.259
inet:user=pinkybrain
        .created = 2019/01/07 22:09:40.259
inet:user=pinkydinky
        .created = 2019/01/07 22:09:40.261
complete. 4 nodes in 14 ms (285/sec).


In [6]:
# Lift test: prefix match with `^=` on a primary property; all four users match.
query = 'inet:user^=pinky'
print(query)
podes = await core.eval(query, num=4, cmdr=False)

inet:user^=pinky


In [7]:
# Make three ou:org nodes with generated guids, one storm query each.
org_queries = (
    '[ou:org="*" :name="International House of Pancakes"]',
    '[ou:org="*" :name="International Society of Funny Walks"]',
    '[ou:org="*" :name="Interrogators Anonymous"]',
)
for query in org_queries:
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [ou:org="*" :name="International House of Pancakes"]

ou:org=bb3c1be95a6c320bb4b3780e036ad135
        .created = 2019/01/07 22:09:43.807
        :name = international house of pancakes
complete. 1 nodes in 21 ms (47/sec).
cli> storm [ou:org="*" :name="International Society of Funny Walks"]

ou:org=29eaa3de7cc189134b93c953a8bac7e1
        .created = 2019/01/07 22:09:43.849
        :name = international society of funny walks
complete. 1 nodes in 14 ms (71/sec).
cli> storm [ou:org="*" :name="Interrogators Anonymous"]

ou:org=591d157e14cdb383653f4a6746a3b28c
        .created = 2019/01/07 22:09:43.877
        :name = interrogators anonymous
complete. 1 nodes in 10 ms (100/sec).


In [8]:
# Lift test: prefix match with `^=` on a secondary property; two of the three orgs match
# (the saved output above shows :name stored lower-cased).
query = 'ou:org:name^=international'
print(query)
podes = await core.eval(query, num=2, cmdr=False)

ou:org:name^=international


In [9]:
# Make a full /24 of inet:ipv4 nodes (256) via the CLI.
# NOTE(review): with cmdr=True this prints all 256 nodes into the notebook (the
# saved output above is truncated); cmdr=False would keep the assertion without
# the dump, if the CLI listing is not needed in the rendered docs.
query = '[inet:ipv4=192.168.0.0/24]'
podes = await core.eval(query, num=256, cmdr=True)

cli> storm [inet:ipv4=192.168.0.0/24]

inet:ipv4=192.168.0.0
        .created = 2019/01/07 22:09:48.774
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.1
        .created = 2019/01/07 22:09:48.777
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.2
        .created = 2019/01/07 22:09:48.780
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.3
        .created = 2019/01/07 22:09:48.789
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.4
        .created = 2019/01/07 22:09:48.804
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.5
        .created = 2019/01/07 22:09:48.806
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.6
        .created = 2019/01/07 22:09:48.815
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.7
        .created = 2019/01/07 22:09:48.818
        :asn = 0
        :lo

inet:ipv4=192.168.0.226
        .created = 2019/01/07 22:09:49.153
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.227
        .created = 2019/01/07 22:09:49.154
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.228
        .created = 2019/01/07 22:09:49.155
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.229
        .created = 2019/01/07 22:09:49.158
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.230
        .created = 2019/01/07 22:09:49.160
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.231
        .created = 2019/01/07 22:09:49.160
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.232
        .created = 2019/01/07 22:09:49.162
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.233
        .created = 2019/01/07 22:09:49.162
        :asn = 0
        :loc = ??
        :type = 

In [10]:
# Lift test: the `*range=` operator on a primary property; .0 through .10 inclusive is 11 nodes.
query = 'inet:ipv4*range=(192.168.0.0, 192.168.0.10)'
print(query)
podes = await core.eval(query, num=11, cmdr=False)

inet:ipv4*range=(192.168.0.0, 192.168.0.10)


In [11]:
# Make four file:bytes nodes with a spread of :size values, one storm query each.
file_queries = (
    '[file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]',
    '[file:bytes=sha256:929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0 :size=1001]',
    '[file:bytes=sha256:e7db39923c5244bfc96af4593794f8e85eb4b68da4f80c7b67cc887aa1ea4713 :size=5000]',
    '[file:bytes=sha256:e708cd312b2b87c6ecc62fe2d33071380a90e60f6f98cf37f1e178127d2c3241 :size=100002]',
)
for query in file_queries:
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]

file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        .created = 2019/01/07 22:09:55.258
        :mime = ??
        :sha256 = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        :size = 0
complete. 1 nodes in 18 ms (55/sec).
cli> storm [file:bytes=sha256:929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0 :size=1001]

file:bytes=sha256:929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0
        .created = 2019/01/07 22:09:55.286
        :mime = ??
        :sha256 = 929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0
        :size = 1001
complete. 1 nodes in 11 ms (90/sec).
cli> storm [file:bytes=sha256:e7db39923c5244bfc96af4593794f8e85eb4b68da4f80c7b67cc887aa1ea4713 :size=5000]

file:bytes=sha256:e7db39923c5244bfc96af4593794f8e85eb4b68da4f80c7b67cc887aa1ea4713
        .created = 2019/01/

In [12]:
# Lift test: `*range=` on an integer secondary property; the 1001 and 5000 byte files match.
query = 'file:bytes:size*range=(1000,100000)'
print(query)
podes = await core.eval(query, num=2, cmdr=False)

file:bytes:size*range=(1000,100000)


In [13]:
# Make five inet:whois:rec nodes with a spread of :asof dates, one storm query each.
whois_queries = (
    '[inet:whois:rec=(pe75.com,2013/11/29) :text="domain name: pe75.com"]',
    '[inet:whois:rec=(youipcam.com,2013/11/29) :text="domain name: youipcam.com"]',
    '[inet:whois:rec=(17ti.net,2016/01/01) :text="domain name: 17ti.net"]',
    '[inet:whois:rec=(africawebcast.com,1999/11/19) :text="domain name: africawebcast.com"]',
    '[inet:whois:rec=(teads.tv,2017/03/02) :text="domain name: teads.tv"]',
)
for query in whois_queries:
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [inet:whois:rec=(pe75.com,2013/11/29) :text="domain name: pe75.com"]

inet:whois:rec=('pe75.com', '2013/11/29 00:00:00.000')
        .created = 2019/01/07 22:09:59.540
        :asof = 2013/11/29 00:00:00.000
        :fqdn = pe75.com
        :registrant = ??
        :registrar = ??
        :text = domain name: pe75.com
complete. 1 nodes in 21 ms (47/sec).
cli> storm [inet:whois:rec=(youipcam.com,2013/11/29) :text="domain name: youipcam.com"]

inet:whois:rec=('youipcam.com', '2013/11/29 00:00:00.000')
        .created = 2019/01/07 22:09:59.563
        :asof = 2013/11/29 00:00:00.000
        :fqdn = youipcam.com
        :registrant = ??
        :registrar = ??
        :text = domain name: youipcam.com
complete. 1 nodes in 9 ms (111/sec).
cli> storm [inet:whois:rec=(17ti.net,2016/01/01) :text="domain name: 17ti.net"]

inet:whois:rec=('17ti.net', '2016/01/01 00:00:00.000')
        .created = 2019/01/07 22:09:59.580
        :asof = 2016/01/01 00:00:00.000
        :fqdn = 17ti.net


In [14]:
# Lift test: `*range=` on a time secondary property; three of the five records fall inside.
query = 'inet:whois:rec:asof*range=(2013/11/29, 2016/06/14)'
print(query)
podes = await core.eval(query, num=3, cmdr=False)

inet:whois:rec:asof*range=(2013/11/29, 2016/06/14)


In [16]:
# Make five inet:dns:request nodes that differ only in :time, one storm query each.
# NOTE(review): the execution count jumps from In [14] to In [16] here, so a cell
# was run and removed or this one was re-run; confirm under Restart & Run All.
request_queries = (
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/01 00:00:00"]',
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/11/30 00:00:00"]',
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/01 23:59:59"]',
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/02 00:01:00"]',
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/11/29 23:59:59"]',
)
for query in request_queries:
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/01 00:00:00"]

inet:dns:request=f363c0986da5791f585c7eaf55bb76f1
        .created = 2019/01/07 22:10:12.948
        :query = ('tcp://8.8.8.8', 'woot.com', '1')
        :query:name = woot.com
        :query:name:fqdn = woot.com
        :query:type = 1
        :time = 2018/12/01 00:00:00.000
complete. 1 nodes in 37 ms (27/sec).
cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/11/30 00:00:00"]

inet:dns:request=2dd9a3944fd5a1fa095daa662fb7c587
        .created = 2019/01/07 22:10:12.999
        :query = ('tcp://8.8.8.8', 'woot.com', '1')
        :query:name = woot.com
        :query:name:fqdn = woot.com
        :query:type = 1
        :time = 2018/11/30 00:00:00.000
complete. 1 nodes in 8 ms (125/sec).
cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/01 23:59:59"]

inet:dns:request=36f38e0ba40082f5c8a33790ca905162
        .created = 2019/01/

In [17]:
# Lift test: `*range=` with a relative "+-1 day" bound around 2018/12/01; three requests match.
query = 'inet:dns:request:time*range=(2018/12/01, "+-1 day")'
print(query)
podes = await core.eval(query, num=3, cmdr=False)

inet:dns:request:time*range=(2018/12/01, "+-1 day")


In [None]:
# Make three more inet:ipv4 nodes via the CLI.
# NOTE(review): this and every following cell is In [None] with no saved output,
# i.e. never executed in this session; the num= expectations below are unverified.
query = '[inet:ipv4=127.0.0.1 inet:ipv4=192.168.0.100 inet:ipv4=255.255.255.254]'
podes = await core.eval(query, num=3, cmdr=True)

In [None]:
# Lift test: the `*in=` operator on a primary property (cell not executed; count unverified).
query = 'inet:ipv4*in=(127.0.0.1, 192.168.0.100, 255.255.255.254)'
print(query)
podes = await core.eval(query, num=3, cmdr=False)

In [None]:
# Make three more file:bytes nodes with distinct :size values, one storm query each.
file_queries = (
    '[file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c :size=4096]',
    '[file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81 :size=16384]',
    '[file:bytes=sha256:2e248baca79a14f6a62a6bb962a68f7b6f1dfea4641beb39f8e7f0ec5bb47e36 :size=65536]',
)
for query in file_queries:
    podes = await core.eval(query, num=1, cmdr=True)

In [None]:
# Lift test: `*in=` on an integer secondary property (cell not executed; count unverified).
query = 'file:bytes:size*in=(4096, 16384, 65536)'
print(query)
podes = await core.eval(query, num=3, cmdr=False)

In [None]:
# Make five syn:tag nodes explicitly via the CLI.
query = '[syn:tag=aaa.foo syn:tag=aaa.bbb.bar syn:tag=ccc.baz syn:tag=aaa.bar.hurr syn:tag=baz.woop]'
podes = await core.eval(query, num=5, cmdr=True)

In [None]:
# Lift test: `*in=` on a string secondary property of syn:tag.
# Expects 5 — presumably counts implied parent tags such as aaa.bar as well; unverified (cell not executed).
query = 'syn:tag:base*in=(foo,bar,baz)'
print(query)
podes = await core.eval(query, num=5, cmdr=False)

In [None]:
# Make two geo:place nodes with :latlong, one storm query each.
place_queries = (
    '[geo:place=531665e149b54a8a160961f47faab360 :latlong="48.8589878,2.2989958" :loc=fr.paris :name="the american library in paris"]',
    '[geo:place=05d499e9aef335cc9d27be5aeed1ccfe :latlong="59.9124013,10.63733779" :loc=no.lysaker :name="avast software"]',
)
for query in place_queries:
    podes = await core.eval(query, num=1, cmdr=True)

In [None]:
# Lift test: the `*near=` operator with a (latlong, distance) argument (cell not executed; count unverified).
query = 'geo:place:latlong*near=((48.8583701,2.2944813),500m)'
print(query)
podes = await core.eval(query, num=1, cmdr=False)

In [None]:
# Make three inet:ipv4 nodes and tag all of them via the CLI (this cortex is
# fresh, so this repeats the section-1 setup rather than duplicating nodes).
query = '[inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]'
podes = await core.eval(query, num=3, cmdr=True)

In [None]:
# Lift test: by tag alone (cell not executed; count unverified).
query = '#cno.infra.anon.tor'
print(query)
podes = await core.eval(query, num=3, cmdr=False)

In [None]:
# Make three inet:fqdn nodes and tag all of them via the CLI.
query = '[inet:fqdn=adobeproduct.com inet:fqdn=ntupdateserver.com inet:fqdn=fireeyeupdate.com +#aka.paloalto.thr.oilrig]'
podes = await core.eval(query, num=3, cmdr=True)

In [None]:
# Lift test: by form and tag together (cell not executed; count unverified).
query = 'inet:fqdn#aka.paloalto.thr.oilrig'
print(query)
podes = await core.eval(query, num=3, cmdr=False)

In [None]:
# Make three syn:tag nodes carrying #aka.feye.cc.ru, then one fqdn and one ipv4
# tagged with two of those tags; each query has its own expected node count.
tagged_makes = (
    ('[syn:tag=aka.feye.thr.apt28 syn:tag=aka.feye.thr.apt29 syn:tag=aka.feye.thr.veles +#aka.feye.cc.ru]', 3),
    ('[inet:fqdn=scanmalware.info +#aka.feye.thr.apt28]', 1),
    ('[inet:ipv4=87.245.143.140 +#aka.feye.thr.veles]', 1),
)
for query, expected in tagged_makes:
    podes = await core.eval(query, num=expected, cmdr=True)

In [None]:
# Lift test: the `##` form; expects the fqdn and ipv4 made above (cell not executed; count unverified).
query = '##aka.feye.cc.ru'
print(query)
podes = await core.eval(query, num=2, cmdr=False)

In [None]:
# Close cortex because done.
# Tears down the temp cortex for this section; like the earlier sections, the
# bare await shows fini()'s return value as the cell output once run.
await core.fini()