In [1]:
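import os
import sys

# Bring the notebook helpers (e.g. getTempCoreCmdr) into scope. Prefer an
# installed synapse; otherwise fall back to the repository checkout.
try:
    from synapse.lib.jupyter import *
except ImportError:
    # Assumes the notebook lives three directories below the synapse repo
    # root; adjust the relative path if the notebook moves. The path is
    # resolved against the kernel's current working directory, and inserting
    # it at index 0 makes that checkout shadow any installed synapse, so only
    # run this from a checkout you trust.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *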

In [2]:
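# Get a temp cortex and preload some data into it. `core` is closed again
# by the `await core.fini()` cell at the end of this section.
core = await getTempCoreCmdr()
q = '[inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com inet:ipv4=1.2.3.4 inet:ipv4=5.6.7.8]'
# Run the query through the CLI (cmdr=True) so its output is shown, and
# check that exactly 5 packed nodes (podes) come back -- one per value above
# (the old comment said 3, which did not match num=5).
podes = await core.eval(q, num=5, cmdr=True)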

cli> storm [inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com inet:ipv4=1.2.3.4 inet:ipv4=5.6.7.8]

inet:fqdn=woot.com
        .created = 2019/01/03 22:55:57.797
        :domain = com
        :host = woot
        :issuffix = False
        :iszone = True
        :zone = woot.com
inet:fqdn=vertex.link
        .created = 2019/01/03 22:55:57.800
        :domain = link
        :host = vertex
        :issuffix = False
        :iszone = True
        :zone = vertex.link
inet:fqdn=google.com
        .created = 2019/01/03 22:55:57.802
        :domain = com
        :host = google
        :issuffix = False
        :iszone = True
        :zone = google.com
inet:ipv4=1.2.3.4
        .created = 2019/01/03 22:55:57.805
        :asn = 0
        :loc = ??
        :type = unicast
inet:ipv4=5.6.7.8
        .created = 2019/01/03 22:55:57.808
        :asn = 0
        :loc = ??
        :type = unicast
complete. 5 nodes in 22 ms (227/sec).


In [3]:
# Reuse the temp cortex from above. `q` is only a display stand-in: the
# printed line shows `<query>` where the real lift held in `q1` goes.
q, q1, q2 = '<query> ', '.created ', '+inet:fqdn'
print(f'{q}{q2}')
# Run the actual lift + filter without CLI echo; num=5 is the expected
# number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=5, cmdr=False)

<query> +inet:fqdn


In [4]:
# Reuse the temp cortex. `q` is the display-only `<query>` placeholder;
# `q1` is the lift that actually runs.
q, q1, q2 = '<query> ', 'inet:fqdn', '-inet:fqdn=google.com'
print(f'{q}{q2}')
# NOTE(review): unlike the other example cells, `q1` has no trailing space,
# so the executed text is `inet:fqdn-inet:fqdn=google.com`. It ran as-is
# (num=4), but a space before the filter would match the other examples.
podes = await core.eval(f'{q1}{q2}', num=4, cmdr=False)

<query> -inet:fqdn=google.com


In [5]:
# Make some SOA records, one per query, so the :email filters below see a
# mix of nodes with (q2) and without (q, q1) an :email prop.
q = '[inet:dns:soa="*" :fqdn=google.com :ns=ns1.google.com]'
q1 = '[inet:dns:soa="*" :fqdn=woot.com :ns=ns1.woot.com]'
q2 = '[inet:dns:soa="*" :fqdn=vertex.link :email=admin@vertex.link]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [inet:dns:soa="*" :fqdn=google.com :ns=ns1.google.com]

inet:dns:soa=3e99debd00b8708be79e35f5c30977e2
        .created = 2019/01/03 22:55:57.878
        :fqdn = google.com
        :ns = ns1.google.com
complete. 1 nodes in 11 ms (90/sec).
cli> storm [inet:dns:soa="*" :fqdn=woot.com :ns=ns1.woot.com]

inet:dns:soa=19f6ea4aaff900dcef2f89c5471d5a26
        .created = 2019/01/03 22:55:57.894
        :fqdn = woot.com
        :ns = ns1.woot.com
complete. 1 nodes in 10 ms (100/sec).
cli> storm [inet:dns:soa="*" :fqdn=vertex.link :email=admin@vertex.link]

inet:dns:soa=88a35c0caed2679c282d0bb6f7e00c46
        .created = 2019/01/03 22:55:57.910
        :email = admin@vertex.link
        :fqdn = vertex.link
complete. 1 nodes in 10 ms (100/sec).


In [6]:
# Show the filter form of the query (`q` is a display-only `<query>`
# placeholder), then run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:dns:soa ', '-inet:dns:soa:email'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> -inet:dns:soa:email


In [7]:
# Same filter as the previous cell in its short relative form (`-:email`).
# `q` is a display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'inet:dns:soa ', '-:email'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> -:email


In [8]:
# Make one subdomain under each of the zones created earlier.
q = '[inet:fqdn=www.woot.com inet:fqdn=mail.vertex.link inet:fqdn=code.google.com]'
# Echo through the CLI and expect exactly 3 packed nodes (podes).
podes = await core.eval(q, cmdr=True, num=3)

cli> storm [inet:fqdn=www.woot.com inet:fqdn=mail.vertex.link inet:fqdn=code.google.com]

inet:fqdn=www.woot.com
        .created = 2019/01/03 22:55:57.974
        :domain = woot.com
        :host = www
        :issuffix = False
        :iszone = False
        :zone = woot.com
inet:fqdn=mail.vertex.link
        .created = 2019/01/03 22:55:57.976
        :domain = vertex.link
        :host = mail
        :issuffix = False
        :iszone = False
        :zone = vertex.link
inet:fqdn=code.google.com
        .created = 2019/01/03 22:55:57.978
        :domain = google.com
        :host = code
        :issuffix = False
        :iszone = False
        :zone = google.com
complete. 3 nodes in 15 ms (200/sec).


In [9]:
# Show the filter form (`q` is a display-only `<query>` placeholder), then
# run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:fqdn ', '+inet:fqdn:iszone=1'
print(f'{q}{q2}')
# No CLI echo; num=3 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> +inet:fqdn:iszone=1


In [10]:
# Relative-prop form of the previous filter (`+:iszone=1`). `q` is a
# display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'inet:fqdn ', '+:iszone=1'
print(f'{q}{q2}')
# No CLI echo; num=3 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> +:iszone=1


In [11]:
# Give google.com a .seen interval so the .seen filters below have a match.
q = 'inet:fqdn=google.com [.seen=("2014/07/25 19:29:19.000","2019/01/02 12:29:45.500")]'
# Echo through the CLI and expect exactly 1 packed node (pode).
podes = await core.eval(q, cmdr=True, num=1)

cli> storm inet:fqdn=google.com [.seen=("2014/07/25 19:29:19.000","2019/01/02 12:29:45.500")]

inet:fqdn=google.com
        .created = 2019/01/03 22:55:57.802
        .seen = ('2014/07/25 19:29:19.000', '2019/01/02 12:29:45.500')
        :domain = com
        :host = google
        :issuffix = False
        :iszone = True
        :zone = google.com
complete. 1 nodes in 10 ms (100/sec).


In [12]:
# Show the filter form (`q` is a display-only `<query>` placeholder), then
# run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:fqdn ', '+inet:fqdn.seen'
print(f'{q}{q2}')
# No CLI echo; num=1 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=1, cmdr=False)

<query> +inet:fqdn.seen


In [13]:
# Universal-prop short form of the previous filter (`+.seen`). `q` is a
# display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'inet:fqdn ', '+.seen'
print(f'{q}{q2}')
# No CLI echo; num=1 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=1, cmdr=False)

<query> +.seen


In [14]:
# Make two more ipv4 nodes and tag both in the same edit block.
q = '[inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 +#cno.infra.anon.tor]'
# Echo through the CLI and expect exactly 2 packed nodes (podes).
podes = await core.eval(q, cmdr=True, num=2)

cli> storm [inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 +#cno.infra.anon.tor]

inet:ipv4=54.38.219.150
        .created = 2019/01/03 22:55:58.097
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=151.242.192.84
        .created = 2019/01/03 22:55:58.102
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
complete. 2 nodes in 16 ms (125/sec).


In [15]:
# Show the tag filter form (`q` is a display-only `<query>` placeholder),
# then run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:ipv4 ', '-#cno.infra.anon.tor'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> -#cno.infra.anon.tor


In [16]:
# Tear down the temporary cortex opened in the setup cell; the bare await
# leaves its return value as the cell's displayed output.
await core.fini()

0

In [17]:
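import os
import sys

# Bring the notebook helpers (e.g. getTempCoreCmdr) into scope. Prefer an
# installed synapse; otherwise fall back to the repository checkout.
try:
    from synapse.lib.jupyter import *
except ImportError:
    # Assumes the notebook lives three directories below the synapse repo
    # root; adjust the relative path if the notebook moves. The path is
    # resolved against the kernel's current working directory, and inserting
    # it at index 0 makes that checkout shadow any installed synapse, so only
    # run this from a checkout you trust.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *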

In [18]:
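# Get a temp cortex and preload some data into it. `core` is closed again
# by the `await core.fini()` cell at the end of this section.
core = await getTempCoreCmdr()
q = '[inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com inet:ipv4=1.2.3.4 inet:ipv4=5.6.7.8]'
# Run the query through the CLI (cmdr=True) so its output is shown, and
# check that exactly 5 packed nodes (podes) come back -- one per value above
# (the old comment said 3, which did not match num=5).
podes = await core.eval(q, num=5, cmdr=True)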

cli> storm [inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com inet:ipv4=1.2.3.4 inet:ipv4=5.6.7.8]

inet:fqdn=woot.com
        .created = 2019/01/03 22:55:58.371
        :domain = com
        :host = woot
        :issuffix = False
        :iszone = True
        :zone = woot.com
inet:fqdn=vertex.link
        .created = 2019/01/03 22:55:58.374
        :domain = link
        :host = vertex
        :issuffix = False
        :iszone = True
        :zone = vertex.link
inet:fqdn=google.com
        .created = 2019/01/03 22:55:58.376
        :domain = com
        :host = google
        :issuffix = False
        :iszone = True
        :zone = google.com
inet:ipv4=1.2.3.4
        .created = 2019/01/03 22:55:58.379
        :asn = 0
        :loc = ??
        :type = unicast
inet:ipv4=5.6.7.8
        .created = 2019/01/03 22:55:58.381
        :asn = 0
        :loc = ??
        :type = unicast
complete. 5 nodes in 23 ms (217/sec).


In [19]:
# Show the filter form (`q` is a display-only `<query>` placeholder), then
# run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:fqdn ', '+inet:fqdn != google.com'
print(f'{q}{q2}')
# No CLI echo; num=4 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=4, cmdr=False)

<query> +inet:fqdn != google.com


In [20]:
# Make four WHOIS records for woot.com with different :asof dates, so the
# `<` comparisons below split them.
q = '[inet:whois:rec=(woot.com,2015/09/30) :text="domain name: woot.com"]'
q1 = '[inet:whois:rec=(woot.com,2016/12/31) :text="domain name: woot.com"]'
q2 = '[inet:whois:rec=(woot.com,2017/01/01) :text="domain name: woot.com"]'
q3 = '[inet:whois:rec=(woot.com,2017/10/30) :text="domain name: woot.com"]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2, q3):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [inet:whois:rec=(woot.com,2015/09/30) :text="domain name: woot.com"]

inet:whois:rec=('woot.com', '2015/09/30 00:00:00.000')
        .created = 2019/01/03 22:55:58.423
        :asof = 2015/09/30 00:00:00.000
        :fqdn = woot.com
        :registrant = ??
        :registrar = ??
        :text = domain name: woot.com
complete. 1 nodes in 11 ms (90/sec).
cli> storm [inet:whois:rec=(woot.com,2016/12/31) :text="domain name: woot.com"]

inet:whois:rec=('woot.com', '2016/12/31 00:00:00.000')
        .created = 2019/01/03 22:55:58.439
        :asof = 2016/12/31 00:00:00.000
        :fqdn = woot.com
        :registrant = ??
        :registrar = ??
        :text = domain name: woot.com
complete. 1 nodes in 10 ms (100/sec).
cli> storm [inet:whois:rec=(woot.com,2017/01/01) :text="domain name: woot.com"]

inet:whois:rec=('woot.com', '2017/01/01 00:00:00.000')
        .created = 2019/01/03 22:55:58.456
        :asof = 2017/01/01 00:00:00.000
        :fqdn = woot.com
        :registrant

In [21]:
# Show the filter form (`q` is a display-only `<query>` placeholder), then
# run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:whois:rec ', '+inet:whois:rec:asof < 2017/01/01'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +inet:whois:rec:asof < 2017/01/01


In [22]:
# Relative-prop form of the previous filter (`+:asof < ...`). `q` is a
# display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'inet:whois:rec ', '+:asof < 2017/01/01'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +:asof < 2017/01/01


In [23]:
# Make three file:bytes nodes with different :size values so the `>`
# filters below split them.
q = '[file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c :size=4096]'
q1 = '[file:bytes=sha256:809fa843160f6d4d7fca42ec1edfc1dd5dc1eef79f85cacc93bf20a69187c51c :size=1024]'
q2 = '[file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81 :size=16384]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c :size=4096]

file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c
        .created = 2019/01/03 22:55:58.567
        :mime = ??
        :sha256 = 68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c
        :size = 4096
complete. 1 nodes in 12 ms (83/sec).
cli> storm [file:bytes=sha256:809fa843160f6d4d7fca42ec1edfc1dd5dc1eef79f85cacc93bf20a69187c51c :size=1024]

file:bytes=sha256:809fa843160f6d4d7fca42ec1edfc1dd5dc1eef79f85cacc93bf20a69187c51c
        .created = 2019/01/03 22:55:58.595
        :mime = ??
        :sha256 = 809fa843160f6d4d7fca42ec1edfc1dd5dc1eef79f85cacc93bf20a69187c51c
        :size = 1024
complete. 1 nodes in 15 ms (66/sec).
cli> storm [file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81 :size=16384]

file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81
        .created = 2

In [24]:
# Show the filter form (`q` is a display-only `<query>` placeholder), then
# run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'file:bytes ', '-file:bytes:size > 4096'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> -file:bytes:size > 4096


In [25]:
# Relative-prop form of the previous filter (`-:size > 4096`). `q` is a
# display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'file:bytes ', '-:size > 4096'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> -:size > 4096


In [26]:
# Make three WHOIS records that share an :asof date but differ in :created,
# so the `<=` filters below split on :created.
q = '[inet:whois:rec=(hurr.com,2018/12/30) :created="2018/01/01 12:00"]'
q1 = '[inet:whois:rec=(derp.com,2018/12/30) :created="2016/05/13 09:37"]'
q2 = '[inet:whois:rec=(umwut.com,2018/12/30) :created="2018/08/17 19:42"]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [inet:whois:rec=(hurr.com,2018/12/30) :created="2018/01/01 12:00"]

inet:whois:rec=('hurr.com', '2018/12/30 00:00:00.000')
        .created = 2019/01/03 22:55:58.692
        :asof = 2018/12/30 00:00:00.000
        :created = 2018/01/01 12:00:00.000
        :fqdn = hurr.com
        :registrant = ??
        :registrar = ??
complete. 1 nodes in 13 ms (76/sec).
cli> storm [inet:whois:rec=(derp.com,2018/12/30) :created="2016/05/13 09:37"]

inet:whois:rec=('derp.com', '2018/12/30 00:00:00.000')
        .created = 2019/01/03 22:55:58.711
        :asof = 2018/12/30 00:00:00.000
        :created = 2016/05/13 09:37:00.000
        :fqdn = derp.com
        :registrant = ??
        :registrar = ??
complete. 1 nodes in 11 ms (90/sec).
cli> storm [inet:whois:rec=(umwut.com,2018/12/30) :created="2018/08/17 19:42"]

inet:whois:rec=('umwut.com', '2018/12/30 00:00:00.000')
        .created = 2019/01/03 22:55:58.726
        :asof = 2018/12/30 00:00:00.000
        :created = 2018/08/17 19:42:00.

In [27]:
# Show the filter form (`q` is a display-only `<query>` placeholder), then
# run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:whois:rec ', '+inet:whois:rec:created <= "2018/01/01 12:00"'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +inet:whois:rec:created <= "2018/01/01 12:00"


In [28]:
# Relative-prop form of the previous filter (`+:created <= ...`). `q` is a
# display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'inet:whois:rec ', '+:created <= "2018/01/01 12:00"'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +:created <= "2018/01/01 12:00"


In [29]:
# Make three ps:person nodes with different :dob values so the `>=`
# filters below split them.
q = '[ps:person="*" :dob=1980/01/01]'
q1 = '[ps:person="*" :dob=1975/01/19]'
q2 = '[ps:person="*" :dob=1987/06/12]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [ps:person="*" :dob=1980/01/01]

ps:person=00d7d2f4d3644d2a784659321d48b017
        .created = 2019/01/03 22:55:58.788
        :dob = 1980/01/01 00:00:00.000
complete. 1 nodes in 9 ms (111/sec).
cli> storm [ps:person="*" :dob=1975/01/19]

ps:person=03df2185c89221cf9c4c9d9e0c9f14b8
        .created = 2019/01/03 22:55:58.803
        :dob = 1975/01/19 00:00:00.000
complete. 1 nodes in 7 ms (142/sec).
cli> storm [ps:person="*" :dob=1987/06/12]

ps:person=ee3bd97c109834759c0e6c2e62b78407
        .created = 2019/01/03 22:55:58.819
        :dob = 1987/06/12 00:00:00.000
complete. 1 nodes in 10 ms (100/sec).


In [30]:
# Show the filter form (`q` is a display-only `<query>` placeholder), then
# run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'ps:person ', '+ps:person:dob >= 1980/01/01'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +ps:person:dob >= 1980/01/01


In [31]:
# Relative-prop form of the previous filter (`+:dob >= ...`). `q` is a
# display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'ps:person ', '+:dob >= 1980/01/01'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +:dob >= 1980/01/01


In [32]:
# Tear down the temporary cortex opened in the setup cell; the bare await
# leaves its return value as the cell's displayed output.
await core.fini()

0

In [33]:
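import os
import sys

# Bring the notebook helpers (e.g. getTempCoreCmdr) into scope. Prefer an
# installed synapse; otherwise fall back to the repository checkout.
try:
    from synapse.lib.jupyter import *
except ImportError:
    # Assumes the notebook lives three directories below the synapse repo
    # root; adjust the relative path if the notebook moves. The path is
    # resolved against the kernel's current working directory, and inserting
    # it at index 0 makes that checkout shadow any installed synapse, so only
    # run this from a checkout you trust.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *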

In [34]:
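# Get a temp cortex and preload some mutex names into it. This cortex is
# used by the remaining cells; nothing in this section closes it.
core = await getTempCoreCmdr()
q = '[it:dev:mutex="NetBotServer Is Running!" it:dev:mutex="Netbot2012 Is Running!" it:dev:mutex="***MUTEX***"]'
# Run the query through the CLI (cmdr=True) so its output is shown, and
# check that exactly 3 packed nodes (podes) come back -- one per value above.
podes = await core.eval(q, num=3, cmdr=True)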

cli> storm [it:dev:mutex="NetBotServer Is Running!" it:dev:mutex="Netbot2012 Is Running!" it:dev:mutex="***MUTEX***"]

it:dev:mutex=NetBotServer Is Running!
        .created = 2019/01/03 22:55:59.156
it:dev:mutex=Netbot2012 Is Running!
        .created = 2019/01/03 22:55:59.158
it:dev:mutex=***MUTEX***
        .created = 2019/01/03 22:55:59.159
complete. 3 nodes in 15 ms (200/sec).


In [35]:
# Show the regex filter form (`q` is a display-only `<query>` placeholder),
# then run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'it:dev:mutex ', '+it:dev:mutex ~= "^Net"'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +it:dev:mutex ~= "^Net"


In [36]:
# Make four inet:user nodes; only two of them start with "pinky", which
# the prefix filter below relies on.
q = '[inet:user=pinky inet:user=pinkydinky inet:user=brain inet:user=inkypinky]'
# Echo through the CLI and expect exactly 4 packed nodes (podes).
podes = await core.eval(q, cmdr=True, num=4)

cli> storm [inet:user=pinky inet:user=pinkydinky inet:user=brain inet:user=inkypinky]

inet:user=pinky
        .created = 2019/01/03 22:55:59.207
inet:user=pinkydinky
        .created = 2019/01/03 22:55:59.207
inet:user=brain
        .created = 2019/01/03 22:55:59.208
inet:user=inkypinky
        .created = 2019/01/03 22:55:59.208
complete. 4 nodes in 10 ms (400/sec).


In [37]:
# Show the prefix filter form (`q` is a display-only `<query>` placeholder),
# then run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:user ', '+inet:user ^= pinky'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +inet:user ^= pinky


In [38]:
# Make three ou:org nodes; two :name values start with "international",
# which the prefix filters below rely on.
q = '[ou:org="*" :name="International House of Pancakes"]'
q1 = '[ou:org="*" :name="International Society of Funny Walks"]'
q2 = '[ou:org="*" :name="Interrogators Anonymous"]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [ou:org="*" :name="International House of Pancakes"]

ou:org=560baaa9f9a88758c71c0dbaf3274918
        .created = 2019/01/03 22:55:59.258
        :name = international house of pancakes
complete. 1 nodes in 10 ms (100/sec).
cli> storm [ou:org="*" :name="International Society of Funny Walks"]

ou:org=b0496c25b65b5a40efae81efd7b70fde
        .created = 2019/01/03 22:55:59.272
        :name = international society of funny walks
complete. 1 nodes in 7 ms (142/sec).
cli> storm [ou:org="*" :name="Interrogators Anonymous"]

ou:org=9dfde1146bc746a765525e925c217cc2
        .created = 2019/01/03 22:55:59.283
        :name = interrogators anonymous
complete. 1 nodes in 9 ms (111/sec).


In [39]:
# Show the filter form (`q` is a display-only `<query>` placeholder), then
# run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'ou:org ', '+ou:org:name ^= international'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +ou:org:name ^= international


In [40]:
# Relative-prop form of the previous filter (`+:name ^= ...`). `q` is a
# display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'ou:org ', '+:name ^= international'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +:name ^= international


In [41]:
# Make four DNS A records for woot.com with different .seen intervals so
# the interval (@=) filters below split them.
q = '[inet:dns:a=(woot.com,1.2.3.4) .seen=(2018/06/12,2018/07/02)]'
q1 = '[inet:dns:a=(woot.com,5.6.7.8) .seen=(2018/10/01,2018/11/13)]'
q2 = '[inet:dns:a=(woot.com,8.8.8.8) .seen=(2018/07/24,2018/07/25)]'
q3 = '[inet:dns:a=(woot.com,12.34.56.78) .seen=(2018/08/01,2018/08/15)]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2, q3):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [inet:dns:a=(woot.com,1.2.3.4) .seen=(2018/06/12,2018/07/02)]

inet:dns:a=('woot.com', '1.2.3.4')
        .created = 2019/01/03 22:55:59.339
        .seen = ('2018/06/12 00:00:00.000', '2018/07/02 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 1.2.3.4
complete. 1 nodes in 12 ms (83/sec).
cli> storm [inet:dns:a=(woot.com,5.6.7.8) .seen=(2018/10/01,2018/11/13)]

inet:dns:a=('woot.com', '5.6.7.8')
        .created = 2019/01/03 22:55:59.356
        .seen = ('2018/10/01 00:00:00.000', '2018/11/13 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 5.6.7.8
complete. 1 nodes in 11 ms (90/sec).
cli> storm [inet:dns:a=(woot.com,8.8.8.8) .seen=(2018/07/24,2018/07/25)]

inet:dns:a=('woot.com', '8.8.8.8')
        .created = 2019/01/03 22:55:59.371
        .seen = ('2018/07/24 00:00:00.000', '2018/07/25 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 8.8.8.8
complete. 1 nodes in 10 ms (100/sec).
cli> storm [inet:dns:a=(woot.com,12.34.56.78) .seen=(2018/08/01,2018/08/

In [42]:
# Show the interval filter form (`q` is a display-only `<query>`
# placeholder), then run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:dns:a:fqdn=woot.com ', '+inet:dns:a.seen@=(2018/07/01, 2018/08/01)'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +inet:dns:a.seen@=(2018/07/01, 2018/08/01)


In [43]:
# Universal-prop short form of the previous filter (`+.seen@=...`). `q` is
# a display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'inet:dns:a:fqdn=woot.com ', '+.seen@=(2018/07/01, 2018/08/01)'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +.seen@=(2018/07/01, 2018/08/01)


In [44]:
# Make four ipv4 nodes, each tagged with its own tag interval, so the tag
# interval (@=) filter below splits them.
q = '[inet:ipv4=54.38.219.150 +#cno.infra.anon.tor=(2016/05/24,2016/07/01)]'
q1 = '[inet:ipv4=151.242.192.84 +#cno.infra.anon.tor=(2016/08/26,2016/09/23)]'
q2 = '[inet:ipv4=217.83.101.150 +#cno.infra.anon.tor=(2016/12/15,2017/01/06)]'
q3 = '[inet:ipv4=186.94.132.148 +#cno.infra.anon.tor=(2016/08/02,2016/08/10)]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2, q3):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [inet:ipv4=54.38.219.150 +#cno.infra.anon.tor=(2016/05/24,2016/07/01)]

inet:ipv4=54.38.219.150
        .created = 2019/01/03 22:55:59.472
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor = (2016/05/24 00:00:00.000, 2016/07/01 00:00:00.000)
complete. 1 nodes in 13 ms (76/sec).
cli> storm [inet:ipv4=151.242.192.84 +#cno.infra.anon.tor=(2016/08/26,2016/09/23)]

inet:ipv4=151.242.192.84
        .created = 2019/01/03 22:55:59.497
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor = (2016/08/26 00:00:00.000, 2016/09/23 00:00:00.000)
complete. 1 nodes in 11 ms (90/sec).
cli> storm [inet:ipv4=217.83.101.150 +#cno.infra.anon.tor=(2016/12/15,2017/01/06)]

inet:ipv4=217.83.101.150
        .created = 2019/01/03 22:55:59.512
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor = (2016/12/15 00:00:00.000, 2017/01/06 00:00:00.000)
complete. 1 nodes in 13 ms (76/sec).
cli> storm [ine

In [45]:
# Show the tag interval filter form (`q` is a display-only `<query>`
# placeholder), then run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:ipv4 ', '+#cno.infra.anon.tor@=(2016/06/01, 2016/09/30)'
print(f'{q}{q2}')
# No CLI echo; num=3 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> +#cno.infra.anon.tor@=(2016/06/01, 2016/09/30)


In [46]:
# Make five DNS request nodes for the same query, differing only in :time,
# so the :time interval (@=) filters below split them.
q = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2017/11/12 11:23"]'
q1 = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2017/11/12 14:00"]'
q2 = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2017/11/14 09:30"]'
q3 = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2017/11/15 23:38"]'
q4 = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2017/11/13 08:15"]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2, q3, q4):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2017/11/12 11:23"]

inet:dns:request=a18c8ab6cd5d7445c34eaad451dae964
        .created = 2019/01/03 22:55:59.589
        :query = ('tcp://8.8.8.8', 'woot.com', '1')
        :query:name = woot.com
        :query:name:fqdn = woot.com
        :query:type = 1
        :time = 2017/11/12 11:23:00.000
complete. 1 nodes in 13 ms (76/sec).
cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2017/11/12 14:00"]

inet:dns:request=be15d64d157304a2e4842d35db84d0c6
        .created = 2019/01/03 22:55:59.608
        :query = ('tcp://8.8.8.8', 'woot.com', '1')
        :query:name = woot.com
        :query:name:fqdn = woot.com
        :query:type = 1
        :time = 2017/11/12 14:00:00.000
complete. 1 nodes in 9 ms (111/sec).
cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2017/11/14 09:30"]

inet:dns:request=cc5260637b9fb6f2e62d4b6793388991
        .created = 2019/01/03 22:55:59.624

In [47]:
# Show the interval filter form (`q` is a display-only `<query>`
# placeholder), then run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:dns:request ', '+inet:dns:request:time@=("2017/11/12 14:00:00", "2017/11/14 09:30:00")'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +inet:dns:request:time@=("2017/11/12 14:00:00", "2017/11/14 09:30:00")


In [48]:
# Relative-prop form of the previous filter (`+:time@=...`). `q` is a
# display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'inet:dns:request ', '+:time@=("2017/11/12 14:00:00", "2017/11/14 09:30:00")'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +:time@=("2017/11/12 14:00:00", "2017/11/14 09:30:00")


In [49]:
# Make three more DNS A records for woot.com; their .seen intervals are
# chosen so only two of them cover 2017/12/01 for the filters below.
q = '[inet:dns:a=(woot.com,4.3.2.1) .seen=(2017/08/19,2017/12/06)]'
q1 = '[inet:dns:a=(woot.com,8.7.6.5) .seen=("2017/12/01 00:00:00", "2017/12/01 23:59:59")]'
q2 = '[inet:dns:a=(woot.com,78.56.34.12) .seen=(2017/12/02,2018/08/15)]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [inet:dns:a=(woot.com,4.3.2.1) .seen=(2017/08/19,2017/12/06)]

inet:dns:a=('woot.com', '4.3.2.1')
        .created = 2019/01/03 22:55:59.702
        .seen = ('2017/08/19 00:00:00.000', '2017/12/06 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 4.3.2.1
complete. 1 nodes in 10 ms (100/sec).
cli> storm [inet:dns:a=(woot.com,8.7.6.5) .seen=("2017/12/01 00:00:00", "2017/12/01 23:59:59")]

inet:dns:a=('woot.com', '8.7.6.5')
        .created = 2019/01/03 22:55:59.717
        .seen = ('2017/12/01 00:00:00.000', '2017/12/01 23:59:59.000')
        :fqdn = woot.com
        :ipv4 = 8.7.6.5
complete. 1 nodes in 10 ms (100/sec).
cli> storm [inet:dns:a=(woot.com,78.56.34.12) .seen=(2017/12/02,2018/08/15)]

inet:dns:a=('woot.com', '78.56.34.12')
        .created = 2019/01/03 22:55:59.736
        .seen = ('2017/12/02 00:00:00.000', '2018/08/15 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 78.56.34.12
complete. 1 nodes in 13 ms (76/sec).


In [50]:
# Show the single-time interval filter form (`q` is a display-only
# `<query>` placeholder), then run the real lift in `q1` with the filter.
q, q1, q2 = '<query> ', 'inet:dns:a ', '+inet:dns:a.seen@=2017/12/01'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +inet:dns:a.seen@=2017/12/01


In [51]:
# Universal-prop short form of the previous filter (`+.seen@=...`). `q` is
# a display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'inet:dns:a ', '+.seen@=2017/12/01'
print(f'{q}{q2}')
# No CLI echo; num=2 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +.seen@=2017/12/01


In [52]:
# Make three WHOIS records with distinct :created timestamps; the exact-time
# (@=) filters below should match only the ibm.com record.
q = '[inet:whois:rec=(ibm.com,2018/03/09) :created="1986/03/19 05:00:00"]'
q1 = '[inet:whois:rec=(vertex.link,2014/08/16) :created="2014/08/15 23:07:48"]'
q2 = '[inet:whois:rec=(google.com,2017/11/08) :created="1997/09/15 00:00:00"]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [inet:whois:rec=(ibm.com,2018/03/09) :created="1986/03/19 05:00:00"]

inet:whois:rec=('ibm.com', '2018/03/09 00:00:00.000')
        .created = 2019/01/03 22:55:59.801
        :asof = 2018/03/09 00:00:00.000
        :created = 1986/03/19 05:00:00.000
        :fqdn = ibm.com
        :registrant = ??
        :registrar = ??
complete. 1 nodes in 12 ms (83/sec).
cli> storm [inet:whois:rec=(vertex.link,2014/08/16) :created="2014/08/15 23:07:48"]

inet:whois:rec=('vertex.link', '2014/08/16 00:00:00.000')
        .created = 2019/01/03 22:55:59.824
        :asof = 2014/08/16 00:00:00.000
        :created = 2014/08/15 23:07:48.000
        :fqdn = vertex.link
        :registrant = ??
        :registrar = ??
complete. 1 nodes in 16 ms (62/sec).
cli> storm [inet:whois:rec=(google.com,2017/11/08) :created="1997/09/15 00:00:00"]

inet:whois:rec=('google.com', '2017/11/08 00:00:00.000')
        .created = 2019/01/03 22:55:59.841
        :asof = 2017/11/08 00:00:00.000
        :created = 199

In [53]:
# Show the exact-time filter form (`q` is a display-only `<query>`
# placeholder), then run the real lift in `q1` with the same filter.
q, q1, q2 = '<query> ', 'inet:whois:rec ', '+inet:whois:rec:created@="1986/03/19 05:00:00"'
print(f'{q}{q2}')
# No CLI echo; num=1 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=1, cmdr=False)

<query> +inet:whois:rec:created@="1986/03/19 05:00:00"


In [54]:
# Relative-prop form of the previous filter (`+:created@=...`). `q` is a
# display-only `<query>` placeholder; `q1` is the lift that runs.
q, q1, q2 = '<query> ', 'inet:whois:rec ', '+:created@="1986/03/19 05:00:00"'
print(f'{q}{q2}')
# No CLI echo; num=1 is the expected number of packed nodes (podes).
podes = await core.eval(f'{q1}{q2}', num=1, cmdr=False)

<query> +:created@="1986/03/19 05:00:00"


In [55]:
# Make four inet:whois:email nodes with different .seen intervals; only two
# of them extend into 2018 for the open-ended filters below.
q = '[inet:whois:email=(vertex.link,me@vertex.link) .seen=(2014/08/16,2016/08/15)]'
q1 = '[inet:whois:email=(syncdomain.info,domains@virustracker.info) .seen=(2013/10/20,2016/10/19)]'
q2 = '[inet:whois:email=(natoint.com,domains@hugedomains.com) .seen=(2018/11/28,2018/11/29)]'
q3 = '[inet:whois:email=(gunsmonitor.com,khanevadehirani.ir@gmail.com) .seen=(2017/05/16,2018/02/01)]'
# Run each through the CLI (cmdr=True) and expect exactly one node apiece;
# `podes` ends up holding the result of the last query, as before.
for storm in (q, q1, q2, q3):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [inet:whois:email=(vertex.link,me@vertex.link) .seen=(2014/08/16,2016/08/15)]

inet:whois:email=('vertex.link', 'me@vertex.link')
        .created = 2019/01/03 22:55:59.919
        .seen = ('2014/08/16 00:00:00.000', '2016/08/15 00:00:00.000')
        :email = me@vertex.link
        :fqdn = vertex.link
complete. 1 nodes in 15 ms (66/sec).
cli> storm [inet:whois:email=(syncdomain.info,domains@virustracker.info) .seen=(2013/10/20,2016/10/19)]

inet:whois:email=('syncdomain.info', 'domains@virustracker.info')
        .created = 2019/01/03 22:55:59.938
        .seen = ('2013/10/20 00:00:00.000', '2016/10/19 00:00:00.000')
        :email = domains@virustracker.info
        :fqdn = syncdomain.info
complete. 1 nodes in 14 ms (71/sec).
cli> storm [inet:whois:email=(natoint.com,domains@hugedomains.com) .seen=(2018/11/28,2018/11/29)]

inet:whois:email=('natoint.com', 'domains@hugedomains.com')
        .created = 2019/01/03 22:55:59.967
        .seen = ('2018/11/28 00:00:00.000', '2018

In [56]:
# Interval filter on the universal .seen property: keep nodes whose .seen
# range overlaps 2018/01/01 .. now. q is a display-only placeholder.
q = '<query> '
q1 = 'inet:whois:email '
q2 = '+inet:whois:email.seen@=(2018/01/01, now)'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; two of the four seeded records have .seen reaching into 2018.
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +inet:whois:email.seen@=(2018/01/01, now)


In [57]:
# Same .seen interval filter as above, using the short relative form (.seen).
q = '<query> '
q1 = 'inet:whois:email '
q2 = '+.seen@=(2018/01/01, now)'
# Print the docs-facing form; q is never executed.
print(f'{q}{q2}')
# Execute lift + filter without CLI output and expect the same two nodes.
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +.seen@=(2018/01/01, now)


In [58]:
# Seed inet:dns:request nodes ("*" lets the cortex assign the guid) whose
# :time values straddle the window the next cells filter on.
q = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2018/10/14 12:23"]'
q1 = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2018/10/15 00:00"]'
q2 = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2018/10/20 23:59"]'
q3 = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2018/10/22 00:00"]'
q4 = '[inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2018/10/18 08:15"]'
# Create each request via the CLI (cmdr=True prints the node); one node per query.
for query in (q, q1, q2, q3, q4):
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2018/10/14 12:23"]

inet:dns:request=30d35abd83340786ee6d18405a15ce38
        .created = 2019/01/03 22:56:00.059
        :query = ('tcp://8.8.8.8', 'woot.com', '1')
        :query:name = woot.com
        :query:name:fqdn = woot.com
        :query:type = 1
        :time = 2018/10/14 12:23:00.000
complete. 1 nodes in 8 ms (125/sec).
cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2018/10/15 00:00"]

inet:dns:request=b00feed6a63ace0127cde52dba9e6b55
        .created = 2019/01/03 22:56:00.072
        :query = ('tcp://8.8.8.8', 'woot.com', '1')
        :query:name = woot.com
        :query:name:fqdn = woot.com
        :query:type = 1
        :time = 2018/10/15 00:00:00.000
complete. 1 nodes in 7 ms (142/sec).
cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8,woot.com,1) :time="2018/10/20 23:59"]

inet:dns:request=63cd599fe4fd8008ab3d0935c9ec8831
        .created = 2019/01/03 22:56:00.086

In [59]:
# Interval filter with a relative upper bound: :time within 7 days of 2018/10/15.
# q is a display-only placeholder; q1 is the lift actually executed.
q = '<query> '
q1 = 'inet:dns:request '
q2 = '+inet:dns:request:time@=(2018/10/15, "+ 7 days")'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; three of the five seeded requests fall inside the window.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> +inet:dns:request:time@=(2018/10/15, "+ 7 days")


In [60]:
# Same window filter as above using the relative property form (:time).
q = '<query> '
q1 = 'inet:dns:request '
q2 = '+:time@=(2018/10/15, "+ 7 days")'
# Print the docs-facing form; q is never executed.
print(f'{q}{q2}')
# Execute lift + filter without CLI output and expect the same three nodes.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> +:time@=(2018/10/15, "+ 7 days")


In [61]:
# Seed a whole /24 of inet:ipv4 nodes for the *range filter that follows.
q = '[inet:ipv4=192.168.0.0/24]'
# The CIDR expands to one node per address, hence num=256; cmdr=True prints them all.
podes = await core.eval(q, cmdr=True, num=256)

cli> storm [inet:ipv4=192.168.0.0/24]

inet:ipv4=192.168.0.0
        .created = 2019/01/03 22:56:00.167
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.1
        .created = 2019/01/03 22:56:00.168
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.2
        .created = 2019/01/03 22:56:00.169
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.3
        .created = 2019/01/03 22:56:00.170
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.4
        .created = 2019/01/03 22:56:00.173
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.5
        .created = 2019/01/03 22:56:00.175
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.6
        .created = 2019/01/03 22:56:00.177
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.7
        .created = 2019/01/03 22:56:00.178
        :asn = 0
        :lo

inet:ipv4=192.168.0.70
        .created = 2019/01/03 22:56:00.264
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.71
        .created = 2019/01/03 22:56:00.265
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.72
        .created = 2019/01/03 22:56:00.266
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.73
        .created = 2019/01/03 22:56:00.267
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.74
        .created = 2019/01/03 22:56:00.269
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.75
        .created = 2019/01/03 22:56:00.269
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.76
        .created = 2019/01/03 22:56:00.270
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.77
        .created = 2019/01/03 22:56:00.271
        :asn = 0
        :loc = ??
        :type = private


inet:ipv4=192.168.0.136
        .created = 2019/01/03 22:56:00.375
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.137
        .created = 2019/01/03 22:56:00.376
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.138
        .created = 2019/01/03 22:56:00.381
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.139
        .created = 2019/01/03 22:56:00.382
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.140
        .created = 2019/01/03 22:56:00.387
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.141
        .created = 2019/01/03 22:56:00.388
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.142
        .created = 2019/01/03 22:56:00.391
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.143
        .created = 2019/01/03 22:56:00.392
        :asn = 0
        :loc = ??
        :type = 

inet:ipv4=192.168.0.212
        .created = 2019/01/03 22:56:00.496
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.213
        .created = 2019/01/03 22:56:00.497
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.214
        .created = 2019/01/03 22:56:00.498
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.215
        .created = 2019/01/03 22:56:00.499
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.216
        .created = 2019/01/03 22:56:00.501
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.217
        .created = 2019/01/03 22:56:00.502
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.218
        .created = 2019/01/03 22:56:00.504
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.219
        .created = 2019/01/03 22:56:00.504
        :asn = 0
        :loc = ??
        :type = 

In [62]:
# Range filter on the primary property: inet:ipv4 values between .0 and .10 inclusive.
# q is a display-only placeholder; q1 is the lift actually executed.
q = '<query> '
q1 = 'inet:ipv4 '
q2 = '+inet:ipv4*range=(192.168.0.0, 192.168.0.10)'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; the inclusive range covers eleven addresses.
podes = await core.eval(f'{q1}{q2}', num=11, cmdr=False)

<query> +inet:ipv4*range=(192.168.0.0, 192.168.0.10)


In [63]:
# Seed file:bytes nodes with :size values on both sides of the range the
# next cells filter on (sample hashes, only the :size matters here).
q = '[file:bytes=sha256:809fa843160f6d4d7fca42ec1edfc1dd5dc1eef79f85cacc93bf20a69187c51c :size=1024]'
q1 = '[file:bytes=sha256:36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068 :size=1]'
q2 = '[file:bytes=sha256:ee5629ad60b1f2645144efff4e919e371fcbd51df0edb803a342b0cf57cddce7 :size=65001]'
q3 = '[file:bytes=sha256:e708cd312b2b87c6ecc62fe2d33071380a90e60f6f98cf37f1e178127d2c3241 :size=100002]'
# Create each file via the CLI (cmdr=True prints the node); one node per query.
for query in (q, q1, q2, q3):
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [file:bytes=sha256:809fa843160f6d4d7fca42ec1edfc1dd5dc1eef79f85cacc93bf20a69187c51c :size=1024]

file:bytes=sha256:809fa843160f6d4d7fca42ec1edfc1dd5dc1eef79f85cacc93bf20a69187c51c
        .created = 2019/01/03 22:56:00.597
        :mime = ??
        :sha256 = 809fa843160f6d4d7fca42ec1edfc1dd5dc1eef79f85cacc93bf20a69187c51c
        :size = 1024
complete. 1 nodes in 10 ms (100/sec).
cli> storm [file:bytes=sha256:36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068 :size=1]

file:bytes=sha256:36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
        .created = 2019/01/03 22:56:00.613
        :mime = ??
        :sha256 = 36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
        :size = 1
complete. 1 nodes in 6 ms (166/sec).
cli> storm [file:bytes=sha256:ee5629ad60b1f2645144efff4e919e371fcbd51df0edb803a342b0cf57cddce7 :size=65001]

file:bytes=sha256:ee5629ad60b1f2645144efff4e919e371fcbd51df0edb803a342b0cf57cddce7
        .created = 2019/0

In [64]:
# Range filter on a secondary property: :size between 1000 and 100000.
# q is a display-only placeholder; q1 is the lift actually executed.
q = '<query> '
q1 = 'file:bytes '
q2 = '+file:bytes:size*range=(1000, 100000)'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; sizes 1024 and 65001 fall inside the range, 1 and 100002 do not.
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +file:bytes:size*range=(1000, 100000)


In [65]:
# Same :size range filter written with the relative property form.
q = '<query> '
q1 = 'file:bytes '
q2 = '+:size*range=(1000, 100000)'
# Print the docs-facing form; q is never executed.
print(f'{q}{q2}')
# Execute lift + filter without CLI output and expect the same two nodes.
podes = await core.eval(f'{q1}{q2}', num=2, cmdr=False)

<query> +:size*range=(1000, 100000)


In [66]:
# Range filter over a time property, reusing the inet:whois:rec nodes
# created earlier in this notebook. q is a display-only placeholder.
q = '<query> '
q1 = 'inet:whois:rec '
q2 = '+inet:whois:rec:asof*range=(2013/11/29, 2016/06/14)'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; only the vertex.link record (:asof 2014/08/16) lies in the range.
podes = await core.eval(f'{q1}{q2}', num=1, cmdr=False)

<query> +inet:whois:rec:asof*range=(2013/11/29, 2016/06/14)


In [67]:
# Same :asof range filter as above, using the relative property form and
# the whois records created earlier.
q = '<query> '
q1 = 'inet:whois:rec '
q2 = '+:asof*range=(2013/11/29, 2016/06/14)'
# Print the docs-facing form; q is never executed.
print(f'{q}{q2}')
# Execute lift + filter without CLI output and expect the same single node.
podes = await core.eval(f'{q1}{q2}', num=1, cmdr=False)

<query> +:asof*range=(2013/11/29, 2016/06/14)


In [68]:
# Add three more inet:ipv4 nodes for the *in filter that follows
# (192.168.0.100 already exists from the /24 above, so it is just re-lifted).
q = '[inet:ipv4=127.0.0.1 inet:ipv4=192.168.0.100 inet:ipv4=255.255.255.254]'
# One query, three nodes back; cmdr=True prints them.
podes = await core.eval(q, cmdr=True, num=3)

cli> storm [inet:ipv4=127.0.0.1 inet:ipv4=192.168.0.100 inet:ipv4=255.255.255.254]

inet:ipv4=127.0.0.1
        .created = 2019/01/03 22:56:00.767
        :asn = 0
        :loc = ??
        :type = loopback
inet:ipv4=192.168.0.100
        .created = 2019/01/03 22:56:00.305
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=255.255.255.254
        .created = 2019/01/03 22:56:00.768
        :asn = 0
        :loc = ??
        :type = private
complete. 3 nodes in 10 ms (300/sec).


In [69]:
# Set-membership filter on the primary property: keep only the listed addresses.
# q is a display-only placeholder; q1 is the lift actually executed.
q = '<query> '
q1 = 'inet:ipv4 '
q2 = '+inet:ipv4*in=(127.0.0.1, 192.168.0.100, 255.255.255.254)'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; exactly the three listed addresses should match.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> +inet:ipv4*in=(127.0.0.1, 192.168.0.100, 255.255.255.254)


In [70]:
# Seed three more file:bytes nodes whose :size values the *in filter below lists.
q = '[file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c :size=4096]'
q1 = '[file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81 :size=16384]'
q2 = '[file:bytes=sha256:2e248baca79a14f6a62a6bb962a68f7b6f1dfea4641beb39f8e7f0ec5bb47e36 :size=65536]'
# Create each file via the CLI (cmdr=True prints the node); one node per query.
for query in (q, q1, q2):
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c :size=4096]

file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c
        .created = 2019/01/03 22:56:00.869
        :mime = ??
        :sha256 = 68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c
        :size = 4096
complete. 1 nodes in 8 ms (125/sec).
cli> storm [file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81 :size=16384]

file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81
        .created = 2019/01/03 22:56:00.887
        :mime = ??
        :sha256 = 0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81
        :size = 16384
complete. 1 nodes in 10 ms (100/sec).
cli> storm [file:bytes=sha256:2e248baca79a14f6a62a6bb962a68f7b6f1dfea4641beb39f8e7f0ec5bb47e36 :size=65536]

file:bytes=sha256:2e248baca79a14f6a62a6bb962a68f7b6f1dfea4641beb39f8e7f0ec5bb47e36
        .created 

In [71]:
# Set-membership filter on a secondary property (:size).
# q is a display-only placeholder; q1 is the lift actually executed.
q = '<query> '
q1 = 'file:bytes '
q2 = '+file:bytes:size*in=(4096, 16384, 65536)'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; the three files just created carry exactly these sizes.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> +file:bytes:size*in=(4096, 16384, 65536)


In [72]:
# Same :size *in filter written with the relative property form.
q = '<query> '
q1 = 'file:bytes '
q2 = '+:size*in=(4096, 16384, 65536)'
# Print the docs-facing form; q is never executed.
print(f'{q}{q2}')
# Execute lift + filter without CLI output and expect the same three nodes.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> +:size*in=(4096, 16384, 65536)


In [73]:
# Seed syn:tag nodes with assorted :base values for the negative *in filter below.
q = '[syn:tag=aaa.foo syn:tag=aaa.foo.bar syn:tag=bbb.ccc.baz syn:tag=aaa.foo.hurr syn:tag=ddd.derp]'
# One query, five tag nodes back; cmdr=True prints them.
podes = await core.eval(q, cmdr=True, num=5)

cli> storm [syn:tag=aaa.foo syn:tag=aaa.foo.bar syn:tag=bbb.ccc.baz syn:tag=aaa.foo.hurr syn:tag=ddd.derp]

syn:tag=aaa.foo
        .created = 2019/01/03 22:56:00.957
        :base = foo
        :depth = 1
        :doc = 
        :title = 
        :up = aaa
syn:tag=aaa.foo.bar
        .created = 2019/01/03 22:56:00.958
        :base = bar
        :depth = 2
        :doc = 
        :title = 
        :up = aaa.foo
syn:tag=bbb.ccc.baz
        .created = 2019/01/03 22:56:00.960
        :base = baz
        :depth = 2
        :doc = 
        :title = 
        :up = bbb.ccc
syn:tag=aaa.foo.hurr
        .created = 2019/01/03 22:56:00.962
        :base = hurr
        :depth = 2
        :doc = 
        :title = 
        :up = aaa.foo
syn:tag=ddd.derp
        .created = 2019/01/03 22:56:00.964
        :base = derp
        :depth = 1
        :doc = 
        :title = 
        :up = ddd
complete. 5 nodes in 17 ms (294/sec).


In [74]:
# Negative (-) set-membership filter: drop tags whose :base is foo, bar or baz.
# num=10 because tags created earlier in the notebook are still in the cortex.
q = '<query> '
q1 = 'syn:tag '
q2 = '-syn:tag:base*in=(foo, bar, baz)'
# Print the docs-facing form; q is a display-only placeholder.
print(f'{q}{q2}')
# Run lift + filter without CLI output.
podes = await core.eval(f'{q1}{q2}', num=10, cmdr=False)

<query> -syn:tag:base*in=(foo, bar, baz)


In [75]:
# Same negative :base filter written with the relative property form.
# num=10 because tags created earlier in the notebook are still in the cortex.
q = '<query> '
q1 = 'syn:tag '
q2 = '-:base*in=(foo, bar, baz)'
# Print the docs-facing form; q is never executed.
print(f'{q}{q2}')
# Execute lift + filter without CLI output and expect the same ten nodes.
podes = await core.eval(f'{q1}{q2}', num=10, cmdr=False)

<query> -:base*in=(foo, bar, baz)


In [76]:
# Seed two geo:place nodes ("*" = cortex-assigned guid) with :latlong values
# for the *near filter below.
q = '[geo:place="*" :name="US Social Security Administration" :latlong="47.60501254,-122.33426462"]'
q1 = '[geo:place="*" :name="Seattle University" :latlong="47.60837612,-122.31441833"]'
# Create each place via the CLI (cmdr=True prints the node); one node per query.
for query in (q, q1):
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [geo:place="*" :name="US Social Security Administration" :latlong="47.60501254,-122.33426462"]

geo:place=72a0ce67f3b83152dfa126da87d83dd8
        .created = 2019/01/03 22:56:01.014
        :latlong = 47.60501254,-122.33426462
        :name = us social security administration
complete. 1 nodes in 8 ms (125/sec).
cli> storm [geo:place="*" :name="Seattle University" :latlong="47.60837612,-122.31441833"]

geo:place=23ad2a4d377280046e11e87b2f64f53d
        .created = 2019/01/03 22:56:01.026
        :latlong = 47.60837612,-122.31441833
        :name = seattle university
complete. 1 nodes in 6 ms (166/sec).


In [77]:
# Geospatial filter: keep places whose :latlong is within 1km of the given point.
# q is a display-only placeholder; q1 is the lift actually executed.
q = '<query> '
q1 = 'geo:place '
q2 = '+geo:place:latlong*near=((47.6050632,-122.3339756),1km)'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; only one of the two seeded places is within range.
podes = await core.eval(f'{q1}{q2}', num=1, cmdr=False)

<query> +geo:place:latlong*near=((47.6050632,-122.3339756),1km)


In [78]:
# Same *near filter written with the relative property form (:latlong).
q = '<query> '
q1 = 'geo:place '
q2 = '+:latlong*near=((47.6050632,-122.3339756),1km)'
# Print the docs-facing form; q is never executed.
print(f'{q}{q2}')
# Execute lift + filter without CLI output and expect the same single node.
podes = await core.eval(f'{q1}{q2}', num=1, cmdr=False)

<query> +:latlong*near=((47.6050632,-122.3339756),1km)


In [79]:
# Seed file:bytes nodes that all carry the same tag (sample indicator
# values); the tag is what the next cell filters on.
q = '[file:bytes=sha256:da48960557dfa3aa41b09be150ce662daeb38133d981baea15bbac02fdd9aeeb +#aka.feye.mal.greencat]'
q1 = '[file:bytes=sha256:efce8c3f7dd1ee2b6c40fd84909e5d423bd75a908b546fdba7ef73480eea2871 +#aka.feye.mal.greencat]'
q2 = '[file:bytes=sha256:4b1a437fbe161b0f1dd4d9eca647b4b82f89e810f6eedef0c4f9176c89d0fea6 +#aka.feye.mal.greencat]'
# Create each file via the CLI (cmdr=True prints the node and its tag); one node per query.
for query in (q, q1, q2):
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [file:bytes=sha256:da48960557dfa3aa41b09be150ce662daeb38133d981baea15bbac02fdd9aeeb +#aka.feye.mal.greencat]

file:bytes=sha256:da48960557dfa3aa41b09be150ce662daeb38133d981baea15bbac02fdd9aeeb
        .created = 2019/01/03 22:56:01.068
        :mime = ??
        :sha256 = da48960557dfa3aa41b09be150ce662daeb38133d981baea15bbac02fdd9aeeb
        #aka.feye.mal.greencat
complete. 1 nodes in 11 ms (90/sec).
cli> storm [file:bytes=sha256:efce8c3f7dd1ee2b6c40fd84909e5d423bd75a908b546fdba7ef73480eea2871 +#aka.feye.mal.greencat]

file:bytes=sha256:efce8c3f7dd1ee2b6c40fd84909e5d423bd75a908b546fdba7ef73480eea2871
        .created = 2019/01/03 22:56:01.084
        :mime = ??
        :sha256 = efce8c3f7dd1ee2b6c40fd84909e5d423bd75a908b546fdba7ef73480eea2871
        #aka.feye.mal.greencat
complete. 1 nodes in 10 ms (100/sec).
cli> storm [file:bytes=sha256:4b1a437fbe161b0f1dd4d9eca647b4b82f89e810f6eedef0c4f9176c89d0fea6 +#aka.feye.mal.greencat]

file:bytes=sha256:4b1a437fbe161b0f1dd4d9eca6

In [80]:
# Tag filter: keep only file:bytes nodes carrying #aka.feye.mal.greencat.
# q is a display-only placeholder; q1 is the lift actually executed.
q = '<query> '
q1 = 'file:bytes '
q2 = '+#aka.feye.mal.greencat'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; the three files tagged in the previous cell should match.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> +#aka.feye.mal.greencat


In [81]:
# Seed three inet:fqdn nodes sharing one tag, for the negative tag filter below.
q = '[inet:fqdn=unwashedsound.com inet:fqdn=korfilms.com inet:fqdn=bls00m.org +#cno.infra.sink.hole]'
# One query, three tagged nodes back; cmdr=True prints them.
podes = await core.eval(q, cmdr=True, num=3)

cli> storm [inet:fqdn=unwashedsound.com inet:fqdn=korfilms.com inet:fqdn=bls00m.org +#cno.infra.sink.hole]

inet:fqdn=unwashedsound.com
        .created = 2019/01/03 22:56:01.127
        :domain = com
        :host = unwashedsound
        :issuffix = False
        :iszone = True
        :zone = unwashedsound.com
        #cno.infra.sink.hole
inet:fqdn=korfilms.com
        .created = 2019/01/03 22:56:01.130
        :domain = com
        :host = korfilms
        :issuffix = False
        :iszone = True
        :zone = korfilms.com
        #cno.infra.sink.hole
inet:fqdn=bls00m.org
        .created = 2019/01/03 22:56:01.135
        :domain = org
        :host = bls00m
        :issuffix = False
        :iszone = True
        :zone = bls00m.org
        #cno.infra.sink.hole
complete. 3 nodes in 17 ms (176/sec).


In [82]:
# Negative tag filter: drop inet:fqdn nodes carrying #cno.infra.sink.hole.
# num=14 is presumably the count of untagged fqdns accumulated so far in this cortex.
q = '<query> '
q1 = 'inet:fqdn '
q2 = '-#cno.infra.sink.hole'
# Print the docs-facing form; q is a display-only placeholder.
print(f'{q}{q2}')
# Run lift + filter without CLI output.
podes = await core.eval(f'{q1}{q2}', num=14, cmdr=False)

<query> -#cno.infra.sink.hole


In [83]:
# Tear down the temporary cortex; the cell's output is whatever fini() returns.
await core.fini()

0

In [84]:
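import os, sys
try:
    from synapse.lib.jupyter import *
except ImportError:
    # Not importable as an installed package: fall back to the source checkout.
    # The path is resolved relative to the kernel's working directory and
    # assumes this notebook sits three directories below the synapse
    # repository root; adjust it if the notebook is moved.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *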

In [85]:
# Start a fresh temporary cortex and seed file:bytes nodes whose :size and
# :mime:pe:compiled values the compound filters below combine (sample hashes).
core = await getTempCoreCmdr()
q = '[file:bytes=sha256:ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283 :size=16384 :mime:pe:compiled="2016/02/04 13:45:39.000"]'
q1 = '[file:bytes=sha256:d066dffb3d0dee40cf81cbcfb6209d09a57de33a079bc644456cd180c5f170b6 :size=16384 :mime:pe:compiled="2012/09/11 08:47:47.000"]'
q2 = '[file:bytes=sha256:e97d2583f858490d14a9c6d77cbc2b08b369fff10aa00d7c306abb41d9348246 :size=16896 :mime:pe:compiled="2017/04/27 03:20:43.000"]'
q3 = '[file:bytes=sha256:ddebee8fe97252203e6c943fb4f9b37ade3d5fefe90edba7a37e4856056f8cd6 :size=73728 :mime:pe:compiled="2016/01/03 15:58:10.000"]'
# Create each file through the CLI (cmdr=True prints the node); every
# query is expected to yield exactly one node.
for query in (q, q1, q2, q3):
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm [file:bytes=sha256:ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283 :size=16384 :mime:pe:compiled="2016/02/04 13:45:39.000"]

file:bytes=sha256:ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283
        .created = 2019/01/03 22:56:01.428
        :mime = ??
        :mime:pe:compiled = 2016/02/04 13:45:39.000
        :sha256 = ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283
        :size = 16384
complete. 1 nodes in 9 ms (111/sec).
cli> storm [file:bytes=sha256:d066dffb3d0dee40cf81cbcfb6209d09a57de33a079bc644456cd180c5f170b6 :size=16384 :mime:pe:compiled="2012/09/11 08:47:47.000"]

file:bytes=sha256:d066dffb3d0dee40cf81cbcfb6209d09a57de33a079bc644456cd180c5f170b6
        .created = 2019/01/03 22:56:01.441
        :mime = ??
        :mime:pe:compiled = 2012/09/11 08:47:47.000
        :sha256 = d066dffb3d0dee40cf81cbcfb6209d09a57de33a079bc644456cd180c5f170b6
        :size = 16384
complete. 1 nodes in 9 ms (111/sec).
cli> storm [file

In [86]:
# Negative compound filter: drop small files compiled before 2014.
# q is a display-only placeholder; q1 is the lift actually executed.
q = '<query> '
q1 = 'file:bytes '
q2 = '-(file:bytes:size <= 16384 and file:bytes:mime:pe:compiled < 2014/01/01)'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; of the four seeded files only the 2012-compiled 16384-byte one is excluded.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> -(file:bytes:size <= 16384 and file:bytes:mime:pe:compiled < 2014/01/01)


In [87]:
# Same compound filter written with relative property forms.
q = '<query> '
q1 = 'file:bytes '
q2 = '-(:size <= 16384 and :mime:pe:compiled < 2014/01/01)'
# Print the docs-facing form; q is never executed.
print(f'{q}{q2}')
# Execute lift + filter without CLI output and expect the same three nodes.
podes = await core.eval(f'{q1}{q2}', num=3, cmdr=False)

<query> -(:size <= 16384 and :mime:pe:compiled < 2014/01/01)


In [88]:
# Seed a mix of untagged fqdn/ipv4 nodes plus fqdn and file:bytes nodes tagged
# #aka.feye.thr.apt1 (sample indicator values) for the compound tag filters below.
q = '[inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com inet:ipv4=1.2.3.4 inet:ipv4=5.6.7.8]'
q1 = '[inet:fqdn=newsonet.net inet:fqdn=staycools.net +#aka.feye.thr.apt1]'
q2 = '[file:bytes=sha256:da48960557dfa3aa41b09be150ce662daeb38133d981baea15bbac02fdd9aeeb file:bytes=sha256:efce8c3f7dd1ee2b6c40fd84909e5d423bd75a908b546fdba7ef73480eea2871 +#aka.feye.thr.apt1]'
# Run each create query via the CLI (cmdr=True prints the nodes), checking
# the node count each one is expected to produce.
for query, count in ((q, 5), (q1, 2), (q2, 2)):
    podes = await core.eval(query, num=count, cmdr=True)

cli> storm [inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com inet:ipv4=1.2.3.4 inet:ipv4=5.6.7.8]

inet:fqdn=woot.com
        .created = 2019/01/03 22:56:01.517
        :domain = com
        :host = woot
        :issuffix = False
        :iszone = True
        :zone = woot.com
inet:fqdn=vertex.link
        .created = 2019/01/03 22:56:01.519
        :domain = link
        :host = vertex
        :issuffix = False
        :iszone = True
        :zone = vertex.link
inet:fqdn=google.com
        .created = 2019/01/03 22:56:01.520
        :domain = com
        :host = google
        :issuffix = False
        :iszone = True
        :zone = google.com
inet:ipv4=1.2.3.4
        .created = 2019/01/03 22:56:01.522
        :asn = 0
        :loc = ??
        :type = unicast
inet:ipv4=5.6.7.8
        .created = 2019/01/03 22:56:01.523
        :asn = 0
        :loc = ??
        :type = unicast
complete. 5 nodes in 16 ms (312/sec).
cli> storm [inet:fqdn=newsonet.net inet:fqdn=staycools.net

In [89]:
# Compound filter over a .created lift: keep file:bytes or inet:fqdn nodes
# that also carry #aka.feye.thr.apt1. q is a display-only placeholder.
q = '<query> '
q1 = '.created '
q2 = '+((file:bytes or inet:fqdn) and #aka.feye.thr.apt1)'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; two tagged fqdns plus two tagged files should match.
podes = await core.eval(f'{q1}{q2}', num=4, cmdr=False)

<query> +((file:bytes or inet:fqdn) and #aka.feye.thr.apt1)


In [90]:
# Add a second tag to an existing fqdn and create one more apt1-tagged fqdn,
# so the next filter's "and not" clause has something to exclude.
q = 'inet:fqdn=staycools.net [+#cno.infra.sink.hole]'
q1= '[inet:fqdn=firefoxupdata.com +#aka.feye.thr.apt1]'
# Run each edit via the CLI (cmdr=True prints the node); one node per query.
for query in (q, q1):
    podes = await core.eval(query, num=1, cmdr=True)

cli> storm inet:fqdn=staycools.net [+#cno.infra.sink.hole]

inet:fqdn=staycools.net
        .created = 2019/01/03 22:56:01.540
        :domain = net
        :host = staycools
        :issuffix = False
        :iszone = True
        :zone = staycools.net
        #aka.feye.thr.apt1
        #cno.infra.sink.hole
complete. 1 nodes in 11 ms (90/sec).
cli> storm [inet:fqdn=firefoxupdata.com +#aka.feye.thr.apt1]

inet:fqdn=firefoxupdata.com
        .created = 2019/01/03 22:56:01.606
        :domain = com
        :host = firefoxupdata
        :issuffix = False
        :iszone = True
        :zone = firefoxupdata.com
        #aka.feye.thr.apt1
complete. 1 nodes in 8 ms (125/sec).


In [91]:
# Nested compound filter: apt1-tagged files/fqdns that are NOT also sinkholed.
# q is a display-only placeholder; q1 is the lift actually executed.
q = '<query> '
q1 = '.created '
q2 = '+((file:bytes or inet:fqdn) and (#aka.feye.thr.apt1 and not #cno.infra.sink.hole))'
# Print the docs-facing form of the filter.
print(f'{q}{q2}')
# Run silently; staycools.net now carries both tags and drops out, firefoxupdata.com joins.
podes = await core.eval(f'{q1}{q2}', num=4, cmdr=False)

<query> +((file:bytes or inet:fqdn) and (#aka.feye.thr.apt1 and not #cno.infra.sink.hole))


In [92]:
# Tear down the temporary cortex; the cell's output is whatever fini() returns.
await core.fini()

0

In [93]:
import os
import sys

try:
    # Normal case: synapse is importable from the kernel's environment. The
    # wildcard import appears to be what provides getTempCoreCmdr used below.
    from synapse.lib.jupyter import *
except ImportError:
    # Fallback for a source checkout: put the repository root on sys.path.
    # The relative path assumes this notebook sits three directories below
    # the synapse root and may need adjusting if the notebook moves.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *

In [94]:
# Get a temp cortex and populate it for the pivot-filter example: five fqdns,
# a dns:a record for each, and a tag on the ipv4 that the two polwizjer.com
# names resolve to.
core = await getTempCoreCmdr()
q = '[inet:fqdn=polwizjer.com inet:fqdn=stats.polwizjer.com inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com]'
q1 = '[inet:dns:a=(polwizjer.com,200.74.244.118) inet:dns:a=(stats.polwizjer.com,200.74.244.118)]'
q2 = '[inet:dns:a=(woot.com,107.21.53.159) inet:dns:a=(vertex.link,138.197.64.146) inet:dns:a=(google.com,222.247.47.131)]'
q3 = '[inet:ipv4=200.74.244.118 +#aka.trend.thr.pawnstorm]'
# Run each query via the CLI (cmdr=True); num= is the node count expected back
# from each: 5 fqdns, 2 + 3 dns:a records, 1 tagged ipv4.
podes = await core.eval(q, cmdr=True, num=5)
podes = await core.eval(q1, cmdr=True, num=2)
podes = await core.eval(q2, cmdr=True, num=3)
podes = await core.eval(q3, cmdr=True, num=1)

cli> storm [inet:fqdn=polwizjer.com inet:fqdn=stats.polwizjer.com inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com]

inet:fqdn=polwizjer.com
        .created = 2019/01/03 22:56:01.818
        :domain = com
        :host = polwizjer
        :issuffix = False
        :iszone = True
        :zone = polwizjer.com
inet:fqdn=stats.polwizjer.com
        .created = 2019/01/03 22:56:01.819
        :domain = polwizjer.com
        :host = stats
        :issuffix = False
        :iszone = False
        :zone = polwizjer.com
inet:fqdn=woot.com
        .created = 2019/01/03 22:56:01.820
        :domain = com
        :host = woot
        :issuffix = False
        :iszone = True
        :zone = woot.com
inet:fqdn=vertex.link
        .created = 2019/01/03 22:56:01.823
        :domain = link
        :host = vertex
        :issuffix = False
        :iszone = True
        :zone = vertex.link
inet:fqdn=google.com
        .created = 2019/01/03 22:56:01.824
        :domain = com
        :host = 

In [95]:
# Define and print the test query. `q` is only a '<query>' placeholder for the
# rendered output; `q1` lifts all inet:fqdn nodes and `q2` is a subquery
# filter: keep an fqdn only if it pivots to a dns:a record whose :ipv4 is
# tagged #aka.trend.thr.pawnstorm.
q, q1 = '<query> ', 'inet:fqdn '
q2 = '+{ -> inet:dns:a:fqdn :ipv4 -> inet:ipv4 +#aka.trend.thr.pawnstorm }'
print(f'{q}{q2}')
# Run lift + filter without CLI output and keep the packed nodes (podes).
# num=2: only the two polwizjer.com names resolve to the tagged ipv4.
podes = await core.eval(q1 + q2, cmdr=False, num=2)

<query> +{ -> inet:dns:a:fqdn :ipv4 -> inet:ipv4 +#aka.trend.thr.pawnstorm }


In [96]:
# Add the nodes for the ASN pivot-filter example: three inet:asn nodes with
# :name set, and two ipv4 addresses attributed to each ASN via :asn.
q = '[inet:asn=49486 :name="makonix sia"]'
q1 = '[inet:asn=52173 :name="makonix sia"]'
q2 = '[inet:asn=4808 :name="china unicom beijing province network"]'
q3 = '[inet:ipv4=94.100.11.8 inet:ipv4=94.100.6.167 :asn=49486]'
q4 = '[inet:ipv4=185.61.149.70 inet:ipv4=185.86.149.139 :asn=52173]'
q5 = '[inet:ipv4=114.255.13.66 inet:ipv4=123.59.170.35 :asn=4808]'
# Run each query via the CLI (cmdr=True); num= is the node count expected back
# from each: one per ASN query, two per ipv4 query.
podes = await core.eval(q, cmdr=True, num=1)
podes = await core.eval(q1, cmdr=True, num=1)
podes = await core.eval(q2, cmdr=True, num=1)
podes = await core.eval(q3, cmdr=True, num=2)
podes = await core.eval(q4, cmdr=True, num=2)
podes = await core.eval(q5, cmdr=True, num=2)

cli> storm [inet:asn=49486 :name="makonix sia"]

inet:asn=49486
        .created = 2019/01/03 22:56:01.908
        :name = makonix sia
complete. 1 nodes in 14 ms (71/sec).
cli> storm [inet:asn=52173 :name="makonix sia"]

inet:asn=52173
        .created = 2019/01/03 22:56:01.926
        :name = makonix sia
complete. 1 nodes in 7 ms (142/sec).
cli> storm [inet:asn=4808 :name="china unicom beijing province network"]

inet:asn=4808
        .created = 2019/01/03 22:56:01.937
        :name = china unicom beijing province network
complete. 1 nodes in 6 ms (166/sec).
cli> storm [inet:ipv4=94.100.11.8 inet:ipv4=94.100.6.167 :asn=49486]

inet:ipv4=94.100.11.8
        .created = 2019/01/03 22:56:01.948
        :asn = 49486
        :loc = ??
        :type = unicast
inet:ipv4=94.100.6.167
        .created = 2019/01/03 22:56:01.948
        :asn = 49486
        :loc = ??
        :type = unicast
complete. 2 nodes in 9 ms (222/sec).
cli> storm [inet:ipv4=185.61.149.70 inet:ipv4=185.86.149.139 :asn=5217

In [97]:
# Define and print the test query. `q` is only a '<query>' placeholder for the
# rendered output; `q1` lifts all inet:ipv4 nodes and `q2` is a subquery
# filter: keep an ipv4 only if its :asn pivots to an inet:asn whose :name
# starts with "makonix".
q, q1 = '<query> ', 'inet:ipv4 '
q2 = '+{ :asn -> inet:asn +:name^="makonix" }'
print(f'{q}{q2}')
# Run lift + filter without CLI output and keep the packed nodes (podes).
# num=4: the two ipv4s on AS49486 plus the two on AS52173, both named
# "makonix sia" above.
podes = await core.eval(q1 + q2, cmdr=False, num=4)

<query> +{ :asn -> inet:asn +:name^="makonix" }


In [98]:
# Done with this example: shut down the temporary cortex so its resources are
# released.
await core.fini()

0