In [1]:
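import os, sys
try:
    # Star import is the notebook helper convention; it supplies getTempCoreCmdr().
    from synapse.lib.jupyter import *
except ImportError:
    # Not installed as a package: fall back to importing from the source tree.
    # Assumes this notebook lives three directory levels below the repository
    # root; adjust the relative path if the notebook is moved.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *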

In [2]:
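# Get a temp cortex and preload some data into it.
core = await getTempCoreCmdr()
q = '[inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com]'
# Run the query through the CLI (cmdr=True echoes the storm output), collect
# the packed nodes (podes) and assert that exactly three nodes came back.
podes = await core.eval(q, num=3, cmdr=True)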

cli> storm [inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com]

inet:fqdn=woot.com
        .created = 2019/01/02 22:55:47.124
        :domain = com
        :host = woot
        :issuffix = False
        :iszone = True
        :zone = woot.com
inet:fqdn=vertex.link
        .created = 2019/01/02 22:55:47.127
        :domain = link
        :host = vertex
        :issuffix = False
        :iszone = True
        :zone = vertex.link
inet:fqdn=google.com
        .created = 2019/01/02 22:55:47.129
        :domain = com
        :host = google
        :issuffix = False
        :iszone = True
        :zone = google.com
complete. 3 nodes in 17 ms (176/sec).


In [3]:
# Reuse the temp cortex from above; lift every inet:fqdn node by form name.
query = 'inet:fqdn'
print(query)
# Run directly (no CLI echo) and assert five nodes come back.
podes = await core.eval(query, cmdr=False, num=5)

inet:fqdn


In [4]:
# Create three it:dev:mutex nodes; the values contain shell-ish punctuation,
# which the double quotes keep intact inside the storm string.
query = '[it:dev:mutex="!@ADS@#$" it:dev:mutex="***MUTEX***" it:dev:mutex="***MUTEX***_SAIR"]'
# Run through the CLI and assert three nodes were created.
podes = await core.eval(query, cmdr=True, num=3)

cli> storm [it:dev:mutex="!@ADS@#$" it:dev:mutex="***MUTEX***" it:dev:mutex="***MUTEX***_SAIR"]

it:dev:mutex=!@ADS@#$
        .created = 2019/01/02 22:55:47.177
it:dev:mutex=***MUTEX***
        .created = 2019/01/02 22:55:47.178
it:dev:mutex=***MUTEX***_SAIR
        .created = 2019/01/02 22:55:47.179
complete. 3 nodes in 14 ms (214/sec).


In [5]:
# Lift all it:dev:mutex nodes by form name.
query = 'it:dev:mutex'
print(query)
# Run directly (no CLI echo) and assert all three mutexes are returned.
podes = await core.eval(query, cmdr=False, num=3)

it:dev:mutex


In [6]:
# Lift a single node by form and exact primary property value.
query = 'inet:fqdn = google.com'
print(query)
# Run directly (no CLI echo) and assert exactly one node matches.
podes = await core.eval(query, cmdr=False, num=1)

inet:fqdn = google.com


In [7]:
# Create one hash:md5 node (this value is the well-known MD5 of zero-length input).
query = '[hash:md5=d41d8cd98f00b204e9800998ecf8427e]'
# Run through the CLI and assert one node was created.
podes = await core.eval(query, cmdr=True, num=1)

cli> storm [hash:md5=d41d8cd98f00b204e9800998ecf8427e]

hash:md5=d41d8cd98f00b204e9800998ecf8427e
        .created = 2019/01/02 22:55:47.230
complete. 1 nodes in 11 ms (90/sec).


In [8]:
# Lift the hash node by exact value; whitespace around '=' is permitted.
query = 'hash:md5 = d41d8cd98f00b204e9800998ecf8427e'
print(query)
# Run directly (no CLI echo) and assert exactly one node matches.
podes = await core.eval(query, cmdr=False, num=1)

hash:md5 = d41d8cd98f00b204e9800998ecf8427e


In [9]:
# Create one inet:dns:a node from an (fqdn, ipv4) composite value.
query = '[ inet:dns:a=(woot.com,1.2.3.4)]'
# Run through the CLI and assert one node was created.
podes = await core.eval(query, cmdr=True, num=1)

cli> storm [ inet:dns:a=(woot.com,1.2.3.4)]

inet:dns:a=('woot.com', '1.2.3.4')
        .created = 2019/01/02 22:55:47.265
        :fqdn = woot.com
        :ipv4 = 1.2.3.4
complete. 1 nodes in 10 ms (100/sec).


In [10]:
# Lift the composite node; spaces inside the tuple are tolerated.
query = 'inet:dns:a = (woot.com, 1.2.3.4)'
print(query)
# Run directly (no CLI echo) and assert exactly one node matches.
podes = await core.eval(query, cmdr=False, num=1)

inet:dns:a = (woot.com, 1.2.3.4)


In [11]:
# Create one ou:org node with an explicit guid and several secondary props.
query = '[ou:org=2f92bc913918f6598bcf310972ebf32e :alias=vertex :name="the vertex project llc" :url=http://www.vertex.link :loc=us]'
# Run through the CLI and assert one node was created.
podes = await core.eval(query, cmdr=True, num=1)

cli> storm [ou:org=2f92bc913918f6598bcf310972ebf32e :alias=vertex :name="the vertex project llc" :url=http://www.vertex.link :loc=us]

ou:org=2f92bc913918f6598bcf310972ebf32e
        .created = 2019/01/02 22:55:47.317
        :alias = vertex
        :loc = us
        :name = the vertex project llc
        :url = http://www.vertex.link
complete. 1 nodes in 15 ms (66/sec).


In [12]:
# Lift the org node by its guid.
query = 'ou:org=2f92bc913918f6598bcf310972ebf32e'
print(query)
# Run directly (no CLI echo) and assert exactly one node matches.
podes = await core.eval(query, cmdr=False, num=1)

ou:org=2f92bc913918f6598bcf310972ebf32e


In [13]:
# Create one 'has' node linking a ps:person to an inet:email via two (form, value) pairs.
query = '[has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))]'
# Run through the CLI and assert one node was created.
podes = await core.eval(query, cmdr=True, num=1)

cli> storm [has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))]

has=((ps:person, "12af06294ddf1a0ac8d6da34e1dabee4"), (inet:email, "bob.smith@gmail.com"))
        .created = 2019/01/02 22:55:47.374
        :n1 = ('ps:person', '12af06294ddf1a0ac8d6da34e1dabee4')
        :n1:form = ps:person
        :n2 = ('inet:email', 'bob.smith@gmail.com')
        :n2:form = inet:email
complete. 1 nodes in 15 ms (66/sec).


In [14]:
# Lift the 'has' node by its full composite value.
query = 'has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))'
print(query)
# Run directly (no CLI echo) and assert exactly one node matches.
podes = await core.eval(query, cmdr=False, num=1)

has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))


In [15]:
# Lift by bare value with no form given.
query = 'woot.com'
print(query)
# Run directly (no CLI echo) and assert exactly one node matches.
podes = await core.eval(query, cmdr=False, num=1)

woot.com


In [16]:
# Create two inet:dns:soa nodes, one with an :email and one with an :ns prop.
soa_queries = (
    '[inet:dns:soa=f511705bb7ba9147b5d1b2058309a53e :email=18929733163@189.cn :fqdn=linvpn11.com]',
    '[inet:dns:soa=6b3bb9decf6f1593476b10937d4783db :ns=ns1.vpntunnel.se :fqdn=vpntunnel.se]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in soa_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [inet:dns:soa=f511705bb7ba9147b5d1b2058309a53e :email=18929733163@189.cn :fqdn=linvpn11.com]

inet:dns:soa=f511705bb7ba9147b5d1b2058309a53e
        .created = 2019/01/02 22:55:47.432
        :email = 18929733163@189.cn
        :fqdn = linvpn11.com
complete. 1 nodes in 17 ms (58/sec).
cli> storm [inet:dns:soa=6b3bb9decf6f1593476b10937d4783db :ns=ns1.vpntunnel.se :fqdn=vpntunnel.se]

inet:dns:soa=6b3bb9decf6f1593476b10937d4783db
        .created = 2019/01/02 22:55:47.455
        :fqdn = vpntunnel.se
        :ns = ns1.vpntunnel.se
complete. 1 nodes in 14 ms (71/sec).


In [17]:
# Lift every node that has the :email secondary property set (no value given).
query = 'inet:dns:soa:email'
print(query)
# Run directly (no CLI echo) and assert exactly one node matches.
podes = await core.eval(query, cmdr=False, num=1)

inet:dns:soa:email


In [18]:
# Lift by secondary property value.
query = 'ou:org:alias = vertex'
print(query)
# Run directly (no CLI echo) and assert exactly one node matches.
podes = await core.eval(query, cmdr=False, num=1)

ou:org:alias = vertex


In [19]:
# Create three inet:dns:a nodes sharing the same :fqdn.
query = '[inet:dns:a=(blackcake.net,52.4.209.250) inet:dns:a=(blackcake.net,67.215.66.149) inet:dns:a=(blackcake.net,0.0.0.0)]'
# Run through the CLI and assert three nodes were created.
podes = await core.eval(query, cmdr=True, num=3)

cli> storm [inet:dns:a=(blackcake.net,52.4.209.250) inet:dns:a=(blackcake.net,67.215.66.149) inet:dns:a=(blackcake.net,0.0.0.0)]

inet:dns:a=('blackcake.net', '52.4.209.250')
        .created = 2019/01/02 22:55:47.533
        :fqdn = blackcake.net
        :ipv4 = 52.4.209.250
inet:dns:a=('blackcake.net', '67.215.66.149')
        .created = 2019/01/02 22:55:47.535
        :fqdn = blackcake.net
        :ipv4 = 67.215.66.149
inet:dns:a=('blackcake.net', '0.0.0.0')
        .created = 2019/01/02 22:55:47.536
        :fqdn = blackcake.net
        :ipv4 = 0.0.0.0
complete. 3 nodes in 16 ms (187/sec).


In [20]:
# Lift all A records for one fqdn via the :fqdn secondary property.
query = 'inet:dns:a:fqdn = blackcake.net'
print(query)
# Run directly (no CLI echo) and assert all three nodes match.
podes = await core.eval(query, cmdr=False, num=3)

inet:dns:a:fqdn = blackcake.net


In [21]:
# Create three file:bytes nodes keyed by sha256, each with a PE compile timestamp;
# two share the same timestamp so a later property lift can return two nodes.
file_queries = (
    '[file:bytes=sha256:e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f :mime:pe:compiled=19920619222217]',
    '[file:bytes=sha256:a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd :mime:pe:compiled=19920619222217]',
    '[file:bytes=sha256:6119c92f5b5cb2cd953925e17ceb4a02a9007029dd27a35d44b116ff9718f814 :mime:pe:compiled=19700101032545]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in file_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [file:bytes=sha256:e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f :mime:pe:compiled=19920619222217]

file:bytes=sha256:e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f
        .created = 2019/01/02 22:55:47.587
        :mime = ??
        :mime:pe:compiled = 1992/06/19 22:22:17.000
        :sha256 = e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f
complete. 1 nodes in 8 ms (125/sec).
cli> storm [file:bytes=sha256:a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd :mime:pe:compiled=19920619222217]

file:bytes=sha256:a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd
        .created = 2019/01/02 22:55:47.604
        :mime = ??
        :mime:pe:compiled = 1992/06/19 22:22:17.000
        :sha256 = a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd
complete. 1 nodes in 9 ms (111/sec).
cli> storm [file:bytes=sha256:6119c92f5b5cb2cd953925e17ceb4a02a9007029dd27a35d44b116ff9718f814 :mime:pe:co

In [22]:
# Lift by a nested secondary property; the time value is quoted because it contains a space.
query = 'file:bytes:mime:pe:compiled = "1992/06/19 22:22:17"'
print(query)
# Run directly (no CLI echo) and assert the two files with that timestamp match.
podes = await core.eval(query, cmdr=False, num=2)

file:bytes:mime:pe:compiled = "1992/06/19 22:22:17"


In [23]:
# Create three inet:ipv4 nodes and apply the same tag to all of them in one edit.
query = '[inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]'
# Run through the CLI and assert three nodes were created.
podes = await core.eval(query, cmdr=True, num=3)

cli> storm [inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]

inet:ipv4=54.38.219.150
        .created = 2019/01/02 22:55:47.688
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=151.242.192.84
        .created = 2019/01/02 22:55:47.691
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=217.83.101.150
        .created = 2019/01/02 22:55:47.692
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
complete. 3 nodes in 16 ms (187/sec).


In [24]:
# Lift by tag.
query = '#cno.infra.anon.tor'
print(query)
# Run directly (no CLI echo) and assert all three tagged nodes match.
podes = await core.eval(query, cmdr=False, num=3)

#cno.infra.anon.tor


In [25]:
# Tear down the temporary cortex; the next section creates a fresh one.
await core.fini()

0

In [26]:
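import os, sys
try:
    # Star import is the notebook helper convention; it supplies getTempCoreCmdr().
    from synapse.lib.jupyter import *
except ImportError:
    # Not installed as a package: fall back to importing from the source tree.
    # Assumes this notebook lives three directory levels below the repository
    # root; adjust the relative path if the notebook is moved.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *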

In [27]:
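# Get a new temp cortex to start fresh and preload some WHOIS records into it.
core = await getTempCoreCmdr()
q = '[inet:whois:rec=(vicp.hk,"2007/12/20 00:00:00.000") :created = "2013/01/26 00:00:00.000" :registrant = "shanghai beiruixinxijishu" :text = "domain name: vicp.hk"]'
q2 = '[inet:whois:rec=(lkqd.net,"2018/05/30 09:24:19.000") :created = "2014/06/01 21:05:25.000" :registrar = godaddy :text = "domain name: lkqd.net"]'
# Run each query via the CLI (echoing the storm output) and assert that
# exactly one node is created per query.
podes = await core.eval(q, num=1, cmdr=True)
podes = await core.eval(q2, num=1, cmdr=True)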

cli> storm [inet:whois:rec=(vicp.hk,"2007/12/20 00:00:00.000") :created = "2013/01/26 00:00:00.000" :registrant = "shanghai beiruixinxijishu" :text = "domain name: vicp.hk"]

inet:whois:rec=('vicp.hk', '2007/12/20 00:00:00.000')
        .created = 2019/01/02 22:55:47.965
        :asof = 2007/12/20 00:00:00.000
        :created = 2013/01/26 00:00:00.000
        :fqdn = vicp.hk
        :registrant = shanghai beiruixinxijishu
        :registrar = ??
        :text = domain name: vicp.hk
complete. 1 nodes in 12 ms (83/sec).
cli> storm [inet:whois:rec=(lkqd.net,"2018/05/30 09:24:19.000") :created = "2014/06/01 21:05:25.000" :registrar = godaddy :text = "domain name: lkqd.net"]

inet:whois:rec=('lkqd.net', '2018/05/30 09:24:19.000')
        .created = 2019/01/02 22:55:47.981
        :asof = 2018/05/30 09:24:19.000
        :created = 2014/06/01 21:05:25.000
        :fqdn = lkqd.net
        :registrant = ??
        :registrar = godaddy
        :text = domain name: lkqd.net
complete. 1 nodes in 

In [28]:
# Lift by a time-typed secondary property with a less-than comparison.
query = 'inet:whois:rec:created < 2014/06/01'
print(query)
# Run directly (no CLI echo) and assert exactly one record matches.
podes = await core.eval(query, cmdr=False, num=1)

inet:whois:rec:created < 2014/06/01


In [29]:
# Create four file:bytes nodes with differing :size values
# (the :size=0 entry uses the sha256 of zero-length input).
file_queries = (
    '[file:bytes=sha256:14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3 :size=1048592]',
    '[file:bytes=sha256:8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229 :size=1048592]',
    '[file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]',
    '[file:bytes=sha256:36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068 :size=1]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in file_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [file:bytes=sha256:14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3 :size=1048592]

file:bytes=sha256:14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3
        .created = 2019/01/02 22:55:48.020
        :mime = ??
        :sha256 = 14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3
        :size = 1048592
complete. 1 nodes in 13 ms (76/sec).
cli> storm [file:bytes=sha256:8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229 :size=1048592]

file:bytes=sha256:8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229
        .created = 2019/01/02 22:55:48.036
        :mime = ??
        :sha256 = 8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229
        :size = 1048592
complete. 1 nodes in 8 ms (125/sec).
cli> storm [file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]

file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        .cre

In [30]:
# Lift by an integer secondary property with a greater-than comparison.
query = 'file:bytes:size > 1048576'
print(query)
# Run directly (no CLI echo) and assert the two larger files match.
podes = await core.eval(query, cmdr=False, num=2)

file:bytes:size > 1048576


In [31]:
# Create two ps:person nodes; "*" lets the cortex generate the guid.
person_queries = (
    '[ps:person="*" :dob=1974/05/14]',
    '[ps:person="*" :dob=1982/04/27]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in person_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [ps:person="*" :dob=1974/05/14]

ps:person=d44e0a2e379aa04756ae7fe33cd6c6df
        .created = 2019/01/02 22:55:48.107
        :dob = 1974/05/14 00:00:00.000
complete. 1 nodes in 7 ms (142/sec).
cli> storm [ps:person="*" :dob=1982/04/27]

ps:person=c914b035af069f8e3ca3f375925564bb
        .created = 2019/01/02 22:55:48.121
        :dob = 1982/04/27 00:00:00.000
complete. 1 nodes in 8 ms (125/sec).


In [32]:
# Lift by a time-typed secondary property with a less-than-or-equal comparison.
query = 'ps:person:dob <= 1980/01/01'
print(query)
# Run directly (no CLI echo) and assert exactly one person matches.
podes = await core.eval(query, cmdr=False, num=1)

ps:person:dob <= 1980/01/01


In [33]:
# Create three inet:whois:rec nodes from (fqdn, asof) composites; the dates are
# normalized to full timestamps by the cortex.
query = '[inet:whois:rec=(showustime.com, 2018/12/02) inet:whois:rec=(videosync.info,2018/12/02) inet:whois:rec=(earthsolution.org,1999/11/29)]'
# Run through the CLI and assert three nodes were created.
podes = await core.eval(query, cmdr=True, num=3)

cli> storm [inet:whois:rec=(showustime.com, 2018/12/02) inet:whois:rec=(videosync.info,2018/12/02) inet:whois:rec=(earthsolution.org,1999/11/29)]

inet:whois:rec=('showustime.com', '2018/12/02 00:00:00.000')
        .created = 2019/01/02 22:55:48.172
        :asof = 2018/12/02 00:00:00.000
        :fqdn = showustime.com
        :registrant = ??
        :registrar = ??
inet:whois:rec=('videosync.info', '2018/12/02 00:00:00.000')
        .created = 2019/01/02 22:55:48.180
        :asof = 2018/12/02 00:00:00.000
        :fqdn = videosync.info
        :registrant = ??
        :registrar = ??
inet:whois:rec=('earthsolution.org', '1999/11/29 00:00:00.000')
        .created = 2019/01/02 22:55:48.185
        :asof = 1999/11/29 00:00:00.000
        :fqdn = earthsolution.org
        :registrant = ??
        :registrar = ??
complete. 3 nodes in 27 ms (111/sec).


In [34]:
# Lift by :asof with a greater-than-or-equal comparison; the value is quoted
# because it contains a space.
query = 'inet:whois:rec:asof >= "2018/12/01 12:00"'
print(query)
# Run directly (no CLI echo) and assert the two 2018/12/02 records match.
podes = await core.eval(query, cmdr=False, num=2)

inet:whois:rec:asof >= "2018/12/01 12:00"


In [35]:
# Tear down the temporary cortex; the next section creates a fresh one.
await core.fini()

0

In [36]:
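import os, sys
try:
    # Star import is the notebook helper convention; it supplies getTempCoreCmdr().
    from synapse.lib.jupyter import *
except ImportError:
    # Not installed as a package: fall back to importing from the source tree.
    # Assumes this notebook lives three directory levels below the repository
    # root; adjust the relative path if the notebook is moved.
    synroot = os.path.abspath('../../../')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *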

In [37]:
# Start this section with a fresh temp cortex.
core = await getTempCoreCmdr()
# Create two file:bytes nodes carrying a PE debug (pdb) path; the paths are
# quoted because they contain spaces.
file_queries = (
    '[file:bytes=sha256:cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814 :mime:pe:pdbpath="d:/my documents/visual studio projects/rouji/svcmain.pdb"]',
    '[file:bytes=sha256:56d9ed457136c85fba55cdd5ee3b7c21cb25ce0b1d7053d397cf4756fa7a422f :mime:pe:pdbpath="c:/users/milad/desktop/end crypter vb.net/tekide/obj/debug/tekide.pdb"]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in file_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [file:bytes=sha256:cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814 :mime:pe:pdbpath="d:/my documents/visual studio projects/rouji/svcmain.pdb"]

file:bytes=sha256:cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814
        .created = 2019/01/02 22:55:48.475
        :mime = ??
        :mime:pe:pdbpath = d:/my documents/visual studio projects/rouji/svcmain.pdb
        :sha256 = cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814
complete. 1 nodes in 13 ms (76/sec).
cli> storm [file:bytes=sha256:56d9ed457136c85fba55cdd5ee3b7c21cb25ce0b1d7053d397cf4756fa7a422f :mime:pe:pdbpath="c:/users/milad/desktop/end crypter vb.net/tekide/obj/debug/tekide.pdb"]

file:bytes=sha256:56d9ed457136c85fba55cdd5ee3b7c21cb25ce0b1d7053d397cf4756fa7a422f
        .created = 2019/01/02 22:55:48.492
        :mime = ??
        :mime:pe:pdbpath = c:/users/milad/desktop/end crypter vb.net/tekide/obj/debug/tekide.pdb
        :sha256 = 56d9ed457136c85fba55cdd5ee3b7c21

In [38]:
# Lift with the regex operator (~=) against a string secondary property.
query = 'file:bytes:mime:pe:pdbpath ~= "rouji"'
print(query)
# Run directly (no CLI echo) and assert exactly one file's pdb path matches.
podes = await core.eval(query, cmdr=False, num=1)

file:bytes:mime:pe:pdbpath ~= "rouji"


In [39]:
# Create four inet:user nodes that share a common prefix.
query = '[inet:user=pinky inet:user=pinkyboo inet:user=pinkybrain inet:user=pinkydinky]'
# Run through the CLI and assert four nodes were created.
podes = await core.eval(query, cmdr=True, num=4)

cli> storm [inet:user=pinky inet:user=pinkyboo inet:user=pinkybrain inet:user=pinkydinky]

inet:user=pinky
        .created = 2019/01/02 22:55:48.545
inet:user=pinkyboo
        .created = 2019/01/02 22:55:48.546
inet:user=pinkybrain
        .created = 2019/01/02 22:55:48.546
inet:user=pinkydinky
        .created = 2019/01/02 22:55:48.547
complete. 4 nodes in 14 ms (285/sec).


In [40]:
# Lift with the prefix operator (^=) on the primary property.
query = 'inet:user^=pinky'
print(query)
# Run directly (no CLI echo) and assert all four pinky* users match.
podes = await core.eval(query, cmdr=False, num=4)

inet:user^=pinky


In [41]:
# Create three ou:org nodes with generated guids; two names share a prefix.
org_queries = (
    '[ou:org="*" :name="International House of Pancakes"]',
    '[ou:org="*" :name="International Society of Funny Walks"]',
    '[ou:org="*" :name="Interrogators Anonymous"]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in org_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [ou:org="*" :name="International House of Pancakes"]

ou:org=28b47bb9c4393b07c96978fc2fa08af6
        .created = 2019/01/02 22:55:48.604
        :name = international house of pancakes
complete. 1 nodes in 12 ms (83/sec).
cli> storm [ou:org="*" :name="International Society of Funny Walks"]

ou:org=23ce88e08a2f29e2e64e50cb4124a223
        .created = 2019/01/02 22:55:48.623
        :name = international society of funny walks
complete. 1 nodes in 9 ms (111/sec).
cli> storm [ou:org="*" :name="Interrogators Anonymous"]

ou:org=eea3ca0cba54baa4695e40a2b03c8ff6
        .created = 2019/01/02 22:55:48.636
        :name = interrogators anonymous
complete. 1 nodes in 9 ms (111/sec).


In [42]:
# Lift with the prefix operator (^=) on a secondary property; the lowercase
# prefix matches because :name values were normalized to lowercase on creation.
query = 'ou:org:name^=international'
print(query)
# Run directly (no CLI echo) and assert the two "International ..." orgs match.
podes = await core.eval(query, cmdr=False, num=2)

ou:org:name^=international


In [43]:
# Create a full /24 of inet:ipv4 nodes from one CIDR value.
query = '[inet:ipv4=192.168.0.0/24]'
# Run through the CLI and assert all 256 addresses were created.
podes = await core.eval(query, cmdr=True, num=256)

cli> storm [inet:ipv4=192.168.0.0/24]

inet:ipv4=192.168.0.0
        .created = 2019/01/02 22:55:48.677
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.1
        .created = 2019/01/02 22:55:48.678
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.2
        .created = 2019/01/02 22:55:48.679
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.3
        .created = 2019/01/02 22:55:48.680
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.4
        .created = 2019/01/02 22:55:48.682
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.5
        .created = 2019/01/02 22:55:48.682
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.6
        .created = 2019/01/02 22:55:48.686
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.7
        .created = 2019/01/02 22:55:48.687
        :asn = 0
        :lo

inet:ipv4=192.168.0.78
        .created = 2019/01/02 22:55:48.790
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.79
        .created = 2019/01/02 22:55:48.791
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.80
        .created = 2019/01/02 22:55:48.793
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.81
        .created = 2019/01/02 22:55:48.793
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.82
        .created = 2019/01/02 22:55:48.795
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.83
        .created = 2019/01/02 22:55:48.796
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.84
        .created = 2019/01/02 22:55:48.797
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.85
        .created = 2019/01/02 22:55:48.798
        :asn = 0
        :loc = ??
        :type = private


inet:ipv4=192.168.0.146
        .created = 2019/01/02 22:55:48.869
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.147
        .created = 2019/01/02 22:55:48.870
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.148
        .created = 2019/01/02 22:55:48.871
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.149
        .created = 2019/01/02 22:55:48.873
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.150
        .created = 2019/01/02 22:55:48.876
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.151
        .created = 2019/01/02 22:55:48.877
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.152
        .created = 2019/01/02 22:55:48.878
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.153
        .created = 2019/01/02 22:55:48.879
        :asn = 0
        :loc = ??
        :type = 

inet:ipv4=192.168.0.228
        .created = 2019/01/02 22:55:48.970
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.229
        .created = 2019/01/02 22:55:48.971
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.230
        .created = 2019/01/02 22:55:48.972
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.231
        .created = 2019/01/02 22:55:48.975
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.232
        .created = 2019/01/02 22:55:48.978
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.233
        .created = 2019/01/02 22:55:48.980
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.234
        .created = 2019/01/02 22:55:48.982
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=192.168.0.235
        .created = 2019/01/02 22:55:48.983
        :asn = 0
        :loc = ??
        :type = 

In [44]:
# Lift with the *range= operator on the primary property; both ends are inclusive
# (11 addresses from .0 through .10).
query = 'inet:ipv4*range=(192.168.0.0, 192.168.0.10)'
print(query)
# Run directly (no CLI echo) and assert eleven nodes match.
podes = await core.eval(query, cmdr=False, num=11)

inet:ipv4*range=(192.168.0.0, 192.168.0.10)


In [45]:
# Create four file:bytes nodes spanning several :size values
# (the :size=0 entry uses the sha256 of zero-length input).
file_queries = (
    '[file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]',
    '[file:bytes=sha256:929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0 :size=1001]',
    '[file:bytes=sha256:e7db39923c5244bfc96af4593794f8e85eb4b68da4f80c7b67cc887aa1ea4713 :size=5000]',
    '[file:bytes=sha256:e708cd312b2b87c6ecc62fe2d33071380a90e60f6f98cf37f1e178127d2c3241 :size=100002]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in file_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]

file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        .created = 2019/01/02 22:55:49.090
        :mime = ??
        :sha256 = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        :size = 0
complete. 1 nodes in 11 ms (90/sec).
cli> storm [file:bytes=sha256:929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0 :size=1001]

file:bytes=sha256:929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0
        .created = 2019/01/02 22:55:49.110
        :mime = ??
        :sha256 = 929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0
        :size = 1001
complete. 1 nodes in 10 ms (100/sec).
cli> storm [file:bytes=sha256:e7db39923c5244bfc96af4593794f8e85eb4b68da4f80c7b67cc887aa1ea4713 :size=5000]

file:bytes=sha256:e7db39923c5244bfc96af4593794f8e85eb4b68da4f80c7b67cc887aa1ea4713
        .created = 2019/01

In [46]:
# Lift with *range= on an integer secondary property.
query = 'file:bytes:size*range=(1000,100000)'
print(query)
# Run directly (no CLI echo) and assert the two files inside the range match.
podes = await core.eval(query, cmdr=False, num=2)

file:bytes:size*range=(1000,100000)


In [47]:
# Create five inet:whois:rec nodes with :asof dates spread over several years.
whois_queries = (
    '[inet:whois:rec=(pe75.com,2013/11/29) :text="domain name: pe75.com"]',
    '[inet:whois:rec=(youipcam.com,2013/11/29) :text="domain name: youipcam.com"]',
    '[inet:whois:rec=(17ti.net,2016/01/01) :text="domain name: 17ti.net"]',
    '[inet:whois:rec=(africawebcast.com,1999/11/19) :text="domain name: africawebcast.com"]',
    '[inet:whois:rec=(teads.tv,2017/03/02) :text="domain name: teads.tv"]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in whois_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [inet:whois:rec=(pe75.com,2013/11/29) :text="domain name: pe75.com"]

inet:whois:rec=('pe75.com', '2013/11/29 00:00:00.000')
        .created = 2019/01/02 22:55:49.190
        :asof = 2013/11/29 00:00:00.000
        :fqdn = pe75.com
        :registrant = ??
        :registrar = ??
        :text = domain name: pe75.com
complete. 1 nodes in 15 ms (66/sec).
cli> storm [inet:whois:rec=(youipcam.com,2013/11/29) :text="domain name: youipcam.com"]

inet:whois:rec=('youipcam.com', '2013/11/29 00:00:00.000')
        .created = 2019/01/02 22:55:49.211
        :asof = 2013/11/29 00:00:00.000
        :fqdn = youipcam.com
        :registrant = ??
        :registrar = ??
        :text = domain name: youipcam.com
complete. 1 nodes in 12 ms (83/sec).
cli> storm [inet:whois:rec=(17ti.net,2016/01/01) :text="domain name: 17ti.net"]

inet:whois:rec=('17ti.net', '2016/01/01 00:00:00.000')
        .created = 2019/01/02 22:55:49.234
        :asof = 2016/01/01 00:00:00.000
        :fqdn = 17ti.net


In [48]:
# Lift with *range= on a time-typed secondary property.
query = 'inet:whois:rec:asof*range=(2013/11/29, 2016/06/14)'
print(query)
# Run directly (no CLI echo) and assert the three records in that window match.
podes = await core.eval(query, cmdr=False, num=3)

inet:whois:rec:asof*range=(2013/11/29, 2016/06/14)


In [49]:
# Create four inet:dns:request nodes; :query is a (client, name, type) composite.
request_queries = (
    '[inet:dns:request=00000a17dbe261d10ce6ed514872bd37 :time="2018/10/12 00:12:29.062" :query=(tcp://199.68.196.162,download.applemusic.itemdb.com,1)]',
    '[inet:dns:request=0000118df17b43367f0194cd5d281813 :time="2018/10/25 06:43:16.961" :query=(tcp://130.207.54.136,litu.su,1)]',
    '[inet:dns:request=7b4cdc00c38902e5db535bcb5a886958 :time="2018/12/01 00:01:19.409" :query=(tcp://199.68.196.162,1oo7.net,1)]',
    '[inet:dns:request=0f4d548a14b5c55659e2296594e8b5fe :time="2018/12/01 00:08:52.339" :query=(tcp://52.53.250.186,symantecsupport.org,1)]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in request_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [inet:dns:request=00000a17dbe261d10ce6ed514872bd37 :time="2018/10/12 00:12:29.062" :query=(tcp://199.68.196.162,download.applemusic.itemdb.com,1)]

inet:dns:request=00000a17dbe261d10ce6ed514872bd37
        .created = 2019/01/02 22:55:49.309
        :query = ('tcp://199.68.196.162', 'download.applemusic.itemdb.com', '1')
        :query:name = download.applemusic.itemdb.com
        :query:name:fqdn = download.applemusic.itemdb.com
        :query:type = 1
        :time = 2018/10/12 00:12:29.062
complete. 1 nodes in 20 ms (50/sec).
cli> storm [inet:dns:request=0000118df17b43367f0194cd5d281813 :time="2018/10/25 06:43:16.961" :query=(tcp://130.207.54.136,litu.su,1)]

inet:dns:request=0000118df17b43367f0194cd5d281813
        .created = 2019/01/02 22:55:49.339
        :query = ('tcp://130.207.54.136', 'litu.su', '1')
        :query:name = litu.su
        :query:name:fqdn = litu.su
        :query:type = 1
        :time = 2018/10/25 06:43:16.961
complete. 1 nodes in 16 ms (62/sec).
cl

In [50]:
# Lift with *range= where the upper bound is a relative offset ("+1 day")
# from the lower bound.
query = 'inet:dns:request:time*range=(2018/12/01, "+1 day")'
print(query)
# Run directly (no CLI echo) and assert the two 2018/12/01 requests match.
podes = await core.eval(query, cmdr=False, num=2)

inet:dns:request:time*range=(2018/12/01, "+1 day")


In [51]:
# Create four more inet:whois:rec nodes, each with an explicit :created time.
whois_queries = (
    '[inet:whois:rec=(habbo.today,2018/10/06) :created="2018/10/03 19:14:33.000" :text="domain name: habbo.today"]',
    '[inet:whois:rec=(wschandler.com,2018/10/04) :created="2018/10/04 00:00:00.000" :text="domain name: wschandler.com"]',
    '[inet:whois:rec=(wschandler.com,2018/10/05) :created="2018/10/04 00:00:00.000" :text="domain name: wschandler.com"]',
    '[inet:whois:rec=(vicp.hk,2007/12/20) :created="2013/01/26 00:00:00.000" :text="domain name: vicp.hk"]',
)
# Run each through the CLI, in order, asserting one node per query.
for query in whois_queries:
    podes = await core.eval(query, cmdr=True, num=1)

cli> storm [inet:whois:rec=(habbo.today,2018/10/06) :created="2018/10/03 19:14:33.000" :text="domain name: habbo.today"]

inet:whois:rec=('habbo.today', '2018/10/06 00:00:00.000')
        .created = 2019/01/02 22:55:49.451
        :asof = 2018/10/06 00:00:00.000
        :created = 2018/10/03 19:14:33.000
        :fqdn = habbo.today
        :registrant = ??
        :registrar = ??
        :text = domain name: habbo.today
complete. 1 nodes in 14 ms (71/sec).
cli> storm [inet:whois:rec=(wschandler.com,2018/10/04) :created="2018/10/04 00:00:00.000" :text="domain name: wschandler.com"]

inet:whois:rec=('wschandler.com', '2018/10/04 00:00:00.000')
        .created = 2019/01/02 22:55:49.472
        :asof = 2018/10/04 00:00:00.000
        :created = 2018/10/04 00:00:00.000
        :fqdn = wschandler.com
        :registrant = ??
        :registrar = ??
        :text = domain name: wschandler.com
complete. 1 nodes in 8 ms (125/sec).
cli> storm [inet:whois:rec=(wschandler.com,2018/10/05) :created

In [52]:
# Define and print test query
# Lift inet:whois:rec nodes with :created between 2018/09/01 and now.
# Expect 3: habbo.today plus both wschandler.com records. vicp.hk has
# :created = 2013/01/26 and is outside the range.
# NOTE(review): 'now' is the wall clock at run time; that is safe here only
# because every fixture :created value is a fixed date in the past.
q = 'inet:whois:rec:created*range=(2018/09/01, now)'
print(q)
# Execute the query and test: num=3 asserts exactly three nodes come back
podes = await core.eval(q, num=3, cmdr=False)

inet:whois:rec:created*range=(2018/09/01, now)


In [53]:
# Make some moar IPs:
# Three inet:ipv4 nodes for the *in lift in the next cell. The cortex derives
# :type on its own (loopback / private in the output below).
# NOTE(review): the output classifies 255.255.255.254 as :type = private even
# though it sits in the IANA-reserved 240.0.0.0/4 block rather than an RFC 1918
# range -- confirm that is the intended classification before relying on
# :type=private to mean "internal address" in real queries.
q = '[inet:ipv4=127.0.0.1 inet:ipv4=192.168.0.100 inet:ipv4=255.255.255.254]'
# Execute query and test: num=3 asserts exactly three nodes come back
podes = await core.eval(q, num=3, cmdr=True)

cli> storm [inet:ipv4=127.0.0.1 inet:ipv4=192.168.0.100 inet:ipv4=255.255.255.254]

inet:ipv4=127.0.0.1
        .created = 2019/01/02 22:55:49.570
        :asn = 0
        :loc = ??
        :type = loopback
inet:ipv4=192.168.0.100
        .created = 2019/01/02 22:55:48.818
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=255.255.255.254
        .created = 2019/01/02 22:55:49.571
        :asn = 0
        :loc = ??
        :type = private
complete. 3 nodes in 9 ms (333/sec).


In [54]:
# Define and print test query
# Lift inet:ipv4 nodes by primary property using the *in operator with an
# explicit list of values; each of the three addresses was created above.
q = 'inet:ipv4*in=(127.0.0.1, 192.168.0.100, 255.255.255.254)'
print(q)
# Execute the query and test: num=3 asserts exactly three nodes come back
podes = await core.eval(q, num=3, cmdr=False)

inet:ipv4*in=(127.0.0.1, 192.168.0.100, 255.255.255.254)


In [55]:
# Make some moar files:
# Three file:bytes nodes addressed by sha256, each with a distinct :size so the
# :size*in lift in the next cell can pick out all three. The hashes are
# documentation fixtures; nothing here verifies them against real content.
q = '[file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c :size=4096]'
q1 = '[file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81 :size=16384]'
q2 = '[file:bytes=sha256:2e248baca79a14f6a62a6bb962a68f7b6f1dfea4641beb39f8e7f0ec5bb47e36 :size=65536]'
# Execute each query in turn (CLI output shown) and check one node from each
for storm in (q, q1, q2):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c :size=4096]

file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c
        .created = 2019/01/02 22:55:49.621
        :mime = ??
        :sha256 = 68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c
        :size = 4096
complete. 1 nodes in 7 ms (142/sec).
cli> storm [file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81 :size=16384]

file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81
        .created = 2019/01/02 22:55:49.637
        :mime = ??
        :sha256 = 0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81
        :size = 16384
complete. 1 nodes in 9 ms (111/sec).
cli> storm [file:bytes=sha256:2e248baca79a14f6a62a6bb962a68f7b6f1dfea4641beb39f8e7f0ec5bb47e36 :size=65536]

file:bytes=sha256:2e248baca79a14f6a62a6bb962a68f7b6f1dfea4641beb39f8e7f0ec5bb47e36
        .created =

In [56]:
# Define and print test query
# Lift file:bytes nodes by a secondary property (:size) with *in; the three
# sizes match the three nodes created above.
q = 'file:bytes:size*in=(4096, 16384, 65536)'
print(q)
# Execute the query and test: num=3 asserts exactly three nodes come back
podes = await core.eval(q, num=3, cmdr=False)

file:bytes:size*in=(4096, 16384, 65536)


In [57]:
# Make some tag nodes:
# Create syn:tag nodes directly. The cortex fills in :base (last component),
# :depth and :up (parent tag) as shown in the output. Note that num=5 only
# counts the nodes this edit block yields; parent tags such as aaa.bar and baz
# appear to be created implicitly as well (the *in lift in the next cell
# expects 5 matches, which only works if they exist) -- confirm.
q = '[syn:tag=aaa.foo syn:tag=aaa.bbb.bar syn:tag=ccc.baz syn:tag=aaa.bar.hurr syn:tag=baz.woop]'
# Execute query and test: num=5 asserts exactly five nodes come back
podes = await core.eval(q, num=5, cmdr=True)

cli> storm [syn:tag=aaa.foo syn:tag=aaa.bbb.bar syn:tag=ccc.baz syn:tag=aaa.bar.hurr syn:tag=baz.woop]

syn:tag=aaa.foo
        .created = 2019/01/02 22:55:49.716
        :base = foo
        :depth = 1
        :doc = 
        :title = 
        :up = aaa
syn:tag=aaa.bbb.bar
        .created = 2019/01/02 22:55:49.717
        :base = bar
        :depth = 2
        :doc = 
        :title = 
        :up = aaa.bbb
syn:tag=ccc.baz
        .created = 2019/01/02 22:55:49.719
        :base = baz
        :depth = 1
        :doc = 
        :title = 
        :up = ccc
syn:tag=aaa.bar.hurr
        .created = 2019/01/02 22:55:49.723
        :base = hurr
        :depth = 2
        :doc = 
        :title = 
        :up = aaa.bar
syn:tag=baz.woop
        .created = 2019/01/02 22:55:49.726
        :base = woop
        :depth = 1
        :doc = 
        :title = 
        :up = baz
complete. 5 nodes in 19 ms (263/sec).


In [58]:
# Define and print test query
# Lift syn:tag nodes whose :base is foo, bar or baz. Only three of the five
# explicitly created tags match (aaa.foo, aaa.bbb.bar, ccc.baz); the expected
# count of 5 presumably comes from the implicitly created parents aaa.bar and
# baz -- verify if this assertion ever fails.
q = 'syn:tag:base*in=(foo,bar,baz)'
print(q)
# Execute the query and test: num=5 asserts exactly five nodes come back
podes = await core.eval(q, num=5, cmdr=False)

syn:tag:base*in=(foo,bar,baz)


In [59]:
# Make some geo:place nodes:
# Two geo:place nodes with fixed guids, each carrying a :latlong, a :loc and a
# :name. The Paris one is close enough to the coordinates used by the *near
# lift in the next cell to be returned; the Lysaker one is not.
q = '[geo:place=531665e149b54a8a160961f47faab360 :latlong="48.8589878,2.2989958" :loc=fr.paris :name="the american library in paris"]'
q1 = '[geo:place=05d499e9aef335cc9d27be5aeed1ccfe :latlong="59.9124013,10.63733779" :loc=no.lysaker :name="avast software"]'
# Execute each query in turn (CLI output shown) and check one node from each
for storm in (q, q1):
    podes = await core.eval(storm, num=1, cmdr=True)

cli> storm [geo:place=531665e149b54a8a160961f47faab360 :latlong="48.8589878,2.2989958" :loc=fr.paris :name="the american library in paris"]

geo:place=531665e149b54a8a160961f47faab360
        .created = 2019/01/02 22:55:49.769
        :latlong = 48.8589878,2.2989958
        :loc = fr.paris
        :name = the american library in paris
complete. 1 nodes in 21 ms (47/sec).
cli> storm [geo:place=05d499e9aef335cc9d27be5aeed1ccfe :latlong="59.9124013,10.63733779" :loc=no.lysaker :name="avast software"]

geo:place=05d499e9aef335cc9d27be5aeed1ccfe
        .created = 2019/01/02 22:55:49.806
        :latlong = 59.9124013,10.63733779
        :loc = no.lysaker
        :name = avast software
complete. 1 nodes in 17 ms (58/sec).


In [60]:
# Define and print test query
# Lift geo:place nodes whose :latlong is within 500m of the given point.
# Only the Paris place (48.8589878,2.2989958) created above is that close;
# the Lysaker place is excluded, hence num=1.
q = 'geo:place:latlong*near=((48.8583701,2.2944813),500m)'
print(q)
# Execute the query and test: num=1 asserts exactly one node comes back
podes = await core.eval(q, num=1, cmdr=False)

geo:place:latlong*near=((48.8583701,2.2944813),500m)


In [61]:
# Make some tagged nodes:
# Create three inet:ipv4 nodes and apply #cno.infra.anon.tor to each; a +#tag
# inside the [...] edit block is applied to every node the block yields (see
# the output).
# NOTE(review): these addresses and the tag are documentation fixtures in a
# temporary cortex. The tag is an assertion made by this notebook, not vetted
# intelligence about the real hosts -- do not import it into a production
# cortex as-is.
q = '[inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]'
# Execute query and test: num=3 asserts exactly three nodes come back
podes = await core.eval(q, num=3, cmdr=True)

cli> storm [inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]

inet:ipv4=54.38.219.150
        .created = 2019/01/02 22:55:49.870
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=151.242.192.84
        .created = 2019/01/02 22:55:49.875
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=217.83.101.150
        .created = 2019/01/02 22:55:49.879
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
complete. 3 nodes in 24 ms (125/sec).


In [62]:
# Define and print test query
# Lift every node carrying the tag (a bare #tag is a lift by tag), which here
# is the three inet:ipv4 nodes tagged in the previous cell.
q = '#cno.infra.anon.tor'
print(q)
# Execute the query and test: num=3 asserts exactly three nodes come back
podes = await core.eval(q, num=3, cmdr=False)

#cno.infra.anon.tor


In [63]:
# Make some moar tagged nodes:
# Create three inet:fqdn nodes and tag each with #aka.paloalto.thr.oilrig.
# NOTE(review): the aka.* tag tree looks like it records a third party's name
# for a threat group ("also known as", by vendor). Treat such a tag as that
# vendor's claim, not as verified attribution; these domains are fixtures for
# the lift in the next cell, not curated intel.
q = '[inet:fqdn=adobeproduct.com inet:fqdn=ntupdateserver.com inet:fqdn=fireeyeupdate.com +#aka.paloalto.thr.oilrig]'
# Execute query and test: num=3 asserts exactly three nodes come back
podes = await core.eval(q, num=3, cmdr=True)

cli> storm [inet:fqdn=adobeproduct.com inet:fqdn=ntupdateserver.com inet:fqdn=fireeyeupdate.com +#aka.paloalto.thr.oilrig]

inet:fqdn=adobeproduct.com
        .created = 2019/01/02 22:55:49.940
        :domain = com
        :host = adobeproduct
        :issuffix = False
        :iszone = True
        :zone = adobeproduct.com
        #aka.paloalto.thr.oilrig
inet:fqdn=ntupdateserver.com
        .created = 2019/01/02 22:55:49.946
        :domain = com
        :host = ntupdateserver
        :issuffix = False
        :iszone = True
        :zone = ntupdateserver.com
        #aka.paloalto.thr.oilrig
inet:fqdn=fireeyeupdate.com
        .created = 2019/01/02 22:55:49.948
        :domain = com
        :host = fireeyeupdate
        :issuffix = False
        :iszone = True
        :zone = fireeyeupdate.com
        #aka.paloalto.thr.oilrig
complete. 3 nodes in 21 ms (142/sec).


In [64]:
# Define and print test query
# Lift by tag again; expect the three inet:fqdn nodes tagged in the previous
# cell.
q = '#aka.paloalto.thr.oilrig'
print(q)
# Execute the query and test: num=3 asserts exactly three nodes come back
podes = await core.eval(q, num=3, cmdr=False)

#aka.paloalto.thr.oilrig


In [65]:
# Make some moar tagged nodes:
# q creates three syn:tag nodes and tags the tags themselves with
# #aka.feye.cc.ru; q1 and q2 then tag an fqdn and an ipv4 with two of those
# tags. This sets up the ## lift in the next cell.
# NOTE(review): the aka.* names presumably mirror a vendor's naming of threat
# groups; the indicators are documentation fixtures, not verified attribution.
q = '[syn:tag=aka.feye.thr.apt28 syn:tag=aka.feye.thr.apt29 syn:tag=aka.feye.thr.veles +#aka.feye.cc.ru]'
q1= '[inet:fqdn=scanmalware.info +#aka.feye.thr.apt28]'
q2= '[inet:ipv4=87.245.143.140 +#aka.feye.thr.veles]'
# Execute each query in turn (CLI output shown), checking the node count
for storm, want in ((q, 3), (q1, 1), (q2, 1)):
    podes = await core.eval(storm, num=want, cmdr=True)

cli> storm [syn:tag=aka.feye.thr.apt28 syn:tag=aka.feye.thr.apt29 syn:tag=aka.feye.thr.veles +#aka.feye.cc.ru]

syn:tag=aka.feye.thr.apt28
        .created = 2019/01/02 22:55:49.997
        :base = apt28
        :depth = 3
        :doc = 
        :title = 
        :up = aka.feye.thr
        #aka.feye.cc.ru
syn:tag=aka.feye.thr.apt29
        .created = 2019/01/02 22:55:49.999
        :base = apt29
        :depth = 3
        :doc = 
        :title = 
        :up = aka.feye.thr
        #aka.feye.cc.ru
syn:tag=aka.feye.thr.veles
        .created = 2019/01/02 22:55:50.000
        :base = veles
        :depth = 3
        :doc = 
        :title = 
        :up = aka.feye.thr
        #aka.feye.cc.ru
complete. 3 nodes in 12 ms (250/sec).
cli> storm [inet:fqdn=scanmalware.info +#aka.feye.thr.apt28]

inet:fqdn=scanmalware.info
        .created = 2019/01/02 22:55:50.028
        :domain = info
        :host = scanmalware
        :issuffix = False
        :iszone = True
        :zone = scanmalware.in

In [66]:
# Define and print test query
# A double-hash lift: ##tag appears to return the nodes tagged with any tag
# that itself carries #aka.feye.cc.ru, rather than the syn:tag nodes. The two
# expected hits are scanmalware.info (via #aka.feye.thr.apt28) and
# 87.245.143.140 (via #aka.feye.thr.veles); nothing is tagged apt29.
q = '##aka.feye.cc.ru'
print(q)
# Execute the query and test: num=2 asserts exactly two nodes come back
podes = await core.eval(q, num=2, cmdr=False)

##aka.feye.cc.ru


In [67]:
# Close cortex because done
# Tear down the temporary cortex created at the top of the notebook. Left as a
# bare expression so its return value (0 below) is shown as the cell output.
await core.fini()

0