In [1]:
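import os
import sys

try:
    # The wildcard import is what puts getTempCoreCmdr (used by the next cell)
    # into the notebook namespace.
    from synapse.lib.jupyter import *
except ImportError:
    # Fall back to a source checkout. This assumes the notebook sits three
    # directories below the repository root; adjust the relative path if the
    # notebook is moved.
    #
    # The path is resolved against the kernel's current working directory, and
    # position 0 on sys.path outranks the standard library and site-packages
    # for the rest of the kernel session. Any module in that directory can
    # therefore shadow an installed one, so only add it when it really holds a
    # synapse package; otherwise re-raise the original ImportError.
    synroot = os.path.abspath('../../../')
    if not os.path.isdir(os.path.join(synroot, 'synapse')):
        raise
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *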

In [2]:
# Get a temporary Cortex for the examples below. getTempCoreCmdr is not defined
# in this notebook; it arrives through the wildcard import of
# synapse.lib.jupyter in the first cell. Every later cell runs its Storm query
# through `core`, and the last cell shuts it down with core.fini().
core = await getTempCoreCmdr()

In [4]:
# Storm edit brackets [ ... ] add a node: here one inet:fqdn node for woot.com.
q = '[ inet:fqdn = woot.com ]'
# Display the syntax
print(q)
# Run the query. num=1 is the number of nodes the query is expected to yield
# (NOTE(review): presumably eval() checks that count -- confirm in
# synapse.lib.jupyter). With cmdr=False the cell shows only the print() above;
# the cmdr=True cells further down also show the "cli> storm ..." transcript.
podes = await core.eval(q, num=1, cmdr=False)

[ inet:fqdn = woot.com ]


In [3]:
# Add one inet:dns:a node whose value is the (fqdn, ipv4) pair
# (woot.com, 12.34.56.78).
q = '[ inet:dns:a=(woot.com, 12.34.56.78) ]'
# Display the syntax
print(q)
# Run the query; one node is expected back (num=1).
podes = await core.eval(q, num=1, cmdr=False)

[ inet:dns:a=(woot.com, 12.34.56.78) ]


In [5]:
# Add an ou:org node with a caller-supplied GUID. `guid` stays in the kernel
# namespace: the next cell compares its generated GUID against this value, so
# this cell has to run first.
guid = '2f92bc913918f6598bcf310972ebf32e'
q = f'[ ou:org={guid}]'
# Display the syntax
print(q)
# Run the query; one node is expected back (num=1).
podes = await core.eval(q, num=1, cmdr=False)

[ ou:org=2f92bc913918f6598bcf310972ebf32e]


In [6]:
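# "*" asks Storm to generate a fresh GUID for the new ou:org node instead of
# taking a caller-supplied one.
q = '[ ou:org="*" ]'
# Display the syntax
print(q)
# Run the query; one node is expected back (num=1).
podes = await core.eval(q, num=1, cmdr=False)
# podes[0][0] is the node's (form, value) pair. Check the two parts separately:
# comparing the whole pair against ('ou:org', guid) would also pass for a node
# of the wrong form, and for a pair that comes back as a list rather than a
# tuple. `guid` is the hard-coded value defined in the previous cell.
assert podes[0][0][0] == 'ou:org', f'unexpected form: {podes[0][0][0]!r}'
assert podes[0][0][1] != guid, 'generated GUID equals the hard-coded one'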

[ ou:org="*" ]


In [7]:
# Add one edge:refs node. Its value is a pair of (form, value) references:
# the media:news node with the given GUID refers to inet:fqdn woot.com.
q = '[ edge:refs=((media:news, 00a1f0d928e25729b9e86e2d08c127ce), (inet:fqdn, woot.com)) ]'
# Display the syntax
print(q)
# Run the query; only the edge:refs node itself is expected back (num=1).
podes = await core.eval(q, num=1, cmdr=False)

[ edge:refs=((media:news, 00a1f0d928e25729b9e86e2d08c127ce), (inet:fqdn, woot.com)) ]


In [8]:
# One pair of edit brackets can add several nodes of different forms at once:
# an FQDN, an IPv4 address and an MD5 hash.
q = '[ inet:fqdn=woot.com inet:ipv4=12.34.56.78 hash:md5=d41d8cd98f00b204e9800998ecf8427e ]'
# Display the syntax
print(q)
# Run the query; three nodes are expected back, one per form (num=3).
podes = await core.eval(q, num=3, cmdr=False)

[ inet:fqdn=woot.com inet:ipv4=12.34.56.78 hash:md5=d41d8cd98f00b204e9800998ecf8427e ]


In [9]:
# The printed query and the executed query differ on purpose: `q` is a
# documentation placeholder for "some lifted inet:ipv4 nodes", while `q1` lifts
# the concrete node created in an earlier cell. `q2` is the edit that sets the
# :loc secondary property.
q = '<inet:ipv4> '
q1 = 'inet:ipv4=12.34.56.78 '
q2 = '[ :loc=us.oh.wilmington ]'
print(q + q2)
# Execute the query to test it and get the packed nodes (podes).
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# The second element of a pode carries the node's details; the property must
# now hold the value that was just set.
assert podes[0][1].get('props').get('loc') == 'us.oh.wilmington'

<inet:ipv4> [ :loc=us.oh.wilmington ]


In [10]:
# Print the placeholder form, execute against the inet:dns:a node created
# earlier. The edit sets the .seen universal property to a (first, last)
# time interval.
q = '<inet:dns:a> '
q1 = 'inet:dns:a=(woot.com,12.34.56.78) '
q2 = '[ .seen=("2017/08/01 01:23", "2017/08/01 04:56") ]'
print(q + q2)
# Execute the query to test it and get the packed nodes (podes).
# Only the node count is checked here; the stored .seen value is not asserted.
podes = await core.eval(q1 + q2, num=1, cmdr=False)

<inet:dns:a> [ .seen=("2017/08/01 01:23", "2017/08/01 04:56") ]


In [11]:
# Print the placeholder form, execute against a concrete media:news node.
# No cell adds this node directly; it is presumably created as a side effect
# of the edge:refs cell that references the same GUID -- TODO confirm.
# The edit sets :summary to an empty string.
q = '<media:news> '
q1 = 'media:news=00a1f0d928e25729b9e86e2d08c127ce '
q2 = '[ :summary="" ]'
print(q + q2)
# Execute the query to test it and get the packed nodes (podes).
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# An empty string is a stored value, not an absent property.
assert podes[0][1].get('props').get('summary') == ''

<media:news> [ :summary="" ]


In [13]:
# Add an inet:ipv4 node and set two secondary properties in the same edit.
# This node is the starting point for the property-deletion example that
# follows.
q = '[ inet:ipv4=94.75.194.194 :loc=nl :asn=60781 ]'
# Run the query and test. cmdr=True makes the cell output a CLI transcript
# ("cli> storm ...") instead of relying on print().
podes = await core.eval(q, num=1, cmdr=True)
# :asn comes back as an integer, :loc as a string.
assert podes[0][1].get('props').get('asn') == 60781
assert podes[0][1].get('props').get('loc') == 'nl'

cli> storm [ inet:ipv4=94.75.194.194 :loc=nl :asn=60781 ]

inet:ipv4=94.75.194.194
        .created = 2019/03/20 16:01:49.975
        :asn = 60781
        :loc = nl
        :type = unicast
complete. 1 nodes in 7 ms (142/sec).


In [14]:
# Print the placeholder form, execute against the node created in the previous
# cell. "-:loc" inside edit brackets deletes the :loc secondary property.
q = '<inet:ipv4> '
q1 = 'inet:ipv4=94.75.194.194 '
q2 = '[ -:loc ]'
print(q + q2)
# Execute the query to test it and get the packed nodes (podes).
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# After the delete the property is absent from the node's props.
assert podes[0][1].get('props').get('loc') is None

<inet:ipv4> [ -:loc ]


In [15]:
# Several properties can be deleted in one edit. :summary was set to "" by an
# earlier cell; no visible cell ever sets :author, so this cell also relies on
# deleting an unset property not being an error -- TODO confirm.
q = '<media:news> '
q1 = 'media:news=00a1f0d928e25729b9e86e2d08c127ce '
q2 = '[ -:author -:summary ]'
print(q + q2)
# Execute the query to test it and get the packed nodes (podes).
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# Both properties must be absent afterwards.
assert podes[0][1].get('props').get('author') is None
assert podes[0][1].get('props').get('summary') is None

<media:news> [ -:author -:summary ]


In [17]:
# Add the inet:fqdn node that the tagging examples below operate on.
q = '[inet:fqdn=blackcake.net]'
# Run the query and test. cmdr=True prints the CLI transcript, which shows the
# node with no tags yet.
podes = await core.eval(q, num=1, cmdr=True)

cli> storm [inet:fqdn=blackcake.net]

inet:fqdn=blackcake.net
        .created = 2019/03/20 16:02:46.711
        :domain = net
        :host = blackcake
        :issuffix = False
        :iszone = True
        :zone = blackcake.net
complete. 1 nodes in 4 ms (250/sec).


In [18]:
# Print the placeholder form, execute against the FQDN created in the previous
# cell. "+#tag" inside edit brackets applies a tag; two tags are added in one
# edit here.
q = '<inet:fqdn> '
q1 = 'inet:fqdn=blackcake.net '
q2 = '[ +#aka.feye.thr.apt1 +#cno.infra.sink.hole ]'
print(q + q2)
# Execute the query to test it and get the packed nodes (podes).
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# Both tags must now appear among the node's tags.
assert 'aka.feye.thr.apt1' in podes[0][1].get('tags')
assert 'cno.infra.sink.hole' in podes[0][1].get('tags')

<inet:fqdn> [ +#aka.feye.thr.apt1 +#cno.infra.sink.hole ]


In [19]:
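# Print the placeholder form, execute against the blackcake.net FQDN. Giving a
# tag a (min, max) pair of times attaches a validity interval to it, i.e. the
# period during which the tagged assessment held.
q = '<inet:fqdn> '
q1 = 'inet:fqdn=blackcake.net '
q2 = '[ +#cno.infra.sink.hole=(2014/11/06, 2016/11/06) ]'
print(q + q2)
# Execute the query to test it and get the packed nodes (podes).
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# Check presence first: .get() on a missing tag returns None, and
# None != (None, None) is true, so the interval check alone would pass even if
# the tag had never been applied.
assert 'cno.infra.sink.hole' in podes[0][1].get('tags'), 'tag was not applied'
# (None, None) is what the comparison treats as "no interval"; after this edit
# the tag must carry one.
assert podes[0][1].get('tags').get('cno.infra.sink.hole') != (None, None), 'tag has no time interval'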

<inet:fqdn> [ +#cno.infra.sink.hole=(2014/11/06, 2016/11/06) ]


In [20]:
# Add an inet:ipv4 node and tag it in the same edit; this is the starting
# point for the tag-removal example that follows.
q = '[inet:ipv4=54.38.219.150 +#cno.infra.anon.tor]'
# Run the query and test. cmdr=True prints the CLI transcript, which lists the
# tag on the new node.
podes = await core.eval(q, num=1, cmdr=True)

cli> storm [inet:ipv4=54.38.219.150 +#cno.infra.anon.tor]

inet:ipv4=54.38.219.150
        .created = 2019/03/20 16:04:06.349
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
complete. 1 nodes in 8 ms (125/sec).


In [21]:
# Print the placeholder form, execute against the node created in the previous
# cell. "-#tag" inside edit brackets removes the tag from the node.
q = '<inet:ipv4> '
q1 = 'inet:ipv4=54.38.219.150 '
q2 = '[ -#cno.infra.anon.tor ]'
print(q + q2)
# Execute the query to test it and get the packed nodes (podes).
podes = await core.eval(q1 + q2, num=1, cmdr=False)
# The tag must no longer be present on the node.
assert 'cno.infra.anon.tor' not in podes[0][1].get('tags')

<inet:ipv4> [ -#cno.infra.anon.tor ]


In [24]:
# Combined example: node value and secondary properties in a single edit.
# The node already exists from an earlier cell, where :loc was later deleted;
# running the edit again still yields one node and sets :loc back to "nl".
q = '[ inet:ipv4=94.75.194.194 :loc=nl :asn=60781 ]'
# Display the syntax
print(q)
# Run the query and test
podes = await core.eval(q, num=1, cmdr=False)
# Both properties must hold the values given in the edit.
assert podes[0][1].get('props').get('loc') == 'nl'
assert podes[0][1].get('props').get('asn') == 60781

[ inet:ipv4=94.75.194.194 :loc=nl :asn=60781 ]


In [25]:
# Combined example: node value and tag in a single edit. The FQDN and this tag
# both exist already from earlier cells, so the cell also shows that repeating
# an edit is safe: one node comes back and the tag is still present.
q = '[ inet:fqdn=blackcake.net +#aka.feye.thr.apt1 ]'
# Display the syntax
print(q)
# Run the query and test
podes = await core.eval(q, num=1, cmdr=False)
assert 'aka.feye.thr.apt1' in podes[0][1].get('tags')

[ inet:fqdn=blackcake.net +#aka.feye.thr.apt1 ]


In [26]:
# Shut down the temporary Cortex opened at the top of the notebook. After this
# cell `core` can no longer run queries; re-run the getTempCoreCmdr() cell to
# get a fresh instance.
await core.fini()

0