In [1]:
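import os
import sys

# Bootstrap: make the notebook helpers from synapse.lib.jupyter available.
# NOTE(review): the wildcard import is kept because later cells use names it
# provides without importing them individually (getTempCoreCmdr at least).
try:
    from synapse.lib.jupyter import *
except ImportError:
    # Fallback for running from a source checkout: put the repository root on
    # sys.path. The root is derived from the current working directory and is
    # assumed to be three directories above the notebook; adjust if needed.
    synroot = os.path.abspath('../../../')
    # Entries at the front of sys.path shadow installed packages, so only add
    # the directory when it really contains the synapse package. Otherwise an
    # unrelated directory (wrong working directory) would be searched first.
    if not os.path.isdir(os.path.join(synroot, 'synapse')):
        raise ImportError(f'synapse is not installed and no synapse package was found under {synroot}')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *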

In [2]:
# Start a temporary Cortex wrapped in the Cmdr helper for this section.
core = await getTempCoreCmdr()
# Seed three inet:fqdn nodes; num=3 is the node count the helper expects back.
q = '[inet:fqdn=woot.com inet:fqdn=vertex.link inet:fqdn=google.com]'
podes = await core.eval(q, cmdr=False, num=3)


In [3]:
# Lift by form: every inet:fqdn node in the temp Cortex seeded above.
q = 'inet:fqdn'
print(q)
# Direct run (no CLI transcript); the result is a list of packed nodes (podes).
# Five nodes are expected rather than three, presumably because the parent
# domains (com, link) exist as nodes too.
podes = await core.eval(q, cmdr=False, num=5)

inet:fqdn


In [4]:
# Seed three it:dev:mutex nodes. The values are double-quoted in the Storm
# text; they contain characters such as !, @, #, $ and *.
q = '[it:dev:mutex="!@ADS@#$" it:dev:mutex="***MUTEX***" it:dev:mutex="***MUTEX***_SAIR"]'
# cmdr=True sends the query through the CLI so its transcript is displayed.
podes = await core.eval(q, cmdr=True, num=3)

cli> storm [it:dev:mutex="!@ADS@#$" it:dev:mutex="***MUTEX***" it:dev:mutex="***MUTEX***_SAIR"]
Executing query at 2019/07/11 14:51:18.189
it:dev:mutex=!@ADS@#$
        .created = 2019/07/11 14:51:18.208
it:dev:mutex=***MUTEX***
        .created = 2019/07/11 14:51:18.209
it:dev:mutex=***MUTEX***_SAIR
        .created = 2019/07/11 14:51:18.211
complete. 3 nodes in 23 ms (130/sec).


In [5]:
# Lift by form: all it:dev:mutex nodes.
q = 'it:dev:mutex'
print(q)
# Direct run; the three mutexes created in the previous cell are expected.
podes = await core.eval(q, cmdr=False, num=3)

it:dev:mutex


In [6]:
# Lift by form and primary value: only the google.com FQDN node.
q = 'inet:fqdn = google.com'
print(q)
# Direct run; exactly one node is expected.
podes = await core.eval(q, cmdr=False, num=1)

inet:fqdn = google.com


In [7]:
# Seed one hash:md5 node. d41d8cd98f00b204e9800998ecf8427e is the MD5 digest
# of zero-length input, so it matches every empty file and is a weak indicator
# when used alone.
q = '[hash:md5=d41d8cd98f00b204e9800998ecf8427e]'
# CLI run so the created node is echoed; one node is expected.
podes = await core.eval(q, cmdr=True, num=1)

cli> storm [hash:md5=d41d8cd98f00b204e9800998ecf8427e]
Executing query at 2019/07/11 14:51:18.295
hash:md5=d41d8cd98f00b204e9800998ecf8427e
        .created = 2019/07/11 14:51:18.305
complete. 1 nodes in 10 ms (100/sec).


In [8]:
# Lift by form and primary value: the hash:md5 node created in the previous cell.
q = 'hash:md5 = d41d8cd98f00b204e9800998ecf8427e'
print(q)
# Direct run; exactly one node is expected.
podes = await core.eval(q, cmdr=False, num=1)

hash:md5 = d41d8cd98f00b204e9800998ecf8427e


In [9]:
# Seed one inet:dns:a node. Its primary value is the (fqdn, ipv4) pair; the
# transcript shows :fqdn and :ipv4 populated from that pair.
q = '[ inet:dns:a=(woot.com,1.2.3.4)]'
# CLI run so the created node is echoed; one node is expected.
podes = await core.eval(q, cmdr=True, num=1)

cli> storm [ inet:dns:a=(woot.com,1.2.3.4)]
Executing query at 2019/07/11 14:51:18.349
inet:dns:a=('woot.com', '1.2.3.4')
        .created = 2019/07/11 14:51:18.363
        :fqdn = woot.com
        :ipv4 = 1.2.3.4
complete. 1 nodes in 15 ms (66/sec).


In [10]:
# Lift a compound-valued node by giving both elements of its primary value.
q = 'inet:dns:a = (woot.com, 1.2.3.4)'
print(q)
# Direct run; exactly one node is expected.
podes = await core.eval(q, cmdr=False, num=1)

inet:dns:a = (woot.com, 1.2.3.4)


In [11]:
# Seed one ou:org node with a fixed guid and four secondary properties
# (:alias, :name, :url, :loc).
q = '[ou:org=2f92bc913918f6598bcf310972ebf32e :alias=vertex :name="the vertex project llc" :url=http://www.vertex.link :loc=us]'
# CLI run so the created node is echoed; one node is expected.
podes = await core.eval(q, cmdr=True, num=1)

cli> storm [ou:org=2f92bc913918f6598bcf310972ebf32e :alias=vertex :name="the vertex project llc" :url=http://www.vertex.link :loc=us]
Executing query at 2019/07/11 14:51:18.405
ou:org=2f92bc913918f6598bcf310972ebf32e
        .created = 2019/07/11 14:51:18.423
        :alias = vertex
        :loc = us
        :name = the vertex project llc
        :url = http://www.vertex.link
complete. 1 nodes in 21 ms (47/sec).


In [12]:
# Lift the org node by its guid primary value.
q = 'ou:org=2f92bc913918f6598bcf310972ebf32e'
print(q)
# Direct run; exactly one node is expected.
podes = await core.eval(q, cmdr=False, num=1)

ou:org=2f92bc913918f6598bcf310972ebf32e


In [13]:
# Seed one edge:has node linking a ps:person guid to an inet:email value.
# Each side of the edge is written as a (form, value) pair.
q = '[edge:has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))]'
# CLI run so the created node is echoed; one node is expected.
podes = await core.eval(q, cmdr=True, num=1)

cli> storm [edge:has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))]
Executing query at 2019/07/11 14:51:18.454
edge:has=(('ps:person', '12af06294ddf1a0ac8d6da34e1dabee4'), ('inet:email', 'bob.smith@gmail.com'))
        .created = 2019/07/11 14:51:18.473
        :n1 = ('ps:person', '12af06294ddf1a0ac8d6da34e1dabee4')
        :n1:form = ps:person
        :n2 = ('inet:email', 'bob.smith@gmail.com')
        :n2:form = inet:email
complete. 1 nodes in 21 ms (47/sec).


In [14]:
# Lift the edge node by its full primary value (both (form, value) pairs).
q = 'edge:has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))'
print(q)
# Direct run; exactly one node is expected.
podes = await core.eval(q, cmdr=False, num=1)

edge:has=((ps:person,12af06294ddf1a0ac8d6da34e1dabee4),(inet:email, bob.smith@gmail.com))


In [15]:
# Seed two inet:dns:soa nodes. Only the first one carries an :email property;
# the second has :ns instead.
q = '[inet:dns:soa=f511705bb7ba9147b5d1b2058309a53e :email=18929733163@189.cn :fqdn=linvpn11.com]'
podes = await core.eval(q, cmdr=True, num=1)
q2 = '[inet:dns:soa=6b3bb9decf6f1593476b10937d4783db :ns=ns1.vpntunnel.se :fqdn=vpntunnel.se]'
podes = await core.eval(q2, cmdr=True, num=1)

cli> storm [inet:dns:soa=f511705bb7ba9147b5d1b2058309a53e :email=18929733163@189.cn :fqdn=linvpn11.com]
Executing query at 2019/07/11 14:51:18.519
inet:dns:soa=f511705bb7ba9147b5d1b2058309a53e
        .created = 2019/07/11 14:51:18.530
        :email = 18929733163@189.cn
        :fqdn = linvpn11.com
complete. 1 nodes in 15 ms (66/sec).
cli> storm [inet:dns:soa=6b3bb9decf6f1593476b10937d4783db :ns=ns1.vpntunnel.se :fqdn=vpntunnel.se]
Executing query at 2019/07/11 14:51:18.538
inet:dns:soa=6b3bb9decf6f1593476b10937d4783db
        .created = 2019/07/11 14:51:18.552
        :fqdn = vpntunnel.se
        :ns = ns1.vpntunnel.se
complete. 1 nodes in 17 ms (58/sec).


In [16]:
# Lift by secondary property: inet:dns:soa nodes that have :email set.
q = 'inet:dns:soa:email'
print(q)
# Direct run; one node is expected, since only one SOA record above has :email.
podes = await core.eval(q, cmdr=False, num=1)

inet:dns:soa:email


In [17]:
# Lift by secondary property value: ou:org nodes whose :alias equals vertex.
q = 'ou:org:alias = vertex'
print(q)
# Direct run; exactly one node is expected.
podes = await core.eval(q, cmdr=False, num=1)

ou:org:alias = vertex


In [18]:
# Seed three inet:dns:a nodes that share the FQDN blackcake.net and differ in
# the answer address.
q = '[inet:dns:a=(blackcake.net,52.4.209.250) inet:dns:a=(blackcake.net,67.215.66.149) inet:dns:a=(blackcake.net,0.0.0.0)]'
# CLI run so the created nodes are echoed; three nodes are expected.
podes = await core.eval(q, cmdr=True, num=3)

cli> storm [inet:dns:a=(blackcake.net,52.4.209.250) inet:dns:a=(blackcake.net,67.215.66.149) inet:dns:a=(blackcake.net,0.0.0.0)]
Executing query at 2019/07/11 14:51:18.602
inet:dns:a=('blackcake.net', '52.4.209.250')
        .created = 2019/07/11 14:51:18.622
        :fqdn = blackcake.net
        :ipv4 = 52.4.209.250
inet:dns:a=('blackcake.net', '67.215.66.149')
        .created = 2019/07/11 14:51:18.625
        :fqdn = blackcake.net
        :ipv4 = 67.215.66.149
inet:dns:a=('blackcake.net', '0.0.0.0')
        .created = 2019/07/11 14:51:18.627
        :fqdn = blackcake.net
        :ipv4 = 0.0.0.0
complete. 3 nodes in 26 ms (115/sec).


In [19]:
# Lift by secondary property value: every DNS A record for blackcake.net.
q = 'inet:dns:a:fqdn = blackcake.net'
print(q)
# Direct run; the three records created in the previous cell are expected.
podes = await core.eval(q, cmdr=False, num=3)

inet:dns:a:fqdn = blackcake.net


In [20]:
# Seed three file:bytes nodes keyed by SHA-256, each with a PE compile time.
# The times are given as digit strings; the transcript shows them rendered as
# timestamps (19920619222217 -> 1992/06/19 22:22:17.000).
q = '[file:bytes=sha256:e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f :mime:pe:compiled=19920619222217]'
podes = await core.eval(q, cmdr=True, num=1)
q2 = '[file:bytes=sha256:a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd :mime:pe:compiled=19920619222217]'
podes = await core.eval(q2, cmdr=True, num=1)
q3 = '[file:bytes=sha256:6119c92f5b5cb2cd953925e17ceb4a02a9007029dd27a35d44b116ff9718f814 :mime:pe:compiled=19700101032545]'
podes = await core.eval(q3, cmdr=True, num=1)

cli> storm [file:bytes=sha256:e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f :mime:pe:compiled=19920619222217]
Executing query at 2019/07/11 14:51:18.663
file:bytes=sha256:e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f
        .created = 2019/07/11 14:51:18.676
        :mime = ??
        :mime:pe:compiled = 1992/06/19 22:22:17.000
        :sha256 = e4f8ce133d5c42e6c3adc09c120c2ec483a57e6839c6d9ee39e0b294102b867f
complete. 1 nodes in 14 ms (71/sec).
cli> storm [file:bytes=sha256:a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd :mime:pe:compiled=19920619222217]
Executing query at 2019/07/11 14:51:18.685
file:bytes=sha256:a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd
        .created = 2019/07/11 14:51:18.698
        :mime = ??
        :mime:pe:compiled = 1992/06/19 22:22:17.000
        :sha256 = a2dc8c1327a184013f1e188258813776e052ac7a68c96c058a723cac28c97bdd
complete. 1 nodes in 14 ms (71/sec).
cli> storm [file:bytes

In [21]:
# Lift by an exact time value on a secondary property.
q = 'file:bytes:mime:pe:compiled = "1992/06/19 22:22:17"'
print(q)
# Direct run; two nodes are expected. The third file above has a different
# compile time (19700101032545) and is not matched.
podes = await core.eval(q, cmdr=False, num=2)

file:bytes:mime:pe:compiled = "1992/06/19 22:22:17"


In [22]:
# Seed three inet:ipv4 nodes; the transcript shows the trailing
# +#cno.infra.anon.tor tag applied to all three.
q = '[inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]'
# CLI run so the created nodes are echoed; three nodes are expected.
podes = await core.eval(q, cmdr=True, num=3)

cli> storm [inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]
Executing query at 2019/07/11 14:51:18.760
inet:ipv4=54.38.219.150
        .created = 2019/07/11 14:51:18.775
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=151.242.192.84
        .created = 2019/07/11 14:51:18.781
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=217.83.101.150
        .created = 2019/07/11 14:51:18.782
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
complete. 3 nodes in 23 ms (130/sec).


In [23]:
# Lift by tag: every node carrying #cno.infra.anon.tor, whatever its form.
q = '#cno.infra.anon.tor'
print(q)
# Direct run; the three tagged addresses from the previous cell are expected.
podes = await core.eval(q, cmdr=False, num=3)

#cno.infra.anon.tor


In [24]:
# Shut down the temp Cortex before the next section starts.
# Binding the result to `_` keeps fini()'s return value out of the cell output.
_ = await core.fini()

In [25]:
# Start a fresh temp Cortex for this section and preload two WHOIS records.
core = await getTempCoreCmdr()
# Each record is created through the CLI (transcript shown); one node is
# expected per query. Only the first record sets :registrant, only the second
# sets :registrar.
q = '[inet:whois:rec=(vicp.hk,"2007/12/20 00:00:00.000") :created = "2013/01/26 00:00:00.000" :registrant = "shanghai beiruixinxijishu" :text = "domain name: vicp.hk"]'
podes = await core.eval(q, cmdr=True, num=1)
q2 = '[inet:whois:rec=(lkqd.net,"2018/05/30 09:24:19.000") :created = "2014/06/01 21:05:25.000" :registrar = godaddy :text = "domain name: lkqd.net"]'
podes = await core.eval(q2, cmdr=True, num=1)

cli> storm [inet:whois:rec=(vicp.hk,"2007/12/20 00:00:00.000") :created = "2013/01/26 00:00:00.000" :registrant = "shanghai beiruixinxijishu" :text = "domain name: vicp.hk"]
Executing query at 2019/07/11 14:51:19.201
inet:whois:rec=('vicp.hk', '2007/12/20 00:00:00.000')
        .created = 2019/07/11 14:51:19.213
        :asof = 2007/12/20 00:00:00.000
        :created = 2013/01/26 00:00:00.000
        :fqdn = vicp.hk
        :registrant = shanghai beiruixinxijishu
        :registrar = ??
        :text = domain name: vicp.hk
complete. 1 nodes in 14 ms (71/sec).
cli> storm [inet:whois:rec=(lkqd.net,"2018/05/30 09:24:19.000") :created = "2014/06/01 21:05:25.000" :registrar = godaddy :text = "domain name: lkqd.net"]
Executing query at 2019/07/11 14:51:19.219
inet:whois:rec=('lkqd.net', '2018/05/30 09:24:19.000')
        .created = 2019/07/11 14:51:19.230
        :asof = 2018/05/30 09:24:19.000
        :created = 2014/06/01 21:05:25.000
        :fqdn = lkqd.net
        :registrant = ??
    

In [26]:
# Lift with a less-than comparison on a time property.
q = 'inet:whois:rec:created < 2014/06/01'
print(q)
# Direct run; one node is expected (vicp.hk, created 2013/01/26). lkqd.net was
# created later on 2014/06/01 (21:05:25), so it is not before the date given.
podes = await core.eval(q, cmdr=False, num=1)

inet:whois:rec:created < 2014/06/01


In [27]:
# Seed four file:bytes nodes with different :size values (two of 1048592
# bytes, one of 0, one of 1). The q3 hash, e3b0c442...b855, is the SHA-256
# digest of zero-length input, which is consistent with its :size=0.
q = '[file:bytes=sha256:14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3 :size=1048592]'
podes = await core.eval(q, cmdr=True, num=1)
q2 = '[file:bytes=sha256:8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229 :size=1048592]'
podes = await core.eval(q2, cmdr=True, num=1)
q3 = '[file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]'
podes = await core.eval(q3, cmdr=True, num=1)
q4 = '[file:bytes=sha256:36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068 :size=1]'
podes = await core.eval(q4, cmdr=True, num=1)

cli> storm [file:bytes=sha256:14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3 :size=1048592]
Executing query at 2019/07/11 14:51:19.264
file:bytes=sha256:14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3
        .created = 2019/07/11 14:51:19.275
        :mime = ??
        :sha256 = 14c2e63dced9ca20e368e056644a6b56f5678b2d3824945563e57255e85135a3
        :size = 1048592
complete. 1 nodes in 11 ms (90/sec).
cli> storm [file:bytes=sha256:8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229 :size=1048592]
Executing query at 2019/07/11 14:51:19.280
file:bytes=sha256:8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229
        .created = 2019/07/11 14:51:19.289
        :mime = ??
        :sha256 = 8146e9d7fe580ebc04331af87fba7cb344094c0a60482f420b566f2df2a22229
        :size = 1048592
complete. 1 nodes in 9 ms (111/sec).
cli> storm [file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]
Executing qu

In [28]:
# Lift with a greater-than comparison on an integer property.
q = 'file:bytes:size > 1048576'
print(q)
# Direct run; the two 1048592-byte files from the previous cell are expected.
podes = await core.eval(q, cmdr=False, num=2)

file:bytes:size > 1048576


In [29]:
# Seed two ps:person nodes with different dates of birth. The "*" primary
# value yields a newly generated guid, as the transcript shows.
q = '[ps:person="*" :dob=1974/05/14]'
podes = await core.eval(q, cmdr=True, num=1)
q2 = '[ps:person="*" :dob=1982/04/27]'
podes = await core.eval(q2, cmdr=True, num=1)

cli> storm [ps:person="*" :dob=1974/05/14]
Executing query at 2019/07/11 14:51:19.360
ps:person=47f3c9d664ee7a470ab140e26de074ee
        .created = 2019/07/11 14:51:19.372
        :dob = 1974/05/14 00:00:00.000
complete. 1 nodes in 13 ms (76/sec).
cli> storm [ps:person="*" :dob=1982/04/27]
Executing query at 2019/07/11 14:51:19.380
ps:person=b0d71f8cb406db4657e974a541809659
        .created = 2019/07/11 14:51:19.390
        :dob = 1982/04/27 00:00:00.000
complete. 1 nodes in 10 ms (100/sec).


In [30]:
# Lift with a less-than-or-equal comparison on a time property.
q = 'ps:person:dob <= 1980/01/01'
print(q)
# Direct run; one node is expected (the person born 1974/05/14).
podes = await core.eval(q, cmdr=False, num=1)

ps:person:dob <= 1980/01/01


In [31]:
# Seed three inet:whois:rec nodes; the second element of each primary value
# is the record's as-of date (shown as :asof in the transcript).
q = '[inet:whois:rec=(showustime.com, 2018/12/02) inet:whois:rec=(videosync.info,2018/12/02) inet:whois:rec=(earthsolution.org,1999/11/29)]'
# CLI run so the created nodes are echoed; three nodes are expected.
podes = await core.eval(q, cmdr=True, num=3)

cli> storm [inet:whois:rec=(showustime.com, 2018/12/02) inet:whois:rec=(videosync.info,2018/12/02) inet:whois:rec=(earthsolution.org,1999/11/29)]
Executing query at 2019/07/11 14:51:19.428
inet:whois:rec=('showustime.com', '2018/12/02 00:00:00.000')
        .created = 2019/07/11 14:51:19.452
        :asof = 2018/12/02 00:00:00.000
        :fqdn = showustime.com
        :registrant = ??
        :registrar = ??
inet:whois:rec=('videosync.info', '2018/12/02 00:00:00.000')
        .created = 2019/07/11 14:51:19.454
        :asof = 2018/12/02 00:00:00.000
        :fqdn = videosync.info
        :registrant = ??
        :registrar = ??
inet:whois:rec=('earthsolution.org', '1999/11/29 00:00:00.000')
        .created = 2019/07/11 14:51:19.457
        :asof = 1999/11/29 00:00:00.000
        :fqdn = earthsolution.org
        :registrant = ??
        :registrar = ??
complete. 3 nodes in 30 ms (100/sec).


In [32]:
# Lift with a greater-than-or-equal comparison; the time value is quoted
# because it includes a time of day.
q = 'inet:whois:rec:asof >= "2018/12/01 12:00"'
print(q)
# Direct run; the two records dated 2018/12/02 are expected.
podes = await core.eval(q, cmdr=False, num=2)

inet:whois:rec:asof >= "2018/12/01 12:00"


In [33]:
# Shut down the temp Cortex before the next section starts. The bare await
# leaves fini()'s return value as the cell result (the 0 shown below).
await core.fini()

0

In [34]:
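import os
import sys

# Same bootstrap as the first cell on this page: make the notebook helpers
# from synapse.lib.jupyter available to the cells that follow.
# NOTE(review): the wildcard import is kept because the following cells use
# names it provides without importing them individually.
try:
    from synapse.lib.jupyter import *
except ImportError:
    # Fallback for running from a source checkout: put the repository root on
    # sys.path. The root is derived from the current working directory and is
    # assumed to be three directories above the notebook; adjust if needed.
    synroot = os.path.abspath('../../../')
    # Entries at the front of sys.path shadow installed packages, so only add
    # the directory when it really contains the synapse package.
    if not os.path.isdir(os.path.join(synroot, 'synapse')):
        raise ImportError(f'synapse is not installed and no synapse package was found under {synroot}')
    sys.path.insert(0, synroot)
    from synapse.lib.jupyter import *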

In [35]:
# Start a fresh temp Cortex for this section.
core = await getTempCoreCmdr()
# Seed two file:bytes nodes with a PE debug (PDB) path. A PDB path left in a
# binary records directories from the build machine, which is why it is worth
# modelling as a searchable property.
q = '[file:bytes=sha256:cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814 :mime:pe:pdbpath="d:/my documents/visual studio projects/rouji/svcmain.pdb"]'
podes = await core.eval(q, cmdr=True, num=1)
q2 = '[file:bytes=sha256:56d9ed457136c85fba55cdd5ee3b7c21cb25ce0b1d7053d397cf4756fa7a422f :mime:pe:pdbpath="c:/users/milad/desktop/end crypter vb.net/tekide/obj/debug/tekide.pdb"]'
podes = await core.eval(q2, cmdr=True, num=1)

cli> storm [file:bytes=sha256:cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814 :mime:pe:pdbpath="d:/my documents/visual studio projects/rouji/svcmain.pdb"]
Executing query at 2019/07/11 14:51:19.935
file:bytes=sha256:cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814
        .created = 2019/07/11 14:51:19.941
        :mime = ??
        :mime:pe:pdbpath = d:/my documents/visual studio projects/rouji/svcmain.pdb
        :sha256 = cebb47280cd00814e1c085c5bc3fbac0e9f91168999091f199a1b1d209edd814
complete. 1 nodes in 8 ms (125/sec).
cli> storm [file:bytes=sha256:56d9ed457136c85fba55cdd5ee3b7c21cb25ce0b1d7053d397cf4756fa7a422f :mime:pe:pdbpath="c:/users/milad/desktop/end crypter vb.net/tekide/obj/debug/tekide.pdb"]
Executing query at 2019/07/11 14:51:19.946
file:bytes=sha256:56d9ed457136c85fba55cdd5ee3b7c21cb25ce0b1d7053d397cf4756fa7a422f
        .created = 2019/07/11 14:51:19.953
        :mime = ??
        :mime:pe:pdbpath = c:/users/milad/desktop/end crypter v

In [36]:
# Lift with the regular-expression operator (~=): PDB paths containing "rouji".
q = 'file:bytes:mime:pe:pdbpath ~= "rouji"'
print(q)
# Direct run; one node is expected (only the first file's path matches).
podes = await core.eval(q, cmdr=False, num=1)

file:bytes:mime:pe:pdbpath ~= "rouji"


In [37]:
# Seed four inet:user nodes whose names all begin with "pinky".
q = '[inet:user=pinky inet:user=pinkyboo inet:user=pinkybrain inet:user=pinkydinky]'
# CLI run so the created nodes are echoed; four nodes are expected.
podes = await core.eval(q, cmdr=True, num=4)

cli> storm [inet:user=pinky inet:user=pinkyboo inet:user=pinkybrain inet:user=pinkydinky]
Executing query at 2019/07/11 14:51:19.991
inet:user=pinky
        .created = 2019/07/11 14:51:20.007
inet:user=pinkyboo
        .created = 2019/07/11 14:51:20.008
inet:user=pinkybrain
        .created = 2019/07/11 14:51:20.008
inet:user=pinkydinky
        .created = 2019/07/11 14:51:20.009
complete. 4 nodes in 18 ms (222/sec).


In [38]:
# Lift with the prefix operator (^=) on a primary value.
q = 'inet:user^=pinky'
print(q)
# Direct run; four nodes are expected, so the exact value "pinky" counts as a
# match along with the three longer names.
podes = await core.eval(q, cmdr=False, num=4)

inet:user^=pinky


In [39]:
# Seed three ou:org nodes with generated guids. The names are given in mixed
# case; the transcript shows them stored in lower case.
q = '[ou:org="*" :name="International House of Pancakes"]'
podes = await core.eval(q, cmdr=True, num=1)
q1 = '[ou:org="*" :name="International Society of Funny Walks"]'
podes = await core.eval(q1, cmdr=True, num=1)
q2 = '[ou:org="*" :name="Interrogators Anonymous"]'
podes = await core.eval(q2, cmdr=True, num=1)

cli> storm [ou:org="*" :name="International House of Pancakes"]
Executing query at 2019/07/11 14:51:20.051
ou:org=0406d1697ce82750e8cb9081304e8988
        .created = 2019/07/11 14:51:20.076
        :name = international house of pancakes
complete. 1 nodes in 26 ms (38/sec).
cli> storm [ou:org="*" :name="International Society of Funny Walks"]
Executing query at 2019/07/11 14:51:20.084
ou:org=3e7a1c11b9dab9254a7ac98e9dcfe1f8
        .created = 2019/07/11 14:51:20.094
        :name = international society of funny walks
complete. 1 nodes in 10 ms (100/sec).
cli> storm [ou:org="*" :name="Interrogators Anonymous"]
Executing query at 2019/07/11 14:51:20.100
ou:org=82dba07855f5f876953208f250d5ba5a
        .created = 2019/07/11 14:51:20.109
        :name = interrogators anonymous
complete. 1 nodes in 10 ms (100/sec).


In [40]:
# Lift with the prefix operator (^=) on a secondary property.
q = 'ou:org:name^=international'
print(q)
# Direct run; two nodes are expected. "interrogators anonymous" shares only
# the first five letters and is not matched.
podes = await core.eval(q, cmdr=False, num=2)

ou:org:name^=international


In [41]:
# Seed four DNS A records for woot.com, each with a different .seen interval
# (first-seen, last-seen) written as digit-only dates.
q = '[inet:dns:a=(woot.com,1.2.3.4) .seen=(20180101,20180720)]'
podes = await core.eval(q, cmdr=True, num=1)
q1 = '[inet:dns:a=(woot.com,5.6.7.8) .seen=(20180504,20180622)]'
podes = await core.eval(q1, cmdr=True, num=1)
q2 = '[inet:dns:a=(woot.com,9.8.7.6) .seen=(20180710,20180801)]'
podes = await core.eval(q2, cmdr=True, num=1)
q3 = '[inet:dns:a=(woot.com,4.4.4.4) .seen=(20180729,20181013)]'
podes = await core.eval(q3, cmdr=True, num=1)

cli> storm [inet:dns:a=(woot.com,1.2.3.4) .seen=(20180101,20180720)]
Executing query at 2019/07/11 14:51:20.140
inet:dns:a=('woot.com', '1.2.3.4')
        .created = 2019/07/11 14:51:20.163
        .seen = ('2018/01/01 00:00:00.000', '2018/07/20 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 1.2.3.4
complete. 1 nodes in 26 ms (38/sec).
cli> storm [inet:dns:a=(woot.com,5.6.7.8) .seen=(20180504,20180622)]
Executing query at 2019/07/11 14:51:20.172
inet:dns:a=('woot.com', '5.6.7.8')
        .created = 2019/07/11 14:51:20.187
        .seen = ('2018/05/04 00:00:00.000', '2018/06/22 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 5.6.7.8
complete. 1 nodes in 17 ms (58/sec).
cli> storm [inet:dns:a=(woot.com,9.8.7.6) .seen=(20180710,20180801)]
Executing query at 2019/07/11 14:51:20.194
inet:dns:a=('woot.com', '9.8.7.6')
        .created = 2019/07/11 14:51:20.213
        .seen = ('2018/07/10 00:00:00.000', '2018/08/01 00:00:00.000')
        :fqdn = woot.com
        :ipv4 = 9.8.

In [42]:
# Lift with the interval operator (@=) on the .seen universal property.
q = 'inet:dns:a.seen@=(2018/07/01, 2018/08/01)'
print(q)
# Direct run; three nodes are expected, which is consistent with overlap
# matching: only 5.6.7.8 (last seen 2018/06/22) falls wholly outside the window.
podes = await core.eval(q, cmdr=False, num=3)

inet:dns:a.seen@=(2018/07/01, 2018/08/01)


In [43]:
# Seed three inet:dns:request nodes with query names and timestamps; the last
# one is stamped exactly 2018/05/04 00:00:00.000.
q = '[inet:dns:request=00000399e09b949ad82bfe0f12bd78e1 :query:name=1.north-america.pool.ntp.org :time="2018/05/03 13:06:24.457"]'
podes = await core.eval(q, cmdr=True, num=1)
q1 = '[inet:dns:request=00000a17dbe261d10ce6ed514872bd37 :query:name = download.applemusic.itemdb.com :time="2018/05/03 00:12:29.062"]'
podes = await core.eval(q1, cmdr=True, num=1)
q2 = '[inet:dns:request=00000c5d90986334b8d6721639d987b6 :query:name = bestsellers.com.ua :time="2018/05/04 00:00:00.000"]'
podes = await core.eval(q2, cmdr=True, num=1)

cli> storm [inet:dns:request=00000399e09b949ad82bfe0f12bd78e1 :query:name=1.north-america.pool.ntp.org :time="2018/05/03 13:06:24.457"]
Executing query at 2019/07/11 14:51:20.281
inet:dns:request=00000399e09b949ad82bfe0f12bd78e1
        .created = 2019/07/11 14:51:20.293
        :query:name = 1.north-america.pool.ntp.org
        :query:name:fqdn = 1.north-america.pool.ntp.org
        :time = 2018/05/03 13:06:24.457
complete. 1 nodes in 16 ms (62/sec).
cli> storm [inet:dns:request=00000a17dbe261d10ce6ed514872bd37 :query:name = download.applemusic.itemdb.com :time="2018/05/03 00:12:29.062"]
Executing query at 2019/07/11 14:51:20.302
inet:dns:request=00000a17dbe261d10ce6ed514872bd37
        .created = 2019/07/11 14:51:20.312
        :query:name = download.applemusic.itemdb.com
        :query:name:fqdn = download.applemusic.itemdb.com
        :time = 2018/05/03 00:12:29.062
complete. 1 nodes in 13 ms (76/sec).
cli> storm [inet:dns:request=00000c5d90986334b8d6721639d987b6 :query:name = best

In [44]:
# Lift with the interval operator (@=) on a time property.
q = 'inet:dns:request:time@=("2018/05/03 00:00:00", "2018/05/04 00:00:00")'
print(q)
# Direct run; two nodes are expected. The request stamped exactly
# 2018/05/04 00:00:00.000 is left out, i.e. the upper bound is not included.
podes = await core.eval(q, cmdr=False, num=2)

inet:dns:request:time@=("2018/05/03 00:00:00", "2018/05/04 00:00:00")


In [45]:
# Seed three inet:whois:rec nodes; two share the as-of date 2017/07/17.
q = '[inet:whois:rec=(jeepworker.com,20170717)]'
podes = await core.eval(q, cmdr=True, num=1)
q1 = '[inet:whois:rec=(woot.com,20180503)]'
podes = await core.eval(q1, cmdr=True, num=1)
q2 = '[inet:whois:rec=(nato-hq.com,20170717)]'
podes = await core.eval(q2, cmdr=True, num=1)

cli> storm [inet:whois:rec=(jeepworker.com,20170717)]
Executing query at 2019/07/11 14:51:20.375
inet:whois:rec=('jeepworker.com', '2017/07/17 00:00:00.000')
        .created = 2019/07/11 14:51:20.387
        :asof = 2017/07/17 00:00:00.000
        :fqdn = jeepworker.com
        :registrant = ??
        :registrar = ??
complete. 1 nodes in 13 ms (76/sec).
cli> storm [inet:whois:rec=(woot.com,20180503)]
Executing query at 2019/07/11 14:51:20.398
inet:whois:rec=('woot.com', '2018/05/03 00:00:00.000')
        .created = 2019/07/11 14:51:20.414
        :asof = 2018/05/03 00:00:00.000
        :fqdn = woot.com
        :registrant = ??
        :registrar = ??
complete. 1 nodes in 17 ms (58/sec).
cli> storm [inet:whois:rec=(nato-hq.com,20170717)]
Executing query at 2019/07/11 14:51:20.422
inet:whois:rec=('nato-hq.com', '2017/07/17 00:00:00.000')
        .created = 2019/07/11 14:51:20.433
        :asof = 2017/07/17 00:00:00.000
        :fqdn = nato-hq.com
        :registrant = ??
        :regis

In [46]:
# Interval operator (@=) given a single time instead of a (min, max) pair.
q = 'inet:whois:rec:asof@=2017/07/17'
print(q)
# Direct run; the two records dated 2017/07/17 are expected.
podes = await core.eval(q, cmdr=False, num=2)

inet:whois:rec:asof@=2017/07/17


In [47]:
# Seed two inet:whois:email nodes, each a (fqdn, email) pair with a .seen
# interval that runs from 2001 into early 2019.
# NOTE(review): the addresses look like real registrant contacts; confirm
# they are meant to be published as sample data.
q = '[inet:whois:email=(garyhart.com, garyhartaz@hotmail.com) .seen = ("2001/07/11 00:00:00.000", "2019/01/24 00:00:00.001")]'
podes = await core.eval(q, cmdr=True, num=1)
q1 = '[inet:whois:email=(dynip.com, david@canweb.ca) .seen = ("2001/09/06 00:00:00.000", "2019/02/08 00:00:00.001")]'
podes = await core.eval(q1, cmdr=True, num=1)

cli> storm [inet:whois:email=(garyhart.com, garyhartaz@hotmail.com) .seen = ("2001/07/11 00:00:00.000", "2019/01/24 00:00:00.001")]
Executing query at 2019/07/11 14:51:20.463
inet:whois:email=('garyhart.com', 'garyhartaz@hotmail.com')
        .created = 2019/07/11 14:51:20.483
        .seen = ('2001/07/11 00:00:00.000', '2019/01/24 00:00:00.001')
        :email = garyhartaz@hotmail.com
        :fqdn = garyhart.com
complete. 1 nodes in 22 ms (45/sec).
cli> storm [inet:whois:email=(dynip.com, david@canweb.ca) .seen = ("2001/09/06 00:00:00.000", "2019/02/08 00:00:00.001")]
Executing query at 2019/07/11 14:51:20.491
inet:whois:email=('dynip.com', 'david@canweb.ca')
        .created = 2019/07/11 14:51:20.509
        .seen = ('2001/09/06 00:00:00.000', '2019/02/08 00:00:00.001')
        :email = david@canweb.ca
        :fqdn = dynip.com
complete. 1 nodes in 21 ms (47/sec).


In [48]:
# Interval operator (@=) with the keyword `now` as the upper bound.
q = 'inet:whois:email.seen@=(2019/01/01, now)'
print(q)
# Direct run; two nodes are expected, as both .seen intervals above end in 2019.
podes = await core.eval(q, cmdr=False, num=2)

inet:whois:email.seen@=(2019/01/01, now)


In [49]:
# Seed two inet:dns:request nodes, both timestamped on 2018/10/15.
q = '[inet:dns:request=a5efa31ac253d6d0d6123dbdaa73212a :query:name=outlookteam.live :time="2018/10/15 00:00:00.026"]'
podes = await core.eval(q, cmdr=True, num=1)
q1 = '[inet:dns:request=65b0dfa5bc609082e45bb76c24ada08c :query:name=toknowall.com :time="2018/10/15 00:00:11.046"]'
podes = await core.eval(q1, cmdr=True, num=1)

cli> storm [inet:dns:request=a5efa31ac253d6d0d6123dbdaa73212a :query:name=outlookteam.live :time="2018/10/15 00:00:00.026"]
Executing query at 2019/07/11 14:51:20.546
inet:dns:request=a5efa31ac253d6d0d6123dbdaa73212a
        .created = 2019/07/11 14:51:20.561
        :query:name = outlookteam.live
        :query:name:fqdn = outlookteam.live
        :time = 2018/10/15 00:00:00.026
complete. 1 nodes in 18 ms (55/sec).
cli> storm [inet:dns:request=65b0dfa5bc609082e45bb76c24ada08c :query:name=toknowall.com :time="2018/10/15 00:00:11.046"]
Executing query at 2019/07/11 14:51:20.573
inet:dns:request=65b0dfa5bc609082e45bb76c24ada08c
        .created = 2019/07/11 14:51:20.584
        :query:name = toknowall.com
        :query:name:fqdn = toknowall.com
        :time = 2018/10/15 00:00:11.046
complete. 1 nodes in 12 ms (83/sec).


In [50]:
# Interval operator (@=) with a relative upper bound: "+1 day" after the
# first value.
q = 'inet:dns:request:time@=(2018/10/15,"+1 day")'
print(q)
# Direct run; both requests made on 2018/10/15 are expected.
podes = await core.eval(q, cmdr=False, num=2)

inet:dns:request:time@=(2018/10/15,"+1 day")


In [51]:
# Seed two inet:fqdn nodes tagged #cno.threat.t43.tc; each tag carries its own
# time interval (shown after the tag in the transcript).
q = '[inet:fqdn=derp.com +#cno.threat.t43.tc=(20121014,20151014)]'
podes = await core.eval(q, cmdr=True, num=1)
q1 = '[inet:fqdn=hurr.com +#cno.threat.t43.tc=(20140806,20160806)]'
podes = await core.eval(q1, cmdr=True, num=1)

cli> storm [inet:fqdn=derp.com +#cno.threat.t43.tc=(20121014,20151014)]
Executing query at 2019/07/11 14:51:20.618
inet:fqdn=derp.com
        .created = 2019/07/11 14:51:20.631
        :domain = com
        :host = derp
        :issuffix = False
        :iszone = True
        :zone = derp.com
        #cno.threat.t43.tc = (2012/10/14 00:00:00.000, 2015/10/14 00:00:00.000)
complete. 1 nodes in 16 ms (62/sec).
cli> storm [inet:fqdn=hurr.com +#cno.threat.t43.tc=(20140806,20160806)]
Executing query at 2019/07/11 14:51:20.640
inet:fqdn=hurr.com
        .created = 2019/07/11 14:51:20.652
        :domain = com
        :host = hurr
        :issuffix = False
        :iszone = True
        :zone = hurr.com
        #cno.threat.t43.tc = (2014/08/06 00:00:00.000, 2016/08/06 00:00:00.000)
complete. 1 nodes in 14 ms (71/sec).


In [52]:
# Interval operator (@=) applied to a tag's time interval, restricted to the
# inet:fqdn form.
q = 'inet:fqdn#cno.threat.t43.tc@=(2013/01/01, 2015/01/01)'
print(q)
# Direct run; two nodes are expected, as both tag intervals overlap the window.
podes = await core.eval(q, cmdr=False, num=2)

inet:fqdn#cno.threat.t43.tc@=(2013/01/01, 2015/01/01)


In [53]:
# Seed inet:ipv4 nodes from CIDR notation. 192.168.0.0/24 is RFC 1918 private
# address space.
q = '[inet:ipv4=192.168.0.0/24]'
# Direct run, so no transcript is printed; 256 nodes are expected, one per
# address in the /24.
podes = await core.eval(q, cmdr=False, num=256)

In [54]:
# Lift with the range operator (*range=) on a primary value.
q = 'inet:ipv4*range=(192.168.0.0, 192.168.0.10)'
print(q)
# Direct run; eleven nodes are expected (.0 through .10), so both endpoints
# are included.
podes = await core.eval(q, cmdr=False, num=11)

inet:ipv4*range=(192.168.0.0, 192.168.0.10)


In [55]:
# Seed four file:bytes nodes with sizes 0, 1001, 5000 and 100002. The first
# hash, e3b0c442...b855, is the SHA-256 digest of zero-length input, which is
# consistent with its :size=0.
q = '[file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]'
podes = await core.eval(q, cmdr=True, num=1)
q1 = '[file:bytes=sha256:929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0 :size=1001]'
podes = await core.eval(q1, cmdr=True, num=1)
q2 = '[file:bytes=sha256:e7db39923c5244bfc96af4593794f8e85eb4b68da4f80c7b67cc887aa1ea4713 :size=5000]'
podes = await core.eval(q2, cmdr=True, num=1)
q3 = '[file:bytes=sha256:e708cd312b2b87c6ecc62fe2d33071380a90e60f6f98cf37f1e178127d2c3241 :size=100002]'
podes = await core.eval(q3, cmdr=True, num=1)

cli> storm [file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 :size=0]
Executing query at 2019/07/11 14:51:20.852
file:bytes=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        .created = 2019/07/11 14:51:20.862
        :mime = ??
        :sha256 = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        :size = 0
complete. 1 nodes in 10 ms (100/sec).
cli> storm [file:bytes=sha256:929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0 :size=1001]
Executing query at 2019/07/11 14:51:20.867
file:bytes=sha256:929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0
        .created = 2019/07/11 14:51:20.876
        :mime = ??
        :sha256 = 929c3316a91c62170e545986274dc6a36e6560ca5bf85a98e96662a5a3c5edb0
        :size = 1001
complete. 1 nodes in 10 ms (100/sec).
cli> storm [file:bytes=sha256:e7db39923c5244bfc96af4593794f8e85eb4b68da4f80c7b67cc887aa1ea4713 :size=5000]
Executing query at 2019/0

In [56]:
# Lift file:bytes nodes by a numeric range on the :size secondary property.
q = 'file:bytes:size*range=(1000,100000)'
print(q)
# Of the sizes created above (0, 1001, 5000, 100002) only 1001 and 5000 fall
# inside the range, hence num=2.
podes = await core.eval(q, num=2, cmdr=False)

file:bytes:size*range=(1000,100000)


In [57]:
# Create five inet:whois:rec nodes. Each is keyed by a (domain, as-of date)
# pair and carries a stub :text value; the as-of dates are spread out so the
# time-range lift that follows has records on both sides of its bounds.
q, q1, q2, q3, q4 = (
    '[inet:whois:rec=(pe75.com,2013/11/29) :text="domain name: pe75.com"]',
    '[inet:whois:rec=(youipcam.com,2013/11/29) :text="domain name: youipcam.com"]',
    '[inet:whois:rec=(17ti.net,2016/01/01) :text="domain name: 17ti.net"]',
    '[inet:whois:rec=(africawebcast.com,1999/11/19) :text="domain name: africawebcast.com"]',
    '[inet:whois:rec=(teads.tv,2017/03/02) :text="domain name: teads.tv"]',
)
# Run the edits in order with cmdr=True (the "cli> storm" transcript form),
# expecting exactly one node from each.
for storm_text in (q, q1, q2, q3, q4):
    podes = await core.eval(storm_text, num=1, cmdr=True)

cli> storm [inet:whois:rec=(pe75.com,2013/11/29) :text="domain name: pe75.com"]
Executing query at 2019/07/11 14:51:20.997
inet:whois:rec=('pe75.com', '2013/11/29 00:00:00.000')
        .created = 2019/07/11 14:51:21.026
        :asof = 2013/11/29 00:00:00.000
        :fqdn = pe75.com
        :registrant = ??
        :registrar = ??
        :text = domain name: pe75.com
complete. 1 nodes in 30 ms (33/sec).
cli> storm [inet:whois:rec=(youipcam.com,2013/11/29) :text="domain name: youipcam.com"]
Executing query at 2019/07/11 14:51:21.037
inet:whois:rec=('youipcam.com', '2013/11/29 00:00:00.000')
        .created = 2019/07/11 14:51:21.050
        :asof = 2013/11/29 00:00:00.000
        :fqdn = youipcam.com
        :registrant = ??
        :registrar = ??
        :text = domain name: youipcam.com
complete. 1 nodes in 15 ms (66/sec).
cli> storm [inet:whois:rec=(17ti.net,2016/01/01) :text="domain name: 17ti.net"]
Executing query at 2019/07/11 14:51:21.063
inet:whois:rec=('17ti.net', '2016/01/

In [58]:
# Lift WHOIS records by a time range on the :asof secondary property.
q = 'inet:whois:rec:asof*range=(2013/11/29, 2016/06/14)'
print(q)
# num=3: the two 2013/11/29 records (so the lower bound is inclusive) plus the
# 2016/01/01 record; the 1999 and 2017 records fall outside the range.
podes = await core.eval(q, num=3, cmdr=False)

inet:whois:rec:asof*range=(2013/11/29, 2016/06/14)


In [59]:
# Create five inet:dns:request nodes that share one :query tuple and differ
# only in :time. The "*" value has the cortex pick the node identifier (the
# recorded output shows a different one per node). The times sit just inside
# and just outside a one-day window around 2018/12/01.
q, q1, q2, q3, q4 = (
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/01 00:00:00"]',
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/11/30 00:00:00"]',
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/01 23:59:59"]',
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/02 00:01:00"]',
    '[inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/11/29 23:59:59"]',
)
# Run the edits in order with cmdr=True (the "cli> storm" transcript form),
# expecting exactly one node from each.
for storm_text in (q, q1, q2, q3, q4):
    podes = await core.eval(storm_text, num=1, cmdr=True)

cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/01 00:00:00"]
Executing query at 2019/07/11 14:51:21.184
inet:dns:request=f50afa952bd95ee7a3334e8d103588bc
        .created = 2019/07/11 14:51:21.203
        :query = ('tcp://8.8.8.8', 'woot.com', '1')
        :query:name = woot.com
        :query:name:fqdn = woot.com
        :query:type = 1
        :time = 2018/12/01 00:00:00.000
complete. 1 nodes in 22 ms (45/sec).
cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/11/30 00:00:00"]
Executing query at 2019/07/11 14:51:21.212
inet:dns:request=6253b6679847fdba1174e081580bcd2b
        .created = 2019/07/11 14:51:21.227
        :query = ('tcp://8.8.8.8', 'woot.com', '1')
        :query:name = woot.com
        :query:name:fqdn = woot.com
        :query:type = 1
        :time = 2018/11/30 00:00:00.000
complete. 1 nodes in 16 ms (62/sec).
cli> storm [inet:dns:request="*" :query=(tcp://8.8.8.8, woot.com, 1) :time="2018/12/01 23:59

In [60]:
# Lift DNS requests whose :time lies within one day either side of 2018/12/01,
# using a relative "+-1 day" offset as the second range value.
q = 'inet:dns:request:time*range=(2018/12/01, "+-1 day")'
print(q)
# num=3 is consistent with a window of 2018/11/30 00:00:00 through
# 2018/12/02 00:00:00: the 11/29 23:59:59 and 12/02 00:01:00 requests miss it.
podes = await core.eval(q, num=3, cmdr=False)

inet:dns:request:time*range=(2018/12/01, "+-1 day")


In [61]:
# Add three more IPv4 nodes for the *in= example. 192.168.0.100 already exists
# from the /24 created earlier (its .created time in the recorded output
# predates this cell), but it is still yielded and counted.
# NOTE(review): the recorded output reports :type = private for
# 255.255.255.254, which lies in the reserved 240.0.0.0/4 space; do not treat
# :type here as an RFC 1918 membership check.
q = '[inet:ipv4=127.0.0.1 inet:ipv4=192.168.0.100 inet:ipv4=255.255.255.254]'
# Run via the CLI-style runner (cmdr=True) and expect three nodes back.
podes = await core.eval(q, num=3, cmdr=True)

cli> storm [inet:ipv4=127.0.0.1 inet:ipv4=192.168.0.100 inet:ipv4=255.255.255.254]
Executing query at 2019/07/11 14:51:21.339
inet:ipv4=127.0.0.1
        .created = 2019/07/11 14:51:21.348
        :asn = 0
        :loc = ??
        :type = loopback
inet:ipv4=192.168.0.100
        .created = 2019/07/11 14:51:20.757
        :asn = 0
        :loc = ??
        :type = private
inet:ipv4=255.255.255.254
        .created = 2019/07/11 14:51:21.349
        :asn = 0
        :loc = ??
        :type = private
complete. 3 nodes in 11 ms (272/sec).


In [62]:
# Lift inet:ipv4 nodes whose value is any member of an explicit list (*in=).
q = 'inet:ipv4*in=(127.0.0.1, 192.168.0.100, 255.255.255.254)'
print(q)
# All three listed addresses exist in the temp cortex, hence num=3.
podes = await core.eval(q, num=3, cmdr=False)

inet:ipv4*in=(127.0.0.1, 192.168.0.100, 255.255.255.254)


In [63]:
# Create three more file:bytes nodes with sizes 4096, 16384 and 65536 for the
# *in= example on :size. The hash/size pairs are sample data and are not
# checked against any file content in this notebook.
q, q1, q2 = (
    '[file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c :size=4096]',
    '[file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81 :size=16384]',
    '[file:bytes=sha256:2e248baca79a14f6a62a6bb962a68f7b6f1dfea4641beb39f8e7f0ec5bb47e36 :size=65536]',
)
# Run the edits in order with cmdr=True (the "cli> storm" transcript form),
# expecting exactly one node from each.
for storm_text in (q, q1, q2):
    podes = await core.eval(storm_text, num=1, cmdr=True)

cli> storm [file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c :size=4096]
Executing query at 2019/07/11 14:51:21.386
file:bytes=sha256:68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c
        .created = 2019/07/11 14:51:21.398
        :mime = ??
        :sha256 = 68168583a7778d3c8512f8d6ae47a44618c58537dd5af8eff7da41da0c000c0c
        :size = 4096
complete. 1 nodes in 13 ms (76/sec).
cli> storm [file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81 :size=16384]
Executing query at 2019/07/11 14:51:21.406
file:bytes=sha256:0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81
        .created = 2019/07/11 14:51:21.416
        :mime = ??
        :sha256 = 0a040124ffeccf0031369c57ca7b1dd70f61c71d9b10710bdc6adb53d0eefd81
        :size = 16384
complete. 1 nodes in 10 ms (100/sec).
cli> storm [file:bytes=sha256:2e248baca79a14f6a62a6bb962a68f7b6f1dfea4641beb39f8e7f0ec5bb47e36 :size=65536]
Executing query a

In [64]:
# Lift file:bytes nodes whose :size equals any value in the list (*in=).
q = 'file:bytes:size*in=(4096, 16384, 65536)'
print(q)
# One node per listed size was created above, hence num=3; the earlier files
# (sizes 0, 1001, 5000, 100002) do not match.
podes = await core.eval(q, num=3, cmdr=False)

file:bytes:size*in=(4096, 16384, 65536)


In [65]:
# Create five syn:tag nodes of varying depth. The recorded output shows the
# cortex deriving :base (the last element), :depth and :up (the parent tag)
# for each of them.
q = '[syn:tag=aaa.foo syn:tag=aaa.bbb.bar syn:tag=ccc.baz syn:tag=aaa.bar.hurr syn:tag=baz.woop]'
# Run via the CLI-style runner; the edit yields the five tags named above.
podes = await core.eval(q, num=5, cmdr=True)

cli> storm [syn:tag=aaa.foo syn:tag=aaa.bbb.bar syn:tag=ccc.baz syn:tag=aaa.bar.hurr syn:tag=baz.woop]
Executing query at 2019/07/11 14:51:21.476
syn:tag=aaa.foo
        .created = 2019/07/11 14:51:21.491
        :base = foo
        :depth = 1
        :doc = 
        :title = 
        :up = aaa
syn:tag=aaa.bbb.bar
        .created = 2019/07/11 14:51:21.492
        :base = bar
        :depth = 2
        :doc = 
        :title = 
        :up = aaa.bbb
syn:tag=ccc.baz
        .created = 2019/07/11 14:51:21.494
        :base = baz
        :depth = 1
        :doc = 
        :title = 
        :up = ccc
syn:tag=aaa.bar.hurr
        .created = 2019/07/11 14:51:21.496
        :base = hurr
        :depth = 2
        :doc = 
        :title = 
        :up = aaa.bar
syn:tag=baz.woop
        .created = 2019/07/11 14:51:21.498
        :base = woop
        :depth = 1
        :doc = 
        :title = 
        :up = baz
complete. 5 nodes in 23 ms (217/sec).


In [66]:
# Lift syn:tag nodes whose :base (last element) is foo, bar or baz.
q = 'syn:tag:base*in=(foo,bar,baz)'
print(q)
# num=5 although only three of the tags created explicitly above end in
# foo/bar/baz (aaa.foo, aaa.bbb.bar, ccc.baz). The other two are presumably
# the parent tags aaa.bar and baz, created implicitly -- TODO confirm.
podes = await core.eval(q, num=5, cmdr=False)

syn:tag:base*in=(foo,bar,baz)


In [67]:
# Create two geo:place nodes with :latlong, :loc and :name set: one in Paris
# and one in Lysaker, so that a proximity lift centred on Paris matches only
# the first.
q, q1 = (
    '[geo:place=531665e149b54a8a160961f47faab360 :latlong="48.8589878,2.2989958" :loc=fr.paris :name="the american library in paris"]',
    '[geo:place=05d499e9aef335cc9d27be5aeed1ccfe :latlong="59.9124013,10.63733779" :loc=no.lysaker :name="avast software"]',
)
# Run the edits in order with cmdr=True (the "cli> storm" transcript form),
# expecting exactly one node from each.
for storm_text in (q, q1):
    podes = await core.eval(storm_text, num=1, cmdr=True)

cli> storm [geo:place=531665e149b54a8a160961f47faab360 :latlong="48.8589878,2.2989958" :loc=fr.paris :name="the american library in paris"]
Executing query at 2019/07/11 14:51:21.537
geo:place=531665e149b54a8a160961f47faab360
        .created = 2019/07/11 14:51:21.549
        :latlong = 48.8589878,2.2989958
        :loc = fr.paris
        :name = the american library in paris
complete. 1 nodes in 13 ms (76/sec).
cli> storm [geo:place=05d499e9aef335cc9d27be5aeed1ccfe :latlong="59.9124013,10.63733779" :loc=no.lysaker :name="avast software"]
Executing query at 2019/07/11 14:51:21.554
geo:place=05d499e9aef335cc9d27be5aeed1ccfe
        .created = 2019/07/11 14:51:21.568
        :latlong = 59.9124013,10.63733779
        :loc = no.lysaker
        :name = avast software
complete. 1 nodes in 15 ms (66/sec).


In [68]:
# Lift geo:place nodes whose :latlong lies within a radius of a point:
# *near=((lat,long),distance).
q = 'geo:place:latlong*near=((48.8583701,2.2944813),500m)'
print(q)
# num=1: of the two places created above only the Paris one is expected to be
# within 500m of the centre point.
podes = await core.eval(q, num=1, cmdr=False)

geo:place:latlong*near=((48.8583701,2.2944813),500m)


In [69]:
# Create three inet:ipv4 nodes and apply #cno.infra.anon.tor to them; the
# recorded output shows the tag on all three. These are sample values for the
# docs: the tag is an assertion stored on the node, and nothing in this cell
# verifies it against the addresses.
q = '[inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]'
# Run via the CLI-style runner and expect the three tagged nodes back.
podes = await core.eval(q, num=3, cmdr=True)

cli> storm [inet:ipv4=54.38.219.150 inet:ipv4=151.242.192.84 inet:ipv4=217.83.101.150 +#cno.infra.anon.tor]
Executing query at 2019/07/11 14:51:21.606
inet:ipv4=54.38.219.150
        .created = 2019/07/11 14:51:21.618
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=151.242.192.84
        .created = 2019/07/11 14:51:21.623
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
inet:ipv4=217.83.101.150
        .created = 2019/07/11 14:51:21.625
        :asn = 0
        :loc = ??
        :type = unicast
        #cno.infra.anon.tor
complete. 3 nodes in 19 ms (157/sec).


In [70]:
# Lift by tag alone: no form is named in the query, only the tag.
q = '#cno.infra.anon.tor'
print(q)
# num=3 matches the three inet:ipv4 nodes tagged in the previous cell.
podes = await core.eval(q, num=3, cmdr=False)

#cno.infra.anon.tor


In [71]:
# Create three inet:fqdn nodes and apply #aka.paloalto.thr.oilrig to them; the
# recorded output shows the tag on all three. These are sample values for the
# docs: the tag records an attribution claim, which this cell does not verify.
q = '[inet:fqdn=adobeproduct.com inet:fqdn=ntupdateserver.com inet:fqdn=fireeyeupdate.com +#aka.paloalto.thr.oilrig]'
# Run via the CLI-style runner and expect the three tagged nodes back.
podes = await core.eval(q, num=3, cmdr=True)

cli> storm [inet:fqdn=adobeproduct.com inet:fqdn=ntupdateserver.com inet:fqdn=fireeyeupdate.com +#aka.paloalto.thr.oilrig]
Executing query at 2019/07/11 14:51:21.667
inet:fqdn=adobeproduct.com
        .created = 2019/07/11 14:51:21.681
        :domain = com
        :host = adobeproduct
        :issuffix = False
        :iszone = True
        :zone = adobeproduct.com
        #aka.paloalto.thr.oilrig
inet:fqdn=ntupdateserver.com
        .created = 2019/07/11 14:51:21.686
        :domain = com
        :host = ntupdateserver
        :issuffix = False
        :iszone = True
        :zone = ntupdateserver.com
        #aka.paloalto.thr.oilrig
inet:fqdn=fireeyeupdate.com
        .created = 2019/07/11 14:51:21.688
        :domain = com
        :host = fireeyeupdate
        :issuffix = False
        :iszone = True
        :zone = fireeyeupdate.com
        #aka.paloalto.thr.oilrig
complete. 3 nodes in 22 ms (136/sec).


In [72]:
# Lift by form and tag together: only inet:fqdn nodes that carry the tag.
q = 'inet:fqdn#aka.paloalto.thr.oilrig'
print(q)
# num=3 matches the three FQDNs tagged in the previous cell.
podes = await core.eval(q, num=3, cmdr=False)

inet:fqdn#aka.paloalto.thr.oilrig


In [73]:
# Build a two-level tagging example:
#   q  - three syn:tag nodes (apt28, apt29, veles under aka.feye.thr) that are
#        themselves tagged #aka.feye.cc.ru;
#   q1 - an inet:fqdn node tagged #aka.feye.thr.apt28;
#   q2 - an inet:ipv4 node tagged #aka.feye.thr.veles.
# The values are sample data for the docs; the tags record attribution
# claims, which this cell does not verify.
q = '[syn:tag=aka.feye.thr.apt28 syn:tag=aka.feye.thr.apt29 syn:tag=aka.feye.thr.veles +#aka.feye.cc.ru]'
q1 = '[inet:fqdn=scanmalware.info +#aka.feye.thr.apt28]'
q2 = '[inet:ipv4=87.245.143.140 +#aka.feye.thr.veles]'
# Run each edit with cmdr=True (the "cli> storm" transcript form), pairing
# every query with the node count it is expected to yield.
for storm_text, expected in ((q, 3), (q1, 1), (q2, 1)):
    podes = await core.eval(storm_text, num=expected, cmdr=True)

cli> storm [syn:tag=aka.feye.thr.apt28 syn:tag=aka.feye.thr.apt29 syn:tag=aka.feye.thr.veles +#aka.feye.cc.ru]
Executing query at 2019/07/11 14:51:21.733
syn:tag=aka.feye.thr.apt28
        .created = 2019/07/11 14:51:21.751
        :base = apt28
        :depth = 3
        :doc = 
        :title = 
        :up = aka.feye.thr
        #aka.feye.cc.ru
syn:tag=aka.feye.thr.apt29
        .created = 2019/07/11 14:51:21.758
        :base = apt29
        :depth = 3
        :doc = 
        :title = 
        :up = aka.feye.thr
        #aka.feye.cc.ru
syn:tag=aka.feye.thr.veles
        .created = 2019/07/11 14:51:21.761
        :base = veles
        :depth = 3
        :doc = 
        :title = 
        :up = aka.feye.thr
        #aka.feye.cc.ru
complete. 3 nodes in 29 ms (103/sec).
cli> storm [inet:fqdn=scanmalware.info +#aka.feye.thr.apt28]
Executing query at 2019/07/11 14:51:21.774
inet:fqdn=scanmalware.info
        .created = 2019/07/11 14:51:21.784
        :domain = info
        :host = scanmal

In [74]:
# Lift with a double-hash tag prefix (##) rather than a single #.
q = '##aka.feye.cc.ru'
print(q)
# num=2: presumably the scanmalware.info and 87.245.143.140 nodes, reached
# through the syn:tag nodes that carry #aka.feye.cc.ru, with those syn:tag
# nodes themselves not counted -- TODO confirm against the Storm reference.
podes = await core.eval(q, num=2, cmdr=False)

##aka.feye.cc.ru


In [75]:
# Shut down the temporary cortex now that every example has run. Assigning the
# awaited result to _ keeps it from being rendered as the cell's output.
_ = await core.fini()