Package Documentation

Storm Package: synapse-domaintools

The following Commands are available from this package. This documentation is generated for version 0.5.0 of the package.

Storm Commands

This package implements the following Storm Commands.

domaintools.farsight.setup.apikey

Manage the DomainTools Farsight DNSDB API key.

Examples:

    // Set the global DomainTools API key
    domaintools.farsight.setup.apikey key1234

    // Set the DomainTools API key for the current user
    domaintools.farsight.setup.apikey --self key1234

    // Display the scope of the current API key
    domaintools.farsight.setup.apikey --show-scope

    // Display the current API key.
    domaintools.farsight.setup.apikey --show-apikey

    // Remove the current global API key.
    domaintools.farsight.setup.apikey --remove

    // Remove the per-user API key for the current user.
    domaintools.farsight.setup.apikey --self --remove


Usage: domaintools.farsight.setup.apikey [options] <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove the API key as a user variable. If not used, the API key is set globally.
  --show-scope                : Display the API key scope in use (global vs self).
  --show-apikey               : Display the API key (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured API key. May be used with --self.

Arguments:

  [apikey]                    : The API key string.

domaintools.farsight.setup.url

Manage the DomainTools Farsight API URL.

By default, the base API URL used will be https://api.dnsdb.info.

Examples:

  // Set the DomainTools Farsight API URL
  domaintools.farsight.setup.url https://myfarsight.org

  // Display the current API URL
  domaintools.farsight.setup.url --show-url

  // Remove the current API URL
  domaintools.farsight.setup.url --remove


Usage: domaintools.farsight.setup.url [options] <url>

Options:

  --help                      : Display the command usage.
  --show-url                  : Display the Farsight API URL value.
  --remove                    : Remove the configured Farsight API URL.

Arguments:

  [url]                       : The base Farsight API URL.

domaintools.hosting.history

Query the DomainTools API for hosting history data.

This command takes inet:fqdn nodes as input to query the DomainTools
hosting history API.

Examples:

  // Get hosting history for an inet:fqdn node
  inet:fqdn=vertex.link | domaintools.hosting.history


Usage: domaintools.hosting.history [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.

domaintools.iris.detect

Retrieve domains from the Iris Detect API.

This command will first retrieve the list of monitors from the
"iris-detect/monitors/" endpoint and create "meta:rule" nodes to represent
the currently configured monitor rules. Once the rules are populated,
the command will retrieve domains and link them to the monitor that matched
them using "meta:rule -(matches)> inet:fqdn" edges. The "--no-monitors"
option may be used to disable creating the "meta:rule" nodes and edges.

By default this command will retrieve newly discovered domains from the
"iris-detect/domains/new/" endpoint. To retrieve watched domains from
the "iris-detect/domains/watched/" endpoint, specify "--type watched".

Examples:

  // Ingest newly discovered domains
  domaintools.iris.detect

  // Ingest watched domains and do not link associated monitors.
  domaintools.iris.detect --type watched --no-monitors

  // Create a cron job to ingest newly discovered domains every day
  cron.add --name "DomainTools Iris Detect New Domains Feed" --hour 3
  { domaintools.iris.detect }


Usage: domaintools.iris.detect [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.
  --no-monitors               : Skip creating nodes/edges to represent the monitors that matched domain results.
  --type <type>               : Specify whether 'new' or 'watched' domains should be retrieved. (default: new)
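A triage pipeline built on the command above, added here as an example rather than taken from the package documentation. It assumes that --size bounds the pull, that --yield emits the inet:fqdn nodes the command created, and that walking the "matches" edge in reverse (<(matches)- meta:rule) reaches the monitor nodes; the tag name #triage.detect is arbitrary.

```storm
// Added example (not from the package docs). Pull at most 100 newly
// discovered domains from the Iris Detect "new" feed and yield the
// inet:fqdn nodes the command created instead of nothing at all.
domaintools.iris.detect --size 100 --yield
// Tag the batch so a later query can lift exactly these domains
// with "inet:fqdn#triage.detect" (tag name is an arbitrary choice).
| [ +#triage.detect ]
// Walk the "matches" edge backwards from each domain to the meta:rule
// node for the monitor that flagged it, so hits can be reviewed per
// monitor rather than as one flat list.
| <(matches)- meta:rule
// Several domains usually share a monitor; emit each rule node once.
| uniq
```

Run the same pipeline with "--type watched" to review watched rather than new domains; with --no-monitors the reverse edge walk returns nothing because no meta:rule nodes or edges are created.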

domaintools.iris.enrich

Enrich domains using the Iris Enrich API.

This command takes inet:fqdn nodes as input to query the DomainTools
Iris Enrich API. The Iris Enrich API is optimized for fast responses and high volume
lookups, so it does not offer most of the search parameters available in the
Iris Investigate API.

Examples:

  // Enrich an inet:fqdn node
  inet:fqdn=vertex.link | domaintools.iris.enrich


Usage: domaintools.iris.enrich [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --batch-size <batch_size>   : Specify the number of domains to submit in each query to the API (max 100). (default: 100)

domaintools.iris.investigate

Search for domain information using the Iris Investigate API.

This command takes a domain name or a set of search parameters and queries
the API for matching domains. A node may be passed as the value of a command
argument; the string representation of the node's primary property is then
used as the search value.

This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.

Examples:

  // Search for a domain name
  domaintools.iris.investigate --domain vertex.link

  // Search using filters
  domaintools.iris.investigate --mailserver-domain vertex.link

  // Search for multiple domain names
  domaintools.iris.investigate --domain (vertex.link, domaintools.net)


Usage: domaintools.iris.investigate [options]

Options:

  --help                      : Display the command usage.
  --domain <domain>           : Domain or list of domains to investigate.
  --ip <ip>                   : IPv4 address the registered domain was last known to point to during an active DNS check.
  --email <email>             : Email address from the most recently available Whois record, DNS SOA record or SSL certificate.
  --email-domain <email_domain>: Only the domain portion of a Whois or DNS SOA email address.
  --nameserver-host <nameserver_host>: Fully-qualified host name of the name server.
  --nameserver-domain <nameserver_domain>: Registered domain portion of the name server.
  --nameserver-ip <nameserver_ip>: IP address of the name server.
  --registrar <registrar>     : Exact match to the Whois registrar field.
  --registrant <registrant>   : Exact match to the Whois registrant field.
  --registrant-org <registrant_org>: Exact match to the Whois registrant organization field.
  --mailserver-host <mailserver_host>: Fully-qualified host name of the mail server (e.g. mx.domaintools.net); a reverse MX lookup.
  --mailserver-domain <mailserver_domain>: Only the registered domain portion of the mail server (domaintools.net).
  --mailserver-ip <mailserver_ip>: IP address of the mail server.
  --redirect-domain <redirect_domain>: Find domains observed to redirect to another domain name.
  --ssl-hash <ssl_hash>       : SSL certificate SHA-1 hash.
  --ssl-org <ssl_org>         : Exact match to the organization name on the SSL certificate.
  --ssl-subject <ssl_subject> : Subject field from the SSL certificate.
  --ssl-email <ssl_email>     : Email address from the SSL certificate.
  --google-analytics <google_analytics>: Domains with a Google Analytics tracking code.
  --adsense <adsense>         : Domains with a Google AdSense tracking code.
  --search-hash <search_hash> : Encoded search from the Iris UI.
  --tld <tld>                 : Limit results to only include domains in a specific top-level domain.
  --create-date <create_date> : Only include domains created on a specific date.
  --expiration-date <expiration_date>: Only include domains expiring on a specific date.
  --data-updated-after <data_updated_after>: Iris records that were updated on or after midnight on this date. Must be paired with another parameter.
  --active <active>           : Set to true to only return domains that have either an entry in the global DNS system, OR are listed as registered by the registry. Set to false to only return domains that do not have an entry in the global DNS system AND are not listed as registered by the registry.
  --tagged-with-any <tagged_with_any>: Iris Investigate tag or tags. Returns domains tagged with any of the tags.
  --tagged-with-all <tagged_with_all>: Iris Investigate tag or tags. Returns domains tagged with all of the tags.
  --not-tagged-with-any <not_tagged_with_any>: Iris Investigate tag or tags. Excludes domains tagged with any of the tags.
  --not-tagged-with-all <not_tagged_with_all>: Iris Investigate tag or tags. Excludes domains tagged with all of the tags.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --yield                     : Yield the newly created nodes.
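A shared-infrastructure hunt using the it:exec:query provenance described above, added here as an example and not part of the package documentation. The filter values (vertex.link, "Vertex Project") are illustrative, the tag name #triage.investigate is arbitrary, and the example assumes --yield emits the matching inet:fqdn nodes and that the -(found)> edge can be walked in both directions.

```storm
// Added example (not from the package docs). Search for domains that use a
// name server under one registered domain AND carry a given organization
// name on their certificate. Both values are illustrative.
domaintools.iris.investigate --nameserver-domain vertex.link --ssl-org "Vertex Project" --size 200 --yield
// Tag the hits so this batch can be lifted later with
// "inet:fqdn#triage.investigate" (arbitrary tag name).
| [ +#triage.investigate ]
// Walk back over the -(found)> edge to the it:exec:query node that the
// command created to record this search, then forward again to every
// domain linked to that query. This also recovers results ingested by
// earlier runs of the same search, not just the nodes yielded just now.
| <(found)- it:exec:query
| -(found)> inet:fqdn
| uniq
```

Because the query node is created whether or not --yield is given, the last two steps are also the way to recover results from a search that was run without --yield.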

domaintools.limits

Get the current DomainTools query limits.


Usage: domaintools.limits [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.

domaintools.pdns

Query the DomainTools Farsight DNSDB API for passive DNS data.

This command takes inet:fqdn, inet:ipv4, inet:ipv6, inet:cidr4, or inet:cidr6
nodes as input to query the DomainTools Farsight DNSDB API. The --domain or
--ip arguments may also be used to specify the value to search for. By
default, queries for domains will perform rrset lookups. To instead perform an
rdata lookup for a domain, the --rdata argument may be specified. IP queries will
always perform rdata lookups.

When specifying an RRtype to search for, ANY (the default) will match any RRtype
except the DNSSEC-related RRtypes: DS, RRSIG, NSEC, DNSKEY, NSEC3, NSEC3PARAM, DLV,
CDS, CDNSKEY, and TA. The pseudo-mnemonic ANY-DNSSEC can be used which will return
only those records matching the aforementioned RRtypes.

Examples:

  // Perform an rrset query for a domain
  inet:fqdn=vertex.link | domaintools.pdns

  // Perform an rdata query for a domain
  inet:fqdn=vertex.link | domaintools.pdns --rdata

  // Perform an rdata query for an IP
  inet:ipv4=104.244.13.104 | domaintools.pdns


Usage: domaintools.pdns [options]

Options:

  --help                      : Display the command usage.
  --domain <domain>           : Domain name with optional leading or trailing asterisk and label separator (*. or .*).
  --ip <ip>                   : An IPv4 or IPv6 single address, with a prefix length, or range to search for.
  --rdata                     : For a domain, perform an rdata lookup instead of an rrset lookup. Does not apply to ip queries.
  --rrtype <rrtype>           : Specify an RRtype to search for. (default: ANY)
  --bailiwick <bailiwick>     : Specify a bailiwick to filter on. Does not apply to rdata queries.
  --no-aggr                   : Disable rrset aggregation.
  --time-first-before <time_first_before>: Search for results where the DNS record was first observed before the specified time.
  --time-first-after <time_first_after>: Search for results where the DNS record was first observed after the specified time.
  --time-last-before <time_last_before>: Search for results where the DNS record was last observed before the specified time.
  --time-last-after <time_last_after>: Search for results where the DNS record was last observed after the specified time.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of records ingested to the given size.
  --yield                     : Yield the newly created nodes.
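An IP-to-domain pivot that chains the passive DNS lookup into enrichment, added here as an example rather than taken from the package documentation. It assumes --time-last-after accepts a date in YYYY-MM-DD form and that --yield emits the DNS record nodes the command creates; the pivot "-> inet:fqdn" is used deliberately because it works over any property of type inet:fqdn and so does not depend on the exact record form the package models.

```storm
// Added example (not from the package docs). Start from an address seen in
// telemetry; for IP input the command always performs an rdata lookup, so
// the results are the records whose rdata pointed at this address.
inet:ipv4=104.244.13.104
// Restrict to A records last observed after a cut-off date (date format
// assumed to be YYYY-MM-DD) and cap the ingest at 200 records.
| domaintools.pdns --rrtype A --time-last-after "2024-01-01" --size 200 --yield
// Generic pivot from whatever record nodes were created to the domains
// they name; it follows any property of type inet:fqdn.
| -> inet:fqdn
| uniq
// Enrich the domains that resolved to the address, 50 per API request.
| domaintools.iris.enrich --batch-size 50
```

To run the lookup in the other direction for one of those domains, pipe it into "domaintools.pdns --rdata" (records whose rdata contains the name) or into "domaintools.pdns --bailiwick <zone>" for an rrset lookup limited to one zone; note that --bailiwick is ignored for rdata queries.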

domaintools.setup.apikey

Manage the DomainTools API user and key.

Examples:

    // Set the global DomainTools API credentials
    domaintools.setup.apikey user1234 key1234

    // Set the DomainTools API credentials for the current user
    domaintools.setup.apikey --self user1234 key1234

    // Display the scope of the current API credentials
    domaintools.setup.apikey --show-scope

    // Display the current API credentials.
    domaintools.setup.apikey --show-apikey

    // Remove the current global API credentials.
    domaintools.setup.apikey --remove

    // Remove the per-user API credentials for the current user.
    domaintools.setup.apikey --self --remove


Usage: domaintools.setup.apikey [options] <apiuser> <apikey>

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove the credentials as a user variable. If not used, the credentials are set globally.
  --show-scope                : Display the API credentials scope in use (global vs self).
  --show-apikey               : Display the API credentials (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured API credentials. May be used with --self.

Arguments:

  [apiuser]                   : The API user string.
  [apikey]                    : The API key string.

domaintools.setup.tagprefix

Set the tag prefix used when recording DomainTools data as tags.
The default tag prefix is "rep.domaintools" if not specified.
Any tags provided by the DomainTools API are added beneath the given prefix;
for example, the item "proximity" becomes "#rep.domaintools.proximity". Any
characters not permitted in tag names are replaced with "_".


Usage: domaintools.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

domaintools.whois.history

Query the DomainTools API for Whois history data.

This command takes inet:fqdn nodes as input to query the DomainTools
Whois history API.

Examples:

  // Get Whois history for an inet:fqdn node
  inet:fqdn=vertex.link | domaintools.whois.history


Usage: domaintools.whois.history [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size.
  --sort <sort>               : Sort the records returned in either ascending or descending order. (default: date_desc, choices: date_desc, date_asc)
  --yield                     : Yield the newly created nodes.

Storm Modules

This package does not export any Storm APIs.