Synapse-Efflux User Guide

Synapse-Efflux adds new Storm commands to allow you to query the Efflux API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set up a personal API key for your own use:

> efflux.setup.apikey --self myapikey
Setting Efflux API key for the current user.

Listing Scans

To list the 5 most recent scans:

> efflux.scans.list --count 5
                 Job ID                 |    Status    |            Created            |            Started            |           Completed
========================================|==============|===============================|===============================|===============================
  4a36bce7-ec50-4510-b81e-0f43e0f291eb  |   complete   |  2024-08-01T19:28:18.693619Z  |  2024-08-01T19:28:20.600054Z  |  2024-08-01T19:28:29.993855Z
----------------------------------------|--------------|-------------------------------|-------------------------------|-------------------------------
  d3160197-396e-49a1-850c-273669ee8e9c  |   complete   |  2024-08-01T15:51:27.331004Z  |  2024-08-01T15:51:29.561393Z  |   2024-08-01T15:51:38.48537Z
----------------------------------------|--------------|-------------------------------|-------------------------------|-------------------------------
  e0303856-ab38-43bf-a180-4ea91c760d30  |   complete   |  2024-08-01T15:39:16.001947Z  |  2024-08-01T15:39:19.024725Z  |   2024-08-01T15:39:41.43836Z
----------------------------------------|--------------|-------------------------------|-------------------------------|-------------------------------
  58a488d8-2fb9-436d-b0d9-bf2f63a4f7c8  |   complete   |  2024-08-01T03:21:07.385652Z  |  2024-08-01T03:21:09.730695Z  |  2024-08-01T03:21:18.625531Z
----------------------------------------|--------------|-------------------------------|-------------------------------|-------------------------------
  9d4a1bb2-2a26-4ab9-894d-8f0a7e537d14  |   complete   |  2024-08-01T03:15:15.816978Z  |   2024-08-01T03:15:18.52227Z  |  2024-08-01T03:15:41.344097Z

Submit a Scan

To batch a set of nodes, enable Efflux’s checks system, and submit them for a scan:

> #efflux.nowait | efflux.scans.submit --ports "1-1000" --checks --fingerprint 2
Synapse-Efflux New Scan: befb9c74-8481-4660-95fc-73e6a741f8c7
inet:ipv4=23.26.137.228
        .created = 2024/09/18 20:27:03.092
        :type = unicast
        #efflux.nowait
inet:fqdn=softad.net
        .created = 2024/09/18 20:27:03.100
        :domain = net
        :host = softad
        :issuffix = false
        :iszone = true
        :zone = softad.net
        #efflux.nowait

To batch a set of nodes, create an extended config, submit that package for a scan, and wait for the results:

> #efflux.wait | efflux.scans.submit --extra ({"ports": ["443", "1-222"], "fingerprint": 2}) --wait
inet:whois:rec=('cyberdyne.com', '2024/02/07 00:05:31.000')
        .created = 2024/09/18 20:27:48.960
        :asof = 2024/02/07 00:05:31.000
        :created = 1994/03/11 05:00:00.000
        :expires = 2025/03/12 04:00:00.000
        :fqdn = cyberdyne.com
        :registrar = amazon registrar, inc.
        :updated = 2024/02/07 00:05:31.000
inet:dns:a=('cyberdyne.com', '18.238.49.6')
        .created = 2024/09/18 20:27:49.067
        :fqdn = cyberdyne.com
        :ipv4 = 18.238.49.6
inet:dns:a=('cyberdyne.com', '18.238.49.117')
        .created = 2024/09/18 20:27:49.103
        :fqdn = cyberdyne.com
        :ipv4 = 18.238.49.117
inet:dns:a=('cyberdyne.com', '18.238.49.52')
        .created = 2024/09/18 20:27:49.139
        :fqdn = cyberdyne.com
        :ipv4 = 18.238.49.52
inet:dns:a=('cyberdyne.com', '18.238.49.2')
        .created = 2024/09/18 20:27:49.174
        :fqdn = cyberdyne.com
        :ipv4 = 18.238.49.2
inet:dns:mx=('cyberdyne.com', 'cyberdyne-com.mail.protection.outlook.com')
        .created = 2024/09/18 20:27:49.210
        :fqdn = cyberdyne.com
        :mx = cyberdyne-com.mail.protection.outlook.com
inet:http:request=2603e587879fde961e14ae1d093a8e45
        .created = 2024/09/18 20:27:49.327
        :response:headers = [('server', 'CloudFront'), ('connection', 'keep-alive'), ('x-cache', 'Error from cloudfront'), ('content-type', 'text/html'), ('content-length', '915'), ('via', '1.1 6ca3dc9afd6f12cee41f6246e0c4aa8e.cloudfront.net (CloudFront)'), ('x-amz-cf-pop', 'JFK52-P3'), ('x-amz-cf-id', 'vn-d6ufW8M7DQceDrkqm7PAwABydibrUVgHQW030pHDSBFOewFg_yg=='), ('date', 'Thu, 01 Aug 2024 21:20:49 GMT')]
        :url = http://cyberdyne.com
inet:ipv4=185.196.9.241
        .created = 2024/09/18 20:27:03.326
        :asn = 42624
        :type = unicast
        #efflux.wait
inet:flow=7b89fc15c80de4e5e8563ce54988fe1a
        .created = 2024/09/18 20:27:49.534
        :dst:ipv4 = 185.196.9.241
        :dst:port = 22
        :dst:proto = tcp
        :dst:ssh:key = 8fe243b03590abae28465813b342d67c
        :dst:txcount = 324
inet:http:request=17ceb6cfa0b0cd0fa6ba1e7946ae03c4
        .created = 2024/09/18 20:27:49.847
        :flow = 377f804bcdc533fdcc153ffa2e5ab51b
        :response:body = sha256:9c8c654fe26ffff624d54b10e91c30938ac4019fe8c64eb6d739783b9b5f10d0
        :response:headers = [('server', 'nginx/1.18.0 (Ubuntu)'), ('content-type', 'text/html'), ('connection', 'keep-alive'), ('date', 'Thu, 01 Aug 2024 21:20:49 GMT')]
        :server:ipv4 = 185.196.9.241
        :server:port = 80
        :url = http://185.196.9.241:80
inet:flow=377f804bcdc533fdcc153ffa2e5ab51b
        .created = 2024/09/18 20:27:49.694
        :dst:cpes = ['cpe:2.3:a:igor_sysoev:nginx:1.18.0:*:*:*:*:*:*:*']
        :dst:ipv4 = 185.196.9.241
        :dst:port = 80
        :dst:proto = tcp
        :dst:softnames = ['nginx']
        :dst:txcount = 810

Resubmit a Scan

To rerun a scan without waiting for the rerun to finish:

> efflux.scans.resubmit "fd648e7d-50a0-4206-b4ea-da3df4f21586"
Synapse-Efflux: Rescheduled job fd648e7d-50a0-4206-b4ea-da3df4f21586 with new ID cb078d10-5d7f-4699-b372-aa3782df68fb

To rerun a scan and wait for it to finish, yielding result nodes as they are returned:

> efflux.scans.resubmit "be86fce6-7615-4a31-8b09-41c9e38b5c96" --wait --size 5
inet:ipv4=23.26.137.225
        .created = 2024/09/18 20:28:35.618
        :asn = 19318
        :type = unicast
inet:flow=d5d1b99a5978b190cd8710b0a80819c7
        .created = 2024/09/18 20:28:35.717
        :dst:ipv4 = 23.26.137.225
        :dst:port = 22
        :dst:proto = tcp
        :dst:ssh:key = b571cbf470726d455dd01fd65f723155
        :dst:txcount = 396
inet:http:request=601b23035a0ce45c152fe393a2651031
        .created = 2024/09/18 20:28:36.001
        :flow = 42621ce31d744bf44e3c4e2471f52234
        :response:body = sha256:301bd9f16f94feedfae7a946a14bac38cb73c43efe6117bc5586835af03d7d6f
        :response:headers = [('server', 'nginx'), ('content-type', 'text/html'), ('content-length', '138'), ('last-modified', 'Sun, 28 Jul 2024 07:21:28 GMT'), ('connection', 'keep-alive'), ('etag', '"66a5f178-8a"'), ('accept-ranges', 'bytes'), ('date', 'Thu, 01 Aug 2024 20:56:42 GMT')]
        :server:ipv4 = 23.26.137.225
        :server:port = 80
        :url = http://23.26.137.225:80
inet:flow=42621ce31d744bf44e3c4e2471f52234
        .created = 2024/09/18 20:28:35.861
        :dst:cpes = ['cpe:2.3:a:igor_sysoev:nginx:*:*:*:*:*:*:*:*']
        :dst:ipv4 = 23.26.137.225
        :dst:port = 80
        :dst:proto = tcp
        :dst:softnames = ['nginx']
        :dst:txcount = 796
inet:http:request=c224f920fb00136dbf35c6f350591384
        .created = 2024/09/18 20:28:36.224
        :flow = 60681dc92caee1a5209b2de8e24a0bd1
        :response:body = sha256:32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864
        :response:headers = [('server', 'nginx'), ('connection', 'keep-alive'), ('date', 'Thu, 01 Aug 2024 20:56:43 GMT'), ('content-type', 'text/html'), ('content-length', '146')]
        :server:ipv4 = 23.26.137.225
        :server:port = 888
        :url = http://23.26.137.225:888

Ingest a Scan by ID

To retrieve the results of a specific scan by its ID:

> efflux.scans.byid "4471a791-c1f6-4591-b200-3b0769c3a5b1" --yield --size 5
inet:whois:rec=('krebsonsecurity.com', '2017/10/27 17:22:54.000')
        .created = 2024/09/18 20:28:36.547
        :asof = 2017/10/27 17:22:54.000
        :created = 2009/11/23 15:16:26.000
        :expires = 2026/11/23 15:16:26.000
        :fqdn = krebsonsecurity.com
        :registrar = tucows domains inc.
        :updated = 2017/10/27 17:22:54.000
inet:dns:a=('krebsonsecurity.com', '130.211.45.45')
        .created = 2024/09/18 20:28:36.631
        :fqdn = krebsonsecurity.com
        :ipv4 = 130.211.45.45
inet:http:request=c4f892da61dcecb15bf5a80c98c09274
        .created = 2024/09/18 20:28:36.877
        :response:headers = [('server', 'nginx'), ('alt-svc', 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'), ('referrer-policy', 'no-referrer-when-downgrade'), ('via', '1.1 google'), ('vary', 'Accept-Encoding'), ('pragma', 'public'), ('last-modified', 'Mon, 29 Jul 2024 19:27:44 GMT'), ('age', '552'), ('x-cache-status', 'EXPIRED'), ('cache-control', 'max-age=3,public,max-age=311,public'), ('date', 'Mon, 29 Jul 2024 19:40:23 GMT'), ('content-type', 'text/html; charset=UTF-8')]
        :url = https://krebsonsecurity.com/
inet:urlfile=('https://krebsonsecurity.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.4', 'guid:f24df139606003a8c4dca215c3468eca')
        .created = 2024/09/18 20:28:36.722
        :file = guid:f24df139606003a8c4dca215c3468eca
        :url = https://krebsonsecurity.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.4
inet:urlfile=('https://krebsonsecurity.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.0', 'guid:8db9dc961b59b51fc22f453847c3d733')
        .created = 2024/09/18 20:28:36.747
        :file = guid:8db9dc961b59b51fc22f453847c3d733
        :url = https://krebsonsecurity.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.0

See Usage

To see the API key’s usage for the past 2 months, grouped by month:

> efflux.usage --months 2
     Date     |   Job Count   |     Request Count
==============|===============|=======================
   2024-07    |       10      |        1037050
--------------|---------------|-----------------------
   2024-08    |       7       |         14432

To see the API key’s usage for the past 2 months, grouped by day:

> efflux.usage --by-days --months 2
     Date     |   Job Count   |     Request Count
==============|===============|=======================
  2024-07-11  |       2       |          2388
--------------|---------------|-----------------------
  2024-07-17  |       1       |         11802
--------------|---------------|-----------------------
  2024-07-24  |       4       |        1022394
--------------|---------------|-----------------------
  2024-07-29  |       1       |           20
--------------|---------------|-----------------------
  2024-07-31  |       2       |          446
--------------|---------------|-----------------------
  2024-08-01  |       7       |         14432

Use of meta:source nodes

Synapse-Efflux uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Efflux API.

> meta:source=61a50740dbd7598776d759e0bcf33050
meta:source=61a50740dbd7598776d759e0bcf33050
        .created = 2024/09/18 20:27:48.857
        :name = efflux api

Storm can filter a query's results to include or exclude nodes that have been observed by Synapse-Efflux. The following example filters the results of a query down to only nodes observed by Synapse-Efflux:

> #cool.tag.lift +{ <(seen)- meta:source=61a50740dbd7598776d759e0bcf33050 }
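As an added example (not part of the Synapse-Efflux documentation), the same -(seen)> edges can be walked from the meta:source node outward to review only the services Efflux observed: here the inet:flow nodes with an SSH destination port are pivoted to their destination addresses and tagged for follow-up. The meta:source guid is the one shown above; the #efflux.ssh tag name is an assumption for this example.

```storm
// Walk -(seen)> edges from the Efflux meta:source to the inet:flow nodes it observed.
meta:source=61a50740dbd7598776d759e0bcf33050 -(seen)> inet:flow
// Keep only flows whose destination port is 22 (the :dst:port property shown in the scan output).
+:dst:port=22
// Pivot from the flow's :dst:ipv4 property to the inet:ipv4 node it points at.
:dst:ipv4 -> inet:ipv4
// Tag the address so it can be lifted later; the tag name is assumed for this example.
[ +#efflux.ssh ]
```

To do the reverse and drop Efflux-observed nodes from a query, replace the `+{ <(seen)- meta:source=... }` filter in the example above with `-{ <(seen)- meta:source=... }`.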