User Guide

Synapse-Spur User Guide

Synapse-Spur adds new Storm commands to allow you to query the Spur API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> spur.setup.apikey --self myapikey
Setting Spur API key for the current user.

Enrich an inet:ipv4 with data from the Spur IP Context API

> [ inet:ipv4=148.72.164.186 ] | spur.ipcontext
inet:ipv4=148.72.164.186
        .created = 2024/12/20 18:15:27.076
        :_spur:client:concentration:density = 0.34
        :_spur:client:concentration:geohash = dng
        :_spur:client:concentration:loc = us.indiana.vevay
        :_spur:client:concentration:skew = 445.0 km
        :_spur:client:count = 6
        :_spur:client:countries = 1
        :_spur:client:spread = 290972.0 km
        :_spur:infrastructure = datacenter
        :_spur:organization = heg us inc.
        :asn = 30083
        :loc = us.missouri.st louis
        :type = unicast
        #rep.spur.client.behavior.file_sharing
        #rep.spur.client.proxy.spider_proxy
        #rep.spur.client.type.desktop
        #rep.spur.client.type.mobile
        #rep.spur.risk.callback_proxy
        #rep.spur.risk.tunnel
        #rep.spur.service.ipsec
        #rep.spur.tunnel

Enrich an inet:ipv6 with data from the Spur IP Context API

> [ inet:ipv6=2806:263:C486:915B:39FA:C9F0:85FA:11A4 ] | spur.ipcontext
inet:ipv6=2806:263:c486:915b:39fa:c9f0:85fa:11a4
        .created = 2024/12/20 18:15:27.902
        :asn = 13999
        :loc = mx.sonora.hermosillo
        :scope = global
        :type = unicast
        #rep.spur.client.proxy.soax_proxy
        #rep.spur.risk.callback_proxy

Use of meta:source nodes

Synapse-Spur uses a meta:source node and -(seen)> light weight edges to track nodes observed from the Spur API.

> meta:source=d2ca4923d5c72c753fcb391a92c9085c
meta:source=d2ca4923d5c72c753fcb391a92c9085c
        .created = 2024/12/20 18:15:27.214
        :name = spur api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Spur. The following example shows how to filter the results of a query to include only results observed by Synapse-Spur:

> inet:ipv4#myips +{ <(seen)- meta:source=d2ca4923d5c72c753fcb391a92c9085c }
inet:ipv4=148.72.164.186
        .created = 2024/12/20 18:15:27.076
        :_spur:client:concentration:density = 0.34
        :_spur:client:concentration:geohash = dng
        :_spur:client:concentration:loc = us.indiana.vevay
        :_spur:client:concentration:skew = 445.0 km
        :_spur:client:count = 6
        :_spur:client:countries = 1
        :_spur:client:spread = 290972.0 km
        :_spur:infrastructure = datacenter
        :_spur:organization = heg us inc.
        :asn = 30083
        :loc = us.missouri.st louis
        :type = unicast
        #myips
        #rep.spur.client.behavior.file_sharing
        #rep.spur.client.proxy.spider_proxy
        #rep.spur.client.type.desktop
        #rep.spur.client.type.mobile
        #rep.spur.risk.callback_proxy
        #rep.spur.risk.tunnel
        #rep.spur.service.ipsec
        #rep.spur.tunnel
inet:ipv4=148.72.164.179
        .created = 2024/12/20 18:15:27.572
        :type = unicast
        #myips
        #rep.spur.tunnel