Package Documentation

Storm Package: synapse-teamcymru

The following Commands are available from this package. This documentation is generated for version 2.1.1 of the package.

Storm Commands

This package implements the following Storm Commands.

teamcymru.recon.flows

Create, run, ingest, and remove a flows query using the TeamCymru PureSignal Recon API.

Examples:

  // Load up to 100 flows for the IPv4 address 1.2.3.4 and yield inet:flow nodes
  inet:ipv4=1.2.3.4 | teamcymru.recon.flows --timeout 30 --size 100 --yield


Usage: teamcymru.recon.flows [options]

Options:

  --help                      : Display the command usage.
  --size <size>               : The max number of rows to ingest per query. (default: 10000)
  --timeout <timeout>         : The max number of seconds to let the query run. (default: 60)
  --yield                     : Yield nodes created by the command.
  --poll <poll>               : The poll interval to check if the job is done. (default: 2)
  --timebox <timebox>         : The timebox to limit the query results. (default: ('-7days', 'now'))
  --debug                     : Print diagnostic debug output.
  --batch-size <batch_size>   : Specify the number of inbound nodes to batch into each job (max 10000). (default: 100)

teamcymru.recon.jobs.del

Delete a job from the PureSignal RECON API.

Examples:
  teamcymru.recon.jobs.del 2384334


Usage: teamcymru.recon.jobs.del [options] <jobids>

Options:

  --help                      : Display the command usage.
  --debug                     : Print diagnostic debug output.

Arguments:

  <jobids> [<jobids> ...]     : The job id to delete.

teamcymru.recon.jobs.ingest

Ingest all the results from a given job by ID.

This command allows users to ingest the results of a Recon job that was
previously created and configured via the Team-Cymru Pure Signal Recon
web interface.

Examples:

  // ingest and remove a specific job by id
  teamcymru.recon.jobs.ingest --delete 2384334


Usage: teamcymru.recon.jobs.ingest [options] <jobids>

Options:

  --help                      : Display the command usage.
  --delete                    : Remove the job once results are ingested.
  --debug                     : Print diagnostic debug output.

Arguments:

  <jobids> [<jobids> ...]     : The job IDs to ingest.  If unspecified, ingest all complete jobs.

teamcymru.recon.jobs.list

List the current jobs from the PureSignal RECON API.

Examples:
  teamcymru.recon.jobs.list


Usage: teamcymru.recon.jobs.list [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Print diagnostic debug output.

teamcymru.recon.pdns

Create, run, ingest, and remove a pdns query using the TeamCymru PureSignal Recon API.

Note:

  When batching inbound nodes, if both inet:fqdn and inet:ipv4/inet:cidr4 nodes are
  are present in a batch, they will be split into two separate jobs to perform the
  corresponding "qname" or "rdata" queries.

Examples:

  inet:fqdn=vertex.link | teamcymru.recon.pdns --timeout 30 --size 100 --yield


Usage: teamcymru.recon.pdns [options]

Options:

  --help                      : Display the command usage.
  --size <size>               : The max number of rows to ingest per query. (default: 10000)
  --timeout <timeout>         : The max number of seconds to let the query run. (default: 60)
  --yield                     : Yield nodes created by the command.
  --poll <poll>               : The poll interval to check if the job is done. (default: 2)
  --timebox <timebox>         : The timebox to limit the query results. (default: ('-7days', 'now'))
  --debug                     : Print diagnostic debug output.
  --batch-size <batch_size>   : Specify the number of inbound nodes to batch into each job (max 10000). (default: 100)

teamcymru.recon.setup.apikey

Manage the TeamCymru PureSignal RECON API key.

Examples:

    // Set a global TeamCymru API key
    teamcymru.recon.setup.apikey abcd1234

    // Set a TeamCymru API key for the current user
    teamcymru.recon.setup.apikey --self abcd1234

    // Display the API key scope of the current key
    teamcymru.recon.setup.apikey --show-scope

    // Display the current API key.
    teamcymru.recon.setup.apikey --show-apikey

    // Remove the current global API key.
    teamcymru.recon.setup.apikey --remove

    // Remove the per-user API key for the current user.
    teamcymru.recon.setup.apikey --self --remove


Usage: teamcymru.recon.setup.apikey [options] <apikey>

Options:

  --help                      : Display the command usage.
  --baseurl <baseurl>         : Specify an alternate Team Cymru URL for this API key. (default: None)
  --self                      : Set or remove the key as a user variable. If not used, the key is set globally.
  --show-scope                : Display the API key scope in use (global vs self).
  --show-apikey               : Display the API key value (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured API key. May be used with --self.

Arguments:

  [apikey]                    : The API key string.

teamcymru.recon.setup.tagprefix

Set the tag prefix used when recording TeamCymru tags.
The default tag prefix is "rep.teamcymru" if not specified.

Any tags provided by the TeamCymru API will be added within the given namespace.
For example, the tag "controller.mirai" would result in
"#rep.teamcymru.controller.mirai".  Any characters incompatible with tag names
are replaced with "_".


Usage: teamcymru.recon.setup.tagprefix [options] <tagname>

Options:

  --help                      : Display the command usage.

Arguments:

  <tagname>                   : The tag prefix to use.

teamcymru.recon.x509.enrich

Use inbound nodes to create, run, ingest, and remove an x509 query.

This command uses inbound inet:email, inet:fqdn, inet:ipv4, inet:cidr4, hash:md5,
or hash:sha1 nodes to search for x509 certificates. The results are used to create
inet:ssl:cert nodes representing the certificate and the IP/port where it was
seen.

Notes:

  This command requires that Synapse-Fileparser is available to parse the certificates
  returned.

  When batching inbound nodes, if multiple types of nodes are present in a batch, they
  will be split into separate jobs to perform queries with the corresponding filters.

Examples:

  // Get certificates seen at IPv4 address 8.8.8.8 and yield inet:ssl:cert nodes
  inet:ipv4=8.8.8.8 | teamcymru.recon.x509.enrich --timeout 30 --yield


Usage: teamcymru.recon.x509.enrich [options]

Options:

  --help                      : Display the command usage.
  --size <size>               : The max number of rows to ingest per query. (default: 10000)
  --timeout <timeout>         : The max number of seconds to let the query run. (default: 60)
  --yield                     : Yield nodes created by the command.
  --poll <poll>               : The poll interval to check if the job is done. (default: 2)
  --timebox <timebox>         : The timebox to limit the query results. (default: ('-7days', 'now'))
  --debug                     : Print diagnostic debug output.
  --batch-size <batch_size>   : Specify the number of inbound nodes to batch into each job (max 10000). (default: 100)

teamcymru.recon.x509.search

Specify a set of filters to create, run, ingest, and remove an x509 query.

If inbound nodes are used to specify filter values, this command will create
a separate job for each node.

A dictionary of filters may also be provided to the --filters argument to
specify a set of query filters. Any filters from additional arguments will be
added to that dictionary before creating the job.

Note:

  This command requires that Synapse-Fileparser is available to parse the certificates
  returned.

Examples:

  // Load up to 100 certificates with email addresses containing "gmail" and
  // yield inet:ssl:cert nodes
  teamcymru.recon.x509.search --yield --size 100 --email *gmail*

  // Load up to 100 certificates which have an issuer containing "freebox" which
  // were seen on port 80 and yield the results
  teamcymru.recon.x509.search --yield --size 100 --issuer *freebox* --port 80

  // Load up to 100 certificates which match a custom filter set and yield the results
  $filters = ({'issuer': '*freebox*', 'port': 80, 'exclude_cn': '*.fbxos.fr'})
  teamcymru.recon.x509.search --yield --size 100 --filters $filters


Usage: teamcymru.recon.x509.search [options]

Options:

  --help                      : Display the command usage.
  --size <size>               : The max number of rows to ingest per query. (default: 10000)
  --timeout <timeout>         : The max number of seconds to let the query run. (default: 60)
  --yield                     : Yield nodes created by the command.
  --poll <poll>               : The poll interval to check if the job is done. (default: 2)
  --timebox <timebox>         : The timebox to limit the query results. (default: ('-7days', 'now'))
  --debug                     : Print diagnostic debug output.
  --hostname <hostname>       : Hostname of server.
  --ip-addr <ip_addr>         : IP address of server or CIDR range to search.
  --port <port>               : Server port/port range.
  --subject <subject>         : Certificate owner distinguished name information.
  --altnames <altnames>       : Certificate owner Alternate Common Name.
  --email <email>             : Certificate owner email address.
  --issuer <issuer>           : Certificate Authority signing certificate information.
  --serial <serial>           : Certificate serial number.
  --x509-md5 <x509_md5>       : Certificate MD5 hash.
  --x509-sha1 <x509_sha1>     : Certificate SHA1 hash.
  --filters <filters>         : Provide a dictionary of filters to use for a query as a single parameter.

Storm Modules

This package does not export any Storm APIs.