Package Documentation
Storm Package: synapse-teamcymru
The following Commands are available from this package. This documentation is generated for version 2.3.0 of the package.
Storm Commands
This package implements the following Storm Commands.
teamcymru.recon.flows
Create, run, ingest, and remove a flows query using the TeamCymru PureSignal Recon API.
Examples:
// Load up to 100 flows for the IPv4 address 1.2.3.4 and yield inet:flow nodes
inet:ipv4=1.2.3.4 | teamcymru.recon.flows --timeout 30 --size 100 --yield
Usage: teamcymru.recon.flows [options]
Options:
--help : Display the command usage.
--size <size> : The max number of rows to ingest per query. (default: 10000)
--timeout <timeout> : The max number of seconds to let the query run. (default: 60)
--yield : Yield nodes created by the command.
--poll <poll> : The poll interval to check if the job is done. (default: 2)
--timebox <timebox> : The timebox to limit the query results. (default: ('-7days', 'now'))
--debug : Print diagnostic debug output.
--batch-size <batch_size> : Specify the number of inbound nodes to batch into each job (max 10000). (default: 100)
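The flows, pdns and x509 commands above all share the same --size, --timeout and --poll options and the same create / run / ingest / remove job lifecycle. The following Python is an added illustration of that lifecycle, not code from the synapse-teamcymru package: the FakeReconClient, FakeClock and the method names create_job, job_done, results and delete_job are constructed stand-ins for the real RECON client, chosen so the timeout and poll behaviour can be exercised offline. The point to note is that the job is deleted from the API even when the --timeout deadline is hit, so abandoned jobs do not accumulate on the service.

```python
import time
from typing import Callable, Dict, List, Tuple


class FakeClock:
    """Constructed clock so the example runs without real sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def monotonic(self) -> float:
        return self.now

    def sleep(self, secs: float) -> None:
        self.now += secs


class FakeReconClient:
    """Constructed stand-in for the RECON API client (assumed method names).

    The job reports 'complete' after polls_until_done status checks.
    """

    def __init__(self, polls_until_done: int, rows: List[dict]) -> None:
        self._polls_until_done = polls_until_done
        self._rows = rows
        self._polls = 0
        self._next_id = 2384334          # job id taken from the page's jobs.del example
        self.jobs: Dict[int, str] = {}   # job id -> state
        self.deleted: List[int] = []     # job ids removed via delete_job

    def create_job(self, query: dict) -> int:
        jobid = self._next_id
        self._next_id += 1
        self.jobs[jobid] = 'running'
        return jobid

    def job_done(self, jobid: int) -> bool:
        self._polls += 1
        if self._polls >= self._polls_until_done:
            self.jobs[jobid] = 'complete'
        return self.jobs[jobid] == 'complete'

    def results(self, jobid: int, size: int) -> List[dict]:
        # --size caps how many rows are ingested per query
        return self._rows[:size]

    def delete_job(self, jobid: int) -> None:
        self.deleted.append(jobid)
        self.jobs.pop(jobid, None)


def run_recon_job(client, query: dict, *, size: int = 10000, timeout: int = 60,
                  poll: int = 2, sleep: Callable[[float], None] = time.sleep,
                  clock: Callable[[], float] = time.monotonic) -> Tuple[List[dict], int, bool]:
    """Create a job, poll it every `poll` seconds until done or `timeout` seconds
    have elapsed, ingest up to `size` rows, and always remove the job.

    Returns (rows, jobid, timed_out).
    """
    jobid = client.create_job(query)
    deadline = clock() + timeout
    rows: List[dict] = []
    timed_out = False
    try:
        while not client.job_done(jobid):
            if clock() >= deadline:
                timed_out = True
                break
            sleep(poll)
        if not timed_out:
            rows = client.results(jobid, size)
    finally:
        # Remove the job whether it finished, failed or timed out.
        client.delete_job(jobid)
    return rows, jobid, timed_out


# Constructed sample rows shaped like flow records (not real API output).
SAMPLE_ROWS = [
    {'src_ip': '1.2.3.4', 'dst_ip': '10.0.0.5', 'dst_port': 443, 'proto': 6},
    {'src_ip': '1.2.3.4', 'dst_ip': '10.0.0.6', 'dst_port': 80, 'proto': 6},
    {'src_ip': '1.2.3.4', 'dst_ip': '10.0.0.7', 'dst_port': 53, 'proto': 17},
]


def demo(polls_until_done: int, timeout: int, poll: int, size: int):
    """Run one simulated job with a fake clock; returns (rows, timed_out, deleted_ids, elapsed)."""
    clock = FakeClock()
    client = FakeReconClient(polls_until_done, SAMPLE_ROWS)
    rows, jobid, timed_out = run_recon_job(
        client, {'ip': '1.2.3.4'}, size=size, timeout=timeout, poll=poll,
        sleep=clock.sleep, clock=clock.monotonic)
    return rows, timed_out, client.deleted, clock.now


if __name__ == '__main__':
    print(demo(polls_until_done=3, timeout=30, poll=2, size=2))
    print(demo(polls_until_done=100, timeout=5, poll=2, size=100))
```

The first call in the usage above completes after three status checks and ingests two of the three rows because of the size cap; the second never completes within the 5-second timebox, returns no rows, and still ends with the job deleted.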
teamcymru.recon.ja3.search
Specify a set of filters to create, run, ingest, and remove a JA3 query.
If inbound nodes are used to specify filter values, this command will create
a separate job for each node.
A dictionary of filters may also be provided to the --filters argument to
specify a set of query filters. Any filters from additional arguments will be
added to that dictionary before creating the job.
For the full list of custom filters, see the JA3 section of the RECON API's
Query Type documentation, located at https://recon.cymru.com/docs/query_types#ja3
Examples:
// Load up to 100 JA3 results with the client JA3 hash of ae7bcd580f25264f07d86fde88003134
// and the server JA3S hash of bea44b5899c70914eb50774185c62c0d, and yield the results.
teamcymru.recon.ja3.search --yield --size 100 --ja3-fingerprint-md5 ae7bcd580f25264f07d86fde88003134 --ja3s-fingerprint-md5 bea44b5899c70914eb50774185c62c0d
// Load up to 100 results with a server country code of US, a source IP address of 1.2.3.4, with
// Elliptic Curves of 29 and 23, and yield the results.
teamcymru.recon.ja3.search --yield --size 100 --dst-cc US --ja3-ecs "29,23" --src-ip-addr "1.2.3.4"
// Load up to 100 results which match a custom filter set and yield the results
// For the list of custom filter options, see the JA3 section of the RECON API's
// Query Type documentation, located at
// https://recon.cymru.com/docs/query_types#ja3
$filters = ({'any_asn': 1234, 'dst_port': '1.2.3.4/24', 'exclude_ja3_fingerprint_md5': 'a235967450016aa7ec015e53a660fe41'})
teamcymru.recon.ja3.search --yield --size 100 --filters $filters
Usage: teamcymru.recon.ja3.search [options]
Options:
--help : Display the command usage.
--size <size> : The max number of rows to ingest per query. (default: 10000)
--timeout <timeout> : The max number of seconds to let the query run. (default: 60)
--yield : Yield nodes created by the command.
--poll <poll> : The poll interval to check if the job is done. (default: 2)
--timebox <timebox> : The timebox to limit the query results. (default: ('-7days', 'now'))
--debug : Print diagnostic debug output.
--cert-sha1 <cert_sha1> : The SHA1 of the server's TLS certificate.
--dst-cc <dst_cc> : The ISO-3166 country code(s) of the server.
--dst-ip-addr <dst_ip_addr> : The IP address/CIDR range of the server.
--dst-port <dst_port> : Server port/port range.
--hostname <hostname> : Hostname of server seen during TLS handshake.
--ja3 <ja3> : The client's JA3 hash.
--ja3-ciphers <ja3_ciphers> : The JA3 array of ciphers the client supports.
--ja3-ecfs <ja3_ecfs> : The JA3 Elliptic Curve Point Formats.
--ja3-ecs <ja3_ecs> : The JA3 Elliptic Curves.
--ja3-extensions <ja3_extensions>: The JA3 extensions.
--ja3-version <ja3_version> : The JA3 version.
--ja3s <ja3s> : The server's JA3S hash.
--ja3s-ciphers <ja3s_ciphers>: The JA3 array of ciphers the server supports.
--ja3s-extensions <ja3s_extensions>: The JA3S extensions.
--ja3s-version <ja3s_version>: The JA3S version.
--src-cc <src_cc> : The ISO-3166 country code(s) of the client.
--src-ip-addr <src_ip_addr> : The IP address/CIDR range of the client.
--filters <filters> : Provide a dictionary of filters to use for a query as a single parameter.
teamcymru.recon.jobs.del
Delete a job from the PureSignal RECON API.
Examples:
teamcymru.recon.jobs.del 2384334
Usage: teamcymru.recon.jobs.del [options] <jobids>
Options:
--help : Display the command usage.
--debug : Print diagnostic debug output.
Arguments:
<jobids> [<jobids> ...] : The job id to delete.
teamcymru.recon.jobs.ingest
Ingest all the results from a given job by ID.
This command allows users to ingest the results of a Recon job that was
previously created and configured via the Team-Cymru Pure Signal Recon
web interface.
Examples:
// ingest and remove a specific job by id
teamcymru.recon.jobs.ingest --delete 2384334
Usage: teamcymru.recon.jobs.ingest [options] <jobids>
Options:
--help : Display the command usage.
--delete : Remove the job once results are ingested.
--debug : Print diagnostic debug output.
Arguments:
<jobids> [<jobids> ...] : The job IDs to ingest. If unspecified, ingest all complete jobs.
teamcymru.recon.jobs.list
List the current jobs from the PureSignal RECON API.
Examples:
teamcymru.recon.jobs.list
Usage: teamcymru.recon.jobs.list [options]
Options:
--help : Display the command usage.
--debug : Print diagnostic debug output.
teamcymru.recon.pdns
Create, run, ingest, and remove a pdns query using the TeamCymru PureSignal Recon API.
Note:
When batching inbound nodes, if both inet:fqdn and inet:ipv4/inet:cidr4 nodes are
present in a batch, they will be split into two separate jobs to perform the
corresponding "qname" or "rdata" queries.
Examples:
inet:fqdn=vertex.link | teamcymru.recon.pdns --timeout 30 --size 100 --yield
Usage: teamcymru.recon.pdns [options]
Options:
--help : Display the command usage.
--size <size> : The max number of rows to ingest per query. (default: 10000)
--timeout <timeout> : The max number of seconds to let the query run. (default: 60)
--yield : Yield nodes created by the command.
--poll <poll> : The poll interval to check if the job is done. (default: 2)
--timebox <timebox> : The timebox to limit the query results. (default: ('-7days', 'now'))
--debug : Print diagnostic debug output.
--batch-size <batch_size> : Specify the number of inbound nodes to batch into each job (max 10000). (default: 100)
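The note above describes how inbound nodes are grouped: up to --batch-size nodes per batch, and each batch split into a "qname" job for inet:fqdn nodes and an "rdata" job for inet:ipv4/inet:cidr4 nodes. The following Python is an added model of that grouping, not the package's own implementation; the (form, value) tuple representation of a node, the job dictionary shape and the rejection of unsupported forms are assumptions made for the example.

```python
from typing import Dict, Iterable, List, Tuple

# Node form -> RECON pdns query type, as described in the pdns command note.
QUERY_FOR_FORM: Dict[str, str] = {
    'inet:fqdn': 'qname',    # look up records by queried name
    'inet:ipv4': 'rdata',    # look up records by answer data
    'inet:cidr4': 'rdata',
}

MAX_BATCH_SIZE = 10000      # upper bound stated for --batch-size


def batch_pdns_jobs(nodes: Iterable[Tuple[str, str]], batch_size: int = 100) -> List[dict]:
    """Group (form, value) node tuples into pdns job specs.

    Nodes are taken in inbound order, `batch_size` at a time. Each batch
    produces at most one 'qname' job and one 'rdata' job. Forms the command
    does not handle are skipped (assumption for this example).
    """
    if not 1 <= batch_size <= MAX_BATCH_SIZE:
        raise ValueError(f'batch_size must be between 1 and {MAX_BATCH_SIZE}')

    jobs: List[dict] = []
    batch: List[Tuple[str, str]] = []

    def flush() -> None:
        by_query: Dict[str, List[str]] = {}
        for form, valu in batch:
            by_query.setdefault(QUERY_FOR_FORM[form], []).append(valu)
        for qtype, values in by_query.items():
            jobs.append({'query': qtype, 'values': values})
        batch.clear()

    for form, valu in nodes:
        if form not in QUERY_FOR_FORM:
            continue
        batch.append((form, valu))
        if len(batch) == batch_size:
            flush()
    if batch:
        flush()
    return jobs


# Constructed inbound nodes (sample values, not real data).
SAMPLE_NODES = [
    ('inet:fqdn', 'vertex.link'),
    ('inet:ipv4', '1.2.3.4'),
    ('inet:fqdn', 'example.com'),
    ('inet:cidr4', '10.0.0.0/24'),
    ('inet:ipv4', '8.8.8.8'),
    ('inet:email', 'user@example.com'),   # not a pdns input; skipped
]

if __name__ == '__main__':
    for job in batch_pdns_jobs(SAMPLE_NODES, batch_size=3):
        print(job)
```

With a batch size of 3, the five supported sample nodes form two batches: the first yields a qname job for the two FQDNs and an rdata job for 1.2.3.4; the second yields a single rdata job for the CIDR and the remaining IPv4.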
teamcymru.recon.setup.apikey
Manage the TeamCymru PureSignal RECON API key.
Examples:
// Set a global TeamCymru API key
teamcymru.recon.setup.apikey abcd1234
// Set a TeamCymru API key for the current user
teamcymru.recon.setup.apikey --self abcd1234
// Display the API key scope of the current key
teamcymru.recon.setup.apikey --show-scope
// Display the current API key.
teamcymru.recon.setup.apikey --show-apikey
// Remove the current global API key.
teamcymru.recon.setup.apikey --remove
// Remove the per-user API key for the current user.
teamcymru.recon.setup.apikey --self --remove
Usage: teamcymru.recon.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--baseurl <baseurl> : Specify an alternate Team Cymru URL for this API key. (default: None)
--self : Set or remove the key as a user variable. If not used, the key is set globally.
--show-scope : Display the API key scope in use (global vs self).
--show-apikey : Display the API key value (requires admin perms or a "self" scope key).
--remove : Remove the configured API key. May be used with --self.
Arguments:
[apikey] : The API key string.
teamcymru.recon.setup.tagprefix
Set the tag prefix used when recording TeamCymru tags.
The default tag prefix is "rep.teamcymru" if not specified.
Any tags provided by the TeamCymru API will be added within the given namespace.
For example, the tag "controller.mirai" would result in
"#rep.teamcymru.controller.mirai". Any characters incompatible with tag names
are replaced with "_".
Usage: teamcymru.recon.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
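The tag-prefix rule above (prefix the API's tag, replace characters that are not valid in a tag name with "_") can be made concrete. The following Python is an added example and not the package's code; it assumes, as Synapse tag names do, that each dot-separated segment is limited to lower-case ASCII letters, digits and underscores, and it returns the tag without the leading "#", which is Storm syntax rather than part of the stored tag name.

```python
import re

DEFAULT_PREFIX = 'rep.teamcymru'

# Assumed character set for one tag segment; anything else becomes "_".
_INVALID = re.compile(r'[^a-z0-9_]')


def _clean_segments(text: str) -> list:
    """Split on dots, lower-case, and replace invalid characters in each segment."""
    segments = []
    for seg in text.strip('.').split('.'):
        seg = _INVALID.sub('_', seg.lower())
        if seg:
            segments.append(seg)
    return segments


def teamcymru_tag(apitag: str, prefix: str = DEFAULT_PREFIX) -> str:
    """Return the full tag recorded for an API-provided tag under `prefix`.

    e.g. 'controller.mirai' -> 'rep.teamcymru.controller.mirai'
    """
    prefix_segs = _clean_segments(prefix)
    tag_segs = _clean_segments(apitag)
    if not prefix_segs or not tag_segs:
        raise ValueError('prefix and tag must each contain at least one segment')
    return '.'.join(prefix_segs + tag_segs)


if __name__ == '__main__':
    # Constructed sample tags; the first is the page's own example.
    for raw in ('controller.mirai', 'c2-server', 'Bot Net', 'scanner.ssh-brute'):
        print(f'{raw!r} -> #{teamcymru_tag(raw)}')
    print(teamcymru_tag('controller.mirai', prefix='cymru'))
```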
teamcymru.recon.x509.enrich
Use inbound nodes to create, run, ingest, and remove an x509 query.
This command uses inbound inet:email, inet:fqdn, inet:ipv4, inet:cidr4, hash:md5,
or hash:sha1 nodes to search for x509 certificates. The results are used to create
inet:ssl:cert nodes representing the certificate and the IP/port where it was
seen.
Notes:
This command requires that Synapse-Fileparser is available to parse the certificates
returned.
When batching inbound nodes, if multiple types of nodes are present in a batch, they
will be split into separate jobs to perform queries with the corresponding filters.
Examples:
// Get certificates seen at IPv4 address 8.8.8.8 and yield inet:ssl:cert nodes
inet:ipv4=8.8.8.8 | teamcymru.recon.x509.enrich --timeout 30 --yield
Usage: teamcymru.recon.x509.enrich [options]
Options:
--help : Display the command usage.
--size <size> : The max number of rows to ingest per query. (default: 10000)
--timeout <timeout> : The max number of seconds to let the query run. (default: 60)
--yield : Yield nodes created by the command.
--poll <poll> : The poll interval to check if the job is done. (default: 2)
--timebox <timebox> : The timebox to limit the query results. (default: ('-7days', 'now'))
--debug : Print diagnostic debug output.
--batch-size <batch_size> : Specify the number of inbound nodes to batch into each job (max 10000). (default: 100)
teamcymru.recon.x509.search
Specify a set of filters to create, run, ingest, and remove an x509 query.
If inbound nodes are used to specify filter values, this command will create
a separate job for each node.
A dictionary of filters may also be provided to the --filters argument to
specify a set of query filters. Any filters from additional arguments will be
added to that dictionary before creating the job.
Note:
This command requires that Synapse-Fileparser is available to parse the certificates
returned.
Examples:
// Load up to 100 certificates with email addresses containing "gmail" and
// yield inet:ssl:cert nodes
teamcymru.recon.x509.search --yield --size 100 --email *gmail*
// Load up to 100 certificates which have an issuer containing "freebox" which
// were seen on port 80 and yield the results
teamcymru.recon.x509.search --yield --size 100 --issuer *freebox* --port 80
// Load up to 100 certificates which match a custom filter set and yield the results
$filters = ({'issuer': '*freebox*', 'port': 80, 'exclude_cn': '*.fbxos.fr'})
teamcymru.recon.x509.search --yield --size 100 --filters $filters
Usage: teamcymru.recon.x509.search [options]
Options:
--help : Display the command usage.
--size <size> : The max number of rows to ingest per query. (default: 10000)
--timeout <timeout> : The max number of seconds to let the query run. (default: 60)
--yield : Yield nodes created by the command.
--poll <poll> : The poll interval to check if the job is done. (default: 2)
--timebox <timebox> : The timebox to limit the query results. (default: ('-7days', 'now'))
--debug : Print diagnostic debug output.
--hostname <hostname> : Hostname of server.
--ip-addr <ip_addr> : IP address of server or CIDR range to search.
--port <port> : Server port/port range.
--subject <subject> : Certificate owner distinguished name information.
--altnames <altnames> : Certificate owner Alternate Common Name.
--email <email> : Certificate owner email address.
--issuer <issuer> : Certificate Authority signing certificate information.
--serial <serial> : Certificate serial number.
--x509-md5 <x509_md5> : Certificate MD5 hash.
--x509-sha1 <x509_sha1> : Certificate SHA1 hash.
--filters <filters> : Provide a dictionary of filters to use for a query as a single parameter.
Storm Modules
This package does not export any Storm APIs.