The --itype flag appears not to work in cif test queries in CIF 3.0.0rc4
Closed · 1 comment
cjhc commented
Do you have an active https://csirtg.io/support account? :)
no
Expected behavior and actual behavior.
Output of indicators.
Steps to reproduce the problem
cif@beardedavenger:~$ cif --itype ipv4 --tags scanner -d --limit 10
2018-08-13 11:47:14,704 - INFO - cifsdk.client.client[199][MainThread] - setting feed flag by default, use --no-feed to override
2018-08-13 11:47:14,707 - DEBUG - urllib3.connectionpool[205][MainThread] - Starting new HTTP connection (1): localhost:5000
2018-08-13 11:47:14,785 - DEBUG - urllib3.connectionpool[393][MainThread] - http://localhost:5000 "GET /feed?itype=ipv4&tags=scanner&confidence=8&nolog=False&limit=10 HTTP/1.1" 200 45
+-----+-------+------------+-----------+-----------+----------+-------+------+-------------+------------+-------+----------+
| tlp | group | reporttime | indicator | firsttime | lasttime | count | tags | description | confidence | rdata | provider |
+-----+-------+------------+-----------+-----------+----------+-------+------+-------------+------------+-------+----------+
+-----+-------+------------+-----------+-----------+----------+-------+------+-------------+------------+-------+----------+
Expected output with --itype omitted:
cif@beardedavenger:~$ cif --tags scanner -d --limit 10
2018-08-13 11:48:13,855 - DEBUG - urllib3.connectionpool[205][MainThread] - Starting new HTTP connection (1): localhost:5000
2018-08-13 11:48:13,927 - DEBUG - urllib3.connectionpool[393][MainThread] - http://localhost:5000 "GET /search?tags=scanner&nolog=False&limit=10 HTTP/1.1" 200 1419
+-------+----------+----------------------------+-----------------+----------------------------+----------------------------+-------+-----------------------------+------------------+------------+-------+----------------+
| tlp | group | reporttime | indicator | firsttime | lasttime | count | tags | description | confidence | rdata | provider |
+-------+----------+----------------------------+-----------------+----------------------------+----------------------------+-------+-----------------------------+------------------+------------+-------+----------------+
| green | everyone | 2018-08-13T18:25:20.89377Z | 146.185.222.55 | 2018-08-13T12:54:29.00000Z | 2018-08-13T12:54:29.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
| green | everyone | 2018-08-13T18:25:20.89399Z | 111.59.84.186 | 2018-08-13T12:54:36.00000Z | 2018-08-13T12:54:36.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
| green | everyone | 2018-08-13T18:25:20.89421Z | 66.196.21.169 | 2018-08-13T12:54:51.00000Z | 2018-08-13T12:54:51.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
| green | everyone | 2018-08-13T18:25:20.89443Z | 185.234.216.130 | 2018-08-13T12:55:08.00000Z | 2018-08-13T12:55:08.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
| green | everyone | 2018-08-13T18:25:30.05741Z | 0.0.0.0 | 2018-08-13T12:11:24.00000Z | 2018-08-13T12:11:24.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
| green | everyone | 2018-08-13T18:25:30.05770Z | 50.115.123.135 | 2018-08-13T12:12:02.00000Z | 2018-08-13T12:12:02.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
| green | everyone | 2018-08-13T18:25:30.05795Z | 198.23.166.165 | 2018-08-13T12:23:28.00000Z | 2018-08-13T12:23:28.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
| green | everyone | 2018-08-13T18:25:30.05820Z | 190.145.52.118 | 2018-08-13T12:23:28.00000Z | 2018-08-13T12:23:28.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
| green | everyone | 2018-08-13T18:25:30.05845Z | 192.237.159.214 | 2018-08-13T12:26:02.00000Z | 2018-08-13T12:26:02.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
| green | everyone | 2018-08-13T18:25:30.05869Z | 104.129.20.182 | 2018-08-13T12:35:47.00000Z | 2018-08-13T12:35:47.00000Z | 1 | honeynet,scanner,suspicious | honeypot traffic | 8.0 | | packetmail.net |
+-------+----------+----------------------------+-----------------+----------------------------+----------------------------+-------+-----------------------------+------------------+------------+-------+----------------+
Relevant logs as a result of the actual behavior
Failed query:
Aug 13 11:51:08 beardedavenger cif-router[841]: 2018-08-13 11:51:08,590 - DEBUG - cif.store.zelasticsearch[92][MainThread] - {'sort': [{'reporttime': {'order': 'desc'}}, {'lasttime': {'order': 'desc'}}], 'query': {'bool': {'minimum_should_match': 1, 'must': [{'bool': {'filter': [{'range': {'confidence': {'gte': 5.0, 'lte': 10.0}}}, {'term': {'reporttime': '2018-06-29T18:51:08Z'}}, {'term': {'itype': u'fqdn'}}, {'term': {'tags': u'whitelist'}}]}}], 'should': [{'term': {'group': u'everyone'}}]}}}
Aug 13 11:51:08 beardedavenger cif-router[841]: 2018-08-13 11:51:08,618 - DEBUG - cif.store.zelasticsearch[112][MainThread] - query took: 0.03
Successful query:
Aug 13 11:52:03 beardedavenger cif-router[841]: 2018-08-13 11:52:03,576 - DEBUG - cif.store.zelasticsearch[92][MainThread] - {'sort': [{'reporttime': {'order': 'desc'}}, {'lasttime': {'order': 'desc'}}], 'query': {'bool': {'minimum_should_match': 1, 'must': [{'bool': {'filter': [{'term': {'tags': u'scanner'}}]}}], 'should': [{'term': {'group': u'everyone'}}]}}}
Aug 13 11:52:03 beardedavenger cif-router[841]: 2018-08-13 11:52:03,595 - DEBUG - cif.store.zelasticsearch[112][MainThread] - query took: 0.02
Specifications like the version of the project, operating system, or hardware.
Linux beardedavenger 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
CIF 3.0.0rc4, 297ac59
ES 5.6.10
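Reading the two cif-router log lines above side by side: the /search call filtered only on tags:scanner, while the /feed call logged a query that filters on itype fqdn, tags whitelist, a confidence range of 5.0 to 10.0, and an exact-match term on reporttime (2018-06-29T18:51:08Z, 45 days before the query was issued). The following is an added example and not code from cif, bearded-avenger or the deploymentkit: a toy in-memory evaluator for the term, range and bool clauses in those two query bodies, run over constructed sample indicators (the two ipv4 records reuse values from the /search output above; the fqdn whitelist entry is hypothetical), so the reader can see which clause rejects which record. It stands in for Elasticsearch only for these clause types and only illustrates what the logged filters match; it does not identify the cause of the bug.

```python
from datetime import datetime

# Constructed sample documents (not real cif data). The two ipv4 rows reuse
# values from the /search output in the issue; the fqdn whitelist entry is
# hypothetical, added so the feed query's whitelist filters have a candidate.
SAMPLE_DOCS = [
    {"indicator": "146.185.222.55", "itype": "ipv4", "group": "everyone",
     "tags": ["honeynet", "scanner", "suspicious"], "confidence": 8.0,
     "reporttime": "2018-08-13T18:25:20.89377Z"},
    {"indicator": "111.59.84.186", "itype": "ipv4", "group": "everyone",
     "tags": ["honeynet", "scanner", "suspicious"], "confidence": 8.0,
     "reporttime": "2018-08-13T18:25:20.89399Z"},
    {"indicator": "example.com", "itype": "fqdn", "group": "everyone",
     "tags": ["whitelist"], "confidence": 9.0,
     "reporttime": "2018-08-01T00:00:00.00000Z"},
]

# The two query bodies as cif-router logged them in the issue (u'' prefixes
# dropped, 'sort' omitted because it does not affect matching).
FEED_QUERY = {
    'query': {'bool': {'minimum_should_match': 1,
        'must': [{'bool': {'filter': [
            {'range': {'confidence': {'gte': 5.0, 'lte': 10.0}}},
            {'term': {'reporttime': '2018-06-29T18:51:08Z'}},
            {'term': {'itype': 'fqdn'}},
            {'term': {'tags': 'whitelist'}}]}}],
        'should': [{'term': {'group': 'everyone'}}]}}}

SEARCH_QUERY = {
    'query': {'bool': {'minimum_should_match': 1,
        'must': [{'bool': {'filter': [{'term': {'tags': 'scanner'}}]}}],
        'should': [{'term': {'group': 'everyone'}}]}}}

DATE_FIELDS = ('reporttime', 'firsttime', 'lasttime')


def _norm(field, value):
    """Make a document or query value comparable: date fields become
    datetimes so '...T18:51:08Z' and '...T18:51:08.00000Z' compare equal."""
    if field in DATE_FIELDS and isinstance(value, str):
        value = value.rstrip('Z').split('.')[0]      # drop fractional seconds
        return datetime.strptime(value, '%Y-%m-%dT%H:%M:%S')
    return value


def matches(doc, clause):
    """Evaluate one ES clause (term, range or bool) against a document."""
    (kind, body), = clause.items()
    if kind == 'term':
        (field, want), = body.items()
        have = doc.get(field)
        if isinstance(have, list):                   # multi-valued field such as tags
            return want in have
        return have is not None and _norm(field, have) == _norm(field, want)
    if kind == 'range':
        (field, bounds), = body.items()
        have = doc.get(field)
        if have is None:
            return False
        have = _norm(field, have)
        ops = {'gte': lambda a, b: a >= b, 'gt': lambda a, b: a > b,
               'lte': lambda a, b: a <= b, 'lt': lambda a, b: a < b}
        return all(ops[op](have, _norm(field, bound)) for op, bound in bounds.items())
    if kind == 'bool':
        required = body.get('must', []) + body.get('filter', [])
        if not all(matches(doc, c) for c in required):
            return False
        should = body.get('should', [])
        if not should:
            return True
        hits = sum(1 for c in should if matches(doc, c))
        # ES default: should is optional when must/filter is present, else one must hit.
        return hits >= body.get('minimum_should_match', 0 if required else 1)
    raise ValueError('unsupported clause: %s' % kind)


def run_query(query, docs=SAMPLE_DOCS):
    """Return the indicators a query body would hit, in input order."""
    return [d['indicator'] for d in docs if matches(d, query['query'])]


def _field(clause):
    (_, body), = clause.items()
    (field, _), = body.items()
    return field


def failed_feed_filters(doc, query=FEED_QUERY):
    """Fields whose filter clause in the logged /feed query rejects this document."""
    filters = query['query']['bool']['must'][0]['bool']['filter']
    return [_field(c) for c in filters if not matches(doc, c)]


if __name__ == '__main__':
    print('/search hits:', run_query(SEARCH_QUERY))
    print('/feed hits:  ', run_query(FEED_QUERY))
    for d in SAMPLE_DOCS:
        print(d['indicator'], 'rejected by', failed_feed_filters(d))
```

Run as-is, the /search body hits both ipv4 scanner records and the logged /feed body hits nothing: the ipv4 records fail the itype and tags terms (the logged filters are looking for fqdn whitelist entries, not ipv4 scanners), and even the hypothetical whitelist entry fails the reporttime clause, because a term on a date field matches only documents whose reporttime equals that one timestamp.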
cjhc commented
This should have been filed under bearded-avenger, not the deploymentkit. My bad.