Full Documentation (all the things)

$ critical-stack-intel
usage: critical-stack-intel [<flags>] <command> [<flags>] [<args> ...]

Threat Intel Marketplace client by Critical Stack, Inc

Flags:
  --help              Show help.
  --user=USER         Drop privileges to this user.
  --color             Show output color. Default: true
  --api-key=API-KEY   Override stored API key.
  --api-url=API-URL   Override API url.
  --api-version=API-VERSION  
                      Override API version. Example: v1
  --global-do-notice  Output master list with do_notice for all indicators.
  --version           Show application version.

Commands:
  help [<command>]
    Show help for a command.

  config [<flags>]
    Configuration management.

  list
    List all feeds that belong to your currently set API key.

  api [<flags>] [<api-key>]
    Add or update your API key.

  pull [<flags>]
    Fetch from the Intel market using your API key.

  white-list [<flags>]
    White list configuration management.

Adding your api key

Your API key can be found on the sensor listing page. Once you have selected the sensor you wish to use, copy its API key and run the following:

$ sudo critical-stack-intel api API-KEY-HERE

*NOTE: If this is a new API key the client will fetch the feeds.

$ critical-stack-intel api
usage: critical-stack-intel [<flags>] api [<flags>] [<api-key>]

Add or update your API key.

Flags:
  --ignore-pull  Do not pull after API add or update.

Args:
  [<api-key>]  Api Key.

Configuring a Proxy

You can configure the critical-stack-intel client to use a proxy in one of two ways. Either set it with the client's config command:

$ sudo critical-stack-intel config --set proxy.url="http://username:password@hostname:port"

Or set the proxy through an environment variable when running the client, for example:

HTTP_PROXY=http://username:password@hostname:port sudo critical-stack-intel pull

Listing your feeds

$ sudo critical-stack-intel list

  ID  |                   NAME                   |        LAST UPDATED         | INDICATOR COUNT  
+-----+------------------------------------------+-----------------------------+-----------------+
  1   | Matsnu-Botnet                            | 01/10/15-01:01-pm-(EST)     | 0                
  2   | C&Cs-IPs/Domains                         | 01/10/15-01:01-pm-(EST)     | 0                
  3   | Cryptolocker                             | 01/10/15-01:01-pm-(EST)     | 0                
  4   | Post-Tovar-GameOver-Zeus                 | 01/10/15-01:01-pm-(EST)     | 0                
  5   | Tinybanker-/-Tinba                       | 01/10/15-01:01-pm-(EST)     | 0                
  6   | PushDo-Malware                           | 01/10/15-01:01-pm-(EST)     | 0                
  7   | Known-Tor-Exit-Nodes                     | 01/10/15-01:09-pm-(EST)     | 7022             
  8   | Cyber-Crime-Tracker                      | 01/10/15-01:01-pm-(EST)     | 2972             
  9   | Zeus-Tracker:-Configs                    | 01/10/15-01:01-pm-(EST)     | 95               
  10  | Zeus-Tracker:-Drop-Zones                 | 01/10/15-01:01-pm-(EST)     | 50               
  11  | Zeus-Tracker:-Binaries                   | 01/10/15-01:01-pm-(EST)     | 55               
  12  | SSL-Blacklist-(SSLBL)                    | 01/10/15-01:02-pm-(EST)     | 345              
  13  | Palevo:-Domain-Block-List                | 01/10/15-01:01-pm-(EST)     | 18               
  14  | Palevo:-IP-Block-List                    | 01/10/15-01:01-pm-(EST)     | 17               
  15  | Zeus-Tracker:-Domain-Block-List          | 01/10/15-01:01-pm-(EST)     | 497              
  16  | SpyEye:-IP-Block-List                    | 01/10/15-01:02-pm-(EST)     | 84               
  17  | SpyEye:-Domain-Block-List                | 01/10/15-01:02-pm-(EST)     | 127              
  18  | PhishTank-Intel-Feed-(Verified)          | 01/10/15-01:02-pm-(EST)     | 24265            
+-----+------------------------------------------+-----------------------------+-----------------+
                                                              TOTAL            |      35547       
                                                 +-----------------------------+-----------------+
** = Update Available
`LAST UPDATED` Column = Server time last updated - not local time.

Pulling feeds

$ sudo critical-stack-intel pull

2015/01/10 14:20:17 Fetching feed subscriptions.
2015/01/10 14:20:17   * critical-stack-intel-1-Matsnu-Botnet.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-2-C-Cs-IPs-Domains.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-3-Cryptolocker.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-4-Post-Tovar-GameOver-Zeus.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-5-Tinybanker---Tinba.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-6-PushDo-Malware.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-7-Known-Tor-Exit-Nodes.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-8-Cyber-Crime-Tracker.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-9-Zeus-Tracker--Configs.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-10-Zeus-Tracker--Drop-Zones.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-11-Zeus-Tracker--Binaries.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-12-SSL-Blacklist-(SSLBL).bro.dat
2015/01/10 14:20:17   * critical-stack-intel-13-Palevo--Domain-Block-List.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-14-Palevo--IP-Block-List.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-15-Zeus-Tracker--Domain-Block-List.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-16-SpyEye--IP-Block-List.bro.dat
2015/01/10 14:20:17   * critical-stack-intel-17-SpyEye--Domain-Block-List.bro.dat
2015/01/10 14:20:18   * critical-stack-intel-18-PhishTank-Intel-Feed-(Verified).bro.dat
2015/01/10 14:20:18 Creating master file: master-public.bro.dat
2015/01/10 14:20:18 Master file created successfully.
2015/01/10 14:20:18 Intel files located at: /opt/critical-stack/frameworks/intel
2015/01/10 14:20:18 API Requests Remaining: 81 of 100
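When the pull runs unattended (for example from cron), the log lines above are the only signal that the master file was rebuilt and that the API quota is not about to run out. The following is an added example, not part of the Critical Stack client or its documentation: a POSIX sh helper that checks captured pull output for the "Master file created successfully." line and the "API Requests Remaining" counter. The warning threshold and the environment variable names are assumptions; the sample output is constructed from the run shown above.

```shell
#!/bin/sh
# Added example (not Critical Stack's code): sanity checks on captured output
# of `critical-stack-intel pull` for an unattended job. MIN_REQUESTS is an
# assumed threshold, not a client setting.
MIN_REQUESTS="${MIN_REQUESTS:-10}"

# Return 0 if the output reports a successful master file build.
pull_succeeded() {
    printf '%s\n' "$1" | grep -q 'Master file created successfully\.'
}

# Print the number of API requests remaining reported by the client, or -1
# if the line is absent (e.g. the pull aborted before reaching it).
requests_remaining() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/.*API Requests Remaining: \([0-9][0-9]*\) of [0-9][0-9]*.*/\1/p' \
        | tail -n 1)
    if [ -n "$n" ]; then printf '%s' "$n"; else printf '%s' -1; fi
}

# Count the per-feed .bro.dat files the client listed while fetching.
feeds_listed() {
    printf '%s\n' "$1" | grep -c '\* critical-stack-intel-[0-9]*-.*\.bro\.dat$'
}

# Combined check: 0 = ok, 1 = master file not built, 2 = quota below threshold.
check_pull_output() {
    out="$1"
    pull_succeeded "$out" || return 1
    rem=$(requests_remaining "$out")
    [ "$rem" -ge "$MIN_REQUESTS" ] || return 2
    return 0
}

# Constructed sample, modelled on the documented pull run (abridged).
SAMPLE='2015/01/10 14:20:17 Fetching feed subscriptions.
2015/01/10 14:20:17   * critical-stack-intel-1-Matsnu-Botnet.bro.dat
2015/01/10 14:20:18   * critical-stack-intel-18-PhishTank-Intel-Feed-(Verified).bro.dat
2015/01/10 14:20:18 Creating master file: master-public.bro.dat
2015/01/10 14:20:18 Master file created successfully.
2015/01/10 14:20:18 Intel files located at: /opt/critical-stack/frameworks/intel
2015/01/10 14:20:18 API Requests Remaining: 81 of 100'

# Real use: OUT=$(sudo critical-stack-intel pull 2>&1); check_pull_output "$OUT" || echo "pull check failed: $?"
```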

Auto-Restart bro on local.bro changes

$ sudo critical-stack-intel config --set bro.restart=true

Whitelisting

$ sudo critical-stack-intel whitelist --add google.com
$ sudo critical-stack-intel whitelist list

   ID   |         VALUE           
+-------+------------------------+
  1     | google.com              
+-------+------------------------+
  TOTAL |           1             
+-------+------------------------+