Originally written by our good friend Kyle.
Understanding CIF
From the perspective of a user, CIF allows you to run queries against many data sources at once. If you have other private data sources available, particularly via XML (RSS), JSON, or in a file (e.g. CSV), you can incorporate those, as well as additional OSINT sources. CIF comes preconfigured for:
- Malware Domain Blocklist
- SpyEye Tracker
- VoIP Abuse Blacklist
- ZeuS Tracker
- Dragon Research Group Insight and Analysis
- Malware Patrol
- Malc0de Database
- Clean MX malware database
Everything below comes from the Perl client. I haven't yet dealt with the Python client, much less hacked on it, but that's coming Soon™.
$ cif -q infrastructure/malware -c 50 -s medium
gives a fairly large list of IP addresses associated with malware. (I used medium severity and 50% confidence in these examples.)
Even if you don't use a proxy server, you might find CIF useful for checking suspicious URLs:
$ cif -q url -c 50 -s medium -p snort
You now have a list of Snort rules to pull into your IDS.
If you have a list of specific hosts or IPs to check, you can put them in a file and query each of them:
$ for f in $(cat hostlist.txt); do cif -q "$f" >> specific-ip.txt; done
This yields another list. You might see a few lines in that example with a restriction of "private" and an impact of "search". This happens because, by default, CIF logs every query for a specific indicator. Repeated searches for the same indicator, for example from other investigators, can be significant in themselves, apart from any data about it. However, if you don't want CIF to log a query, just use the "-n" parameter.
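An added example, not from the original post, that wraps the loop above in a small script: it cleans an untrusted host list (comments, blank lines, duplicates, shell metacharacters) before any line reaches the command line, and applies the same -c 50 / -s medium thresholds plus -n so the lookups themselves are not logged. It assumes the Perl "cif" client is on PATH with the flags shown in the post; hostlist.txt and specific-ip.txt are the hypothetical file names used above.

```shell
#!/bin/sh
# Batch CIF lookups from a host list (added example; assumes the Perl cif
# client accepts -q, -c, -s and -n as shown in the post).

CIF_BIN="${CIF_BIN:-cif}"
CONFIDENCE="${CONFIDENCE:-50}"   # 50% confidence, as in the post
SEVERITY="${SEVERITY:-medium}"   # medium severity, as in the post

# Constructed sample list (not real indicators): comments, blank lines,
# stray whitespace, a duplicate and a line carrying shell metacharacters.
sample_list() {
    printf '%s\n' \
        '  evil.example.com  ' \
        '# comment line' \
        '' \
        '198.51.100.7   # trailing comment' \
        'bad;rm -rf *' \
        'evil.example.com'
}

# Print only well-formed indicators from the file in $1: strip '#'
# comments and surrounding whitespace, keep only a conservative charset
# (letters, digits, '.', '-', '_', ':', '/'), then de-duplicate. Glob or
# shell metacharacters in an untrusted list therefore never reach cif.
clean_indicators() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -E '^[A-Za-z0-9._:/-]+$' \
        | sort -u
}

# Query each cleaned indicator from $1 and append results to $2, with a
# header per indicator so the combined output stays readable. -n keeps
# CIF from recording the query as a "search" visible to other users.
query_indicators() {
    clean_indicators "$1" | while IFS= read -r ind; do
        printf '### %s\n' "$ind" >> "$2"
        "$CIF_BIN" -q "$ind" -c "$CONFIDENCE" -s "$SEVERITY" -n >> "$2" 2>&1 \
            || printf 'query failed: %s\n' "$ind" >&2
    done
}

# Usage: ./cif-batch.sh hostlist.txt specific-ip.txt
if [ $# -eq 2 ]; then
    query_indicators "$1" "$2"
fi
```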
Appendix: CIF on the Amazon cloud
Amazon Web Services provide a decent platform for testing CIF or running a public instance like mine. The following assumes some familiarity with Linux administration and at least a basic understanding of the Elastic Compute Cloud (EC2).
You can start with a small instance for the installation, but you'll quickly want to move to a medium instance at least. I run a large instance using the Ubuntu Cloud Guest server image. In general, follow the server install instructions for CIF. You'll also want to note the specifics for Ubuntu as they contain a few workarounds you will need. Allocate an Elastic IP and register it in DNS someplace, such as with Amazon Route 53. For the Security Group, only add HTTPS and SSH. You won't need anything else, and I recommend leaving it at this minimal state for security purposes. You'll also need an Elastic Block Store. While you can start with 10GB, expect that to grow a few GB per week, so you'll need to resize from time to time or create a larger volume at the beginning. While not required for CIF installation, I can't recommend enough that you use git to manage config files. Srsly.
When installing Postgres, note that "peer" may appear in the original file instead of "ident sameuser". Also, I did not use the values in CIF doc, as postgres didn't like them. I left everything at the defaults except:
work_mem = 512MB
checkpoint_segments = 32
When setting up BIND9, first check /etc/resolv.conf for the IP addresses you should use as forwarders.