
Category Archives: Analyzing

Ad-hoc queries against STINGAR repository

We talk with participants in the STINGAR project a lot about using feeds in protection devices via the chn-intel-feeds container, but our partners don’t have to limit themselves to the time-limited feeds; ad-hoc queries are also supported, both via the cifsdk CLI client and via a Chrome browser plugin! In this post, I’ll walk through the simple process for setting up the Chrome plugin and configuring it to query the STINGAR CIFv3 backend.

You can install the Chrome plugin via the Chrome Store at this URL:

https://chrome.google.com/webstore/detail/bearded-avenger-client-ci/ggapdokcabjlmadcloapikhofcpkaocg/related?hl=en-US

[Screenshot: CIF plugin in the Chrome Web Store]

Once you’ve installed the plugin, you should have a new icon on your toolbar:

[Screenshot: CIF icon in the toolbar]

Click the plugin icon, then click the “hamburger” to expose the settings link.

[Screenshot: settings link shown for the CIF plugin]

Once you’re in the settings, fill out a name of your choice, and then fill in the information you were given when joining the STINGAR project:

[Screenshot: detailed settings view when adding a source of data]

API Location: Fill in your “Production CIF URL”

Token: Fill in your “Read Token”

Groups: Fill in “everybody” and your partner ID, comma separated, e.g. “everybody,partner1”

Provider: Your partner ID (“partner1”, etc.)

Ensure the “Default Server” option is selected, and uncheck the “Log Queries” option.


Click the “Save” button and you’re all set! Your read token cannot submit data to the server, and we don’t encourage using your write token for submitting via the plugin.

From here you can search for observables and see quick results across all time for any reports in the STINGAR CIFv3 backend. This data can help confirm suspicious activity, or identify IPs that could be excluded based on their presence on a safelist.

The plugin works great for quick searches while reviewing reports, surfing the web, reading Twitter, etc.; however, for use cases that involve hundreds of indicators (or more!) users should consider using the CIFsdk CLI interface. For users of the awesome TheHive and associated Cortex, you may find this repo useful, enabling STINGAR lookups as an analyzer.
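To show what the bulk workflow looks like when there are too many observables for the plugin, here is an added Python example; it is not code from the STINGAR project, the Chrome plugin or the cifsdk client. It reads a list of observables, deduplicates and type-classifies them, queries each one against a CIFv3 backend with a read token, and flags any that come back tagged as safelisted (the post's "IPs that could be excluded"). The `/indicators?q=` endpoint, the `Authorization: Token token=...` header, the `{"data": [...]}` response wrapper and the `whitelist` tag are assumptions about the CIFv3 REST API rather than details taken from the post; `CIF_REMOTE`, `CIF_TOKEN`, `demo_fetch` and the sample list are constructed for this example.

```python
import ipaddress
import json
import re
from urllib.parse import quote, unquote, urlparse
from urllib.request import Request, urlopen

# Tags treated as "this indicator is on a safelist". CIFv3 historically uses
# "whitelist"; "safelist" is the post's wording. Both are an assumption here.
SAFELIST_TAGS = {"whitelist", "safelist"}

_FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(observable):
    """Return a CIF indicator type (ipv4/ipv6/url/fqdn) or None if the
    string is not something worth sending to the backend."""
    o = observable.strip()
    try:
        return "ipv%d" % ipaddress.ip_address(o).version
    except ValueError:
        pass
    if "://" in o:
        p = urlparse(o)
        return "url" if p.scheme in ("http", "https") and p.netloc else None
    return "fqdn" if _FQDN_RE.match(o) else None


def load_observables(text):
    """Parse one observable per line ('#' comments allowed), dropping
    blanks, duplicates and unclassifiable entries."""
    seen, out = set(), []
    for line in text.splitlines():
        item = line.split("#", 1)[0].strip()
        if item and item not in seen and classify(item):
            seen.add(item)
            out.append(item)
    return out


def build_request(remote, token, observable):
    """Build the CIFv3 search request (endpoint and header format assumed)."""
    url = "%s/indicators?q=%s" % (remote.rstrip("/"), quote(observable, safe=""))
    return Request(url, headers={
        "Authorization": "Token token=%s" % token,  # use the read token only
        "Accept": "application/json",
    })


def http_fetch(req):
    """Default transport: send the request and decode the JSON body."""
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize(records):
    """Collapse all indicator records returned for one observable."""
    tags, providers, best = set(), set(), 0.0
    for r in records:
        t = r.get("tags", [])
        tags.update(t.split(",") if isinstance(t, str) else t)
        if r.get("provider"):
            providers.add(r["provider"])
        best = max(best, float(r.get("confidence", 0) or 0))
    return {"hits": len(records), "max_confidence": best,
            "tags": sorted(tags), "providers": sorted(providers),
            "safelisted": bool(tags & SAFELIST_TAGS)}


def lookup(observables, remote, token, fetch=http_fetch):
    """Query each observable; `fetch` is injectable so the logic can be run
    without network access. Returns {observable: summary}."""
    results = {}
    for obs in observables:
        body = fetch(build_request(remote, token, obs))
        # Assumed CIFv3 envelope {"status": ..., "data": [...]}; bare lists ok.
        records = body.get("data", []) if isinstance(body, dict) else body
        results[obs] = summarize(records or [])
    return results


# Constructed sample input and canned responses (not real STINGAR data).
SAMPLE_LIST = """
192.0.2.10        # constructed scanner hit
192.0.2.10        # duplicate, dropped
example.invalid   # constructed safelisted name
http://example.invalid/path
not an indicator!
"""

_CANNED = {
    "192.0.2.10": [
        {"indicator": "192.0.2.10", "itype": "ipv4", "tags": ["scanner"],
         "confidence": 8, "provider": "partner1"},
        {"indicator": "192.0.2.10", "itype": "ipv4", "tags": "scanner,honeypot",
         "confidence": 9, "provider": "partner2"},
    ],
    "example.invalid": [
        {"indicator": "example.invalid", "itype": "fqdn", "tags": ["whitelist"],
         "confidence": 10, "provider": "partner1"},
    ],
}


def demo_fetch(req):
    """Offline stand-in for http_fetch that answers from _CANNED."""
    q = unquote(req.full_url.split("q=", 1)[1])
    return {"status": "success", "data": _CANNED.get(q, [])}


if __name__ == "__main__":
    import os
    import sys
    # CIF_REMOTE is your "Production CIF URL", CIF_TOKEN your "Read Token".
    remote, token = os.environ["CIF_REMOTE"], os.environ["CIF_TOKEN"]
    for obs, s in lookup(load_observables(sys.stdin.read()), remote, token).items():
        print(json.dumps(dict(observable=obs, **s)))
```

Pipe a file of observables into the script with the two environment variables set to query a real backend; with `fetch=demo_fetch` the same code runs offline against the constructed data, which is how an analyst can sanity-check parsing and safelist handling before pointing it at production.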

Join private STINGAR mailing list

Interested parties are encouraged to interact with the team via the project GitHub pages or in the Gitter IM community, which gives us a public space for quick questions.

Academic institutions can email Alex Merck at team-stingar@duke.edu to be added to the private STINGAR mailing list and Slack workspace.

Please include information about your organization’s interest in the STINGAR project in your request.