Skip to content

DCSO/gotie

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

56 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

GOTIE Build Status

Go bindings and simple command line client for the DCSO Threat Intelligence Engine API (TIE).

Install

To use the Go binding you will have to install a golang environment and configure a $GOPATH for your user/system. Most modern distributions include a recent version of Go. To install the bindings and the command line client into your configured $GOPATH you can use the following command:

$ go get -u github.com/DCSO/gotie/...

The command line client expects a configuration file in your home directory (~/.gotie) containing the following two variables:

tie_token = "<token>"
pingback_token = "<token>"

The tie_token is mandatory. The pingback_token is optional.

NOTE: You can always set an alternative path for the configuration file using the -c / --config command line flag.

Command-line Client

The example command-line client can be used to query the TIE API for IOCs and feeds.

$ gotie iocs -q <query_string>

Run gotie -h to see all options.

Output formats

Depending on your use case, you can choose between the output formats CSV (default), JSON and Bloom filter. The latter integrates well with the DCSO Bloom filter CLI and lib.

Retrieve IOCs of type DomainName created today in JSON format:

gotie iocs -t domainname -f json --created-since $(date +%F)

Print only value field using jq:

gotie iocs -f json --created-since $(date +%F) | jq '.iocs[] | .value'

Build a Bloom filter with capacity of 2000 entries and a false-positive probability of 0.01%:

gotie iocs -f bloom --bloom-p 0.0001 --bloom-n 2000 --created-since $(date +%F) > test.bloom

The default Bloom filter format (bloom) is TIE's 64-bit Bloom filter (v2). Gotie also supports the old Bloom filter format (v1) by specifying bloomv1.

Perform a check with the bloom CLI tool:

echo www.example.com | bloom check test.bloom

The value will be echoed for a match, otherwise the tool stays silent. Read the Bloom CLI Readme for further details.

Tests

To run the included tests you have to set an environment variable containing your API token:

TIE_TOKEN=<token> make test

License

This software is released under a BSD 3-Clause license. Please have a look at the LICENSE file included in the repository.

Copyright (c) 2016-2018, DCSO Deutsche Cyber-Sicherheitsorganisation GmbH