styx/DEMO.md

# Demo notes

```graphql
{
  Node(func: eq(nodeType, "matcher")){
    id
    target
    nodeType
    full
    nodes {
      uid
      full
      meta {
        full_url
      }
    }
  }
}
```

```graphql
{
  Node(func: has(nodes)  ) {
    uid
    nodeType
    target
    timestamp
    nodes {
      uid
      type
      full
      hostnames

    }
  }
}
```

```graphql
{
  Node(func: eq(nodeType, "certstream")){
    id
    nodeType
    certNode {
      cn
      sourceName
      fingerprint
      notBefore
      notAfter
    }
    }
  }

```

## Notes

* There is TOO MUCH junk data
* Upsert is not optimal
* What do we do with the data so it can be exploitable by analysts
* Sould we store matched data in an SQL-like db?


## TDH

* patterns: stream to IP address and not a domain (so the HTTP hostname won't be interesting) => look into any canonical name resolving to a NXDOMAIN (tls connection directly to an IP address) NO DNS => hostname is a DGA (should be a way to identify visually)
* any canonical name that is a IP address and not a domain name
multiple search works (kinda) 2020-06-03 16:20:40 +02:00			`# Demo notes`

			```graphql
			`{`
Changing Type to NodeType to avoid issues 2020-08-28 13:34:08 +02:00			`Node(func: eq(nodeType, "matcher")){`
multiple search works (kinda) 2020-06-03 16:20:40 +02:00			`id`
			`target`
Changing Type to NodeType to avoid issues 2020-08-28 13:34:08 +02:00			`nodeType`
multiple search works (kinda) 2020-06-03 16:20:40 +02:00			`full`
			`nodes {`
			`uid`
			`full`
Changing Type to NodeType to avoid issues 2020-08-28 13:34:08 +02:00			`meta {`
			`full_url`
			`}`
multiple search works (kinda) 2020-06-03 16:20:40 +02:00			`}`
			`}`
			`}`
			```

Adding pastebin matching + demo IOC 2020-06-10 11:32:56 +02:00			```graphql
			`{`
			`Node(func: has(nodes) ) {`
			`uid`
Changing Type to NodeType to avoid issues 2020-08-28 13:34:08 +02:00			`nodeType`
Adding pastebin matching + demo IOC 2020-06-10 11:32:56 +02:00			`target`
			`timestamp`
			`nodes {`
			`uid`
			`type`
			`full`
			`hostnames`

			`}`
			`}`
			`}`
			```

Changing Type to NodeType to avoid issues 2020-08-28 13:34:08 +02:00			```graphql
			`{`
			`Node(func: eq(nodeType, "certstream")){`
			`id`
			`nodeType`
			`certNode {`
			`cn`
			`sourceName`
			`fingerprint`
			`notBefore`
			`notAfter`
			`}`
			`}`
			`}`

			```

multiple search works (kinda) 2020-06-03 16:20:40 +02:00			`## Notes`

Parsing shodan, not droppping DB * Adding Certstream and Shodan matchers * Insert or skip for new matchers (working without having to drop the DB and not more duplicate matchers) * Closing files after using them * Adding Match model to schema and Node (for unmarshalling purposes) 2020-06-10 10:48:47 +02:00			`* There is TOO MUCH junk data`
multiple search works (kinda) 2020-06-03 16:20:40 +02:00			`* Upsert is not optimal`
			`* What do we do with the data so it can be exploitable by analysts`
			`* Sould we store matched data in an SQL-like db?`
Major version update This new work implements the server and the loader in two different binaries allowing the code while updating the IOC list. It updates also the documentation to reflect the new changes. 2020-08-24 16:25:49 +02:00

			`## TDH`

			`* patterns: stream to IP address and not a domain (so the HTTP hostname won't be interesting) => look into any canonical name resolving to a NXDOMAIN (tls connection directly to an IP address) NO DNS => hostname is a DGA (should be a way to identify visually)`
			`* any canonical name that is a IP address and not a domain name`