styx/README.md

# Styx

## IMPORTANT

For development purposes, each time you restart Styx, the database and the
schema is dropped. Currently, this is hardcoded and used to make development
easier. Just so you know.

## Prerequisites

Styx uses a couple of other services to run:

* Kafka for messaging (not implemented yet in the docker, but currently not
        necessary)
* Dgraph for graph representation of results
* Docker-compose to launch everything

For that purposes, there is a `docker-compose.yml` file that you can spin up
with the following command when in the directory:

```sh
docker-compose up -d
```

*Note*: for some reasons, OpenVPN blocks the establishment of the docker
compose, you can alternatively run Dgraph manually as such:

```sh
docker run --rm -it -p 8080:8080 -p 9080:9080 -p 8000:8000 -v ~/dgraph:/dgraph dgraph/standalone:v20.03.0
```

## Install

```sh
go get -u gitlab.dcso.lolcat/LABS/styx
cd $GOPATH/src/gitlab.dcso.lolcat/LABS/styx
go build
docker-compose up -d # or the other command
./styx
```

*Note*: if you have issues with the docker compose, make sure it runs on the
same subnet. Check [this](https://serverfault.com/questions/916941/configuring-docker-to-not-use-the-172-17-0-0-range) for inspiration.

### Example configuration:
```
certstream:
activated: true

pastebin:
activated: true

shodan:
activated: true
key: "SHODAN_KEY"
ports:
- 80
- 443

kafka:
activated: true
protocol: "tcp"
host: "localhost"
port: 9092
topic: "styx"
partition: 0

balboa:
# the url you tunneled to Balboa
url: http://127.0.0.1:8030
activated: true

elasticsearch:
activated: true
url: http://localhost:9200
index: "pastebin"
```

## Dgraph Interface

You can connect to the Dgraph interface at this default address: localhost:8000.
There you would be able to run GraphQL+ queries, here to query a node.

```graphql
query {
    Node(func: eq(id, "node--cde8decb-0a8b-4d19-bd77-c2decb6dab9c")) {
        uid
            ndata
            modified
            type
            id
    }
}

```

Or filter node by type, this example works for certstream nodes:

```graphql
query {
    Node(func: eq(type, "certstream")) {
        uid
            created
            modified
            type
            ndata
            certNode {
      uid
      fingerprint
      cn
      raw {
        uid
        id
      }
      chain {
        uid
        id
      }
      sourceName
      serialNumber
      basicConstrains
      notBefore
      notAfter
    }
    shodanNode {
        uid
            hostData {
                product
                ip
                version
                hostnames
                port
                html
            }
    }
  }
}
```

## Datastructure

### Meta

Node --[Edge]-- Node

```go
type Node struct {
	ID       string `json:"id"`
	Type     string `json:"type"`
	Data     string `json:"data"` // For plain Node, the data is the ID of another typed node or a unique value like a domain or a host name.
	Created  string `json:"created"`
	Modified string `json:"modified"`
}

// Edge defines a relation between two nodes.
type Edge struct {
	ID        string `json:"id"`
	NodeOneID string `json:"nodeOneID"`
	NodeTwoID string `json:"nodeTwoID"`
	Timestamp string `json:"timestamp"`
	Source    string `json:"source"`
}

```

### Certstream

Node --[Edge]-- CertNode --[Edge]-- CertStreamRaw
Node(domain) --[Edge]-- CertNode

```go

// CertStreamRaw is a wrapper around the stream function to unmarshall the
// data receive in a Go structure.
type CertStreamRaw struct {
	ID       string           `json:"id"`
	Type     string           `json:"type"`
	Data     CertStreamStruct `json:"data"`
	Created  string           `json:"created"`
	Modified string           `json:"modified"`
}

// CertNode represents our custom struct of data extraction from CertStream.
type CertNode struct {
	ID               string     `json:"id"`
	Fingerprint      string     `json:"fingerprint"`
	NotBefore        string     `json:"notBefore"`
	NotAfter         string     `json:"notAfter"`
	CN               string     `json:"cn"`
	SourceName       string     `json:"sourceName"`
	SerialNumber     string     `json:"serialNumber"`
	BasicConstraints string     `json:"basicConstraints"`
	RawUUID          string     `json:"rawUUID"`
	Chain            []CertNode `json:"chainedTo"`
}

```

### Pastebin

Node --[Edge]-- PasteNode --[Edge]-- FullPaste

```go
// PasteNode is a node from PasteBin.
type PasteNode struct {
	ID       string    `json:"id"`
	Type     string    `json:"type"`
	Data     FullPaste `json:"data"`
	Created  string    `json:"create"`
	Modified string    `json:"modified"`
}

// FullPaste wrapes meta and information from Pastebin.
type FullPaste struct {
	Meta PasteMeta `json:"meta"`
	Full string    `json:"full"`
}
```

### Shodan

Node --[Edge]-- ShodanNode --[Edge]-- Node(s) (hostnames and domains)

```go
type ShodanNode struct {
	ID       string           `json:"id"`
	Type     string           `json:"type"`
	Data     *shodan.HostData `json:"data"`
	Created  string           `json:"created"`
	Modified string           `json:"modified"`
}
```

### Balboa

Balboa enrichment happens on domains and hostnames extracted from Certstream
and Shodan streams and the node is created only if Balboa returns data.

Node --[Edge]-- ShodanNode --[Edge]-- Node (domain) --[Edge]-- BalboaNode

```go
type BalboaNode struct {
	ID       string           `json:"id"`
	Type     string           `json:"type"`
	Data     []balboa.Entries `json:"data"`
	Created  string           `json:"created"`
	Modified string           `json:"modified"`
}
```
Adding README with install instructions 2020-01-15 14:40:47 +01:00			`# Styx`
Adding docker-compose for dgraph 2020-05-13 11:51:54 +02:00
Simple linked model on certstream + better install instructions 2020-05-18 10:22:08 +02:00			`## IMPORTANT`

			`For development purposes, each time you restart Styx, the database and the`
			`schema is dropped. Currently, this is hardcoded and used to make development`
			`easier. Just so you know.`

Adding docker-compose for dgraph 2020-05-13 11:51:54 +02:00			`## Prerequisites`

			`Styx uses a couple of other services to run:`

			`* Kafka for messaging (not implemented yet in the docker, but currently not`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`necessary)`
Adding docker-compose for dgraph 2020-05-13 11:51:54 +02:00			`* Dgraph for graph representation of results`
Simple linked model on certstream + better install instructions 2020-05-18 10:22:08 +02:00			`* Docker-compose to launch everything`
Adding docker-compose for dgraph 2020-05-13 11:51:54 +02:00
			For that purposes, there is a `docker-compose.yml` file that you can spin up
			`with the following command when in the directory:`

			```sh
			`docker-compose up -d`
			```

			`Note: for some reasons, OpenVPN blocks the establishment of the docker`
			`compose, you can alternatively run Dgraph manually as such:`

			```sh
			`docker run --rm -it -p 8080:8080 -p 9080:9080 -p 8000:8000 -v ~/dgraph:/dgraph dgraph/standalone:v20.03.0`
			```

Adding README with install instructions 2020-01-15 14:40:47 +01:00			`## Install`

			```sh
			`go get -u gitlab.dcso.lolcat/LABS/styx`
			`cd $GOPATH/src/gitlab.dcso.lolcat/LABS/styx`
			`go build`
Simple linked model on certstream + better install instructions 2020-05-18 10:22:08 +02:00			`docker-compose up -d # or the other command`
Adding README with install instructions 2020-01-15 14:40:47 +01:00			`./styx`
			```
Update README with more information on the nodes and edges connections 2020-02-07 15:49:42 +01:00
Simple linked model on certstream + better install instructions 2020-05-18 10:22:08 +02:00			`Note: if you have issues with the docker compose, make sure it runs on the`
			`same subnet. Check [this](https://serverfault.com/questions/916941/configuring-docker-to-not-use-the-172-17-0-0-range) for inspiration.`

Adding configuration documentation and the config file in the gitignore 2020-02-10 14:40:33 +01:00			`### Example configuration:`
			```
Allowing the possiblity to activate or deactivate modules 2020-02-14 11:30:59 +01:00			`certstream:`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`activated: true`
Allowing the possiblity to activate or deactivate modules 2020-02-14 11:30:59 +01:00
			`pastebin:`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`activated: true`
Allowing the possiblity to activate or deactivate modules 2020-02-14 11:30:59 +01:00
Adding configuration documentation and the config file in the gitignore 2020-02-10 14:40:33 +01:00			`shodan:`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`activated: true`
			`key: "SHODAN_KEY"`
			`ports:`
			`- 80`
			`- 443`
Adding configuration documentation and the config file in the gitignore 2020-02-10 14:40:33 +01:00
			`kafka:`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`activated: true`
			`protocol: "tcp"`
			`host: "localhost"`
			`port: 9092`
			`topic: "styx"`
			`partition: 0`
Adding configuration documentation and the config file in the gitignore 2020-02-10 14:40:33 +01:00
			`balboa:`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`# the url you tunneled to Balboa`
			`url: http://127.0.0.1:8030`
			`activated: true`
Adding configuration documentation and the config file in the gitignore 2020-02-10 14:40:33 +01:00
Adding elasticsearch configuration on README 2020-02-17 12:10:27 +01:00			`elasticsearch:`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`activated: true`
			`url: http://localhost:9200`
			`index: "pastebin"`
Adding configuration documentation and the config file in the gitignore 2020-02-10 14:40:33 +01:00			```

adding Dgraph explanantions 2020-05-13 14:52:38 +02:00			`## Dgraph Interface`

			`You can connect to the Dgraph interface at this default address: localhost:8000.`
			`There you would be able to run GraphQL+ queries, here to query a node.`

			```graphql
			`query {`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`Node(func: eq(id, "node--cde8decb-0a8b-4d19-bd77-c2decb6dab9c")) {`
			`uid`
			`ndata`
			`modified`
			`type`
			`id`
			`}`
adding Dgraph explanantions 2020-05-13 14:52:38 +02:00			`}`

			```

Simple linked model on certstream + better install instructions 2020-05-18 10:22:08 +02:00			`Or filter node by type, this example works for certstream nodes:`

			```graphql
			`query {`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`Node(func: eq(type, "certstream")) {`
			`uid`
			`created`
			`modified`
			`type`
			`ndata`
			`certNode {`
Simple linked model on certstream + better install instructions 2020-05-18 10:22:08 +02:00			`uid`
			`fingerprint`
			`cn`
			`raw {`
			`uid`
			`id`
			`}`
			`chain {`
			`uid`
			`id`
			`}`
			`sourceName`
			`serialNumber`
			`basicConstrains`
			`notBefore`
			`notAfter`
			`}`
Shodan in Dgraph, first part Implementing first version for shodan node, missing yet some models, but the overal approach works and can be queried in Ratel. 2020-05-18 16:09:04 +02:00			`shodanNode {`
			`uid`
			`hostData {`
			`product`
			`ip`
			`version`
			`hostnames`
			`port`
			`html`
			`}`
			`}`
Simple linked model on certstream + better install instructions 2020-05-18 10:22:08 +02:00			`}`
			`}`
			```

Update README with more information on the nodes and edges connections 2020-02-07 15:49:42 +01:00			`## Datastructure`

			`### Meta`

Fix readme 2020-02-10 10:36:36 +01:00			`Node --[Edge]-- Node`
Beautify readme 2020-02-07 17:50:07 +01:00
Update README with more information on the nodes and edges connections 2020-02-07 15:49:42 +01:00			```go
			`type Node struct {`
			ID string `json:"id"`
			Type string `json:"type"`
			Data string `json:"data"` // For plain Node, the data is the ID of another typed node or a unique value like a domain or a host name.
			Created string `json:"created"`
			Modified string `json:"modified"`
			`}`

			`// Edge defines a relation between two nodes.`
			`type Edge struct {`
			ID string `json:"id"`
			NodeOneID string `json:"nodeOneID"`
			NodeTwoID string `json:"nodeTwoID"`
			Timestamp string `json:"timestamp"`
			Source string `json:"source"`
			`}`

			```

			`### Certstream`

Fix readme 2020-02-10 10:36:36 +01:00			`Node --[Edge]-- CertNode --[Edge]-- CertStreamRaw`
			`Node(domain) --[Edge]-- CertNode`
Beautify readme 2020-02-07 17:50:07 +01:00
Update README with more information on the nodes and edges connections 2020-02-07 15:49:42 +01:00			```go

			`// CertStreamRaw is a wrapper around the stream function to unmarshall the`
			`// data receive in a Go structure.`
			`type CertStreamRaw struct {`
			ID string `json:"id"`
			Type string `json:"type"`
			Data CertStreamStruct `json:"data"`
			Created string `json:"created"`
			Modified string `json:"modified"`
			`}`

			`// CertNode represents our custom struct of data extraction from CertStream.`
			`type CertNode struct {`
			ID string `json:"id"`
			Fingerprint string `json:"fingerprint"`
			NotBefore string `json:"notBefore"`
			NotAfter string `json:"notAfter"`
			CN string `json:"cn"`
			SourceName string `json:"sourceName"`
			SerialNumber string `json:"serialNumber"`
			BasicConstraints string `json:"basicConstraints"`
			RawUUID string `json:"rawUUID"`
			Chain []CertNode `json:"chainedTo"`
			`}`

			```

			`### Pastebin`

Fix readme 2020-02-10 10:36:36 +01:00			`Node --[Edge]-- PasteNode --[Edge]-- FullPaste`
Beautify readme 2020-02-07 17:50:07 +01:00
Update README with more information on the nodes and edges connections 2020-02-07 15:49:42 +01:00			```go
			`// PasteNode is a node from PasteBin.`
			`type PasteNode struct {`
			ID string `json:"id"`
			Type string `json:"type"`
			Data FullPaste `json:"data"`
			Created string `json:"create"`
			Modified string `json:"modified"`
			`}`

			`// FullPaste wrapes meta and information from Pastebin.`
			`type FullPaste struct {`
			Meta PasteMeta `json:"meta"`
			Full string `json:"full"`
			`}`
			```

			`### Shodan`
Beautify readme 2020-02-07 17:50:07 +01:00
Fix readme 2020-02-10 10:36:36 +01:00			`Node --[Edge]-- ShodanNode --[Edge]-- Node(s) (hostnames and domains)`
Beautify readme 2020-02-07 17:50:07 +01:00
Update README with more information on the nodes and edges connections 2020-02-07 15:49:42 +01:00			```go
			`type ShodanNode struct {`
			ID string `json:"id"`
			Type string `json:"type"`
			Data *shodan.HostData `json:"data"`
			Created string `json:"created"`
			Modified string `json:"modified"`
			`}`
			```
Adding balboa enrichment for domains and hostnames + documentation 2020-02-07 17:39:33 +01:00
Update README with info about Balboa queries 2020-02-07 17:45:37 +01:00			`### Balboa`

			`Balboa enrichment happens on domains and hostnames extracted from Certstream`
			`and Shodan streams and the node is created only if Balboa returns data.`

Fix readme 2020-02-10 10:36:36 +01:00			`Node --[Edge]-- ShodanNode --[Edge]-- Node (domain) --[Edge]-- BalboaNode`
Update README with info about Balboa queries 2020-02-07 17:45:37 +01:00
			```go
			`type BalboaNode struct {`
			ID string `json:"id"`
			Type string `json:"type"`
			Data []balboa.Entries `json:"data"`
			Created string `json:"created"`
			Modified string `json:"modified"`
			`}`
			```