Return to site

GreyNoise Cheat Sheet

CLI & Web UI

· ip reputation,blacklist,log analysis,ip scanning,greynoise

GreyNoise - collects and analyzes untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet. Mass scanners (such as Shodan and Censys), search engines, bots, worms, and crawlers generate logs and events omnidirectionally on every IP address in the IPv4 space. GreyNoise gives you the ability to filter this useless noise out. GreyNoise Query Language (GNQL) provides a structure syntax language to methodically query and refine your search parameters. Lastly, accounts for GreyNoise are FREE for personal use and offers amazing data possibilities at your disposal. Consider upgrading to the Enterprise license for large bulk queries.

**Python CLI & WEB UI Available

GREYNOISE CLI

https://github.com/GreyNoise-Intelligence/pygreynoise

Install the library:

pip install greynoise

or

python setup.py install

Save your configuration:

greynoise setup --api-key <your-API-key>

Upgrade current install:

pip3 install greynoise --upgrade

#CLI COMMAND OPTIONS

query - Run a GNQL structured query.

account - View information about your GreyNoise account.

alerts - List, create, delete, and manage your GreyNoise alerts.

analyze - Analyze the IP addresses in a log file, stdin, etc.

feedback - Send feedback directly to the GreyNoise team.

filter - Filter the noise from a log file, stdin, etc.

help - Show this message and exit.

interesting - Report one/more IP "interesting".

ip - Query for all information on an IP.

pcap - Get PCAP for a given IP address.

quick - Check if one/many IPs are "noise".

repl - Start an interactive shell.

setup - Configure API key.

signature - Submit IDS signature to GreyNoise.

stats - Aggregate stats from a GNQL query.

version - Get version and OS of GreyNoise.

FILTER

Sort external IP's from a log file (firewall, netflow, DNS, etc..) into a text file ips.txt one per line. Stdin to greynoise filter/remove all IP's that are "noise" and return non-noise IP's"

# cat ips.txt | greynoise filter > non-noise-ips.txt

ANALYZE

Sort external IP's from a log file (firewall, netflow, DNS, etc..) into a text file one per line ips.txt. Stdin to greynoise to analyze all IP's for ASN, Categories, Classifications, Countries, Operating Systems, Organizations, and Tags:

# cat ips.txt | greynoise analyze

STATS

Any query you run can be first checked for statistics returned for that query such as counts for ASN, Categories, Classifications, Countries, Operating Systems, Organizations, and Tags::

# greynoise stats "ip:113.88.161.0/24 classification:malicious"

QUERY

#IP DATA

The IP address of the scanning device IP:

# greynoise query "ip:<IPAddr or CIDR>"

# greynoise query "ip:113.88.161.215"

# greynoise query "113.88.161.0/24"

Whether the device has been categorized as unknown, benign, or malicious:

# greynoise query "classification:<type>"

# greynoise query "classification:malicious"

# greynoise query "ip:113.88.161.0/24 classification:malicious"

The date the device was first observed:

# greynoise query "first_seen:<YYYY-MM-DD>"

# greynoise query "first_seen:2019-12-29"

# greynoise query "ip:113.88.161.0/24 first_seen: 2019-12-29"

The date the device was most recently observed:

# greynoise query "last_seen:<YYYY-MM-DD>"

# greynoise query "last_seen:2019-12-30"
# greynoise query "ip:113.88.161.0/24 last_seen:2019-12-30"

The benign actor the device has been associated with, i.e. Shodan, GoogleBot, BinaryEdge, etc:

# greynoise query "actor:<actor>"

# greynoise query "actor:censys"

# greynoise query "198.108.0.0/16 actor:censys"

A list of the tags the device has been assigned over the past 90 days:

# greynoise query "tags:<tag string>"

# greynoise query "tags:avtech"

# greynoise query "tags:avtech metadata.asn:AS17974"

Search for scanning traffic related to a specific CVE:

# greynoise query "cve:<cve-YYYY-#####>"

# greynoise query "cve:cve-2019-19781"

# greynoise query "cve:cve-2019-19781 metadata.country:germany"

#METADATA

Whether device is a business, isp, or hosting:

# greynoise query "metadata.category:<category string>"

# greynoise query "metadata.category:ISP"

# greynoise query "metadata.category:ISP actor:Yandex"

The full name of the country the device is geographically located in:

# greynoise query "metadata.country:<country>"

# greynoise query "metadata.country:turkey"

# greynoise query "metadata.country:turkey metadata.category:mobile"

The two-character country code of the country the device is geographically located:

# greynoise query "metadata.country_code:<##>"

# greynoise query "metadata.country_code:RU"

# greynoise query "metadata.country_code:RU classification:benign"

The city the device is geographically located in metadata.organization:

# greynoise query "metadata.city:<city string>"

# greynoise query "metadata.city:moscow"

# greynoise query "metadata.city:moscow tags:SMB Scanner"

The organization that owns the network that the IP address belongs:

# greynoise query "metadata.organization:<string>"

# greynoise query "metadata.organization:Yandex"

# greynoise query "metadata.organization:Yandex tags:DNS Scanner"

The reverse DNS pointer of the IP:

# greynoise query "metadata.rdns:<dns string>"

# greynoise query "metadata.rdns:*yandex*"

# greynoise query "metadata.rdns:*yandex* tags:Web Crawler"

The autonomous system the IP address belongs:

# greynoise query "metadata.asn:<AS#####>"

# greynoise query "metadata.asn:AS17974"

# greynoise query "metadata.asn:AS17974 metadata.organization:PT TELEKOMUNIKASI INDONESIA"

Whether the device is a known Tor exit node:

# greynoise query "metadata.tor:<true>"

# greynoise query "metadata.tor:true"

# greynoise query "metadata.tor:true metadata.country:sweden"

#RAW_DATA

The port number(s) the devices has been observed scanning:

# greynoise query "raw_data.scan.port:<port number>"

# greynoise query "raw_data.scan.port:23"

# greynoise query "raw_data.scan.port:23 metdata.country:sweden"

The protocol of the port the device has been observed scanning:

# greynoise query "raw_data.scan.protocol:<tcp/udp>"

# greynoise query "raw_data.scan.protocol:udp"

# greynoise query "raw_data.scan.protocol:udp metadata.country:china"

Any HTTP paths the device has been observed crawling the Internet:

# greynoise query "raw_data.web.paths:<path string>"

# greynoise query "raw_data.web.paths:*admin*"

# greynoise query "raw_data.web.paths:*admin* tags:Jboss Worm"

Any HTTP user-agents the device has been observed using while crawling the Internet

# greynoise query "raw_data.web.useragents:<UA string>"

# greynoise query "raw_data.web.useragents:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"

# greynoise query "raw_data.web.useragents:*baidu* metadata.country:Hong Kong"

Fingerprinting TLS encrypted negotiation between client and server interactions (https://ja3er.com/ & https://github.com/salesforce/ja3/tree/master/lists):

# greynoise query "raw_data.ja3.fingerprint:<JA3 fingerprint hash>"

# greynoise query "raw_data.ja3.fingerprint:6734f37431670b3ab4292b8f60f29984"

# greynoise query "raw_data.ja3.fingerprint:6734f37431670b3ab4292b8f60f29984 metadata.country:china"

GREYNOISE WEB UI

#IP DATA

The IP address of the scanning device IP:

> ip or cidr

> 113.88.161.215

> 113.88.161.0/24

Whether the device has been categorized as unknown, benign, or malicious:

> classification:<type>

> classification:malicious

> 113.88.161.0/24 classification:malicious

The date the device was first observed:

> first_seen:<YYYY-MM-DD>

> first_seen:2019-12-29

> 113.88.161.0/24 first_seen 2019-12-29

The date the device was most recently observed:

> last_seen:<YYYY-MM-DD>

> last_seen:2019-12-30
> 113.88.161.0/24 last_seen:2019-12-30

The benign actor the device has been associated with, i.e. Shodan, GoogleBot, BinaryEdge, etc:

> actor:<actor>

> actor:censys

> 198.108.0.0/16 actor:censys

A list of the tags the device has been assigned over the past 90 days:

> tags:<tag string>

> tags:avtech

> tags:avtech metadata.asn:AS17974

Search for scanning traffic related to a specific CVE:

> cve:<cve-YYYY-#####>

> cve:cve-2019-19781"

> cve:cve-2019-19781 metadata.country:germany

#METADATA

Whether device is a business, isp, or hosting:

> metadata.category:<category string>

> metadata.category:ISP

> metadata.category:ISP actor:Yandex

The full name of the country the device is geographically located in:

> metadata.country:<country>

> metadata.country:turkey

> metadata.country:turkey metadata.category:mobile

The two-character country code of the country the device is geographically located:

> metadata.country_code:<##>

> metadata.country_code:RU

> metadata.country_code:RU classification:benign

The city the device is geographically located in metadata.organization:

> metadata.city:<city string>

> metadata.city:moscow

> metadata.city:moscow tags:SMB Scanner

The organization that owns the network that the IP address belongs:

> metadata.organization:<string>

> metadata.organization:Yandex

> metadata.organization:Yandex tags:DNS Scanner

The reverse DNS pointer of the IP:

> metadata.rdns:<dns string>

> metadata.rdns:*yandex*

> metadata.rdns:*yandex* tags:Web Crawler

The autonomous system the IP address belongs:

> metadata.asn:<AS#####>

> metadata.asn:AS17974

> metadata.asn:AS17974 metadata.organization:"PT TELEKOMUNIKASI INDONESIA"

Whether the device is a known Tor exit node:

> metadata.tor:<true>

> metadata.tor:true

> metadata.tor:true metadata.country:sweden

#RAW_DATA

The port number(s) the devices has been observed scanning:

> raw_data.scan.port:<port number>

> raw_data.scan.port:23

> raw_data.scan.port:23 metdata.country:sweden

The protocol of the port the device has been observed scanning:

> raw_data.scan.protocol:<tcp/udp>

> raw_data.scan.protocol:udp

> raw_data.scan.protocol:udp metadata.country:china

Any HTTP paths the device has been observed crawling the Internet:

> raw_data.web.paths:<path string>

> raw_data.web.paths:*admin*

> raw_data.web.paths:*admin* tags:"Jboss Worm"

Any HTTP user-agents the device has been observed using while crawling the Internet

> raw_data.web.useragents:<UA string>

> raw_data.web.useragents:"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"

> raw_data.web.useragents:*baidu* metadata.country:Hong Kong

Fingerprinting TLS encrypted negotiation between client and server interactions (https://ja3er.com/ & https://github.com/salesforce/ja3/tree/master/lists):

> raw_data.ja3.fingerprint:<JA3 fingerprint hash>

> raw_data.ja3.fingerprint:6734f37431670b3ab4292b8f60f29984

> raw_data.ja3.fingerprint:6734f37431670b3ab4292b8f60f29984 metadata.country:china