MCPcopy Index your code
hub / github.com/ChistaDev/Chista

github.com/ChistaDev/Chista @v2.0.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.0.0 ↗ · + Follow
320 symbols 986 edges 137 files 101 documented · 32%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Chista

Chista | Open Source Threat Intelligence Framework

v1.0


Chista Twitter Chista Linkedin

Chista is an Open Source Cyber Threat Intelligence (CTI) Framework designed to help users understand, predict and defend against cyber threats.

cli-demo

It helps its users understand cyber threats by using data collected from various sources. This data includes IOCs, data leaks, phishing campaigns, threat group activities and CTI sources. By analyzing this data, Chista helps users understand the existence, prevalence, trends and probability of cyber threats.


  • Collecting IOCs: IOCs are signatures used to identify and track cyber threats. Chista can collect IOCs from various sources and make them available to users.
  • Monitoring Data Leaks: Chista can identify accounts that have suffered a data breach by monitoring data leaks from various sources.
  • Monitoring Phishing Campaigns: Chista detects websites created for phishing purposes and provides users with a feed in this direction.
  • Monitoring Threat Groups Activities: Threat groups are organized groups that carry out cyber attacks. By monitoring threat group activity from various sources, Chista helps organizations understand and prepare for the activities of threat groups.
  • Detection of Blacklisted IPs: Chista provides users with a feed for IPs blacklisted by various lists.
  • Detailing Threat Groups: Chista brings together details of cybercrime groups, allowing users to get detailed information about threat groups.
  • Providing Resources: Chista provides resources that can be used for threat intelligence for the benefit of users interested in Cyber Threat Intelligence.

In this document, you'll find usage & installation guide. You can check our detailed documentation about which includes developer documentation.

Table of Contents

Install Chista

Prerequisite

  • go1.21
  • https://go.dev/dl/
  • Python 3.6+
  • It is needed for OpenSquat.
  • OpenSquat (Optional, increases Phishing & Impersonate module performance)
  • https://github.com/atenreiro/opensquat
  • search.censys.io API ID and API KEY (Optional, increases Phishing & Impersonate module performance)
  • It's used in Phishing module and controlled in .ENV file with CENSYS_API_SECRET key. We'll see .ENV file in the Configuration section.
  • 7777 and 7778 ports should be available
  • "google-chrome" executable file should present in $PATH
  • You need to install Google Chrome and it's executable should be found in your PATH (Environment Variables in Windows)

Configuration

The tool's configurations is controlled with .ENV file. The .ENV file should placed in root directory of the project. You can see an example .ENV file in below.

DUMP_MODE=true
API_ONLY=false
WHOIS_SERVER="whois.verisign-grs.com:43"
PY_PATH="C:\Users\<USERNAME>\AppData\Local\Programs\Python\Python37\python37.exe"
OPENSQUAT_PY_PATH="./3rd_party/opensquat"
CENSYS_API_ID="<API-ID>"
CENSYS_API_SECRET="<API-KEY>"
Configuration Default Value Details Mandatory/Optional
DUMP_MODE true If it's true, the API server logs the HTTP requests. It can be useful while debugging. Mandatory
API_ONLY false When it's false, the API server generates a WebSocket connection to the CLI tool. So, if you want to use just API part of the tool, you have to set API_ONLY=true Mandatory
WHOIS_SERVER whois.verisign-grs.com:43 It's used in whois checker, the tool queries to the given Whois Server. Mandatory
PY_PATH It's Python's installation path. Python used for OpenSquat. If you want to use OpenSquat, you have to provide your Python path. Optional
OPENSQUAT_PY_PATH ./3rd_party/opensquat OpenSquat folder's path. The Phishing module uses OpenSquat to generate extra typosquatting domains. Optional
CENSYS_API_ID search.censys.io API Key ID Optional
CENSYS_API_SECRET search.censys.io API Key Secret Optional

Basic Usage

You can use pre-built binaries or you can build the project and use. It's up to your choice!

Building & Running from source

1. Clone the repository

git clone https://github.com/Chista-Framework/Chista.git

2. Build & Run the API application

First, open a Command Prompt/Terminal. Then execute the following commands. - For Windows:

go build -o chista.exe
./chista.exe
  • For Linux:
go build -o chista
./chista

NOTE: If you cannot execute the command in Linux, you should give execute permission yourself on the file. You can use chmod +x chista. After running the API server, you'll see the following output.

time="2024-01-12T16:12:08+03:00" level=info msg="DUMP_MODE= true" func=github.com/Chista-Framework/Chista/logger.init.0 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/logger/logger.go:54"
time="2024-01-12T16:12:08+03:00" level=error msg="WebSocket connection error while closing: Websocket Connection is nil but trying to send a WS message." func=github.com/Chista-Framework/Chista/helpers.SendMessageWS file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:230"
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /api/v1/ioc_feed          --> github.com/Chista-Framework/Chista/controller.GetIocs (6 handlers)
[GIN-debug] GET    /api/v1/phishing          --> github.com/Chista-Framework/Chista/controller.GetPhishingDomains (6 handlers)
[GIN-debug] GET    /api/v1/impersonate       --> github.com/Chista-Framework/Chista/controller.GetImpersonatingDomains (6 handlers)
[GIN-debug] GET    /api/v1/leak              --> github.com/Chista-Framework/Chista/controller.GetLeaks (6 handlers)
[GIN-debug] GET    /api/v1/threat_profile    --> github.com/Chista-Framework/Chista/controller.GetThreatActorProfiles (6 handlers)
[GIN-debug] GET    /api/v1/blacklist         --> github.com/Chista-Framework/Chista/controller.CheckBlacklist (6 handlers)
[GIN-debug] GET    /api/v1/source            --> github.com/Chista-Framework/Chista/controller.GetSources (6 handlers)
[GIN-debug] GET    /api/v1/c2                --> github.com/Chista-Framework/Chista/controller.GetC2s (6 handlers)
[GIN-debug] GET    /api/v1/activities        --> github.com/Chista-Framework/Chista/controller.CheckActivities (6 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
[GIN-debug] Listening and serving HTTP on localhost:7777
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Apt Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransomware Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:176"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransom Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:132"
time="2024-01-12T16:12:09+03:00" level=debug msg="Ransom data has been updated." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:212"
time="2024-01-12T16:12:09+03:00" level=info msg="Ransom data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:158"
time="2024-01-12T16:12:10+03:00" level=info msg="Apt profiles data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.getAPTData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:364"

3. Build & Run the CLI application - For Windows:

cd chista-cli
go build -o chista-cli.exe
  • For Linux:
cd chista-cli
go build -o chista-cli

After running the CLI application, you'll see the following output.

     _     _      _
 __ | |_  (_) ___| |_  __ _
/ _|| ' \ | |(_-<|  _|/ _` |
\__||_||_||_|/__/ \__|\__,_|
-----------------------------
Chista is a command-line tool that helps you perform various cyber threat intelligence tasks. You can use Chista to search for information about malicious activities, indicators of compromise, data leaks, phishing campaigns, and threat sources.
Chista also provides you with a blacklist of malicious domains and IP addresses that you can use to protect your network. With Chista, you can easily access and analyze data from various sources, such as VirusTotal, Shodan, Have I Been Pwned, and more.

To get started, simply run Chista with one of the subcommands: activities, blacklist, ioc, leak, phishing, or source. You can also use the -h or --help flag to get more information about each subcommand and its options.

Usage:
  Chista [command]

Available Commands:
  activities    Lists latest activities
  blacklist     Shows the blacklist sources.
  completion    Generate the autocompletion script for the specified shell
  help          Help about any command
  impersonate   Lists impersonating domains
  ioc           Lists IOC data
  leak          Lists leak infos
  phishing      Lists phishing domains
  source        Lists data related to parameters.
  threatProfile Lists latest threat profile

Flags:
  -h, --help     help for Chista
  -t, --toggle   Help message for toggle

Use "Chista [command] --help" for more information about a command.

Directly running the binaries

You can download the API Server & CLI binaries according to your OS from releases then just execute. - For Windows:

./chista.exe
./chista-cli.exe
  • For Linux:
./chista
./chista-cli

API Usage

Chista provides data feed to users via API. In order to use Chista on the API, the following command is executed in the main directory and the Web Socket is started on localhost.

go run main.go

The following message indicates that the Chista API is up and running

[GIN-debug] Listening and serving HTTP on localhost:7777

After this stage, data feed can be provided via API by sending a request to the relevant endpoint

Endpoint Method Query Params Description
/api/v1/ioc_feed GET attacker, verbosity List all of the IOC data related with used query params.
/api/v1/leak GET email, verbosity List all of the leak info related with used query params
/api/v1/phishing GET domain, verbosity List all of the latest phishing domains that related with the supplied query param.
/api/v1/impersonate GET domain, verbosity List all of the impersonating domains that related with the supplied query param.
/api/v1/activities GET ransom, list, verbosity List all of the latest activites of attacker related with the supplied query param.
/api/v1/source GET ransom, apt, forum, market, telegram, exploit, discord, verbosity List all of the data related with the supplied query param.
/api/v1/blacklist GET asset, verbosity Shows the blacklist sources that the supplied asset marked as “malicious”.
/api/v1/threat_profile GET apt, ransom, list, verbosity Brings together details of cybercrime groups, allowing users to get detailed information about threat groups

Read the Documentation for more details

CLI Usage

Chista can be run on the CLI according to user needs. In order to us

Extension points exported contracts — how you extend this code

Response (Interface)
(no doc)
models/phishing.go

Core symbols most depended-on inside this repo

SendMessageWS
called by 242
helpers/helpers.go
useIsDrawerOpen
called by 21
chista-frontend/src/contexts/IsDrawerOpenContext.js
requester
called by 10
chista-cli/cmd/helpers.go
GoDotEnvVariable
called by 10
helpers/helpers.go
main
called by 9
3rd_party/opensquat/opensquat/app.py
InitiliazeWebSocketConnection
called by 9
helpers/helpers.go
useDarkMode
called by 8
chista-frontend/src/contexts/DarkModeContext.js
CloseWSConnection
called by 7
helpers/helpers.go

Shape

Function 210
Method 72
Struct 25
Class 10
TypeAlias 2
Interface 1

Languages

Go45%
Python28%
TypeScript27%

Modules by API surface

3rd_party/opensquat/opensquat/app.py31 symbols
helpers/helpers.go29 symbols
models/phishing.go15 symbols
controller/phishing.go12 symbols
controller/threat_profile.go10 symbols
3rd_party/opensquat/opensquat/output.py9 symbols
3rd_party/opensquat/opensquat/phishing.py8 symbols
3rd_party/opensquat/opensquat/file_input.py7 symbols
3rd_party/opensquat/opensquat/vt.py6 symbols
3rd_party/opensquat/opensquat/port_check.py6 symbols
models/threat_profile.go5 symbols
helpers/helpers_test.go5 symbols

For agents

$ claude mcp add Chista \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact