v1.0
Chista is an Open Source Cyber Threat Intelligence (CTI) Framework designed to help users understand, predict and defend against cyber threats.

It helps its users understand cyber threats by using data collected from various sources. This data includes IOCs, data leaks, phishing campaigns, threat group activities and CTI sources. By analyzing this data, Chista helps users understand the existence, prevalence, trends and probability of cyber threats.
In this document, you'll find usage & installation guide. You can check our detailed documentation about which includes developer documentation.
CENSYS_API_SECRET key. We'll see .ENV file in the Configuration section.7777 and 7778 ports should be availableThe tool's configurations is controlled with .ENV file. The .ENV file should placed in root directory of the project. You can see an example .ENV file in below.
DUMP_MODE=true
API_ONLY=false
WHOIS_SERVER="whois.verisign-grs.com:43"
PY_PATH="C:\Users\<USERNAME>\AppData\Local\Programs\Python\Python37\python37.exe"
OPENSQUAT_PY_PATH="./3rd_party/opensquat"
CENSYS_API_ID="<API-ID>"
CENSYS_API_SECRET="<API-KEY>"
| Configuration | Default Value | Details | Mandatory/Optional |
|---|---|---|---|
| DUMP_MODE | true | If it's true, the API server logs the HTTP requests. It can be useful while debugging. |
Mandatory |
| API_ONLY | false | When it's false, the API server generates a WebSocket connection to the CLI tool. So, if you want to use just API part of the tool, you have to set API_ONLY=true |
Mandatory |
| WHOIS_SERVER | whois.verisign-grs.com:43 | It's used in whois checker, the tool queries to the given Whois Server. | Mandatory |
| PY_PATH | It's Python's installation path. Python used for OpenSquat. If you want to use OpenSquat, you have to provide your Python path. | Optional | |
| OPENSQUAT_PY_PATH | ./3rd_party/opensquat | OpenSquat folder's path. The Phishing module uses OpenSquat to generate extra typosquatting domains. | Optional |
| CENSYS_API_ID | search.censys.io API Key ID | Optional | |
| CENSYS_API_SECRET | search.censys.io API Key Secret | Optional |
You can use pre-built binaries or you can build the project and use. It's up to your choice!
1. Clone the repository
git clone https://github.com/Chista-Framework/Chista.git
2. Build & Run the API application
First, open a Command Prompt/Terminal. Then execute the following commands. - For Windows:
go build -o chista.exe
./chista.exe
go build -o chista
./chista
NOTE: If you cannot execute the command in Linux, you should give execute permission yourself on the file. You can use chmod +x chista.
After running the API server, you'll see the following output.
time="2024-01-12T16:12:08+03:00" level=info msg="DUMP_MODE= true" func=github.com/Chista-Framework/Chista/logger.init.0 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/logger/logger.go:54"
time="2024-01-12T16:12:08+03:00" level=error msg="WebSocket connection error while closing: Websocket Connection is nil but trying to send a WS message." func=github.com/Chista-Framework/Chista/helpers.SendMessageWS file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:230"
[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] GET /api/v1/ioc_feed --> github.com/Chista-Framework/Chista/controller.GetIocs (6 handlers)
[GIN-debug] GET /api/v1/phishing --> github.com/Chista-Framework/Chista/controller.GetPhishingDomains (6 handlers)
[GIN-debug] GET /api/v1/impersonate --> github.com/Chista-Framework/Chista/controller.GetImpersonatingDomains (6 handlers)
[GIN-debug] GET /api/v1/leak --> github.com/Chista-Framework/Chista/controller.GetLeaks (6 handlers)
[GIN-debug] GET /api/v1/threat_profile --> github.com/Chista-Framework/Chista/controller.GetThreatActorProfiles (6 handlers)
[GIN-debug] GET /api/v1/blacklist --> github.com/Chista-Framework/Chista/controller.CheckBlacklist (6 handlers)
[GIN-debug] GET /api/v1/source --> github.com/Chista-Framework/Chista/controller.GetSources (6 handlers)
[GIN-debug] GET /api/v1/c2 --> github.com/Chista-Framework/Chista/controller.GetC2s (6 handlers)
[GIN-debug] GET /api/v1/activities --> github.com/Chista-Framework/Chista/controller.CheckActivities (6 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.
[GIN-debug] Listening and serving HTTP on localhost:7777
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Apt Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransomware Profiles Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:176"
time="2024-01-12T16:12:08+03:00" level=debug msg="Starting the Ransom Data Check periodic function\n" func=github.com/Chista-Framework/Chista/helpers.RunPeriodicly.func1 file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/helpers/helpers.go:595"
time="2024-01-12T16:12:08+03:00" level=debug msg="Requesting source for ransom data." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:132"
time="2024-01-12T16:12:09+03:00" level=debug msg="Ransom data has been updated." func=github.com/Chista-Framework/Chista/controller.GetRansomProfileData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:212"
time="2024-01-12T16:12:09+03:00" level=info msg="Ransom data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.GetRansomwatchData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/activities.go:158"
time="2024-01-12T16:12:10+03:00" level=info msg="Apt profiles data is up to date. No need to write to the file." func=github.com/Chista-Framework/Chista/controller.getAPTData file="C:/Users/ResulBozburun/Desktop/Personal/Go/chista/controller/threat_profile.go:364"
3. Build & Run the CLI application - For Windows:
cd chista-cli
go build -o chista-cli.exe
cd chista-cli
go build -o chista-cli
After running the CLI application, you'll see the following output.
_ _ _
__ | |_ (_) ___| |_ __ _
/ _|| ' \ | |(_-<| _|/ _` |
\__||_||_||_|/__/ \__|\__,_|
-----------------------------
Chista is a command-line tool that helps you perform various cyber threat intelligence tasks. You can use Chista to search for information about malicious activities, indicators of compromise, data leaks, phishing campaigns, and threat sources.
Chista also provides you with a blacklist of malicious domains and IP addresses that you can use to protect your network. With Chista, you can easily access and analyze data from various sources, such as VirusTotal, Shodan, Have I Been Pwned, and more.
To get started, simply run Chista with one of the subcommands: activities, blacklist, ioc, leak, phishing, or source. You can also use the -h or --help flag to get more information about each subcommand and its options.
Usage:
Chista [command]
Available Commands:
activities Lists latest activities
blacklist Shows the blacklist sources.
completion Generate the autocompletion script for the specified shell
help Help about any command
impersonate Lists impersonating domains
ioc Lists IOC data
leak Lists leak infos
phishing Lists phishing domains
source Lists data related to parameters.
threatProfile Lists latest threat profile
Flags:
-h, --help help for Chista
-t, --toggle Help message for toggle
Use "Chista [command] --help" for more information about a command.
You can download the API Server & CLI binaries according to your OS from releases then just execute. - For Windows:
./chista.exe
./chista-cli.exe
./chista
./chista-cli
Chista provides data feed to users via API. In order to use Chista on the API, the following command is executed in the main directory and the Web Socket is started on localhost.
go run main.go
The following message indicates that the Chista API is up and running
[GIN-debug] Listening and serving HTTP on localhost:7777
After this stage, data feed can be provided via API by sending a request to the relevant endpoint
| Endpoint | Method | Query Params | Description |
|---|---|---|---|
| /api/v1/ioc_feed | GET | attacker, verbosity | List all of the IOC data related with used query params. |
| /api/v1/leak | GET | email, verbosity | List all of the leak info related with used query params |
| /api/v1/phishing | GET | domain, verbosity | List all of the latest phishing domains that related with the supplied query param. |
| /api/v1/impersonate | GET | domain, verbosity | List all of the impersonating domains that related with the supplied query param. |
| /api/v1/activities | GET | ransom, list, verbosity | List all of the latest activites of attacker related with the supplied query param. |
| /api/v1/source | GET | ransom, apt, forum, market, telegram, exploit, discord, verbosity | List all of the data related with the supplied query param. |
| /api/v1/blacklist | GET | asset, verbosity | Shows the blacklist sources that the supplied asset marked as “malicious”. |
| /api/v1/threat_profile | GET | apt, ransom, list, verbosity | Brings together details of cybercrime groups, allowing users to get detailed information about threat groups |
Read the Documentation for more details
Chista can be run on the CLI according to user needs. In order to us
$ claude mcp add Chista \
-- python -m otcore.mcp_server <graph>