This section describes all supported structs in depth. Please refer to this section if in doubt about the correct usage of fields to ensure interoperability between modules.
- The domain name, like
A subdomain of a domain. The depth is arbitrary, so
foo.bar.example.co.uk are both valid subdomains
- The subdomain, like
- The numeric id of a domain struct.
- Whether the subdomain can be resolved to a A/AAAA record. nil if unknown.
An ip address. Note that most of these fields are geoip related and an approximation instead of an actual location.
- The ip address.
- The address family of the ip address, either
- The continent associated with this ip address.
- The continent code of the
- The country associated with this ip address.
- The country code of the
- The city associated with this ip address.
- Latitude associated with this ip address.
- Longitude associated with this ip address.
- The number of the autonomous system this ip belongs to.
- The organization of the autonomous system this ip belongs to.
- This field is sn0int internal if we have additional information about this ip address, for example technical identifiers from aws.
- The reverse dns name setup for this ip address.
- The numeric id of a subdomain struct.
- The url, including a schema, hostname and path.
- The http status code, like
- The raw response body. This can be any mime type.
- Whether or not the url gives a http response (even if it’s an error).
- The parsed
<title>of the page, if available.
- If the server replied with a redirect, this is the url it redirected to.
- The email address.
- The display name of a given email address:
this is the name <firstname.lastname@example.org>.
- Whether that email address is valid or has been disabled.
- The phone number in E.164 format (+491234567)
- An alias we can assign to this phone number. This alias is sn0int internal.
- Whether the number is assigned to a customer.
- The last time this number has been online.
- The country this number is associated with.
- The name of the carrier this numer is registered with.
- The type of the phone number, can be
- Whether this number has been ported to a different carrier.
- The last time this number has been ported.
- The name of the owner of the phone number.
- The type of caller, eg
- The devices mac address or another identifier if needed.
- An alias we can assign to this device. This alias is sn0int internal.
- The hostname configured on the device.
- The hardware vendor of the device. This is usually derived from the mac address.
- The last time we’ve observed the device somewhere.
A wired or wireless network at a specific location that a device could be connected to.
- The network name. This can be an ssid or any other identifier but should be unique.
- Latitude of the networks location.
- Longitude of the networks location.
- A human readable description in case the value is a technical identifier.
A users account or profile on a webservice, like github or instagram.
- The identifier of the service/website. It’s recommended to use the websites domain for this as defined in Domains.
- The users unique identifier, like the login name. If the login name is not known or the system doesn’t use login names, use the email address instead.
- The users display name. This name is often not unique and may contain the users real name.
- The email address associated with the account.
- The url of the public profile if available.
- The last time this account has been active/online.
- The users birthday set on the account.
- The phonenumber associated with the account.
- The blob identifier of the users current profile picture.
Either a breach of a specific website, a breach compilation or a breach notification service.
- The name of the breach, breach compilation or notification service.
- The id that identifies the blob. This id is deterministic based on file content.
- This field is used if we have a well known filename for the content.
- The image mimetype, like
- The width of the image.
- The height of the image.
- The date and time this image has been taken.
- Latitude this picture has been taken.
- Longitude this picture has been taken.
- A score that classifies nudity in this picture. The score goes from 0 to 2
and is commonly calculated with
img_nudity. A score above 1 means nudity has been detected.
- The Mean (aHash) perceptual hash.
- The Gradient (dHash) perceptual hash.
- The DCT (pHash) perceptual hash.
The status of a port on an ip address.
- The numeric id of an ipaddr struct.
- The actual ipaddr.
- The port number.
- The status of the port, either
- The service banner we discovered on this port.
- The service that is running on this port.
- The version of the service running on this port.
A netblock is a network address range that has been allocated to an individual, organization or company. Those are commonly found when running whois lookups on an ip address.
Consider the following example: Running a whois lookup on
of the addresses currently in use by github) returns that this address belongs
to the netrange
188.8.131.52 - 184.108.40.206, so the netblock in this case
- This is either
6and populated automatically.
- This is the network range in CIDR notation.
- The number of the autonomous system this network belongs to.
- The organization of the autonomous system this network belongs to.
- This field isn’t strictly defined and meant to be used as a human meaningful name if available.
A cryptoaddr is any cryptocurrency address and not tied to a specific currency.
- The address string. This looks like
- The identifier for a specific currency. This is usually the ticker symbols,
- Balance is tracked internally using 64 bit integers (signed, for technical reasons). Balance is supposed to be the lowest unit, so in case of bitcoin you’d write
100,000,000satoshi instead of
1bitcoin. Since this value is inconvinient to work with we’re using the denominator to display values. In case of bitcoin you’d set it to
- The current balance of the address, in the lowest possible unit. In case of bitcoin this would be satoshis.
- The total amount of currency received by this address.
- The first time currency was sent to this address.
- The last time a transaction signed by this address was observed.
- A human readable note for this address.
Relations are linking two structs together. The link may contain additional information.
Links an ip address to a subdomain.
- The numeric id of a subdomain struct.
- The numeric id of an ip addr struct.
Links a device to a network. This is commonly used with
db_add_ttl so the
link automatically expires. This is frequently used to monitor networks for
known and unknown devices.
- The numeric id of a network struct.
- The numeric id of a device struct.
- The ip address assigned to the device.
- The last time we’ve seen the device on that network.
Links an email to a breach. If we know the password as well we can add it to the link. If we don’t know the password we can leave it blank and fill it later. An email can be linked to a breach multiple times with different passwords. There is a special upserting logic in place to support this.
- The numeric id of a breach struct.
- The numeric id of an email struct.
- The password for that email in the breach.