Command-Line Interface

BitNinja has a command-line interface to alter or query your black/whitelist and manage the greylist. You can use this tool to integrate your software with BitNinja.

Installation

Once BitNinja is installed, the bitninjacli command is available and ready to use.

Usage

bitninjacli --help

Usage: bitninjacli Command

Commands:

[--whitelist|--blacklist|--greylist] [--add|--del|--check]=ip[--comment="Your comment about why is the IP black or whitelisted"]
    You can manipulate the user specific white/black/greylist
    with the corresponding command. You can add/delete/check a
    given IP address.

    Comments can be added to white and blacklist. The default comment is: Operation made by cli.
    example:
    # bitninjacli --whitelist --add=1.2.3.4 --comment="I trust this IP"

[--module=WAFManager] [--enabled|--disabled]
    Enable or disable the waf module locally.

[--module=PortHoneypot] [--enabled|--disabled]
    Enable or disable the PortHoneypot module locally.

[--reloadiptables]
    You can reload Bitninja specific iptables rules with it.

[--remove-rules]
    Remove every BitNinja related iptables rules and ipsets. Use only when Agent exited abnormally.

[--webhoneypot] [--file=/path/ot/file]
    You can make a specific file to a honeypot.

[--module=MalwareDetection] [--enabled|--disabled]
    You can start or stop MalwareDetection manually, if Bitninja is running.

[--module=MalwareDetection] [--scan=/path/to/dir/]
    You can manually start MalwareDetection scan on a specific directory.

[--module=OutboundWAF] [--enabled|--disabled]
    You can start or stop OutboundWAF manually, if Bitninja is running.

[--module=SslTerminating] [--enabled|--disabled]
    You can start or stop SslTerminating manually, if Bitninja is running.


[--module=SslTerminating] [--reload]
    You can reload SslTerminating haproxy.cfg,  if Bitninja is running.


[--module=SslTerminating] [--regenerate]
    You can regenerate SslTerminating haproxy.cfg, if Bitninja is running.

[--licenseinfo]
    Queries the current license information. It can be free, trial, ok (means pro license), no_payment

[--restore=/path/to/file]
    Restores file from quarantine.

[--add-file-to-signature-set=/path/to/malware][--comment="Your comment about why is the file a malware"]
    Add a file to your local Malware Detection's md5 signature set.
    Comment will be part of the malware's name. E.g.: {MD5}User added <your_comment_goes_here>.
    Default comment is the path to the file added to the signature set.

USE THIS WITH CAUTION!
[--waf-honeypotify-uri=/path/to/malware]
    Add a web uri to a local Virtual honeypot uri list. This list file will be created at /opt/bitninja-waf/etc/UserRules/user_malware_uris.data
    Example use case: You found a web shell under public_html/uploads/images/Shell.php
    With adding images/Shell.php to this list, every POST request will be caught by waf, if enabled.
    # bitninjacli --waf-honeypotify-uri=images/Shell.php
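
For integrating your own software with the list commands above, the following wrapper is an added example, not part of BitNinja or of the original page. It validates the address and passes the comment as a single argument with no shell involved. The function names are hypothetical, bitninjacli is assumed to be on PATH, and the page does not say whether the CLI accepts IPv6, which this parser also lets through.

```python
import ipaddress
import subprocess

BITNINJACLI = "bitninjacli"  # assumption: on PATH once the agent is installed
LISTS = ("whitelist", "blacklist", "greylist")
ACTIONS = ("add", "del", "check")


def build_list_command(list_name, action, ip, comment=None):
    """Build the argv for one list operation; raise ValueError on bad input."""
    if list_name not in LISTS:
        raise ValueError(f"unknown list: {list_name!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    # Parse and re-serialise so only a canonical address reaches the CLI.
    # ip_address() rejects ranges, hostnames and trailing shell syntax.
    addr = ipaddress.ip_address(ip.strip())
    argv = [BITNINJACLI, f"--{list_name}", f"--{action}={addr}"]
    if comment is not None:
        if list_name == "greylist":
            raise ValueError("comments apply to the white and blacklist only")
        if any(ord(ch) < 32 or ord(ch) == 127 for ch in comment):
            raise ValueError("control characters are not allowed in a comment")
        argv.append(f"--comment={comment}")
    return argv


def run_list_command(list_name, action, ip, comment=None, timeout=30):
    """Run the operation and return the CompletedProcess uninterpreted.

    The page does not document output text or exit codes, so this wrapper
    does not guess at them; callers inspect .returncode and .stdout.
    """
    argv = build_list_command(list_name, action, ip, comment)
    # An argv list with no shell: quotes or $() in a comment stay literal.
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)


if __name__ == "__main__":
    # Constructed inputs; only the command lines are printed, nothing is run.
    for args in [("whitelist", "add", "1.2.3.4", "I trust this IP"),
                 ("blacklist", "check", " 1.2.3.4 ", None)]:
        print(build_list_command(*args))
```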

Module Options

BitNinja CLI offers control over its modules with:

--module=ModuleName

Every module can receive the following commands:

--stop/--start/--restart

These commands stop, start or restart the processes of the given BitNinja module. This is useful, for example, when the AntiFlood module bans the IP address you are attacking from and puts it on the local blacklist while you are testing the agent. In that case, you can use the following command to continue testing:

bitninjacli --module=AntiFlood --stop

Almost every module can receive the following commands:

--enabled/--disabled/--reload

‘Enabled’ will activate the module and it will start detection. ‘Disabled’ will stop the detection, but the module process itself will still run. With ‘reload’ you can reload the module configuration without the need of restarting the Agent.

Unfortunately, not every module is compatible with these command options. See the module pages for the options each module supports.