Merge pull request #923 from p-l-/add-analyzer-ivre

analyzers/IVRE/IVRE.json

@@ -0,0 +1,86 @@
+{
+  "name": "IVRE",
+  "version": 1.0,
+  "author": "Pierre Lalet",
+  "license": "AGPL-V3",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "service_homepage": "https://ivre.rocks/",
+  "description": "Fetch details from an IVRE instance.",
+  "dataTypeList": [
+    "autonomous-system",
+    "certificate_hash",
+    "domain",
+    "fqdn",
+    "ip",
+    "network",
+    "port",
+    "user-agent"
+  ],
+  "command": "IVRE/ivre_analyzer.py",
+  "baseConfig": "IVRE",
+  "configurationItems": [
+    {
+      "name": "use_data",
+      "description": "Use data from the data purpose (MaxMind)",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": true
+    },
+    {
+      "name": "use_passive",
+      "description": "Use data from the passive purpose",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": true
+    },
+    {
+      "name": "use_scans",
+      "description": "Use data from the scans (nmap) purpose",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": true
+    },
+    {
+      "name": "db_url",
+      "description": "The URL of the IVRE database (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "db_url_data",
+      "description": "The URL of the IVRE database for the data purpose (e.g., maxmind:///usr/share/ivre/geoip or http://host/cgi); defaults to using IVRE's configuration",
+      "type": "string",
+      "multi": false,
+	"required": false
+    },
+    {
+      "name": "db_url_passive",
+      "description": "The URL of the IVRE database for the passive purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "db_url_scans",
+      "description": "The URL of the IVRE database for the scans (nmap) purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration",
+      "type": "string",
+      "multi": false,
+      "required": false
+    }
+  ],
+  "config": {
+    "check_tlp": false,
+    "max_tlp": 3,
+    "check_pap": false,
+    "max_pap": 3,
+    "auto_extract": false
+  },
+  "service_logo": {
+    "path": "assets/ivre_logo.png",
+    "caption": "Logo"
+  }
+}

analyzers/IVRE/README.md

@@ -0,0 +1,31 @@
+### IVRE
+
+Get intelligence from an [IVRE](https://ivre.rocks/) instance.
+
+#### Requirements
+
+You need an access to an IVRE instance. Unlike most analyzers, IVRE
+does not exist as a public service but is an open-source tool: you
+need to install and run your own instance. The repository is [on
+GitHub](https://github.com/cea-sec/ivre).
+
+To learn more about IVRE (and its "purposes"), you can read the
+documentation, particularly about [the
+principles](https://doc.ivre.rocks/en/latest/overview/principles.html),
+and some [use
+cases](https://doc.ivre.rocks/en/latest/usage/use-cases.html).
+
+Supply the following parameters to the analyzer in order to use it:
+
+- `db_url` (string): the IVRE instance database URL (format: same as IVRE's
+  configuration; default: use IVRE's configuration)
+- `db_url_data` (string): the IVRE instance database URL for the data purpose
+  (idem)
+- `db_url_passive` (string): the IVRE instance database URL for the passive purpose
+  (idem)
+- `db_url_scans` (string): the IVRE instance database URL for the scans purpose
+  (idem)
+- `use_data` (boolean): should the analyzer use the data purpose?
+- `use_passive` (boolean): should the analyzer use the passive purpose?
+- `use_scans` (boolean): should the analyzer use the scans purpose?
+