Analyzers
Analyzers are autonomous applications managed and run by the Cortex core engine.
Analyzers live in a dedicated GitHub repository: Cortex-Analyzers
Analyzers are included in the Cortex binary package, but you have to fetch them from this repository if you build Cortex from sources.
The provided analyzers are written in Python. They don't require any build phase, but their dependencies have to be installed.
First install system package dependencies, required by some of them:
apt-get install python-pip python2.7-dev ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl
Each analyzer comes with its own requirements.txt file (pip compatible). You can install all requirements with the following commands:
cd analyzers
sudo pip install $(cat */requirements.txt | sort -u)
If you want to get up-to-date analyzers, you can clone the GitHub repository:
git clone https://github.com/CERT-BDF/Cortex-Analyzers
Don't forget to configure the analyzers directory in the Cortex configuration:
analyzer {
    path = "path/to/analyzers"
}
Analyzer configuration is stored in the Cortex configuration file (application.conf), in the analyzer.config section. There is one subsection for each analyzer group. The configuration provided to an analyzer is the merge of:
- the global configuration: all items in the analyzer.config.global section. These settings are applied to all analyzers. It is particularly useful for proxy settings (cf. example below)
- the analyzer group configuration. Some analyzers share configuration items, for example the VirusTotal API key for all VirusTotal analyzers. The group name can be found in the JSON description file in the analyzer folder, under the baseConfig key.
- the analyzer configuration defined in the JSON description file, under the config key.
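The three-layer merge described above, as an added example that is not part of the Cortex code base. It assumes that later layers override earlier ones (global, then group, then analyzer-specific), which the page does not state explicitly; the configuration dicts and the analyzer description files are constructed stand-ins for a parsed application.conf and for the JSON files in the analyzer folders. It also includes a check for API keys left at the "..." placeholder, since a missing key is the most common reason an analyzer fails after deployment.

```python
"""Effective analyzer configuration: merge of global, group and analyzer layers.

Added example, not Cortex's own code. Precedence (global < group < analyzer)
is an assumption; the page only says the three layers are merged.
"""
import copy
import json

# Constructed stand-in for the parsed analyzer.config section of application.conf.
# "..." mirrors the placeholders the page uses for secrets that must be filled in.
ANALYZER_CONFIG = {
    "global": {"proxy": {"http": "http://PROXY_ADDRESS:PORT",
                         "https": "http://PROXY_ADDRESS:PORT"}},
    "VirusTotal": {"key": "VT_KEY_PLACEHOLDER", "polling_interval": 10},
    "DNSDB": {"server": "https://api.dnsdb.info", "key": "..."},
}

# Constructed analyzer description files (only the fields the page names).
VT_DESCRIPTION = json.loads('{"name": "VirusTotal_GetReport", "baseConfig": "VirusTotal",'
                            ' "config": {"service": "get", "polling_interval": 60}}')
DNSDB_DESCRIPTION = json.loads('{"name": "DNSDB_DomainName", "baseConfig": "DNSDB",'
                               ' "config": {"service": "domain_name"}}')


def deep_merge(base, override):
    """Return a new dict where override's keys win; nested dicts are merged recursively."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def effective_config(analyzer_config, description):
    """Merge global -> group (baseConfig) -> analyzer-specific config (assumed order)."""
    layers = [
        analyzer_config.get("global", {}),
        analyzer_config.get(description.get("baseConfig", ""), {}),
        description.get("config", {}),
    ]
    result = {}
    for layer in layers:
        result = deep_merge(result, layer)
    return result


def missing_secrets(config, required=("key",)):
    """Names of required items that are absent or still set to the '...' placeholder."""
    return [name for name in required if config.get(name) in (None, "...")]
```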
Here is the complete configuration you should provide to make all analyzers work:
analyzer {
    path = "path/to/Cortex-Analyzers/analyzers"
    config {
        global {
            proxy {
                http="http://PROXY_ADDRESS:PORT",
                https="http://PROXY_ADDRESS:PORT"
            }
        }
        DNSDB {
            server="https://api.dnsdb.info"
            key="..."
        }
        DomainTools {
            username="..."
            key="..."
        }
        VirusTotal {
            key="..."
        }
        Hippocampe {
            url="..."
        }
        OTXQuery {
            key="..."
        }
        PhishTank {
            key="..."
        }
        PhishingInitiative {
            key="..."
        }
    }
}