
Analyzers

To-om edited this page Jan 30, 2017 · 17 revisions

Cortex analyzers

Analyzers are included in the Cortex binary package, but they live in a dedicated GitHub repository, Cortex-Analyzers. Currently, analyzers are autonomous applications hosted on the Cortex server.

Pre-requisites

The provided analyzers are written in Python. They don't require any build phase, but their dependencies must be installed. First install the system package dependencies:

apt-get install python-pip python2.7-dev ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl

Each analyzer comes with its own requirements.txt file (pip compatible). You can install all requirements with the following commands:

cd analyzers
sudo pip install $(cat */requirements.txt | sort -u)

From repository

If you want to get up-to-date analyzers, you can clone the GitHub repository:

git clone https://github.com/CERT-BDF/Cortex-Analyzers

Don't forget to configure the analyzers directory in the Cortex configuration:

analyzer {
  path = "path/to/analyzers"
}

Configuration

Analyzer configuration is stored in the Cortex configuration file (application.conf), in the analyzer.config section. There is one subsection for each analyzer group. The configuration provided to an analyzer is the merge of:

  • the global configuration: all items in the analyzer.config.global section. These settings apply to all analyzers. This is particularly useful for proxy settings (cf. the example below).
  • the analyzer group configuration. Some analyzers share configuration items, for example the VirusTotal API key used by all VirusTotal analyzers. The group name can be found in the JSON description file in the analyzer folder, under the baseConfig key.
  • the analyzer configuration defined in the JSON description file, under the config key.

Here is the complete configuration you should provide to make all analyzers work:

analyzer {
  path = "path/to/analyzers"
  config {
    global {
      proxy {
        http="http://127.0.0.1:3128",
        https="http://127.0.0.1:3128"
      }
    }
    DNSDB {
      server="https://api.dnsdb.info"
      key="..."
    }
    DomainTools {
      username="..."
      key="..."
    }
    VirusTotal {
      key="..."
    }
    Hippocampe {
      url="..."
    }
    OTXQuery {
      key="..."
    }
    PhishTank {
      key="..."
    }
    PhishingInitiative {
      key="..."
    }
  }
}
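As an added example (not code from the Cortex project), the following Python mirrors the three-layer merge described above, using a constructed analyzer.config section shaped like the one just shown and a constructed JSON description file. It assumes the HOCON file has already been parsed into a dict, and it assumes a precedence (analyzer config over group config over global), which the wiki does not state; it also adds a check that no API key was left as the "..." placeholder.

```python
import copy
import json

# Constructed sample: the analyzer.config section of application.conf,
# already parsed into a dict (HOCON parsing is out of scope here).
CORTEX_ANALYZER_CONFIG = {
    "global": {
        "proxy": {"http": "http://127.0.0.1:3128", "https": "http://127.0.0.1:3128"}
    },
    "VirusTotal": {"key": "vt-api-key-placeholder"},
    "DNSDB": {"server": "https://api.dnsdb.info", "key": "..."},
}

# Constructed sample: a JSON description file of one analyzer. Only the
# baseConfig and config keys are used; name and service are assumptions.
VT_DESCRIPTION_JSON = json.dumps({
    "name": "VirusTotal_GetReport",
    "baseConfig": "VirusTotal",
    "config": {"service": "get"},
})


def build_analyzer_config(analyzer_config, description_json):
    """Merge global, group (baseConfig) and analyzer-specific settings.

    Precedence is an assumption (the wiki only says "merge"): analyzer config
    overrides the group section, which overrides global. The merge is shallow,
    so a group-level "proxy" block would replace the global one entirely.
    """
    description = json.loads(description_json)
    merged = copy.deepcopy(analyzer_config.get("global", {}))
    group = description.get("baseConfig")
    if group and group != "global":
        merged.update(copy.deepcopy(analyzer_config.get(group, {})))
    merged.update(copy.deepcopy(description.get("config", {})))
    return merged


def unset_settings(merged, required):
    """Return required keys that are missing or still hold the "..." value
    the example configuration uses as a fill-me-in placeholder."""
    return sorted(k for k in required if merged.get(k) in (None, "..."))
```

Running unset_settings on each analyzer's merged config before enabling it catches a placeholder key that would otherwise only fail at the first job.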

Documentation has been moved here
