Integration with 3rd party tools

All the 3rd party modules are configured in config/modules.json and the sample file is config/modules.json.sample.

This document will explain the different capabilities of the modules and how to configure them.

SaneJS

This module will search the hash (sha512) of every content received for a capture, and give contextual information in the investigation popup.

SaneJS uses CDNJS as a datasource. If the hash matches, you will see the library name, version and exact file matching in CDNJS.

The module is enabled by default, as SaneJS is publicly available, but you can change that by setting the enabled to false in config/modules.json, section SaneJS.

allow_auto_trigger is currently not used.

uWhoisd

This module will do a whois lookup for the domains (including CNAMEs) and IPs listed in the investigation pop-up.

uWhoisd queries the whois servers using the command line whois command.

The module is not enabled by default. In order to use it, you need to run your own instance of uWhoisd and configure the ipaddress and port accordingly in config/modules.json, and set enabled to true in section UniversalWhois.

allow_auto_trigger will automatically trigger a whois lookup for each domains, CNAMEs, and IPs for all the redirected nodes up to the one containing the rendered page.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

Phishtank Lookup (v1.9+)

Phishtank is a service that analizes and validates phishing webistes, they also provide an hourly dump of the currently active phishing URLs they’re aware of. In order to avoid too many queries on the public API, we developped a simple standalone system called Phishtank Lookup that loads the hourly dump and makes it accessible via its API.

The only URLs passed to the module are the ones up to the rendered page. Soon, we will add a lookup for the IP address and URLs of all the entries on the tree.

The module is not enabled by default. In order to use it, you can either use the public instance, or install your own instance of Phishtank Lookup.

To enable it, set enabled to true in section Phishtank. If you install your own instance, you need to set the url key to the appropriate value (e.g. http://127.0.0.1:5300). If you use the public instance, you can leave it to null and it will default back to it.

allow_auto_trigger to true (default if the module is enabled) will automatically trigger a lookup.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

Virus Total

VirusTotal is well known for having a huge database of malicious binaries, but it can also analyze URLs, and will give you information about them.

By default the module will only submit the URL for analysis to Virus Total is you set autosubmit to true in config/modules.json, section VirusTotal.

The only URLs passed to the module are the ones up to the rendered page, the content loaded after we reach this page aren’t queried to limit the number of request.

The module is not enabled by default because you need to create an account, and use an API key.

Important: the query limit for a standard API key is 4/minute so you will hit it very fast if you do not have a paid plan with them.

allow_auto_trigger will automatically trigger a query (and submit if enabled) for each URLs in the redirected nodes up to the one containing the rendered page.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

urlscan.io (v1.8+)

urlscan.io is a service to scan and analyze websites. It is quite similar to Lookyloo that way, but is aimed at identifying malicious activities, and has a very different approach to represent a capture.

The similarity and differences make it a great complement to Lookyloo.

By default the module will only submit the initial URL (with referer and user-agent) for analysis to urlscan.io is you set autosubmit to true in config/modules.json, section UrlScan.

The module is not enabled by default because you need to create an account, and use an API key (you need to create an account).

There are a few options to configure the visibility of the captures you’re making on urlscan.io, and you can configure it with the force_visibility key:

  • false (default): unlisted on urlscan.io side for hidden captures on Lookyloo, public for the others

  • "key": default visibility as configured on urlscan.io for the API key you’re using

  • "public", "unlisted" or "private": all the captures will use the same visibility

Important: The API key is rate limited and you should keep an eye on the quotas, especially since they vary depending on the visibility you’re using.

allow_auto_trigger will automatically submit the URL (if autosubmit is enabled) for each URLs. Be careful with the quotas of the key you’re using with this feature.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

MISP

Connecting Lookyloo to MISP - Open Source Threat Intelligence Platform will make it possible to share captures within your sharing community.

To use this module, you need to have access to a MISP instance and set at least an url and an apikey in config/modules.json, section MISP. You may also want to set verify_tls_cert to false if you’re using a self-signed certificate, and modify the timeout if the MISP instance is very slow.

allow_auto_trigger is currently not used.

Important: the MISP publish and lookup features are only available for authenticated users.

The recommended way to use it is to create a dedicated user on your MISP instance, with access to an API key. If you want to allow your Lookyloo users to set tags to the captures before they submit it, you need to:

  1. Create the tags on MISP side

  2. Mark them as favorite for the dedicated user

Note: If you want to publish the events on creation, the dedicated user must have the publisher rights.

Push to a MISP instance

The module is disabled by default. In order to enable it, you need to set enable_push to true in config/modules.json, section MISP.

You can also add a list of default tags that will be attached to every event created by Lookyloo in default_tags, and automatically publish the MISP events by setting auto_publish to true (in that case, the user must have the publisher permission in MISP).

If everything is working as it should, you will see a link in the top menu of the tree page. Otherwise, look at the Lookyloo logs, it is probably because your MISP instance is unreachable.

Lookup on a MISP instance

The module is disabled by default. In order to enable it, you need to set enable_lookup to true in config/modules.json, section MISP.

If everything is working as it should, you will see a link in the top menu of the tree page. Otherwise, look at the Lookyloo logs, it is probably because your MISP instance is unreachable.

Phishing initiative

Phishing Initiative is a database of known phishing websites.

By default the module will only submit the URL for analysis to Phishing Initiative if you set autosubmit to true in config/modules.json, section PhishingInitiative.

The only URLs passed to the module are the ones up to the rendered page, the content loaded after we reach this page aren’t queried to limit the number of request.

The module is not enabled by default because you need to create an account, and use an API key.

allow_auto_trigger will automatically trigger a query (and submit if enabled) for each URLs in the redirected nodes up to the one containing the rendered page.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

IntelMQ

IntelMQ is an Open-Source OSINT processing tool.

Starting with IntelMQ 3.0, the LookyLoo expert bot enqueues a screenshotting task at the configured LookyLoo instance and saves the (public) LookyLoo link in the event data.