Integration with 3rd party tools

All the 3rd party modules are configured in config/modules.json and the sample file is config/modules.json.sample.

This document will explain the different capabilities of the modules and how to configure them.

SaneJS

This module will search the hash (sha512) of every content received for a capture, and give contextual information in the investigation popup.

SaneJS uses CDNJS as a datasource. If the hash matches, you will see the library name, version and exact file matching in CDNJS.

The module is enabled by default, as SaneJS is publicly available, but you can change that by setting the enabled to false in config/modules.json, section SaneJS.

allow_auto_trigger is currently not used.

uWhoisd

This module will do a whois lookup for the domains (including CNAMEs) and IPs listed in the investigation pop-up.

uWhoisd queries the whois servers using the command line whois command.

The module is not enabled by default. In order to use it, you need to run your own instance of uWhoisd and configure the ipaddress and port accordingly in config/modules.json, and set enabled to true in section UniversalWhois.

allow_auto_trigger will automatically trigger a whois lookup for each domains, CNAMEs, and IPs for all the redirected nodes up to the one containing the rendered page.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

Virus Total

VirusTotal is well known for having a huge database of malicious binaries, but it can also analyze URLs, and will give you information about them.

By default the module will only submit the URL for analysis to Virus Total is you set autosubmit to true in config/modules.json, section VirusTotal.

The only URLs passed to the module are the ones up to the rendered page, the content loaded after we reach this page aren’t queried to limit the number of request.

The module is not enabled by default because you need to create an account, and use an API key.

Important: the query limit for a standard API key is 4/minute so you will hit it very fast if you do not have a paid plan with them.

allow_auto_trigger will automatically trigger a query (and submit if enabled) for each URLs in the redirected nodes up to the one containing the rendered page.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

MISP

Connecting Lookyloo to MISP - Open Source Threat Intelligence Platform will make it possible to share captures within your sharing community.

To use this module, you need to have access to a MISP instance and set at least an url and an apikey in config/modules.json, section MISP. You may also want to set verify_tls_cert to false if you’re using a self-signed certificate, and modify the timeout if the MISP instance is very slow.

allow_auto_trigger is currently not used.

Important: the MISP publish and lookup features are only available for authenticated users.

The recommended way to use it is to create a dedicated user on your MISP instance, with access to an API key. If you want to allow your Lookyloo users to set tags to the captures before they submit it, you need to:

  1. Create the tags on MISP side

  2. Mark them as favorite for the dedicated user

Note: If you want to publish the events on creation, the dedicated user must have the publisher rights.

Push to a MISP instance

The module is disabled by default. In order to enable it, you need to set enable_push to true in config/modules.json, section MISP.

You can also add a list of default tags that will be attached to every event created by Lookyloo in default_tags, and automatically publish the MISP events by setting auto_publish to true (in that case, the user must have the publisher permission in MISP).

If everything is working as it should, you will see a link in the top menu of the tree page. Otherwise, look at the Lookyloo logs, it is probably because your MISP instance is unreachable.

Lookup on a MISP instance

The module is disabled by default. In order to enable it, you need to set enable_lookup to true in config/modules.json, section MISP.

If everything is working as it should, you will see a link in the top menu of the tree page. Otherwise, look at the Lookyloo logs, it is probably because your MISP instance is unreachable.

Phishing initiative

Phishing Initiative is a database of known phishing websites.

By default the module will only submit the URL for analysis to Phishing Initiative if you set autosubmit to true in config/modules.json, section PhishingInitiative.

The only URLs passed to the module are the ones up to the rendered page, the content loaded after we reach this page aren’t queried to limit the number of request.

The module is not enabled by default because you need to create an account, and use an API key.

allow_auto_trigger will automatically trigger a query (and submit if enabled) for each URLs in the redirected nodes up to the one containing the rendered page.

Note: allow_auto_trigger is ignored if auto_trigger_modules in config/generic.json is false.

IntelMQ

IntelMQ is an Open-Source OSINT processing tool.

Starting with IntelMQ 3.0, the LookyLoo expert bot enqueues a screenshotting task at the configured LookyLoo instance and saves the (public) LookyLoo link in the event data.