Integration with 3rd party tools
All the 3rd party modules are configured in config/modules.json
and the sample file is config/modules.json.sample
.
This document will explain the different capabilities of the modules and how to configure them.
SaneJS
This module will search the hash (sha512) of every content received for a capture, and give contextual information in the investigation popup.
SaneJS uses CDNJS as a datasource. If the hash matches, you will see the library name, version and exact file matching in CDNJS.
The module is enabled by default, as SaneJS is publicly available, but you can change that by
setting the enabled
to false
in config/modules.json
, section SaneJS
.
allow_auto_trigger
is currently not used.
uWhoisd
This module will do a whois lookup for the domains (including CNAMEs) and IPs listed in the investigation pop-up.
uWhoisd queries the whois servers using the command line whois command.
The module is not enabled by default. In order to use it, you need to run your own instance
of uWhoisd and configure the ipaddress
and port
accordingly in config/modules.json
, and set enabled
to true
in section UniversalWhois
.
allow_auto_trigger
will automatically trigger a whois lookup for each domains, CNAMEs, and IPs
for all the redirected nodes up to the one containing the rendered page.
Note: allow_auto_trigger
is ignored if auto_trigger_modules
in config/generic.json
is false
.
Pandora (v1.15+)
This module allows to submit a downloaded file to a Pandora instance.
The module is not enabled by default but if you have a pandora instance available, you simply need to se the url
key to the appropriate value (ex.: https://my.pandora.instance
).
RiskIQ (v1.14+)
This module triggers a request against the Passive DNS endpoint of RiskIQ for the domain of the final URL (after all the redirects).
The module is not enabled by default because you need to create an account, and use an API key.
Important: the query limit for a standard API key is very low, so you will hit it very fast if you do not have a paid plan with them.
Note: allow_auto_trigger
is ignored if auto_trigger_modules
in config/generic.json
is false
.
Hashlookup (v1.10+)
This module generates the hash (SHA1) of all the ressources of a capture and search them on Hashlookup. Hashlookup is a public API to lookup hash values against known database of files (the list of sources is on the website).
The module isn’t enabled by default. If you want to enable it, you need to set
enabled
to true
in config/modules.json
, section Hashlookup
, and you will use the
public instance.
allow_auto_trigger
will automatically trigger a lookup for all the ressources
immediately after the capture is done. If you turn it to false
, the lookup will be triggered
when you click on Hashlookup hits
in the menu of the capture page.
Note: The link to view the hits will only be visible to authenticated users.
Note: allow_auto_trigger
is ignored if auto_trigger_modules
in config/generic.json
is false
.
Phishtank Lookup (v1.9+)
Phishtank is a service that analizes and validates phishing webistes, they also provide an hourly dump of the currently active phishing URLs they’re aware of. In order to avoid too many queries on the public API, we developped a simple standalone system called Phishtank Lookup that loads the hourly dump and makes it accessible via its API.
The only URLs passed to the module are the ones up to the rendered page. Soon, we will add a lookup for the IP address and URLs of all the entries on the tree.
The module is not enabled by default. In order to use it, you can either use the public instance, or install your own instance of Phishtank Lookup.
To enable it, set enabled
to true
in section Phishtank
.
If you install your own instance, you need to set the url
key to the appropriate value (e.g. http://127.0.0.1:5300
).
If you use the public instance, you can leave it to null
and it will default back to it.
allow_auto_trigger
to true
(default if the module is enabled) will automatically trigger a lookup.
Note: allow_auto_trigger
is ignored if auto_trigger_modules
in config/generic.json
is false
.
Virus Total
VirusTotal is well known for having a huge database of malicious binaries, but it can also analyze URLs, and will give you information about them.
By default the module will only submit the URL for analysis to Virus Total is you set
autosubmit
to true
in config/modules.json
, section VirusTotal
.
The only URLs passed to the module are the ones up to the rendered page, the content loaded after we reach this page aren’t queried to limit the number of request.
The module is not enabled by default because you need to create an account, and use an API key.
Important: the query limit for a standard API key is 4/minute so you will hit it very fast if you do not have a paid plan with them.
allow_auto_trigger
will automatically trigger a query (and submit if enabled) for each URLs
in the redirected nodes up to the one containing the rendered page.
Note: allow_auto_trigger
is ignored if auto_trigger_modules
in config/generic.json
is false
.
urlscan.io (v1.8+)
urlscan.io is a service to scan and analyze websites. It is quite similar to Lookyloo that way, but is aimed at identifying malicious activities, and has a very different approach to represent a capture.
The similarity and differences make it a great complement to Lookyloo.
By default the module will only submit the initial URL (with referer and user-agent)
for analysis to urlscan.io is you set autosubmit
to true
in config/modules.json
, section UrlScan
.
The module is not enabled by default because you need to create an account, and use an API key (you need to create an account).
There are a few options to configure the visibility of the captures you’re making on urlscan.io,
and you can configure it with the force_visibility
key:
-
false
(default):unlisted
on urlscan.io side for hidden captures on Lookyloo,public
for the others -
"key"
: default visibility as configured on urlscan.io for the API key you’re using -
"public"
,"unlisted"
or"private"
: all the captures will use the same visibility
Important: The API key is rate limited and you should keep an eye on the quotas, especially since they vary depending on the visibility you’re using.
allow_auto_trigger
will automatically submit the URL (if autosubmit
is enabled) for each URLs.
Be careful with the quotas of the key you’re using with this feature.
Note: allow_auto_trigger
is ignored if auto_trigger_modules
in config/generic.json
is false
.
MISP
Connecting Lookyloo to MISP - Open Source Threat Intelligence Platform will make it possible to share captures within your sharing community.
To use this module, you need to have access to a MISP instance
and set at least an url
and an apikey
in config/modules.json
, section MISP
.
You may also want to set verify_tls_cert
to false
if you’re using a self-signed certificate,
and modify the timeout
if the MISP instance is very slow.
allow_auto_trigger
is currently not used.
Important: the MISP publish and lookup features are only available for authenticated users.
Recommended setup on MISP side
The recommended way to use it is to create a dedicated user on your MISP instance, with access to an API key. If you want to allow your Lookyloo users to set tags to the captures before they submit it, you need to:
-
Create the tags on MISP side
-
Mark them as favorite for the dedicated user
Note: If you want to publish the events on creation, the dedicated user must have the publisher rights.
Push to a MISP instance
The module is disabled by default. In order to enable it, you need to set enable_push
to true
in
config/modules.json
, section MISP
.
You can also add a list of default tags that will be attached to every event created by Lookyloo
in default_tags
, and automatically publish the MISP events by setting auto_publish
to true
(in that case, the user must have the publisher permission in MISP).
If everything is working as it should, you will see a link in the top menu of the tree page. Otherwise, look at the Lookyloo logs, it is probably because your MISP instance is unreachable.
Lookup on a MISP instance
The module is disabled by default. In order to enable it, you need to set enable_lookup
to true
in
config/modules.json
, section MISP
.
If everything is working as it should, you will see a link in the top menu of the tree page. Otherwise, look at the Lookyloo logs, it is probably because your MISP instance is unreachable.
Phishing initiative
Phishing Initiative is a database of known phishing websites.
By default the module will only submit the URL for analysis to Phishing Initiative if you set
autosubmit
to true
in config/modules.json
, section PhishingInitiative
.
The only URLs passed to the module are the ones up to the rendered page, the content loaded after we reach this page aren’t queried to limit the number of request.
The module is not enabled by default because you need to create an account, and use an API key.
allow_auto_trigger
will automatically trigger a query (and submit if enabled) for each URLs
in the redirected nodes up to the one containing the rendered page.
Note: allow_auto_trigger
is ignored if auto_trigger_modules
in config/generic.json
is false
.
IntelMQ
IntelMQ is an Open-Source OSINT processing tool.
Starting with IntelMQ 3.0, the LookyLoo expert bot enqueues a screenshotting task at the configured LookyLoo instance and saves the (public) LookyLoo link in the event data.