
Lookup sources

elhijo opened this issue 9 years ago • 2 comments

Hi,

Thanks for your nice job, evebox is efficient and useful for us. Would you think it possible to add, as exists in Snorby, a lookup source feature? You already have an "ip report" link in the drop-down menu near an IP address; you might add a customizable field to point to any site one prefers to have info about an IP address, like https://www.robtex.com/?dns=${ip}.

Thanks !

elhijo avatar Oct 10 '16 16:10 elhijo

Yes, so this is planned, at least mentally. Right now we just use the DNS info that Suricata was able to pull off the wire, but this is often not enough.

I was thinking of the equivalent of "dig -x {ip}" and "whois {ip}", perhaps with some links to external tools, or a preferred external tool.

The lookups would be done by the EveBox server, so would originate there, but probably have to be enabled server side as well, as doing DNS lookups on alerting traffic is a potential information leakage.

Any more thoughts on this while I plan it out?

jasonish avatar Oct 10 '16 16:10 jasonish

What I like with the possibility to choose an external site to make the lookup is that you can get a bit more context, like IP reputation, and the fact that the request doesn't originate from our network; plus, you can choose the one you prefer.

elhijo avatar Oct 11 '16 08:10 elhijo
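As an added illustration of the two ideas raised in this thread (a configurable external lookup URL built from a `${ip}` placeholder, as in the robtex link above, and a server-side reverse lookup that stays off unless the operator enables it), here is a small Python sketch. It is example code written for this page, not EveBox's own implementation; the `LOOKUP_SOURCES` table, the function names and the sample addresses are all hypothetical.

```python
import ipaddress
import socket
import string
from typing import Callable, Dict, Optional
from urllib.parse import quote

# Constructed sample configuration (not EveBox's real config format): each
# lookup source is a name plus a URL template containing a ${ip} placeholder.
LOOKUP_SOURCES: Dict[str, str] = {
    "robtex": "https://www.robtex.com/?dns=${ip}",
    "reputation-example": "https://reputation.example.invalid/lookup?q=${ip}",
}


def build_lookup_url(template: str, ip: str) -> str:
    """Substitute a validated IP address into a ${ip} URL template.

    The value is parsed with ipaddress first, so only a literal IPv4/IPv6
    address (never an arbitrary string taken from an alert) reaches the URL,
    and it is percent-encoded so the query string stays well-formed.
    Raises ValueError for anything that is not an IP address.
    """
    addr = ipaddress.ip_address(ip)
    return string.Template(template).safe_substitute(ip=quote(str(addr), safe=""))


def ip_report_links(ip: str, sources: Dict[str, str] = LOOKUP_SOURCES) -> Dict[str, str]:
    """Build the external links for an IP report menu.

    These open in the analyst's browser, so the lookup originates from the
    analyst's network, not from the server that holds the alert data.
    """
    return {name: build_lookup_url(tpl, ip) for name, tpl in sources.items()}


def system_resolver(ip: str) -> str:
    """Real PTR lookup through the OS resolver (the 'dig -x' equivalent)."""
    return socket.gethostbyaddr(ip)[0]


def reverse_lookup(ip: str, enabled: bool,
                   resolver: Callable[[str], str] = system_resolver) -> Optional[str]:
    """Server-side reverse DNS lookup that only runs when explicitly enabled.

    Off by default: resolving an address seen in an alert sends that address
    to the configured resolver (and possibly upstream), which is the
    information leak noted in the thread. Non-global addresses (RFC 1918,
    loopback, link-local, documentation ranges) are skipped because there is
    nothing to learn externally and no reason to expose them. The resolver
    is injectable so the gate can be exercised offline.
    """
    if not enabled:
        return None
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        return None
    return resolver(str(addr))


if __name__ == "__main__":
    # Constructed sample address; the fake resolver keeps this offline.
    fake = lambda ip: f"host-{ip.replace('.', '-')}.example.invalid"
    print(ip_report_links("11.22.33.44"))
    print(reverse_lookup("11.22.33.44", enabled=False, resolver=fake))
    print(reverse_lookup("11.22.33.44", enabled=True, resolver=fake))
```

The two halves deliberately differ in where the lookup originates: the link builder only produces URLs the analyst's browser follows, while `reverse_lookup` runs on the server and therefore sits behind an explicit `enabled` flag.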

Closing. Will consider on a per-source basis, and there is a way to add your own custom hooks now.

jasonish avatar Feb 15 '24 04:02 jasonish