
[Analyzer] Replace Rendertron with Lookyloo

Open mlodic opened this issue 3 years ago • 6 comments

We added Rendertron as an optional additional analyzer to provide the chance to perform screenshots of sites, mainly with the goal of registering and saving phishing pages.

Recently, I found out about the existence of this project from CIRCL, Lookyloo (https://www.lookyloo.eu/docs/main/phishing-use-case.html), that not only performs screenshots but also retrieves additional information that can be used to evaluate possible malicious sites. Considering that IntelOwl's main targets are security analysts, it would make sense to provide a tool that is more suited for this specific use case instead of a more generic tool like Rendertron. Plus, right now there is no way to properly view the extracted screenshots.

We have 2 options:

1 - Integrate the full application: The creation of the analyzer should be straightforward thanks to the python library they provide (https://www.lookyloo.eu/docs/main/lookyloo-pylookyloo.html). The longest task would be to replace the Rendertron Docker Analyzer with the Lookyloo one. The contributor could follow the installation guide here (https://www.lookyloo.eu/docs/main/install-lookyloo.html). Plus, we could serve the application via Nginx too, but that would mean adding a lot of other problems to the table, like authentication. Even if it would be powerful to perform such a strong integration, I am not sure that adding other GUIs to the default one would be a good thing for the project.

2 - We could just integrate the Screenshot utility they have, without having to install the whole application. By leveraging the PlaywrightCapture module (https://twitter.com/lookyloo_app/status/1529160413618872322), we could just leverage some easy python code and have a similar result to what we would have had with Rendertron. In this case, we would not need to keep an additional Docker Analyzer anymore, with the consequence of reducing the overall weight of IntelOwl.

mlodic avatar May 29 '22 08:05 mlodic

see #1393

mlodic avatar Jan 05 '23 16:01 mlodic

Just popping in, the documentation of all the tools is a bit of a mess, but you may want to also look at lacus, which is a standalone webservice that uses playwright in the backend without all the processing lookyloo does, but with better guardrails than using playwrightcapture directly.

That's what is used by ail now.

Rafiot avatar Mar 27 '24 12:03 Rafiot

@Rafiot thank you very much for your help! That's actually a great idea!

mlodic avatar Mar 27 '24 13:03 mlodic

for reference: https://www.lookyloo.eu/docs/main/index.html#_lacus

mlodic avatar Mar 27 '24 13:03 mlodic

@mlodic so this should also be an optional docker analyzer like the previous ones. Running in a docker container, and then we can interact with it using pylacus, right?

shivam-Purohit avatar Mar 28 '24 05:03 shivam-Purohit

yep

mlodic avatar Mar 28 '24 10:03 mlodic
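To make the "optional docker analyzer driven through pylacus" idea concrete (and the earlier option 2 of getting a screenshot back from a Playwright-based capture), here is an added example of the analyzer-side logic: enqueue a URL on a Lacus-style capture service, poll until the capture is done or a timeout expires, then validate and hash the returned PNG. This is illustration code written for this note, not IntelOwl's or Lookyloo's own code. It assumes the pylacus client shape as I understand it (`enqueue(url=...)` returning a capture uuid, `get_capture_status(uuid)` returning an integer status, `get_capture(uuid)` returning a dict with `png`, `last_redirected_url` and optional `error` keys), so check those against the installed pylacus version. To keep it runnable offline, a constructed `FakeLacus` stand-in replaces the real `PyLacus` client and the sample PNG is a constructed 1x1 image.

```python
"""Analyzer-side helper for a Lacus-style screenshot service (example code)."""
import base64
import hashlib
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Status codes mirroring pylacus's CaptureStatus IntEnum as I understand it
# (assumption: verify against the pylacus version you deploy).
STATUS_UNKNOWN, STATUS_QUEUED, STATUS_DONE, STATUS_ONGOING = -1, 0, 1, 2

# Constructed sample data: a valid 1x1 PNG used by the fake service below.
SAMPLE_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


class CaptureFailed(RuntimeError):
    """Raised when the service cannot deliver a usable screenshot."""


@dataclass
class ScreenshotResult:
    uuid: str
    png: bytes
    last_redirected_url: Optional[str]
    sha256: str  # lets the report reference the artifact without embedding it


def capture_screenshot(client: Any, url: str, timeout: float = 60.0, poll_interval: float = 2.0,
                       sleep: Callable[[float], None] = time.sleep,
                       clock: Callable[[], float] = time.monotonic) -> ScreenshotResult:
    """Enqueue `url`, wait for the capture to finish, and return the validated PNG.

    `sleep` and `clock` are injectable so the polling loop can be tested without waiting.
    With the real client this would be: client = PyLacus("http://lacus:7100")  (assumed URL).
    """
    uuid = client.enqueue(url=url)
    deadline = clock() + timeout
    while True:
        status = client.get_capture_status(uuid)
        if status == STATUS_DONE:
            break
        if status == STATUS_UNKNOWN:
            raise CaptureFailed(f"capture {uuid} is unknown to the service")
        if clock() >= deadline:
            raise CaptureFailed(f"capture {uuid} not finished after {timeout}s (status {status})")
        sleep(poll_interval)

    capture: Dict[str, Any] = client.get_capture(uuid)
    if capture.get("error"):  # assumed key: the service reports browser-side failures here
        raise CaptureFailed(f"capture {uuid} failed: {capture['error']}")
    png = capture.get("png")
    if isinstance(png, str):  # base64 text when the client does not decode for us
        png = base64.b64decode(png)
    # Never trust that "done" means "has a screenshot": check the bytes really are a PNG
    # before handing them to a viewer or storing them as evidence.
    if not png or not png.startswith(PNG_MAGIC):
        raise CaptureFailed(f"capture {uuid} returned no PNG screenshot")
    return ScreenshotResult(uuid=uuid, png=png,
                            last_redirected_url=capture.get("last_redirected_url"),
                            sha256=hashlib.sha256(png).hexdigest())


class FakeLacus:
    """Constructed stand-in for pylacus.PyLacus: replays a status sequence, then one capture."""

    def __init__(self, statuses: List[int], capture: Dict[str, Any]):
        self._statuses = list(statuses)
        self._capture = capture
        self.enqueued: List[str] = []

    def enqueue(self, url: str, **kwargs: Any) -> str:
        self.enqueued.append(url)
        return "00000000-0000-4000-8000-000000000001"  # constructed uuid

    def get_capture_status(self, uuid: str) -> int:
        # Advance through the sequence, then keep returning the last status.
        return self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]

    def get_capture(self, uuid: str, decode: bool = True) -> Dict[str, Any]:
        return self._capture


if __name__ == "__main__":
    fake = FakeLacus([STATUS_QUEUED, STATUS_ONGOING, STATUS_DONE],
                     {"png": base64.b64encode(SAMPLE_PNG).decode(),
                      "last_redirected_url": "https://example.test/login"})  # constructed
    result = capture_screenshot(fake, "http://example.test/", sleep=lambda s: None)
    print(result.uuid, result.sha256, result.last_redirected_url)
```

The polling loop is the part worth keeping even if the client API differs: a capture can sit in the queue indefinitely if the service is overloaded, so the analyzer needs its own deadline rather than relying on the service, and the PNG magic check keeps an empty or error response from being stored as a "screenshot" of a phishing page.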