New plugin subtype: Scanners
Inheriting from issue #814, there was the temptation to add active scanners to IntelOwl.
The IntelOwl framework makes it easy to add external integrations and calls to external services, so some people suggested adding active scanners to this project too. At first we avoided adding those because the goal was different. However, right now the tool is ready to accept another form of plugin, which we could call "scanner" and categorize differently from the other already existing plugins.
Just to be as accurate as possible: analyzer plugins would differ from scanner plugins only in that the former would NEVER contact the network observables they analyze, while the latter would ALWAYS contact the network observables they analyze. Considering the various implications of contacting possibly malicious infrastructure, it makes sense to keep them separate from each other.
The contributor who takes this task would need to touch several parts of the application to provide everything required for this new plugin type to run correctly.
Consequences of this change:
- `rendertron` and `Thug_URL_Info` analyzers are the only active ones ATM and would need to be moved to the "scanner" type
On second thought, due to the similarity of "scanners" to "analyzers", it could make sense for "scanner" to be a subtype of "analyzer", to simplify code management.
The peculiarities of this kind of analyzer, in terms of configuration, would be:
- They should all inherit from a "Scanner" base analyzer which itself inherits from the "Analyzer" class
- They can never be executed with TLP:RED.
- They should all share a new flag called "is_scanner" so we can properly do logic on this. This should be added in the Plugin view as a new column.
- We would need to give users the chance to add a list of global proxies to use during active scans. This can be added in the user's plugin configuration (a new section dedicated to this in the GUI). The "Scanners" cannot be executed if the proxies are not configured. (One proxy configuration can be "none", but it should be explicitly selected by the user.) Plus, this configuration could also be added at the organization level.
- I would create a default Playbook with all the available scanners (remember to remove the scanners from the free-to-use playbook)
- I would create a custom Visualizer for that Playbook where it would be possible to show the analyzers' results in a prettier way. For instance, I would expect a section of the visualization dedicated to the screenshots collected of the selected URLs.
- IntelOwl should support IP ranges as input, only for this type of plugin.
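To make the gating rules in the proposal above concrete, here is an added, self-contained illustration (example code written for this page, not IntelOwl's own code or API): a hypothetical `Scanner` subclass of a hypothetical `Analyzer`, carrying the proposed `is_scanner` flag, refusing to start on TLP:RED, refusing to start unless a proxy configuration was explicitly selected (including an explicit "none"), and expanding CIDR ranges only for scanners, with a size cap as an extra safeguard. All class and function names, the `ProxyConfig` shape and the sample observables are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class TLP(str, Enum):
    CLEAR = "CLEAR"
    GREEN = "GREEN"
    AMBER = "AMBER"
    RED = "RED"


class ScannerNotAllowed(Exception):
    """Raised when the gating rules refuse to start an active scan."""


@dataclass
class ProxyConfig:
    """Hypothetical user/org proxy setting. An empty proxy list is only
    acceptable when the user explicitly selected "none"."""
    proxies: List[str] = field(default_factory=list)
    explicit_none: bool = False

    def is_complete(self) -> bool:
        return bool(self.proxies) or self.explicit_none


def expand_targets(observable: str, allow_ranges: bool, max_addresses: int = 256) -> List[str]:
    """Turn an observable into concrete targets. CIDR ranges expand to every
    address, but only when the caller allows ranges and up to max_addresses."""
    try:
        net = ipaddress.ip_network(observable, strict=False)
    except ValueError:
        return [observable]  # URL, domain, hash, ...: nothing to expand
    if net.num_addresses > 1 and not allow_ranges:
        raise ValueError("IP ranges are accepted only by scanner plugins")
    if net.num_addresses > max_addresses:
        raise ValueError(f"range of {net.num_addresses} addresses exceeds cap {max_addresses}")
    return [str(addr) for addr in net]


class Analyzer:
    """Passive analyzer (hypothetical): never contacts the observable."""
    is_scanner = False  # the proposed flag, shown as a column in the Plugin view

    def __init__(self, observable: str, tlp: TLP):
        self.observable = observable
        self.tlp = tlp

    def check_can_run(self) -> None:
        pass  # passive analyzers need no extra gating

    def run(self, target: str) -> Dict:
        raise NotImplementedError

    def start(self) -> List[Dict]:
        self.check_can_run()
        targets = expand_targets(self.observable, allow_ranges=self.is_scanner)
        return [self.run(t) for t in targets]


class Scanner(Analyzer):
    """Active analyzer (hypothetical): always contacts the observable, hence the extra rules."""
    is_scanner = True

    def __init__(self, observable: str, tlp: TLP, proxy_config: Optional[ProxyConfig] = None):
        super().__init__(observable, tlp)
        self.proxy_config = proxy_config

    def check_can_run(self) -> None:
        if self.tlp == TLP.RED:
            raise ScannerNotAllowed("scanners never run on TLP:RED observables")
        if self.proxy_config is None or not self.proxy_config.is_complete():
            raise ScannerNotAllowed("no proxy configuration selected (choose proxies or explicit 'none')")


class FakeScreenshotScanner(Scanner):
    """Stand-in for a screenshot-style active scanner: records which proxy it
    would use instead of really touching the network."""

    def run(self, target: str) -> Dict:
        proxy = self.proxy_config.proxies[0] if self.proxy_config.proxies else None
        return {"target": target, "proxy": proxy, "contacted": True}


class FakeHashLookup(Analyzer):
    """Stand-in for a passive analyzer: only looks the observable up locally."""

    def run(self, target: str) -> Dict:
        return {"target": target, "contacted": False}


def try_start(analyzer: Analyzer):
    """Return the results list, or a 'refused: ...' string when gating blocks the run."""
    try:
        return analyzer.start()
    except (ScannerNotAllowed, ValueError) as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    # Constructed observables: a URL and a small IPv4 range
    print(try_start(FakeScreenshotScanner("http://example.com", TLP.RED, ProxyConfig(explicit_none=True))))
    print(try_start(FakeScreenshotScanner("http://example.com", TLP.AMBER)))
    print(try_start(FakeScreenshotScanner("10.0.0.0/30", TLP.GREEN, ProxyConfig(proxies=["socks5://127.0.0.1:9050"]))))
    print(try_start(FakeHashLookup("10.0.0.0/30", TLP.GREEN)))
```

The point of the `explicit_none` field is the proposal's "none must be explicitly selected" rule: an unset or empty proxy configuration is treated as missing, not as "no proxy", so a scanner cannot silently reach malicious infrastructure from the analyst's own address because someone forgot to configure proxies.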
Thinking about this again, and given the complexity of such a customization, we decided to opt out of this option and implement scanners like normal analyzers.
Hey @mlodic, is there any work started on scanners?
> Thinking about this again, and given the complexity of such a customization, we decided to opt out of this option and implement scanners like normal analyzers.

Soo . . . should https://github.com/intelowlproject/IntelOwl/issues/1393#issuecomment-1372453230 be disregarded?