
Add IVRE Analyzer #923

Merged
merged 5 commits into from
Mar 30, 2021

Conversation

p-l-
Contributor

@p-l- p-l- commented Jan 9, 2021

Fixes #922.

@p-l- p-l- force-pushed the add-analyzer-ivre branch 3 times, most recently from 191906a to 4f7cbfe Compare January 9, 2021 18:50
@dadokkio dadokkio added category:new-analyzer New analyzer submitted status:needs-template Analyzer still needs a template for TheHive labels Jan 11, 2021
@dadokkio
Contributor

Is it possible to add the MongoDB IP as config, in order to be able to use a separate Docker instance of IVRE?
Will you add templates and screenshots for long and short templates?

@p-l-
Contributor Author

p-l- commented Jan 11, 2021

Yes I want to add templates, that's just a "work in progress" PR so that others can have a look.
You normally configure IVRE using its config file (system-wide: /etc/ivre.conf, or user-specific: ~/.ivre.conf):

DB = "mongodb://192.168.0.1/ivre"

@dadokkio
Contributor

Yesterday was the first time I installed and used IVRE, so I didn't know that [probably a README with some indications could also be useful 👼]

The "issue" is that Cortex in my case is on one machine, while IVRE is dockerized on another one.
So Cortex doesn't know where the DB is, and I think it is not able to read that conf either. Or am I missing something?

@p-l-
Contributor Author

p-l- commented Jan 12, 2021

I am currently in the process of improving the DBHttp backend so that one IVRE instance can access data through another IVRE instance's HTTP server (using a configuration like DB = "http://192.168.0.1/cgi/"). In the meantime, you can expose the MongoDB port of the ivredb container (usually 27017).

@dadokkio
Contributor

Ok, it took me some time to understand your previous message properly.
I've added "/etc/ivre.conf" on the Cortex machine and now it's looking for the DB in the right place 👍
In any case, I think that having a file-based conf is not so user-friendly when you run a dockerized analyzer.

@p-l- p-l- force-pushed the add-analyzer-ivre branch from 4f7cbfe to d4c8dc5 Compare January 13, 2021 18:43
@p-l-
Contributor Author

p-l- commented Jan 13, 2021

@dadokkio This should work as you'd expect now. What do you think?

@p-l- p-l- force-pushed the add-analyzer-ivre branch 2 times, most recently from 15ca055 to dfaf591 Compare January 14, 2021 00:57
@dadokkio
Contributor

dadokkio commented Jan 14, 2021

Yes, that should also permit using the dockerized version of the analyzer, because in that case you don't have external files. The image is built, executed and then deleted as is.
I've made a little change to the JSON and the test worked as expected 👍
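
To illustrate the configuration question discussed in this thread (an explicit analyzer parameter for dockerized deployments, falling back to IVRE's `DB = "..."` line in ~/.ivre.conf or /etc/ivre.conf), here is an added Python example; it is not the analyzer code from this PR, and the function names, the parameter name and the allowed URL schemes are assumptions.

```python
import os
import re
from typing import Dict, Optional
from urllib.parse import urlparse

# ivre.conf uses Python assignment syntax (DB = "mongodb://host/ivre"); we
# only need the DB line, so a regex avoids executing the file's contents.
_DB_LINE = re.compile(r'^\s*DB\s*=\s*["\']([^"\']+)["\']\s*$', re.MULTILINE)
# mongodb:// for a direct database, http(s):// for IVRE's DBHttp backend.
ALLOWED_SCHEMES = {"mongodb", "http", "https"}
# Assumed precedence: user file first, then the system-wide file.
CONF_PATHS = ("~/.ivre.conf", "/etc/ivre.conf")

def db_url_from_conf(text: str) -> Optional[str]:
    """Return the value of the DB = "..." line, or None if absent."""
    match = _DB_LINE.search(text)
    return match.group(1) if match else None

def validate_db_url(url: str) -> str:
    """Reject anything that is not a mongodb:// or http(s):// URL with a host."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        raise ValueError(f"unsupported IVRE DB URL: {url!r}")
    return url

def load_conf_files(paths=CONF_PATHS) -> Dict[str, str]:
    """Read whichever config files exist, keeping precedence order."""
    texts = {}
    for path in paths:
        try:
            with open(os.path.expanduser(path), encoding="utf-8") as fh:
                texts[path] = fh.read()
        except OSError:  # missing or unreadable file: just skip it
            continue
    return texts

def resolve_db_url(param: Optional[str] = None,
                   conf_texts: Optional[Dict[str, str]] = None) -> str:
    """Analyzer parameter wins (no files needed in a throw-away container);
    otherwise fall back to the DB line of the first config file that has one."""
    if param:
        return validate_db_url(param)
    if conf_texts is None:  # conf_texts lets callers/tests inject file contents
        conf_texts = load_conf_files()
    for text in conf_texts.values():
        url = db_url_from_conf(text)
        if url:
            return validate_db_url(url)
    raise RuntimeError("no IVRE DB configured: pass a parameter or set DB in ivre.conf")
```
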

@p-l- p-l- force-pushed the add-analyzer-ivre branch from c5d74b4 to a81b654 Compare January 15, 2021 22:10
@p-l- p-l- force-pushed the add-analyzer-ivre branch from a81b654 to 05f9f57 Compare February 17, 2021 14:47
@dadokkio
Contributor

I was able to test the templates as well and they work fine.

[image]

Are you still in WIP or can we consider this pull OK?
The only suggestion I can provide is to create a README with some indications on how to start and configure everything.

@p-l- p-l- marked this pull request as ready for review March 29, 2021 23:44
@p-l-
Contributor Author

p-l- commented Mar 29, 2021

Thanks a lot @dadokkio for your help. I think this PR is now ready for review; I hope I did not miss anything else.

@p-l-
Contributor Author

p-l- commented Mar 30, 2021

BTW I think the "status:needs-template" tag no longer applies.

@dadokkio dadokkio removed the status:needs-template Analyzer still needs a template for TheHive label Mar 30, 2021
@dadokkio dadokkio added this to the 3.0.0 milestone Mar 30, 2021
@dadokkio dadokkio merged commit a51ded7 into TheHive-Project:develop Mar 30, 2021
@p-l- p-l- deleted the add-analyzer-ivre branch March 30, 2021 12:18
@p-l-
Contributor Author

p-l- commented Mar 30, 2021

Thanks @dadokkio!
