Debian: 10.6
IntelOwl: v2.1.0
IntelOwl was designed with the intent to help the community, in particular those researchers that can not afford commercial solutions, in the generation of threat intelligence data, in a simple, scalable and reliable way.
This project's first commit is Dec 31 2019 on Github, as of January 29, 2021, there are 1668 stars, 168 forks, 197 Pull Requests, 24 Open issues, and 99 Closed issues. So, the community is active.
The project leverages docker-compose for a classic server deployment. So, you need docker and docker-compose installed in your machine.
~# apt-get install docker docker-compose git -y
If don't support IPv6, to disable IPv6 on Debian 10, add 'ipv6.disable=1' to GRUB_CMDLINE_LINUX="" line in /etc/default/grub file, and exec following command:
~# update-grub2
~# reboot
git clone https://github.com/intelowlproject/IntelOwl
cd IntelOwl/docker
cp env_file_postgres_template env_file_postgres
cp env_file_app_template env_file_app
cp env_file_integrations_template env_file_integrations
Advanced additional configuration: OLD_JOBS_RETENTION_DAYS: Database retention, default 3 days. Change this if you want to keep your old analysis longer in the database. The configuration item is in the env_file_app file.
IntelOwl# python start.py prod up -d
IntelOwl# python start.py prod ps
Name Command State Ports
----------------------------------------------------------------------------------------------------------------------------------------
intel_owl_celery_beat /usr/local/bin/celery -A i ... Up
intel_owl_celery_worker_default /usr/local/bin/celery -A i ... Up
intel_owl_nginx /docker-entrypoint.sh ngin ... Up 0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
intel_owl_postgres docker-entrypoint.sh postgres Up 5432/tcp
intel_owl_rabbitmq docker-entrypoint.sh rabbi ... Up 15691/tcp, 15692/tcp, 25672/tcp, 4369/tcp, 5671/tcp, 5672/tcp
intel_owl_uwsgi ./docker//docker_entrypoint.sh Up 8001/tcp
IntelOwl# docker exec -ti intel_owl_uwsgi python3 manage.py createsuperuser
Example create user name is root, create a user named root.
Login in browser:
Intelowl supports about 100 available analyzers that you can use to generate or retrieve data about a suspicious file or observable. If you need from the analyzer gets threat intelligence, must get that analyzer's key. For example, use Virustotal public API to get threat intelligence, to registered and get API key, as shown below:
Add the public API key to 'VT_KEY=' line in env_file_app file.
- NOTE: * Must exec docker-compose build command after modifying env_file_app file. As follows:
IntelOwl# python start.py prod stop
IntelOwl# python start.py prod build
IntelOwl# python start.py prod up -d
Example add sha512 method to File_Info analyzer.
Find this module code file:
IntelOw/api_app/script_analyzers/file_analyzers/file_info.py
Add sha512 method in the file, git diff info:
# git diff api_app/script_analyzers/file_analyzers/file_info.py
diff --git a/api_app/script_analyzers/file_analyzers/file_info.py b/api_app/script_analyzers/file_analyzers/file_info.py
index b515a72..905cdb2 100644
--- a/api_app/script_analyzers/file_analyzers/file_info.py
+++ b/api_app/script_analyzers/file_analyzers/file_info.py
@@ -27,6 +27,7 @@ class FileInfo(FileAnalyzer):
results["md5"] = hashlib.md5(binary).hexdigest()
results["sha1"] = hashlib.sha1(binary).hexdigest()
results["sha256"] = hashlib.sha256(binary).hexdigest()
+ results["sha512"] = hashlib.sha512(binary).hexdigest()
results["ssdeep"] = pydeep.hash_file(self.filepath).decode()
cp api_app/script_analyzers/file_analyzers/file_info.py docker
cat <<EOF> ./docker/Dockerfile_for_modify_file_info
FROM intelowlproject/intelowl:v2.1.0
ENV PYTHONPATH /opt/deploy/intel_owl/api_app/script_analyzers/file_analyzers
COPY ./file_info.py \$PYTHONPATH
EOF
Git diff info of default.yml:
diff --git a/docker/default.yml b/docker/default.yml
index 9d214d9..2277940 100644
--- a/docker/default.yml
+++ b/docker/default.yml
@@ -10,7 +10,9 @@ services:
- ./env_file_postgres
uwsgi:
- image: intelowlproject/intelowl:${INTELOWL_TAG_VERSION}
+ build:
+ context: .
+ dockerfile: ./Dockerfile_for_modify_file_info
container_name: intel_owl_uwsgi
volumes:
- ../configuration/intel_owl.ini:/etc/uwsgi/sites/intel_owl.ini
@@ -50,7 +52,9 @@ services:
container_name: intel_owl_rabbitmq
celery_beat:
- image: intelowlproject/intelowl:${INTELOWL_TAG_VERSION}
+ build:
+ context: .
+ dockerfile: ./Dockerfile_for_modify_file_info
container_name: intel_owl_celery_beat
restart: unless-stopped
command: /usr/local/bin/celery -A intel_owl.celery beat --uid www-data --gid www-data --pidfile=/tmp/celerybeat.pid --schedule=/tmp/celerybeat-schedule
@@ -65,7 +69,9 @@ services:
- postgres
celery_worker_default:
- image: intelowlproject/intelowl:${INTELOWL_TAG_VERSION}
+ build:
+ context: .
+ dockerfile: ./Dockerfile_for_modify_file_info
container_name: intel_owl_celery_worker_default
restart: unless-stopped
python start.py prod down
python start.py prod build
python start.py prod up -d
After adding the sha512 function, as shown below:
Please to reference:
https://intelowl.readthedocs.io/en/latest/Contribute.html#how-to-add-a-new-analyzer
The project provides a template file to configure Nginx to serve HTTPS: configuration/intel_owl_nginx_https. You should change ssl_certificate, ssl_certificate_key and server_name in that file. Then you should modify the nginx service configuration in default.yml:
- change intel_owl_nginx_http with intel_owl_nginx_https
- copy your ssl_certificate, ssl_certificate_key to nginx image
Generate your own ssl_certificate, ssl_certificate_key:
IntelOwl$ openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt
Git diff info of configuration/intel_owl_nginx_https:
diff --git a/configuration/intel_owl_nginx_https b/configuration/intel_owl_nginx_https
index 525644c..2dab089 100644
--- a/configuration/intel_owl_nginx_https
+++ b/configuration/intel_owl_nginx_https
@@ -3,11 +3,11 @@ upstream django {
server uwsgi:8001 fail_timeout=30s;
}
-server {
- listen 80;
- server_name intel_owl.com;
- return 301 https://intel_owl.com$request_uri;
-}
+#server {
+# listen 80;
+# server_name intel_owl.com;
+# return 301 https://intel_owl.com$request_uri;
+#}
server {
@@ -15,8 +15,8 @@ server {
ssl on;
ssl_protocols TLSv1.2;
- ssl_certificate certificate_chain.chain.crt;
- ssl_certificate_key private_key.key;
+ ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
server_name intel_owl.com;
Git diff info of docker/default.yml:
diff --git a/docker/default.yml b/docker/default.yml
index 9d214d9..2277940 100644
--- a/docker/default.yml
+++ b/docker/default.yml
@@ -36,7 +38,7 @@ services:
restart: unless-stopped
hostname: nginx
volumes:
- - ../configuration/intel_owl_nginx_http:/etc/nginx/conf.d/default.conf
+ - ../configuration/intel_owl_nginx_https:/etc/nginx/conf.d/default.conf
- nginx_logs:/var/log/nginx
- static_content:/var/www/static
Git diff info of Dockerfile_nginx:
diff --git a/docker/Dockerfile_nginx b/docker/Dockerfile_nginx
index de2d7da..1661d2e 100644
--- a/docker/Dockerfile_nginx
+++ b/docker/Dockerfile_nginx
@@ -4,5 +4,9 @@ FROM intelowlproject/intelowl_ng:v1.7.0 AS angular-prod-build
# Stage 2: Inject the build artifacts into nginx container
FROM library/nginx:1.19-alpine
+ENV PRIKEYPATH /etc/ssl/private/
COPY --from=angular-prod-build /usr/src/app/dist /var/www/angular_build
-VOLUME /var/log/nginx
\ No newline at end of file
+COPY ./nginx-selfsigned.key $PRIKEYPATH
+COPY ./nginx-selfsigned.crt /etc/ssl/certs/nginx-selfsigned.crt
+COPY ./configuration/intel_owl_nginx_https /etc/nginx/conf.d/default.conf
+VOLUME /var/log/nginx
Rebuild and up intel_owl project:
IntelOwl# python start.py prod down
IntelOwl# python start.py prod build
IntelOwl# python start.py prod up -d
https://intelowl.readthedocs.io/en/latest/index.html
https://github.com/intelowlproject/IntelOwl