stanfrbd/cyberbro

A simple application that extracts your IoCs from garbage input and checks their reputation using multiple CTI services.

Cyberbro

A simple application that extracts your IoCs from garbage input and checks their reputation using multiple services.
Inspired by Cybergordon and IntelOwl.

This project aims to provide a simple and efficient way to check the reputation of your observables using multiple services, without having to deploy a complex solution.

Features

• Effortless Input Handling: Paste raw logs, IoCs, or fanged IoCs, and let our regex parser do the rest.
• Multi-Service Reputation Checks: Verify observables (IP, hash, domain, URL) across multiple services like VirusTotal, AbuseIPDB, IPInfo, Spur.us, IP Quality Score, MDE, Google Safe Browsing, Shodan, Abusix, Phishtank, ThreatFox, Github, Google...
• Detailed Reports: Generate comprehensive reports with advanced search and filter options.
• High Performance: Leverage multithreading for faster processing.
• Automated Observable Pivoting: Automatically pivot on domains, URL and IP addresses using reverse DNS and RDAP.
• Accurate Domain Info: Retrieve precise domain information from ICANN RDAP (next generation whois).
• Abuse Contact Lookup: Accurately find abuse contacts for IPs, URLs, and domains.
• Export Options: Export results to CSV and autofiltered well formatted Excel files.
• MDE Integration: Check if observables are flagged on your Microsoft Defender for Endpoint (MDE) tenant.
• Proxy Support: Use a proxy if required.
• Data Storage: Store results in a SQLite database.
• Analysis History: Maintain a history of analyses with easy retrieval and search functionality.

Getting Started - TL;DR

Tip

If you are lazy, you need Docker.
Do a git clone ; copy secrets-sample.json to secrets.json ; docker compose up then go to localhost:5000. Yep, that's it!

Getting Started

• To get started, clone the repository

git clone https://github.com/stanfrbd/cyberbro
cd cyberbro

Edit the config file (mandatory)

cp secrets-sample.json secrets.json

Note

Don't have API keys? No problem, just copy the secrets-sample.json to secrets.json and leave all like this. Be careful if a proxy is used.
You will be able to use all free engines!

• Fill values (including proxy if needed) in the secrets.json file.

{
    "virustotal": "token_here",
    "abuseipdb": "token_here",
    "ipinfo": "token_here",
    "google_safe_browsing": "token_here",
    "proxy_url": "",
    "mde_tenant_id": "tenant_here",
    "mde_client_id": "client_id_here",
    "mde_client_secret": "client_secret_here",
    "ip_quality_score": "token_here",
    "shodan": "token_here"
}

• Obtain API keys from the official documentation of each service.
• Microsoft Defender for Endpoint (MDE) is a paid service and can be skipped if you don't have an account (unchecked by default).

Important

You can modify the configuration via the GUI at http://127.0.0.1:5000/config.
This endpoint is disabled by default for security reasons, as it is not protected.
To enable it, set app.config['CONFIG_PAGE_ENABLED'] = True at the beginning of app.py.
This is not recommended for public or team use, as it exposes your API keys.

Launch the app

Lazy and easy - use docker

docker compose up # use -d to run in background and use --build to rebuild the image

• Go to http://127.0.0.1:5000 and Enjoy.

Don't forget to edit the secrets.json before building the image.

The old way

• Clone the repository and install the requirements.

You might want to create a venv before installing the dependencies.

pip install -r requirements.txt

• Run the app with gunicorn (clean mode).

gunicorn -w 4 -t 4 -b 0.0.0.0:5000 app:app

• Run the app with in development mode.

python3 app.py

Screenshots

See all screenshots

Caution

This is still a development server, not intended for production.
Some misconfigurations may lead to security issues.

API and third-party services

• VirusTotal
• AbuseIPDB
• IPquery
• IPinfo
• Google Safe Browsing
• IP Quality Score
• Microsoft Defender for Endpoint
• Shodan
• Spur.us
• Abusix
• Phishtank
• OpenRDAP
• ICANN
• Google
• Github
• ThreatFox
• Ioc.One

Note

Any questions? Check the wiki or raise an issue

License

        DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
                    Version 2, December 2004 

 Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> 

 Everyone is permitted to copy and distribute verbatim or modified 
 copies of this license document, and changing it is allowed as long 
 as the name is changed. 

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 

  0. You just DO WHAT THE FUCK YOU WANT TO.