AILOnionLookup#
README
AIL OnionLookup Analyzer#
Checks the existence of Tor hidden services (.onion domains) and retrieves their associated metadata using the AIL (Analysis Information Leak) framework.
Description#
This analyzer validates and looks up onion domains through the AIL onion-lookup service to gather intelligence on dark web services. It enriches results with categorized tags based on the MISP dark-web taxonomy for law enforcement.
Supported Data Types#
domain- .onion domainsurl- URLs containing .onion hostnamesfqdn- Fully qualified domain names ending in .onion
Configuration#
| Parameter | Description | Default |
|---|---|---|
base_url |
Base URL of the onion-lookup service | https://onion.ail-project.org |
timeout |
HTTP timeout in seconds | 30 |
verify_tls |
Verify TLS certificate | true |
Output#
Returns metadata about the onion service including: - First/last seen timestamps - Page titles and languages - Categorized tags with descriptions - Detection counts for security analysis
Preview#
References#
AIL_OnionLookup#
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- domain
- url
- fqdn
Registration required: False
Subscription required: False
Free subscription: False
Third party service: N/A
Description#
Checks the existence of Tor hidden services and retrieving their associated metadata. Onion-lookup relies on an AIL instance to obtain the metadata.
Configuration#
| base_url | Base URL of the onion-lookup service (no trailing slash) |
|---|---|
| Default value if not configured | https://onion.ail-project.org |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| timeout | HTTP timeout in seconds |
|---|---|
| Default value if not configured | 30 |
| Type of the configuration item | number |
| The configuration item can contain multiple values | None |
| Is required | False |
| verify_tls | Verify TLS certificate |
|---|---|
| Default value if not configured | True |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | None |
| Is required | False |
Templates samples for TheHive#
No template samples to display.