IVRE#
README
IVRE#
Get intelligence from an IVRE instance.
Requirements#
You need an access to an IVRE instance. Unlike most analyzers, IVRE does not exist as a public service but is an open-source tool: you need to install and run your own instance. The repository is on GitHub.
To learn more about IVRE (and its "purposes"), you can read the documentation, particularly about the principles, and some use cases.
Supply the following parameters to the analyzer in order to use it:
db_url(string): the IVRE instance database URL (format: same as IVRE's configuration; default: use IVRE's configuration)db_url_data(string): the IVRE instance database URL for the data purpose (idem)db_url_passive(string): the IVRE instance database URL for the passive purpose (idem)db_url_scans(string): the IVRE instance database URL for the scans purpose (idem)use_data(boolean): should the analyzer use the data purpose?use_passive(boolean): should the analyzer use the passive purpose?use_scans(boolean): should the analyzer use the scans purpose?
IVRE#
Author: Pierre Lalet
License: AGPL-V3
Version: 1.0
Supported observables types:
- autonomous-system
- certificate_hash
- domain
- fqdn
- ip
- network
- port
- user-agent
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: https://ivre.rocks/
Description#
Fetch details from an IVRE instance.
Configuration#
| use_data | Use data from the data purpose (MaxMind) |
|---|---|
| Default value if not configured | True |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | True |
| use_passive | Use data from the passive purpose |
|---|---|
| Default value if not configured | True |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | True |
| use_scans | Use data from the scans (nmap) purpose |
|---|---|
| Default value if not configured | True |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | True |
| db_url | The URL of the IVRE database (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| db_url_data | The URL of the IVRE database for the data purpose (e.g., maxmind:///usr/share/ivre/geoip or http://host/cgi); defaults to using IVRE's configuration |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| db_url_passive | The URL of the IVRE database for the passive purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
| db_url_scans | The URL of the IVRE database for the scans (nmap) purpose (e.g., mongodb://host/ivre or http://host/cgi); defaults to using IVRE's configuration |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |
Templates samples for TheHive#
No template samples to display.