
Vulners#

README

Vulners-analyzer#

This analyzer consists of 2 parts:

1. Vulners_IOC: As a result of collaboration between Vulners and RST Threat Feed, the idea was to send IOC analysis results through a TheHive analyzer: blog post
2. Vulners_CVE: Vulners has a strong vulnerability database. This data is useful because: "if the case (incident) is related to the exploitation of a vulnerability, then the analyst (manually / automatically) can add it to observables and quickly get all the basic information on it in order to continue analyzing the case."

A Vulners API key is required.

Setting up analyzer#

  • Copy the folders ("Vulners" analyzer & "Vulners") into your Cortex analyzer path
  • Install the necessary Python modules from requirements.txt (pip install -r requirements.txt)
  • Restart Cortex to initialize the new analyzer: systemctl restart cortex

Get your Vulners API key: Vulners API

Add your Vulners API key in the Cortex settings: API key in Cortex

Add Observable type in TheHive#

By default TheHive does not have a "cve" observable type, so it has to be added in the Administrator Settings:

add observable

Run the Analyzer in TheHive#

Network IOCs:#

Short template:

Short IOC template

Long template:

Long IOC template

Long_IOC_threat_template

Vulnerabilities:#

Short template:

Short CVE template

Long template:

Long CVE template

Vulners_CVE#

Author: Dmitry Uchakin, Vulners team
License: AGPL-V3
Version: 1.0
Supported observable types:
- cve
Registration required: True
Subscription required: True
Free subscription: True
Third party service: https://vulners.com

Description#

Get information about a CVE from the Vulners vulnerability database.

Configuration#

| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|------|-------------|---------------------------------|--------------------------------|-----------------------------|-------------|
| key  | API key for Vulners | N/A | string | False | True |

Templates samples for TheHive#

Long template for CVE

Vulners_IOC#

Author: Dmitry Uchakin, Vulners team
License: AGPL-V3
Version: 1.0
Supported observable types:
- url
- domain
- ip
Registration required: True
Subscription required: True
Free subscription: True
Third party service: https://vulners.com

Description#

Get information from the RST Threat Feed, which is integrated with Vulners, for a domain, URL or IP address.

Configuration#

| Name | Description | Default value if not configured | Type of the configuration item | Can contain multiple values | Is required |
|------|-------------|---------------------------------|--------------------------------|-----------------------------|-------------|
| key  | API key for Vulners | N/A | string | False | True |

Templates samples for TheHive#

Vulners API key for analyzer

Long template for network IOCs (ip, url, domain)

Short template for network IOCs (ip, url, domain)