A simple application that extracts your IoCs from garbage input and checks their reputation using multiple services.
🌐 demo.cyberbro.net
Inspired by Cybergordon and IntelOwl.
This project aims to provide a simple and efficient way to check the reputation of your observables using multiple services, without having to deploy a complex solution.
- Effortless Input Handling: Paste raw logs, IoCs, or fanged IoCs, and let our regex parser do the rest.
- Multi-Service Reputation Checks: Verify observables (IP, hash, domain, URL, Chrome extension IDs) across multiple services like OpenCTI, VirusTotal, AbuseIPDB, IPInfo, Spur.us, MDE, Google Safe Browsing, Shodan, Abusix, Phishtank, ThreatFox, URLscan, Github, Google...
- Detailed Reports: Generate comprehensive reports with advanced search and filter options.
- High Performance: Leverage multithreading for faster processing.
- Automated Observable Pivoting: Automatically pivot on domains, URL and IP addresses using reverse DNS and RDAP.
- Accurate Domain Info: Retrieve precise domain information from ICANN RDAP (next generation whois).
- Abuse Contact Lookup: Accurately find abuse contacts for IPs, URLs, and domains.
- Export Options: Export results to CSV and autofiltered well formatted Excel files.
- MDE Integration: Check if observables are flagged on your Microsoft Defender for Endpoint (MDE) tenant.
- OpenCTI Integration: Get stats (number of incidents, indicators) from OpenCTI and the latest Indicator if available.
- Proxy Support: Use a proxy if required.
- Data Storage: Store results in a SQLite database.
- Grep.App: Search for observables with Grep.App API (fast GitHub searches).
- Analysis History: Maintain a history of analyses with easy retrieval and search functionality.
- Accessible to everyone from beginners to experts. No gatekeeping here.
- Chrome extensions IDs lookup: Retrieve the name of Chrome extensions from ID, and get CTI data about it.
- Lightweight & Easy Deployment: Simple to set up and use.
- Advanced TLD Verification: Uses
tldextractto accurately extract root domains, helping RDAP lookups. - Pragmatic Information Gathering: Utilizes GitHub and Google indexed results to catch what other engines might miss.
- CTI Report Integration: Leverages IoC.One for IoC-related CTI reports in HTML or PDF.
- EDR Integration: Integrates with solutions like Microsoft Defender for Endpoint to check if observables were seen in YOUR environment.
Tip
If you are lazy, you need Docker.
Do a git clone ; copy secrets-sample.json to secrets.json ; docker compose up then go to localhost:5000. Yep, that's it!
- To get started, clone the repository
git clone https://github.com/stanfrbd/cyberbro
cd cyberbrocp secrets-sample.json secrets.json
Note
Don't have API keys? No problem, just copy the secrets-sample.json to secrets.json and leave all like this. Be careful if a proxy is used.
You will be able to use all free engines!
- Fill values (including proxy if needed) in the
secrets.jsonfile.
{
"virustotal": "token_here",
"abuseipdb": "token_here",
"ipinfo": "token_here",
"google_safe_browsing": "token_here",
"proxy_url": "",
"mde_tenant_id": "tenant_here",
"mde_client_id": "client_id_here",
"mde_client_secret": "client_secret_here",
"shodan": "token_here",
"opencti_api_key": "token_here",
"opencti_url": "https://demo.opencti.io"
}- Obtain API keys from the official documentation of each service.
- Microsoft Defender for Endpoint (MDE) is a paid service and can be skipped if you don't have an account (unchecked by default).
Important
You can modify the configuration via the GUI at http://127.0.0.1:5000/config.
This endpoint is disabled by default for security reasons, as it is not protected.
To enable it, set app.config['CONFIG_PAGE_ENABLED'] = True at the beginning of app.py.
This is not recommended for public or team use, as it exposes your API keys.
docker compose up # use -d to run in background and use --build to rebuild the image- Go to http://127.0.0.1:5000 and Enjoy.
Don't forget to edit the
secrets.jsonbefore building the image.
- Clone the repository and install the requirements.
You might want to create a venv before installing the dependencies.
pip install -r requirements.txt- Run the app with
gunicorn(clean mode).
gunicorn -w 4 -t 4 -b 0.0.0.0:5000 app:app- Run the app with in development mode.
python3 app.pySee all screenshots
Caution
If you intend to use this in a production environment, use well configured Reverse Proxy + WAF to prevent security issues.
Chrome and Edge are still waiting but it is available in dev mode. Check the wiki
- The API is available at
/api/and can be accessed via the GUI or command-line.
There are currently 3 endpoints:
/api/analyze- Analyze a text and return analysis ID (JSON)./api/is_analysis_complete/<analysis_id>- Check if the analysis is complete (JSON)./api/results/<analysis_id>- Retrieve the results of a previous analysis (JSON).
curl -X POST "http://localhost:5000/api/analyze" -H "Content-Type: application/json" -d '{"text": "20minutes.fr", "engines": ["reverse_dns", "rdap"]}'{
"analysis_id": "e88de647-b153-4904-91e5-8f5c79174854",
"link": "/results/e88de647-b153-4904-91e5-8f5c79174854"
}curl "http://localhost:5000/api/is_analysis_complete/e88de647-b153-4904-91e5-8f5c79174854"{
"complete": true
}curl "http://localhost:5000/api/results/e88de647-b153-4904-91e5-8f5c79174854"[
{
"observable": "20minutes.fr",
"rdap": {
"abuse_contact": "",
"creation_date": "2001-07-11",
"expiration_date": "2028-01-08",
"link": "https://rdap.nic.fr/domain/20minutes.fr",
"name_servers": [
"ns-1271.awsdns-30.org",
"ns-748.awsdns-29.net",
"ns-16.awsdns-02.com",
"ns-1958.awsdns-52.co.uk"
],
"organization": "",
"registrant": "20 MINUTES FRANCE SAS",
"registrant_email": "[email protected]",
"registrar": "GANDI",
"update_date": "2024-11-18"
},
"reverse_dns": {
"reverse_dns": [
"13.249.9.82",
"13.249.9.92",
"13.249.9.83",
"13.249.9.129"
]
},
"reversed_success": true,
"type": "FQDN"
}
]Note
The dedicated wiki page gives all the names of usable engines.
- VirusTotal
- AbuseIPDB
- IPquery
- IPinfo
- Google Safe Browsing
- Microsoft Defender for Endpoint
- Shodan
- Spur.us
- Abusix
- Phishtank
- OpenRDAP
- ICANN
- Github
- ThreatFox
- URLscan
- Ioc.One
- OpenCTI
- Grep.App
Note
Any questions? Check the wiki or raise an issue
For the advanced config (tuning of supervisord.conf before deployment, selection of visible engines, change /api/ prefix...), check the dedicated wiki page.
A huge thank you to all the amazing contributors who made pull requests and helped improve this project:
- Florian PILLOT who reworked engines (refactoring and optimizations).
- Axel who develops Ioc.One and added a specific User-Agent allowing scraping of Ioc[.]One.
Your contributions are greatly appreciated!
MIT License
Copyright (c) 2025 stanfrbd
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
The logo used in this project is free for personal and commercial use and can be found here.
