Real time IP analysis/threat detection using the Virus Total and Shodan API. Included with a full web GUI and perfect for running in the background.
Demo of Web interface: https://notgoogle.com/report/index.php
The results on the page above are real SSH login attempts to my public web server.
Requirements: PHP 7+, the PHP 7 SQLite extension, pip
Note: Default log location: /var/log/auth.log
- Git clone this repo
- Insert Virus Total API key into `virustotal-report.py`
- Insert Shodan API key into `shodan-report.py`
- Run `pip install -r requirements.txt`
- Run `./comb-start.sh`
Generating the Virus Total API key:
- Login or create an account on Virus Total
- Once logged in, click on your name in the top right > API key.
Note: This API is limited to 4 requests per minute.
Generating the Shodan API key:
- Head over to https://developer.shodan.io/
- Create an account
- You will see 'Show API Key' at the top of the page.
PHP has a built-in simple HTTP server; `./comb-start.sh` currently binds it to 127.0.0.1:80, so the web UI is only reachable from the host itself unless you change that address.
Note: The web UI lives in the `./report` folder. Currently 75 results are loaded from the database, possibly including repeats. Each result "card" shows the VT and Shodan analysis results: green = Virus Total, yellow = Shodan.
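The pipeline the README describes (read sshd login attempts out of `/var/log/auth.log`, look each source IP up, store the verdict for the web UI) can be sketched in a few functions. The block below is an added example, not the project's own `virustotal-report.py`; it parses constructed auth.log lines, de-duplicates the source IPs so each address is looked up once (which also avoids the repeated cards mentioned above, by keying the SQLite table on the IP), and wraps the lookup in a sliding-window rate limiter that respects the 4-requests-per-minute quota. The `virustotal_lookup` helper assumes the VirusTotal v3 `ip_addresses` endpoint and the `x-apikey` header; the project's own script may use a different API version.

```python
"""Added example (not the project's code): auth.log -> unique IPs -> rate-limited
lookup -> SQLite. Sample log lines below are constructed, not captured."""
from __future__ import annotations

import json
import re
import sqlite3
import time
import urllib.request
from collections import deque
from typing import Callable, Iterable

# Matches the sshd lines a typical /var/log/auth.log contains for password logins.
SSH_LINE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Constructed sample lines (documentation IP ranges), standing in for /var/log/auth.log.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:01:12 web sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  3 10:01:15 web sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  3 10:02:40 web sshd[2240]: Failed password for root from 198.51.100.23 port 40022 ssh2",
    "Mar  3 10:03:02 web sshd[2251]: Accepted password for deploy from 192.0.2.10 port 50010 ssh2",
    "Mar  3 10:03:05 web CRON[2260]: pam_unix(cron:session): session opened for user root",
]


def parse_auth_log(lines: Iterable[str]) -> list[dict]:
    """Return one record per sshd login attempt found in `lines`; other lines are ignored."""
    records = []
    for line in lines:
        m = SSH_LINE.search(line)
        if m:
            records.append({"ip": m["ip"], "user": m["user"],
                            "outcome": m["outcome"], "port": int(m["port"])})
    return records


def unique_ips(records: Iterable[dict]) -> list[str]:
    """First-seen order, repeats dropped: each address costs one API request, not one per attempt."""
    seen, out = set(), []
    for r in records:
        if r["ip"] not in seen:
            seen.add(r["ip"])
            out.append(r["ip"])
    return out


class RateLimiter:
    """Sliding window: at most `limit` acquisitions in any `period` seconds.
    `clock` and `sleep` are injectable so the limiter can be tested without waiting."""

    def __init__(self, limit: int = 4, period: float = 60.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep):
        self.limit, self.period, self.clock, self.sleep = limit, period, clock, sleep
        self.calls: deque[float] = deque()

    def acquire(self) -> None:
        while True:
            now = self.clock()
            while self.calls and now - self.calls[0] >= self.period:
                self.calls.popleft()          # drop timestamps outside the window
            if len(self.calls) < self.limit:
                self.calls.append(now)
                return
            self.sleep(self.period - (now - self.calls[0]))  # wait for the oldest to expire


def virustotal_lookup(ip: str, api_key: str) -> dict:
    """Assumption: VirusTotal v3 IP endpoint; returns how many engines flagged the address."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/ip_addresses/{ip}",
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=15) as resp:
        stats = json.load(resp)["data"]["attributes"]["last_analysis_stats"]
    return {"malicious": int(stats.get("malicious", 0))}


def build_reports(lines: Iterable[str], lookup: Callable[[str], dict],
                  limiter: RateLimiter) -> list[dict]:
    """One report per unique IP: attempt count from the log plus the lookup verdict."""
    records = parse_auth_log(lines)
    attempts: dict[str, int] = {}
    for r in records:
        attempts[r["ip"]] = attempts.get(r["ip"], 0) + 1
    reports = []
    for ip in unique_ips(records):
        limiter.acquire()                     # blocks when the quota would be exceeded
        reports.append({"ip": ip, "attempts": attempts[ip], **lookup(ip)})
    return reports


def save_reports(reports: Iterable[dict], path: str = ":memory:") -> sqlite3.Connection:
    """Store reports keyed on the IP so re-running the scan updates rows instead of duplicating them."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS ip_report (ip TEXT PRIMARY KEY, attempts INTEGER, malicious INTEGER)")
    conn.executemany("INSERT OR REPLACE INTO ip_report VALUES (?, ?, ?)",
                     [(r["ip"], r["attempts"], r["malicious"]) for r in reports])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Offline demo: a constructed verdict function stands in for the network lookup.
    demo_lookup = lambda ip: {"malicious": 12 if ip == "203.0.113.7" else 0}
    for row in build_reports(SAMPLE_AUTH_LOG, demo_lookup, RateLimiter()):
        print(row)
```

Swap `demo_lookup` for `lambda ip: virustotal_lookup(ip, API_KEY)` to run it for real; the limiter then spaces the calls so a burst of distinct attacker IPs in the log does not exhaust the quota in the first few seconds.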
```
.
├── report # index.php, css/ js/
├── comb-start.sh # Bash script for starting the web server
├── requirements.txt # Required python packages
├── shodan-report.py # Place Shodan API key in this file
├── virustotal-report.py # Place Virus Total API key in this file
└── README.md
```
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change. (I know the web interface is ugly; I'll be adjusting this.)
Please make sure to update tests as appropriate.