# Big picture and goal

Handling the spam and phishing reports that people send you is time consuming and, frankly, only moderately interesting, whether it is your job or you are simply the person who "knows computers" in your family or friend group.

In this workshop, we will show how to integrate open source tools that will make your life easier, empower the people reporting things to you, and hopefully reduce your workload.

Before attending this workshop, please make sure that you can install Python 3 software on your device, and that your device is preferably running Ubuntu 22.04 or more recent. The workshop is relatively short and, depending on how many people attend, we may not have time to do a lot of sysadmin work during it.

The tools we will use are the following:

* Lookyloo (to analyze URLs) - https://lookyloo.circl.lu/ - https://lookyloo-demo.yoyodyne-it.eu/
* Pandora (to analyze files) - https://pandora.circl.lu/ - https://pandora-demo.yoyodyne-it.eu/
* Lacus (optionally, to capture the URLs when you have a lot of them) - https://github.com/ail-project/lacus
* A URL monitoring interface (to compare a specific URL over time) - https://monitor.circl.lu/ - https://monitoring-demo.yoyodyne-it.eu/
* Phishtank Lookup (to check if a URL is known or not) - https://phishtankapi.circl.lu/

We will also see how to chain Lookyloo and Pandora for the cases where a URL points to a file, and where a file is a web document or contains URLs.

Integration with 3rd party services:

* MISP (to share the indicators) - https://www.misp-project.org/
* Ticketing system (to manage interactions with other entities, typically take down requests)
* Check whether a URL is already known with VirusTotal, Phishtank Lookup, URLScan, URLHaus
* Check whether a file is already known with VirusTotal, MalwareBazaar, HybridAnalysis, MWDB, JoeSandbox
* Add contextual information with SaneJS, uWhoisd, Hashlookup

This is the outcome we'd like to have at the end of this workshop (except AIL, we don't have enough time for that):

<img src="BigPicture.png" width="1200"> 

# How this workshop will work

## Local installation of all the things

### Barebone - If you're running a recent linux distribution

#### System packages (apt packages, please find alternatives if you're using another distribution)

```bash
apt install build-essential python3-dev whois tor git cmake libtool libssl-dev jq
```

Notes:
* whois, only if you want to use uwhoisd
* tor, if you want to capture .onion websites, or use tor as a proxy

#### Tools to install from other sources (repos / manual)

* poetry: `curl -sSL https://install.python-poetry.org | python3 -`

  * NOTE: do not forget to add `export PATH="$HOME/.local/bin:$PATH"` (`/home/ubuntu/.local/bin` on a default Ubuntu install) to your bash config file, and reload it.

Each project has an install guide. For convenience, start by cloning all the projects below into the same directory:

* redis: https://github.com/redis/redis
* [optional] lacus: https://github.com/ail-project/lacus (not required, you can also trigger the captures directly from lookyloo)
* lookyloo: https://github.com/Lookyloo/lookyloo
* monitoring: https://github.com/Lookyloo/monitoring
* [optional] uWhoisd: https://github.com/Lookyloo/uwhoisd

For pandora:

* kvrocks: https://github.com/apache/kvrocks (it takes a very long time to compile)
* pandora: https://github.com/pandora-analysis/pandora

Clone all the things:

```bash
git clone https://github.com/redis/redis
git clone https://github.com/ail-project/lacus
git clone https://github.com/Lookyloo/lookyloo
git clone https://github.com/Lookyloo/monitoring
git clone https://github.com/Lookyloo/uwhoisd
git clone https://github.com/apache/kvrocks
git clone https://github.com/pandora-analysis/pandora
```

Compile Redis:

```bash
cd redis
git checkout 7.2
make
cd ..
```

Compile kvrocks:

```bash
cd kvrocks
git checkout 2.6
./x.py build
cd ..
```

Install the projects:

* [Optional] Install lacus: https://github.com/ail-project/lacus#installation
* Install Lookyloo: https://www.lookyloo.eu/docs/main/install-lookyloo.html
* Install Monitoring: https://github.com/Lookyloo/monitoring#installation
* [Optional] Install uWhoisd: https://www.lookyloo.eu/docs/main/install-lookyloo.html#_install_uwhoisd_optional
* Install pandora: https://github.com/pandora-analysis/pandora#installation

### Docker - If you know what you're doing and can debug Dockerfiles

Use the Dockerfiles for Lookyloo and Pandora; they will spin up most of what you need.

## Connect the tools together

### Lookyloo

Initialize an admin account to get access to all the functionalities: change `"users": {}` to `"users": {"admin": "password"}` in `config/generic.json` (pick a real password; this account unlocks every admin feature of the instance).

* Lacus (optional): To use lacus as a capture layer, configure it in `config/generic.json`, key `remote_lacus`
* Monitoring: To monitor captures, configure it in `config/generic.json`, key `monitoring`
* Email / notification: To setup reporting, configure it in `config/generic.json`, key `email`
* MISP: To search/push to a MISP instance, configure it in `config/modules.json`, key `MultipleMISPs`
* Pandora: To push files to Pandora, configure it in `config/modules.json`, key `Pandora`

### Lookyloo Monitoring

* Lookyloo: if needed (running on another machine), set `lookyloo_url` in `config/generic.json`
* Email / notification: configure `email` in `config/generic.json`

### Pandora

* Lookyloo: if needed (running on another machine), set `lookyloo_url` in `config/generic.json`
* MISP: Configure `misp` in `config/generic.json`
* Email submission: Configure `email_smtp_auth` in `config/generic.json`

## Use the web interfaces

* Lookyloo: https://lookyloo-demo.yoyodyne-it.eu/ (https://lookyloo-demo.yoyodyne-it.eu/login -> admin - hacklu2023)
* Lacus: https://lacus-demo.yoyodyne-it.eu/
* Monitoring: https://monitoring-demo.yoyodyne-it.eu/ (https://monitoring-demo.yoyodyne-it.eu/login -> admin - hacklu2023)
* Pandora: https://pandora-demo.yoyodyne-it.eu/submit (https://pandora-demo.yoyodyne-it.eu/admin -> admin - hacklu2023)
 
* Use http://training.misp-community.org/
    * TODO: get a bunch of accounts

* Forward a mail to `pandora-demo@yoyodyne-it.eu`, preferably as an attachment. 

* Access the mailbox of the investigation team: user `investigation-demo@yoyodyne-it.eu` - password `<given during the workshop>` - mail server `mail.vinot.info` - connection security STARTTLS - authentication method "normal password"

## Use the APIs

=> the integration notebook
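The glue the integration notebook starts from, as an added example written for this page (it is not code from the Lookyloo or Pandora projects): take a report mailed to the investigation mailbox, unwrap the original message the reporter attached, and pull out the URLs to capture with Lookyloo and the attachments to submit to Pandora, without rendering anything. It also covers the case from the "Big picture" section where the same report carries both a URL and a file. This is why the instructions above ask reporters to forward as an attachment: an inline forward loses the original headers and the client may rewrite the links, so only the `message/rfc822` part gives you the real thing. The sample messages, the domains in them, and the function names (`triage_report` and its helpers) are this example's own constructions; the actual submission calls to the pylookyloo / pypandora clients are left out so the block runs offline on the standard library alone.

```python
"""Triage one reported phishing mail for the Lookyloo/Pandora pipeline.

Added example for this workshop (not Lookyloo or Pandora code). Standard
library only, so it runs offline; the sample messages are constructed and
the domains in them are placeholders.
"""
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage
from html.parser import HTMLParser

MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024   # arbitrary cap chosen for this example
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# --- constructed sample: a colleague forwards a phishing mail AS AN ATTACHMENT
ORIGINAL = EmailMessage(policy=email.policy.default)
ORIGINAL["From"] = "security@example.com"        # what the victim saw
ORIGINAL["To"] = "victim@example.org"
ORIGINAL["Subject"] = "Your account has been suspended"
ORIGINAL.set_content("Verify now: http://login.example.net/verify?u=42")
ORIGINAL.add_alternative(
    '<p>Verify now: <a href="http://login.example.net/verify?u=42">click</a> '
    'or open <a href="https://cdn.example.net/doc.php">the document</a>.</p>',
    subtype="html")
ORIGINAL.add_attachment(b"%PDF-1.4 fake invoice", maintype="application",
                        subtype="pdf", filename="invoice.pdf")

REPORT = EmailMessage(policy=email.policy.default)
REPORT["From"] = "colleague@example.org"
REPORT["To"] = "investigation-demo@yoyodyne-it.eu"
REPORT["Subject"] = "FW: suspicious mail"
REPORT.set_content("Got this, looks fishy.")
REPORT.add_attachment(ORIGINAL)                  # becomes a message/rfc822 part
RAW_REPORT = REPORT.as_bytes()                   # what the mailbox would hand us


class _LinkCollector(HTMLParser):
    """Collect href/src values. The HTML is parsed, never rendered."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())


def forwarded_originals(msg):
    """The mails the reporter attached (message/rfc822 parts).

    An inline forward has no such part: the original headers are gone and
    the client may have rewritten the links, so all we can triage is the
    report body itself.
    """
    originals = [part.get_payload(0) for part in msg.walk()
                 if part.get_content_type() == "message/rfc822"]
    return originals or [msg]


def extract_urls(msg):
    """Unique http(s) URLs: regex on text/plain, parser on text/html."""
    urls = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            urls.update(u.rstrip(".,;:)") for u in URL_RE.findall(part.get_content()))
        elif ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            urls.update(u for u in collector.links if u.startswith(("http://", "https://")))
    return sorted(urls)


def extract_attachments(msg):
    """(filename, sha256, size) per attachment. Hash first: Hashlookup or
    MalwareBazaar can answer before anything is submitted, and the hash,
    not the attacker-chosen filename, is what we key on."""
    found = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            continue                              # handled by forwarded_originals()
        data = part.get_payload(decode=True) or b""
        if len(data) > MAX_ATTACHMENT_BYTES:
            continue                              # skip oversized parts (log them in practice)
        found.append((part.get_filename() or "unnamed",
                      hashlib.sha256(data).hexdigest(), len(data)))
    return found


def triage_report(raw_bytes):
    """Parse a raw report and return what goes where:
    urls -> Lookyloo captures, attachments -> Pandora tasks."""
    report = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    return {
        "reporter": str(report["From"]),
        "originals": [{
            "from": str(original["From"]),
            "subject": str(original["Subject"]),
            "urls": extract_urls(original),
            "attachments": extract_attachments(original),
        } for original in forwarded_originals(report)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_report(RAW_REPORT), indent=2))
```

From the returned structure, the `urls` list is what you would check against Phishtank Lookup and then hand to Lookyloo, and each attachment hash is what you would look up in Hashlookup or MalwareBazaar before creating a Pandora task for the file. Run this on a throwaway account or container: the parser never executes or renders the content, but the raw report is still attacker-controlled input, and the size cap exists so a multi-gigabyte attachment cannot exhaust the box that reads the mailbox.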

