Find file Copy path
1aa5a35 Sep 24, 2018
2 contributors

Users who have contributed to this file

@p-l- @fmonjalet
308 lines (207 sloc) 9.96 KB

What is it?

IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a network recon framework, including tools for passive recon (flow analytics relying on Bro, Argus, Nfdump, fingerprint analytics based on Bro and p0f and active recon (IVRE uses Nmap to run scans, can use ZMap as a pre-scanner; IVRE can also import XML output from Nmap and Masscan).

The advertising slogans are:

  • (in French): IVRE, il scanne Internet.
  • (in English): Know the networks, get DRUNK!

The names IVRE and DRUNK have been chosen as a tribute to "Le Taullier".


IVRE is a framework. Meaning it does not come with ready-to-run scripts to daemonize actions, etc. You need to do that work yourself, as it strongly depends on what system you use, your environment, and what you want to do.

External programs / dependencies

IVRE relies on:

  • Python 2 (version 2.6 minimum), or 3 (version 3.3 minimum). Python 2.6 compatibility is important to make sure IVRE works with RHEL and CentOS version 6.

    • the Bottle module,
    • the Crypto module,
    • the pymongo module, version 2.7.2 minimum.
    • optionally PIL, to trim screenshots.
    • optionally py2neo to use the flow module, version 3 minimum.
    • optionally sqlalchemy and psycopg2 to use the experimental PostgreSQL backend.
  • Nmap version 7.25BETA2 minimum (actually, earlier versions can be used by setting script_timeout to None in each scan template).

  • optionnaly ZMap and/or Masscan

  • Bro (version 2.3 minimum), Argus, Nfdump& p0f (version 2, will not work with version 3) for the passive fingerprint and flow modules.

  • MongoDB, version 2.6 minimum (tests are run with versions 2.6.12, 3.0.15, 3.2.21, 3.4.17, 3.6.8, 4.0.2 and 4.1.3).

  • optionnaly Neo4j for the flow module.

  • optionnaly PostgreSQL, version 9.5 minimum (tests are run with versions 9.5.10, 9.6.6 and 10.1), for the experimental PostgreSQL backend.

  • a web server (successfully tested with Apache and Nginx, should work with anything capable of serving static files and run a Python-based CGI), although a test web server is distributed with IVRE (ivre httpd).

  • Dokuwiki or another Wiki to use as a notepad. Dokuwiki can also be used to display the documentation.

  • a web browser (successfully tested with recent versions of Firefox and Chromium).

  • Maxmind GeoIP free databases.

  • optionally Tesseract, if you plan to add screenshots to your Nmap scan results.

  • optionally Docker & Vagrant (version 1.6 minimum)

IVRE comes with (refer to the LICENSE-EXTERNAL file for the licenses):


See the INSTALL file. You can also try to use Docker to easily setup and run an IVRE architecture.

Passive recon

The following steps will show some examples of passive network recon with IVRE. If you only want active (for example, Nmap-based) recon, you can skip this part.

Using Bro

You need to run bro (2.3 minimum, regularly tested with 2.5.2) with the option -b and the location of the passiverecon/bare.bro file. If you want to run it on the eth0 interface, for example, run (replace /usr/share/ivre by the appropriate location; use python -c 'import ivre.config; print(ivre.config.guess_prefix())' if you cannot find it):

# mkdir logs
# LOG_PATH=logs/passiverecon \
> bro -b /usr/share/ivre/bro/ivre/passiverecon/bare.bro -i eth0

If you want to run it on the capture file (capture needs to a PCAP file), run:

$ mkdir logs
$ LOG_PATH=logs/passiverecon \
> bro -b /usr/share/ivre/bro/ivre/passiverecon/bare.bro -r capture

This will produce log files in the logs directory. You need to run a ivre passivereconworker to process these files. You can try:

$ ivre passivereconworker --directory=logs

This program will not stop by itself. You can (p)kill it, it will stop gently (as soon as it has finished to process the current file).

You can also send the data from bro to the database without using intermediate files:

$ bro -b /usr/share/ivre/bro/ivre/passiverecon/bare.bro [option] \
> | ivre passiverecon2db

Using p0f

To start filling your database with information from the eth0 interface, you just need to run (passiverecon is just a sensor name here):

# ivre p0f2db -s passiverecon iface:eth0

And from the same capture file:

$ ivre p0f2db -s passiverecon capture

Using the results

You have two options for now:

  • the ivre ipinfo command line tool

  • the db.passive object of the ivre.db Python module

For example, to show everything stored about an IP address or a network:

$ ivre ipinfo
$ ivre ipinfo

See the output of ivre help ipinfo.

To use the Python module, run for example:

$ python
>>> from ivre.db import db
>>> db.passive.get(db.passive.flt_empty)[0]

For more, run help(db.passive) from the Python shell.

Active recon


The easiest way is to install IVRE on the "scanning" machine and run:

# ivre runscans --routable --limit 1000 --output=XMLFork

This will run a standard scan against 1000 random hosts on the Internet by running 30 nmap processes in parallel. See the output of ivre help runscans if you want to do something else.

When it's over, to import the results in the database, run:

$ ivre scan2db -c ROUTABLE-CAMPAIGN-001 -s MySource -r scans/ROUTABLE/up

Here, ROUTABLE-CAMPAIGN-001 is a category (just an arbitrary name that you will use later to filter scan results) and MySource is a friendly name for your scanning machine (same here, an arbitrary name usable to filter scan results; by default, when you insert a scan result, if you already have a scan result for the same host address with the same source, the previous result is moved to an "archive" collection (fewer indexes) and the new result is inserted in the database).

There is an alternative to installing IVRE on the scanning machine that allows to use several agents from one master. See the AGENT file, and the commands ivre {runscansagent|runscansagentdb} for the master.

Using the results

You have three options:

  • the ivre scancli command line tool

  • the db.nmap object of the ivre.db Python module

  • the web interface

CLI: ivre scancli

To get all the hosts with the port 22 open:

$ ivre scancli --port 22

See the output of ivre help scancli.

Python module

To use the Python module, run for example:

$ python
>>> from ivre.db import db
>>> db.nmap.get(db.nmap.flt_empty)[0]

For more, run help(db.nmap) from the Python shell.

Web interface

The interface is meant to be easy to use, it has its own documentation.


IVRE is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

IVRE is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with IVRE. If not, see the web site.


Try ivre help for the CLI commands, help() under Python and the "HELP" button in the web interface.

Have a look at the FAQ!

Feel free to contact the author and offer him a beer if you need help!

If you don't like beer, a good scotch or any other good alcoholic beverage will do (it is the author's unalienable right to decide whether a beverage is good or not).


Code contributions (pull-requests) are of course welcome!

The project needs scan results and capture files that can be provided as examples. If you can contribute some samples, or if you want to contribute some samples and would need some help to do so, or if you can provide a server to run scans, please contact the author.


For both support and contribution, the repository on Github should be used: feel free to create a new issue or a pull request!

You can also try to use the e-mail dev on the domain, or to join the IRC chan #ivre on Freenode.

This file is part of IVRE. Copyright 2011 - 2018 Pierre LALET