# Configuration

EE is configured using a file `EnrichmentEngine.conf`:

## Global section

```bash
[Global]
Host = "0.0.0.0"
Port = 8000
Auth = 0
Auth_admin_password = ""
SSL_Key = ""
SSL_Cert = ""
SSL_CA = ""
```

- `Host` - IP address that the application uses
- `Port` - port that the application uses
- `Auth` - enables or disables authentication [1/0]
- `Auth_admin_password` - admin password
- `SSL_Key` - path to the SSL key file
- `SSL_Cert` - path to the SSL certificate file
- `SSL_CA` - path to the SSL CA file

## Memcached section

```bash
[Memcached]
Hosts = ["memcached-server:11211"]
```

- `Hosts` - addresses used for connecting to memcached

## Kafka section

```bash
[Kafka]
#https://github.com/edenhill/librdkafka/blob/master/CONFIGURATION.md
Config = {"bootstrap.servers": "localhost:9092"}
Topic = "test"
```

- `Config` - options to pass to the Kafka client
- `Topic` - topic name

## VirusTotal section

```bash
[VirusTotal]
Apikey = ""
TTL = 0
Limit_calls = 9999
Limit_sec = 9999
```

- `Apikey` - VirusTotal application API key
- `TTL` - parameter specifying how long the data will be kept in cache memory
- `Limit_calls` - parameter specifying how many connections can be established in a given period
- `Limit_sec` - parameter specifying the period during which the connection limit will be checked

## Shodan section

```bash
[Shodan]
Apikey = ""
TTL = 0
Limit_calls = 9999
Limit_sec = 9999
```

- `Apikey` - Shodan application API key
- `TTL` - parameter specifying how long the data will be kept in cache memory
- `Limit_calls` - parameter specifying how many connections can be established in a given period
- `Limit_sec` - parameter specifying the period during which the connection limit will be checked

## Censys section

```bash
[Censys]
ApiID = ""
ApiSecret = ""
TTL = 0
Limit_calls = 9999
Limit_sec = 9999
```

- `ApiID` - ID used for authenticating with the API
- `ApiSecret` - secret used for authenticating with the API
- `TTL` - parameter specifying how long the data will be kept in cache memory
- `Limit_calls` - parameter specifying how many connections can be established in a given period
- `Limit_sec` - parameter specifying the period during which the connection limit will be checked

## MISP section

```bash
[MISP]
List = ["microsoft-office365","microsoft-office365-cn","microsoft-office365-ip","amazon-aws"]
TTL = 0
```

- `List` - parameter specifying the lists to be checked. All lists are described at: https://github.com/MISP/misp-warninglists/tree/main/lists
- `TTL` - parameter specifying how long the data will be kept in cache memory

## SSLBL section

```bash
[SSLBL]
URL = "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv"
TTL = 0
```

- `URL` - URL address of the SSLBL feed
- `TTL` - parameter specifying how long the data will be kept in cache memory

## Alienvault section

```bash
[Alienvault]
APIKey = ""
TTL = 1
Limit_calls = 9999
```

- `APIKey` - AlienVault application API key
- `TTL` - parameter specifying how long the data will be kept in cache memory
- `Limit_calls` - parameter specifying how many connections can be established in a given period
- `Limit_sec` - parameter specifying the period during which the connection limit will be checked

## TOR section

```bash
[TOR]
URL = "https://check.torproject.org/exit-addresses"
TTL = 1
```

- `URL` - URL address of the TOR feed
- `TTL` - parameter specifying how long the data will be kept in cache memory

## Spamhaus section

```bash
[Spamhaus]
Ip_list = ["SBL","XBL","PBL","AUTHBL"]
Domains_list = ["DBL","ZRD"]
APIKey = ""
URL = "https://apibl.spamhaus.net/lookup/v1"
TTL = 1
```

- `Ip_list` - parameter specifying the IP lists to be checked. All lists are described below:
  - `SBL` - The Spamhaus Block List Advisory is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail.
  - `XBL` - The Spamhaus Exploits Block List is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.
  - `PBL` - The Policy Block List is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.
  - `AUTHBL` - Auth Blocklist
- `Domains_list` - parameter specifying the domain lists to be checked. All lists are described below:
  - `DBL` - The Domain Block List is a list of domain names with poor reputations. It is published in a domain DNSBL format. These domain reputations are calculated from many factors, and maintained in a database which in turn feeds the DBL zone itself.
  - `ZRD` - Zero Reputation Domain. ZRD automatically adds newly-registered domains to a blocklist, allowing you to protect your customers from receiving emails from new malicious domains.
- `APIKey` - Spamhaus application API key
- `URL` - URL address of the Spamhaus API
- `TTL` - parameter specifying how long the data will be kept in cache memory
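
The defaults shown in the Global section (`Host = "0.0.0.0"`, `Auth = 0`, empty `SSL_*` paths) leave the service reachable on every interface without authentication or a TLS key pair. The following is an added example, not part of the EE project's code, that audits a config file for those settings before deployment. It assumes the file can be read as INI sections whose values are JSON literals; `load` and `audit` are hypothetical helper names, and the sample config is constructed.

```python
import configparser
import json

# Constructed sample: the [Global] defaults from this page, plus a [TOR]
# section whose URL was deliberately downgraded to http:// for the demo.
SAMPLE_CONF = '''
[Global]
Host = "0.0.0.0"
Port = 8000
Auth = 0
Auth_admin_password = ""
SSL_Key = ""
SSL_Cert = ""
SSL_CA = ""

[TOR]
URL = "http://check.torproject.org/exit-addresses"
TTL = 1
'''

def load(text):
    """Parse INI sections; decode each value as JSON (assumed value syntax)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. Auth_admin_password
    cp.read_string(text)
    return {s: {k: json.loads(v) for k, v in cp[s].items()} for s in cp.sections()}

def audit(conf):
    """Return a list of findings for exposure-related settings."""
    g = conf.get("Global", {})
    findings = []
    loopback = g.get("Host") in ("127.0.0.1", "::1", "localhost")
    if not g.get("Auth"):
        findings.append("Global.Auth=0: authentication is disabled"
                        + ("" if loopback else " and Host is not loopback"))
    elif not g.get("Auth_admin_password"):
        findings.append("Global.Auth=1 but Auth_admin_password is empty")
    if not (g.get("SSL_Key") and g.get("SSL_Cert")):
        findings.append("Global.SSL_Key/SSL_Cert are empty: no TLS key pair configured")
    for section, opts in conf.items():
        url = opts.get("URL")
        if isinstance(url, str) and url.startswith("http://"):
            findings.append(f"{section}.URL uses plain HTTP: feed is not integrity-protected")
    return findings

if __name__ == "__main__":
    for finding in audit(load(SAMPLE_CONF)):
        print("WARN", finding)
```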