Configuration
EE is configured using the file EnrichmentEngine.conf:
Global section
[Global]
Host = "0.0.0.0"
Port = 8000
Auth = 0
Auth_admin_password = ""
SSL_Key = ""
SSL_Cert = ""
SSL_CA = ""
Host
- IP address that the application binds to
Port
- port that the application listens on
Auth
- enable or disable authentication [1/0]
Auth_admin_password
- admin password
SSL_Key
- path to the SSL key file
SSL_Cert
- path to the SSL certificate file
SSL_CA
- path to the SSL CA file
Memcached section
[Memcached]
Hosts = ["memcached-server:11211"]
Hosts
- addresses used for connecting to Memcached
Kafka section
[Kafka]
#https://github.com/edenhill/librdkafka/blob/master/CONFIGURATION.md
Config = {"bootstrap.servers": "localhost:9092"}
Topic = "test"
Config
- options to pass to the Kafka client
Topic
- topic name
VirusTotal section
[VirusTotal]
Apikey = ""
TTL = 0
Limit_calls = 9999
Limit_sec = 9999
Apikey
- VirusTotal application API key
TTL
- how long the fetched data is kept in cache memory
Limit_calls
- how many connections can be established in a given period
Limit_sec
- the period during which the connection limit is checked
Shodan section
[Shodan]
Apikey = ""
TTL = 0
Limit_calls = 9999
Limit_sec = 9999
Apikey
- Shodan application API key
TTL
- how long the fetched data is kept in cache memory
Limit_calls
- how many connections can be established in a given period
Limit_sec
- the period during which the connection limit is checked
Censys section
[Censys]
ApiID = ""
ApiSecret = ""
TTL = 0
Limit_calls = 9999
Limit_sec = 9999
ApiID
- ID used for authenticating with the Censys API
ApiSecret
- secret used for authenticating with the Censys API
TTL
- how long the fetched data is kept in cache memory
Limit_calls
- how many connections can be established in a given period
Limit_sec
- the period during which the connection limit is checked
MISP section
[MISP]
List = ["microsoft-office365","microsoft-office365-cn","microsoft-office365-ip","amazon-aws"]
TTL = 0
List
- the MISP warning lists to be checked. All available lists are described at:
https://github.com/MISP/misp-warninglists/tree/main/lists
TTL
- how long the fetched data is kept in cache memory
SSLBL section
[SSLBL]
URL = "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv"
TTL = 0
URL
- URL of the SSLBL feed
TTL
- how long the fetched data is kept in cache memory
Alienvault section
[Alienvault]
APIKey = ""
TTL = 1
Limit_calls = 9999
APIKey
- AlienVault application API key
TTL
- how long the fetched data is kept in cache memory
Limit_calls
- how many connections can be established in a given period
Limit_sec
- the period during which the connection limit is checked
TOR section
[TOR]
URL = "https://check.torproject.org/exit-addresses"
TTL = 1
URL
- URL of the TOR exit-address feed
TTL
- how long the fetched data is kept in cache memory
Spamhaus section
[Spamhaus]
Ip_list = ["SBL","XBL","PBL","AUTHBL"]
Domains_list = ["DBL","ZRD"]
APIKey = ""
URL = "https://apibl.spamhaus.net/lookup/v1"
TTL = 1
Ip_list
- the Spamhaus IP lists to be checked. The available lists are described below:
SBL
- The Spamhaus Block List Advisory is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail.
XBL
- The Spamhaus Exploits Block List is a real-time database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc.), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.
PBL
- The Policy Block List is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer’s use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.
AUTHBL
- Auth Blocklist
Domains_list
- the Spamhaus domain lists to be checked. The available lists are described below:
DBL
- The Domain Block List is a list of domain names with poor reputations. It is published in a domain DNSBL format. These domain reputations are calculated from many factors, and maintained in a database which in turn feeds the DBL zone itself.
ZRD
- Zero Reputation Domain: ZRD automatically adds newly-registered domains to a blocklist, allowing you to protect your customers from receiving emails from new malicious domains.
APIKey
- Spamhaus application API key
URL
- URL of the Spamhaus API
TTL
- how long the fetched data is kept in cache memory
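As an added example (not part of EE itself), the following Python audits an EnrichmentEngine.conf for the weak settings the Global and per-source sections above allow: an exposed listener with Auth = 0, Auth = 1 with an empty Auth_admin_password, no SSL_Key/SSL_Cert, TTL = 0 (no caching) and a Limit_calls that is effectively unthrottled. It assumes the file is INI sections with JSON-literal values, which matches every sample above; the sample text is constructed.

```python
import configparser
import json

# Constructed sample mirroring the shipped defaults documented above.
SAMPLE_CONF = """
[Global]
Host = "0.0.0.0"
Port = 8000
Auth = 0
Auth_admin_password = ""
SSL_Key = ""
SSL_Cert = ""
SSL_CA = ""

[VirusTotal]
Apikey = ""
TTL = 0
Limit_calls = 9999
Limit_sec = 9999
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def load_conf(text):
    """Parse INI sections whose values are JSON literals (assumed EE format)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written, e.g. Auth_admin_password
    parser.read_string(text)
    return {s: {k: json.loads(v) for k, v in parser[s].items()} for s in parser.sections()}


def audit(conf):
    """Return a list of findings for weak settings; an empty list means clean."""
    findings = []
    g = conf.get("Global", {})
    if g.get("Host") not in LOOPBACK and g.get("Auth") == 0:
        findings.append("Global: listener on %s without authentication" % g.get("Host"))
    if g.get("Auth") == 1 and not g.get("Auth_admin_password"):
        findings.append("Global: Auth enabled but Auth_admin_password is empty")
    if not (g.get("SSL_Key") and g.get("SSL_Cert")):
        findings.append("Global: SSL_Key/SSL_Cert unset, listener is plaintext HTTP")
    for name, sec in conf.items():
        if name == "Global":
            continue
        if sec.get("TTL") == 0:
            findings.append("%s: TTL=0 disables caching, every lookup hits upstream" % name)
        if sec.get("Limit_calls", 0) >= 9999:
            findings.append("%s: Limit_calls=%d is effectively unthrottled" % (name, sec["Limit_calls"]))
    return findings
```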