    Huy Nguyen
    @huynguy97

    That's not implemented. You realize that the filter would be the same on each line? Or did I miss something?

    Yes I do and that is what I need for identification reasons.

    But I already think I know how to fix it myself! If not, I'll be back here.
    Pierre
    @p-l-
    {"templateID":"CVE-2018-15473","info":{"name":"OpenSSH Username Enumeration","author":["r3dg33k","daffainfo"],"tags":["network","openssh","cve","cve2018"],"description":"OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.","reference":["https://nvd.nist.gov/vuln/detail/cve-2018-15473"],"severity":"medium","classification":{"cve-id":["cve-2018-15473"],"cwe-id":["cwe-362"],"cvss-metrics":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","cvss-score":5.3}},"type":"network","host":"scanme.nmap.org","matched":"scanme.nmap.org:22","timestamp":"2021-10-28T17:16:15.931565-05:00"}
    I have a problem with this sample: it has no "ip" field, and the "host" and "matched" fields use a hostname, so we cannot know which IP this record is about. If my memory serves well, you (@0xtavian) had the "ip" field added by the Nuclei team some time ago; it would really be helpful here!
    Pierre
    @p-l-
    0xtavian
    @0xtavian
    Sorry for the late reply, but this is awesome man! Yeah, I thought we took care of that as well, but it's good to know they are on it. I actually had a convo recently (shortly before I posted the new JSON structure in this chat) with PD about a unified JSON that all of their tools can update dynamically. I'm not too sure how much of that idea they are implementing, but I think they are taking some points from it.
    Pierre
    @p-l-
    Apart from that, the "network" templates can now be inserted (#1210) in ivre
    Huy Nguyen
    @huynguy97
    Is there an easy way to import only the latest performed scans in 'views'? For example, if I already have 10.000 results of category "HTTP" in views. I perform a new scan that has 1000 new results for the category "HTTP" and I only want to import these new 1000 when I do "ivre db2view --category HTTP". Saves a lot of time, especially as my database is expected to become bigger and bigger over time.
    Pierre
    @p-l-
    You have to tag those results with a specific category, e.g., _HTTP_20211107 (categories starting with a _ are hidden), and then run ivre db2view --category _HTTP_20211107. Otherwise, IVRE has no idea when a result has been inserted.
    Pierre
    @p-l-
    I have had a very hard time figuring out a regression in IVRE's tests. It seems to be a regression introduced in the Python interpreter.
    See https://bugs.python.org/issue45235
    This message https://bugs.python.org/issue45235#msg406079 shows a similar problem. The regression exists in Python 3.9.8 but not in 3.9.7.
    The regression has been introduced to Python versions 3.6 to 3.10. It is not clear when a bugfix release will be published, nor if it will cover versions lower than 3.9.
    Pierre
    @p-l-
    IVRE v0.9.17 just released! Will make a blog post soon for the most important changes
    tpenisso
    @tpenisso
    hi, what's the difference between nmap option "host_timeout" and ivre runscans option "--nmap-max-cpu" ?
    Pierre
    @p-l-
    host_timeout is, as you noted, an option passed to Nmap (so it is based on Nmap's good will). Also, this is a real timeout (in seconds) and it is applied for each host.
    --nmap-max-cpu, on the other hand, is a limit applied by the OS (it will kill Nmap if it exceeds it), only based on the CPU usage (if Nmap idles for a very long time, nothing happens), and it is applied to the whole Nmap process (even if it scans 1000 hosts).
    tpenisso
    @tpenisso
    thanks for your answer!
    Pierre
    @p-l-
    2300 stars on Github! Thanks! https://github.com/ivre/ivre/stargazers
    Pierre
    @p-l-
    Nils Putnins
    @thistehneisen
    Could anyone who is experienced with IVRE help me with a setup with the purpose of automating scans for different subnets?
    Would definitely send some coffee money.
    Pierre
    @p-l-
    Hi @thistehneisen, what kind of help would you need?
    Nils Putnins
    @thistehneisen
    Hi, @p-l-, basically I'd like to understand the best approach to set up IVRE for long-term use on Ubuntu Server 20.04 and how to (semi) automatically scan subnets of interest
    Pierre
    @p-l-
    I don't know what your current knowledge of IVRE and network cartography tools is so far, but I'll try to give a generic answer (sorry if it is too obvious or too vague).
    Basically, the first task is to identify what works best to scan your target: what protocols & ports, what tool(s), which options, etc. That depends on how large the target is, how deep the scan could/should be, how long the scan could/should last, etc. That part is not really covered by IVRE (even if IVRE comes with tools to run Nmap; maybe one of the ivre runscans* tools would be great for your use-case, but that depends on your use-case).
    Then, when you have decided on what you want to run, you should set up a cron job or equivalent that will run the scan and insert it (in the scan purpose), and probably update the view purpose (that is, calling ivre scan2db and ivre db2view).
    If some of the tools you identify in the first step are not supported by IVRE, you would have another task: implementing support for them in IVRE.
    Nils Putnins
    @thistehneisen
    Understandable so far, I'll have a look around at what's available by default and see what can be done. Which setup would you suggest from the ones available on https://ivre.rocks/#get-started? I see there's a Docker possibility, but I also see that there's a repo for Kali Linux. Might the repo maybe be used on Ubuntu Server also, or would you suggest Docker there?
    Pierre
    @p-l-
    I use "regular" (e.g., non-Docker) setups on Debian systems, usually using the distribution packages when they are available for the dependencies, and pip to install the dependencies missing from the distribution (if any) and IVRE itself.
    (also, I use the development branch from git on my servers, but maybe you don't want that: you get more functionalities at the price of a bit of instability; your call!)
    Pierre
    @p-l-
    Early httpx (ProjectDiscovery, https://github.com/projectdiscovery/httpx) support in IVRE to be merged soon: ivre/ivre#1262
    itnsec
    @itnsec

    Early httpx (ProjectDiscovery, https://github.com/projectdiscovery/httpx) support in IVRE to be merged soon: ivre/ivre#1262

    Works great! Thanks!!!

    Pierre
    @p-l-
    You're welcome!
    itnsec
    @itnsec
    Hello IVRE fans. I've got some old records in my database that raise an error while executing db2view:
    WARNING:ivre:Will not handle record with schema_version 19 ...
    What's the best way to mitigate? Is there a possible conversion, or shall I reinit my DB?
    AG
    @mzpqnxow
    @p-l- did you see robertdavidgraham/masscan#646?
    I think you were part of the discussion on the issue initially. I left it alone because I had no data showing it was necessary.
    Finally ran into something in my scope that was filtering option-less SYN packets.
    nbandodk
    @nbandodk
    Hello! I was wondering if IVRE has an update script? Or is the only way to update IVRE to rebuild it from the GitHub repo?
    Pierre
    @p-l-
    Hi! It depends on how you have installed it. Usually, with pip, the command pip install -U ivre should work!
    nbandodk
    @nbandodk
    Thanks! And does IVRE have the ability to search/filter on results ingested from Nuclei? So far I have only been able to search/filter on Nmap results and not on Nuclei or httpx results.
    Pierre
    @p-l-
    Yes, Nuclei / httpx results can be inserted using the very same command as for Nmap results.
    Pierre
    @p-l-
    Also, you can use pip install -U git+https://github.com/ivre/ivre to install IVRE's current development version rather than the latest "stable" release available.
    nbandodk
    @nbandodk
    (screenshot: Screen Shot 2022-02-03 at 9.22.13 AM.png)
    So, the way we have HTTP fields above... is there a way to do the same with "http-nuclei" results?
    (screenshot: Screen Shot 2022-02-03 at 9.23.20 AM.png)
    So, for example, I want to find all "wordpress" instances found by Nuclei. Is there a way to do this?
    Pierre
    @p-l-
    Something like script:http-nuclei:/Wordpress/ should work, even if that's not exactly what you would like.
    nbandodk
    @nbandodk
    Thank you! That helps a lot.
    حسین شادی
    @ho3einshadi:matrix.org
    Hi, how can we install it on Windows 10?
    Pierre
    @p-l-
    Hi, no idea... (not a Windows user) but it should work (IVRE has received some patches to work on Windows). Try it and let us know how it works?
    underknowledge
    @underknowledge:matrix.org
    Ah, nice to be back. FYI, you can use Matrix (FluffyChat, Element, Hydrogen) to join this room: '#ivre_ivre:gitter.im'
    Pierre
    @p-l-
    https://twitter.com/IvreRocks/status/1511982035912507395
    IVRE now uses SSL blacklist data from abuse.ch to add tags for known bad certificates and JA3 (client) fingerprints (the former can be used with both data from passive sensors and from active network scans, while the latter will only be useful for passive sensors).
    I don't have huge datasets, but I already did find interesting stuff using that (interestingly enough, there are both a certificate and a JA3 fingerprint from the blacklist in IVRE's test dataset, so the expected number of hosts with tags had to be updated with this new feature).
    tpenisso
    @tpenisso
    Hi @p-l-, I did an upgrade of IVRE to the latest version (0.9.17) on my server, which runs the scans and exposes the web interface. But this warning appears on the IHM: "WARNING: 1 document displayed has been inserted by a more recent version of IVRE. Please update IVRE!"
    I don't understand why I have this warning...
    FYI, the IVRE Python library is run in a virtual environment (Python 3.9.12) and I put the path of the virtualenv in app.wsgi. This config (IVRE executed in a virtualenv + path in app.wsgi) worked for v0.9.15.
    Any idea?
    Pierre
    @p-l-
    @/all I'm about to release IVRE v0.9.18. If you have unresolved issues, bugs-but-you-are-not-sure, etc., now is a good time to tell me!