thryx
A lightweight web tool for enriching Indicators of Compromise (IOCs) such as IPs, domains, URLs, and hashes using multiple threat intelligence providers.
Features
- Web-based Interface: Simple, clean web UI for querying IOCs
- Multiple Providers: Integrates with various threat intelligence sources for comprehensive enrichment
- Caching: Uses Redis for response caching to improve performance
- Docker Support: Easy deployment with Docker Compose
- Extensible: Modular provider system for adding new intelligence sources
Supported IOC Types
- IPv4 addresses
- IPv6 addresses
- Domains
- URLs (automatically converted to domains)
- MD5 hashes
- SHA1 hashes
- SHA256 hashes
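An added example, not thryx's own code: one way to classify input into the IOC types listed above and to reduce a URL to its host before anything is sent to a provider. The names classify_ioc and _is_domain and the returned type strings are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hex digest length -> hash type, for the three hash kinds listed above.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
# One DNS label: 1-63 chars, no leading or trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_domain(host):
    """True for a dotted hostname whose last label is not purely numeric."""
    labels = host.rstrip(".").split(".")
    return (len(host) <= 253 and len(labels) >= 2
            and all(LABEL_RE.fullmatch(label) for label in labels)
            and not labels[-1].isdigit())


def classify_ioc(raw):
    """Return (ioc_type, normalized_value); raise ValueError if unsupported."""
    value = raw.strip()
    # A URL is reduced to its host, which is then classified on its own.
    if "://" in value:
        host = urlsplit(value).hostname  # drops scheme, userinfo, port, path
        if not host:
            raise ValueError(f"URL without a host: {raw!r}")
        value = host
    try:
        ip = ipaddress.ip_address(value)
        return ("ipv4" if ip.version == 4 else "ipv6", str(ip))
    except ValueError:
        pass  # not an IP literal, keep checking
    if HEX_RE.fullmatch(value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)], value.lower()
    if _is_domain(value):
        return "domain", value.rstrip(".").lower()
    raise ValueError(f"unsupported IOC: {raw!r}")
```

Rejecting anything that does not classify keeps malformed or unexpected input from being forwarded to third-party APIs or written into the cache.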
Providers
thryx integrates with the following threat intelligence providers:
- AbuseIPDB: IP reputation and abuse reports
- AlienVault OTX: Open Threat Exchange data
- CIRCL Hash Lookup: Hash-based malware lookup
- Shodan: Internet-connected device information
- ThreatFox: Malware IOC database from abuse.ch
- VirusTotal: Comprehensive file, URL, and IP analysis
- WHOIS: Domain registration information
Installation
Prerequisites
- Docker and Docker Compose
- API keys for the providers you want to use (optional but recommended)
Quick Start with Docker
- Clone the repository:
    git clone https://github.com/yourusername/thryx.git
    cd thryx
- Create a .env file with your API keys:
    ABUSEIPDB_API_KEY=your_abuseipdb_key
    SHODAN_API_KEY=your_shodan_key
    ALIENVAULT_API_KEY=your_alienvault_key
    VIRUSTOTAL_API_KEY=your_virustotal_key
- Start the application:
    docker-compose up --build
- Open your browser to http://localhost:8000
Manual Installation
- Clone the repository and navigate to the directory
- Install Python dependencies:
    pip install -r requirements.txt
- Set up Redis (for caching):
    # Using Docker
    docker run -d -p 6379:6379 redis:alpine
- Set environment variables for API keys
- Run the application:
    flask --app app/app run --debug
Configuration
Configure the application using environment variables:
- REDIS_HOST: Redis host (default: localhost)
- REDIS_PORT: Redis port (default: 6379)
- ABUSEIPDB_API_KEY: AbuseIPDB API key
- SHODAN_API_KEY: Shodan API key
- ALIENVAULT_API_KEY: AlienVault OTX API key
- VIRUSTOTAL_API_KEY: VirusTotal API key
API keys are optional - providers without keys will be skipped during enrichment.
Usage
- Open the web interface in your browser
- Enter an IOC (IP, domain, hash, etc.) in the search box
- Click "Search" or press Enter
- View enriched results from all available providers
- Click on provider links to view detailed information on their websites
Development
Project Structure
thryx/
├── app/
│ ├── api/ # API endpoints
│ ├── modules/ # Core functionality
│ ├── providers/ # Intelligence provider integrations
│ ├── static/ # CSS, icons
│ ├── templates/ # HTML templates
│ └── Dockerfile
├── docker-compose.yml
├── requirements.txt
└── README.md
Adding New Providers
- Create a new file in app/providers/
- Implement a class with:
  - name: Provider name
  - supported_query_types: List of supported IOC types
  - base_url: API base URL
  - api_key_env_var: API key environment variable
  - search(query): Method to query the provider
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
License
This project is licensed under the Apache License 2.0; see the LICENSE file for details.
Disclaimer
This tool is for educational and research purposes. Users are responsible for complying with the terms of service of all integrated providers and applicable laws when using this tool.