Dockerize your custom Analyzers and Responders

Since Cortex version 3.0, Analyzers and Responders can be executed as docker containers, and this is useful in several ways. The first - and i'm sure developers will agree - is that you do not have to bother with libraries and dependencies ; download an image, run it, trash it!

We provide up-to-date docker images for all programs publicly available on our repository (https://github.com/TheHive-Project/Cortex-Analyzers). To use them, you just need to specify the catalog in the application.conf file for Cortex:

analyzer {
  urls = [
    "https://download.thehive-project.org/analyzers.json"
  ]
}

What if you use custom and private Analyzers and Responders ?

If you are using your own programs and want them to be processed as docker containers, you can. You need to:

  • Build your images
  • Build your catalog file
  • Register the built catalog file in Cortex

Build your images

You need to build your docker image for each Analyzer/Responder. The publicly available list (https://github.com/TheHive-Project/Cortex-Analyzers) are built with the Dockerfile template below except if a custom Dockerfile is present in the folder:

FROM python:3

WORKDIR /worker
COPY . {worker_name}

RUN test ! -e {worker_name}/requirements.txt || pip install --no-cache-dir -r{worker_name}/requirements.txt

ENTRYPOINT {command}

Update variables accordingly

This file is also in the repository: Cortex-Analyzers/Dockerfile_template at master · TheHive-Project/Cortex-Analyzers · GitHub

Build your catalog

A catalog is required for Analyzers and Responders. A catalog is a list of flavor definitions (typically the json definition of the flavor) and for each of them the dockerImage attribute is added with the name of the associated image.

This catalog, when registered in Cortex's configuration file, allows the discovery of the available Analyzers or Responders and tells Cortex how to run each worker using the dockerImage attribute.

Below is an example of a catalog file that contains a single analyzer - notice the dockerImage attribute line 30:

[
  {
    "name": "DShield_lookup",
    "version": "1.0",
    "author": "Xavier Xavier, SANS ISC",
    "url": "https://github.com/xme/thehive/Cortex-Analyzers",
    "license": "AGPL-V3",
    "description": "Query the SANS ISC DShield API to check for an IP address reputation.",
    "dataTypeList": [
      "ip"
    ],
    "baseConfig": "DShield",
    "config": {
      "service": "query"
    },
    "registration_required": false,
    "subscription_required": false,
    "free_subscription": true,
    "service_homepage": "https://isc.sans.edu/",
    "service_logo": {
      "path": "assets/dshield.png",
      "caption": "logo"
    },
    "screenshots": [
      {
        "path": "assets/long_report.png",
        "caption": "DShield: long report"
      }
    ],
    "dockerImage": "cortexneurons/dshield_lookup:1.0"
  }
]

Register your catalogs in Cortex configuration

Update your Cortex configuration file (/etc/cortex/application.conf) with your own catalog; e.g. for Analyzers at line 4:

analyzer {
  urls = [
    "https://download.thehive-project.org/analyzers.json"
    "/opt/Custom-Analyzers/analyzers/analyzers.json"
  ]
}

Then restart Cortex.

build.sh

This program allows you to build your own images AND catalogs. It assumes your folders of custom Analyzers and Responders are respectively stored in analyzers and responders folders - (dependencies: jq and docker).

Custom-Analyzers
├── analyzers/
│   └── My_custom_analyzer/
└── responders/
    └── My_custom_responder/
        ├── customresponderflavor.json
        ├── Dockerfile
        ├── program.py*
        ├── README.md
        └── requirements.txt

To use it, update the variable DOCKER_REPOSITORY first (for example with the name of your team). Enter the folder of your own programs and run it.

cd ./Custom-Analyzers
./path/to/build.sh 

Once finished, you should find your docker images built, and catalogs as well in ./analyzers/analyzers.json and ./responders/responders.json.

#!/usr/bin/env bash

###
# This program assumes your analyzers and responders folder looks like: 
#
#     Custom-Analyzers
#     ├── analyzers/
#     │   └── My_custom_analyzer/
#     └── responders/
#         └── My_custom_responder/
#             ├── customresponderflavor.json
#             ├── Dockerfile
#             ├── program.py*
#             ├── README.md
#             └── requirements.txt
#
# Usage: 
# Update DOCKER_REPOSITORY variable
# cd ./Custom-Analyzers
# bash /path/to/build.sh 
###

# Set your docker repository name
DOCKER_REPOSITORY=ilovestrangebee

build_image() {
	  JSON=$1
    cat << EOF > /tmp/default_dockerfile
FROM python:3
WORKDIR /worker
ARG workername
ARG command
COPY . \$workername
RUN test ! -e \$workername/requirements.txt || pip install --no-cache-dir -r \$workername/requirements.txt
ENTRYPOINT \$command
EOF

    DEFAULT_DOCKERFILE=/tmp/default_dockerfile
	  TAG=`cat ${JSON} | jq -r '( "'"$DOCKER_REPOSITORY"'" + "/" + (.name | ascii_downcase) + ":" + (.version))'`
    WORKER_NAME=`cat ${JSON} | jq -r '(.version)'`  
    COMMAND=`cat ${JSON} | jq -r '(.command)'`
    DIRNAME=`dirname ${JSON}`
	  WORKER_NAME=`basename ${DIRNAME}`
    if test -f ${DIRNAME}/Dockerfile
    then
	      docker build -t ${TAG} `dirname ${JSON}`
    else
		  docker build --build-arg workername=${WORKER_NAME} --build-arg command=${COMMAND} -f ${DEFAULT_DOCKERFILE} -t ${TAG} `dirname ${JSON}`
    fi
}

build_catalog() {
    DIR=$1
    echo '[' > ${DIR}/${DIR}.json
    

    first=1
    for JSON in ${DIR}/*/*.json
    do
		  build_image ${JSON} 
        if test -z "${first}"
        then
    	      echo ',' >> ${DIR}/${DIR}.json
        else
    	      first=
        fi  
        jq 'del(.command) + { dockerImage: ("'"$DOCKER_REPOSITORY"'" + "/" + (.name | ascii_downcase) + ":" + (.version)) }' ${JSON} >> ${DIR}/${DIR}.json
    done

    echo ']' >> ${DIR}/${DIR}.json
}

build_catalog analyzers
build_catalog responders

Documentation

This guide has also been added on our dedicated documentation website: https://thehive-project.github.io/Cortex-Analyzers/dev_guides/dockerize-your-custom-analyzers-responders/