ioc2rpz.gui

Short summary

ioc2rpz™: The DNS Security Solution. ioc2rpz™ is a powerful DNS server that transforms threat indicators into actionable Response Policy Zone (RPZ) feeds. It automates the update process, ensuring your network is protected against the latest threats, including malicious domains and IP addresses. By converting IOC feeds into RPZs, ioc2rpz™ acts as the link between threat intelligence and DNS security, and it is compatible with RPZ-capable DNS servers such as ISC BIND or PowerDNS.

Overview

ioc2rpz.gui is a web interface for ioc2rpz™. ioc2rpz is a custom DNS server built to automatically maintain and distribute RPZ feeds. You can watch a demo of the ioc2rpz™ technology, including ioc2rpz.gui, in the following video.

<p align="center"><a href="http://www.youtube.com/watch?feature=player_embedded&v=bvhyMFa_mBM" target="_blank"><img src="https://github.com/Homas/ioc2rpz/blob/master/ioc2rpz_demo.png"></a></p>

Although ioc2rpz.gui was developed with security in mind, it has not been penetration tested and must be installed and used only in restricted management networks.

Setup

You may set up ioc2rpz.gui using one of the following options:

  • Docker compose is the preferred installation method. The docker-compose.yml file can be found in the ioc2rpz.dc project.
  • A Docker container. Please refer to the Docker Container section.
  • The "run_ioc2rpz.gui.sh" script. It is used to start the services in a container and to apply the required settings. To run the script:
    • check that all dependencies are installed;
    • create the /opt/ioc2rpz.gui, /opt/ioc2rpz.gui/www/io2cfg and /opt/ioc2rpz.gui/export-cfg directories;
    • download the sources and copy them (maintaining the directory structure) to the IO2_ROOT directory, "/opt/ioc2rpz.gui" by default;
    • comment out the last 2 lines (which start the crontab and apache2 daemons);
    • execute the script with root permissions;
    • restart the apache2 service.
  • To install it manually:
    • check that all dependencies are installed;
    • create the /opt/ioc2rpz.gui, /opt/ioc2rpz.gui/www/io2cfg and /opt/ioc2rpz.gui/export-cfg directories;
    • download the sources and copy them (maintaining the directory structure) to "/opt/ioc2rpz.gui";
    • create the database by invoking the "/opt/ioc2rpz.gui/scripts/init_db.php" script;
    • create a crontab entry which executes the "/opt/ioc2rpz.gui/scripts/publish_cfg.php" script every 10 seconds;
    • configure the HTTP server.

Right now ioc2rpz.gui uses only an SQLite database, with the database file stored in the "/opt/ioc2rpz.gui/www/io2cfg" folder. Make sure that you set appropriate access permissions on that directory and the database file.

ioc2rpz™ configuration files are saved to "/opt/ioc2rpz.gui/export-cfg" folder.

The database initialization script also creates a sample configuration. You need to update the public and management IP addresses of the ioc2rpz™ server before using it. If you have already started the ioc2rpz™ server, please restart it or send it a management signal to reload its configuration.

The init script doesn't create a default user. You should create the administrator after the first start. Please do it ASAP.

Dependencies

PHP7, SQLite, ISC BIND tools (only the dig command). The following packages are required for Alpine Linux with the Apache web server:

bash openrc curl coreutils openssl apache2 libxml2-dev apache2-utils php7 php7-apache2 php7-session php7-json php7-curl apache2-ssl sqlite php7-sqlite3 php7-ctype bind-tools

If you use another Linux distribution or web server, please determine the required packages yourself.

Docker Container

ioc2rpz.gui is available on Docker Hub. Just search for ioc2rpz.gui.

  • ioc2rpz.gui automatically creates a sample configuration;
  • ioc2rpz.gui uses ports 80/tcp and 443/tcp. The ports should be exposed to the host system;
  • ioc2rpz.gui uses the following volumes:
    • "/opt/ioc2rpz.gui/export-cfg" to export ioc2rpz™ configurations. If you run ioc2rpz™ on the same host, the folder should be shared;
    • "/opt/ioc2rpz.gui/www/io2cfg" to store the SQLite database;
    • "/etc/apache2/ssl" to store SSL certificates.

You can start ioc2rpz.gui with the following command:

sudo docker run -d --name ioc2rpz.gui --log-driver=syslog  --restart always --mount type=bind,source=/home/ioc2rpz/cfg,target=/opt/ioc2rpz.gui/export-cfg --mount type=bind,source=/home/ioc2rpz/db,target=/opt/ioc2rpz.gui/www/io2cfg --mount type=bind,source=/home/ioc2rpz/ssl,target=/etc/apache2/ssl -p80:80 -p443:443 pvmdel/ioc2rpz.gui

where /home/ioc2rpz/cfg, /home/ioc2rpz/ssl and /home/ioc2rpz/db are directories on the host system.

Docker Compose

You can deploy ioc2rpz™ and ioc2rpz.gui using docker compose. The docker-compose.yml file can be found in ioc2rpz.dc repository.

ioc2rpz™ on AWS

You can run ioc2rpz™ and ioc2rpz.gui on AWS. For relatively small deployments (several hundred thousand indicators) even the free tier is enough. The video below shows how to set up ioc2rpz™ and ioc2rpz.gui on AWS using ECS.

<p align="center"><a href="http://www.youtube.com/watch?feature=player_embedded&v=C-y4p5TXt8s" target="_blank"><img src="https://github.com/Homas/ioc2rpz/blob/master/ioc2rpz_aws_setup.png"></a></p>

ioc2rpz™ configuration

Configuration workflow

To configure ioc2rpz™ server you need to:

  1. Create TSIG Keys for management and response policy zones transfers;
  2. Create a server record;
  3. Add sources;
  4. (optional) Add whitelists;
  5. Create a response policy zone;
  6. Publish the ioc2rpz™ configuration;
  7. (optional) Export RPZs configuration in a required format.

TSIG keys

TSIG keys are used for ioc2rpz™ server management and RPZ transfers. Using TSIG keys for zone transfers is not required, but it is highly recommended.

To add a new TSIG key navigate to "Configuration" --> "TSIG keys" and press the "+" button. The TSIG key and its name are generated automatically. You may regenerate a name and/or a key with the "Generate" button or provide your own values. ioc2rpz™ supports the md5, sha256 and sha512 hash algorithms, so you need to select the required algorithm; note that some DNS servers do not support all of them. The "Management key" checkbox distinguishes keys which are used to manage ioc2rpz™. These keys cannot be used for RPZ transfers.

The action menu next to each TSIG key allows you to view, edit and remove the key.

Servers

The Servers tab is used to generate configurations and manage ioc2rpz™ servers. You can manage multiple ioc2rpz™ servers from a single ioc2rpz.gui instance. ioc2rpz.gui supports publishing configuration files to a local directory, a mounted directory or a remote server via scp.

To add a server navigate to "Configuration" --> "Servers" and press the "+" button. All fields except "Management stations IPs" are required. "Server's Public IP/FQDN" is used only in the exported DNS configurations. "Server's MGMT IP/FQDN" is used to manage the ioc2rpz™ service. The public and management IP addresses are not exposed in the ioc2rpz™ configuration. If you select the "Disabled" checkbox, you can still change the server's configuration in the GUI, but it will not be published.

<p align="center"><img src="https://github.com/Homas/ioc2rpz.gui/blob/dev/ioc2rpz.gui_scp_configuration.png"></p>

To manage multiple ioc2rpz™ servers you need to:

  • if multiple ioc2rpz™ instances are running on the same host, or a remote directory is mounted to the server, define distinct configuration file names or locations per server;
  • if the configuration should be uploaded by SCP:
  1. Configure the SCP path (as on the screenshot).
  2. Add the public and private SSH keys as [Installation_Directory]/cfg/[Remote_server_name]_rsa.pub and [Installation_Directory]/cfg/[Remote_server_name]_rsa. E.g. for io2core-de3 you should create io2core-de3_rsa.pub and io2core-de3_rsa (see line 54 in this file: https://github.com/Homas/ioc2rpz.gui/blob/master/scripts/publish_cfg.php).
  3. Add the public SSH key to ~/.ssh/authorized_keys of the management user on the remote server.

The servers action menu allows you to view, edit, clone and remove servers, and to export and publish a server's configuration. You may force publishing of a server's configuration regardless of whether anything has changed.

Sources

A source is a feed of malicious indicators. FQDNs, IPv4 and IPv6 addresses are supported. A source is a text file or a feed of text data. Indicators should be separated by newline and/or carriage return characters (\n, \r or both, \r\n).

To create a source navigate to "Configuration" --> "Sources" and press the "+" button. Fill in the following fields and press "Ok":

  • source name;
  • source URL for a full source transfer (AXFR). ioc2rpz™ can fetch indicators over http/https/ftp and from local files. The "file:" prefix is used for local files. Basic HTTP authentication is supported as well; include the username and password in the URL in the following format: "https://username:password@host.domain";
  • source path for an incremental source transfer (IXFR). AXFR and IXFR paths support keywords to shorten URLs and to provide zone update timestamps:
    • [:AXFR:] - the full AXFR path. Can be used only in IXFR paths;
    • [:FTimestamp:] - the timestamp of the last source update (e.g. 1507946281);
    • [:ToTimestamp:] - the current timestamp;
  • REGEX used to extract indicators and their expiration time. The first match is the indicator, the second match is the expiration time; the expiration time is optional. If the field is left empty, the default REGEX is used ("^([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"). Use none if no REGEX is required (the source contains IOCs one per line without an expiration date).

The action menu allows you to view, edit, clone and remove sources.
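The following Python is an added illustration of the source matching rules above, not code from ioc2rpz or ioc2rpz.gui: it applies the first-match/second-match convention and the IXFR path keywords to a constructed sample feed, and shows that the default REGEX as printed stops at the first colon, so an IPv6-only feed needs its own REGEX or the none setting. The CSV regex and the feed URLs are assumptions made for the example.

```python
import re
import time

# The default REGEX from the ioc2rpz.gui Sources form (copied from the page).
DEFAULT_REGEX = r"^([A-Za-z0-9][A-Za-z0-9\-\._]+)[^A-Za-z0-9\-\._]*.*$"

# Constructed sample feed (not a real source): mixed line endings, a comment
# line, a CSV row carrying an expiration timestamp and an IPv6 address.
SAMPLE_FEED = ("# constructed sample feed\r\n"
               "bad.example.com # comment\r\n"
               "198.51.100.7\n"
               "evil.example.net,1507946281\r"
               "2001:db8::1\n")


def parse_source(text, regex=DEFAULT_REGEX):
    """Apply ioc2rpz's convention to a feed body: capture group 1 is the
    indicator, optional group 2 is its expiration time; lines that do not
    match are skipped. regex="none" takes every non-empty line verbatim."""
    pattern = None if regex == "none" else re.compile(regex)
    found = []
    for line in re.split(r"\r\n|\r|\n", text):  # accepts \n, \r and \r\n
        line = line.strip()
        if not line:
            continue
        if pattern is None:
            found.append((line, None))
            continue
        m = pattern.match(line)
        if not m:
            continue
        expires = None
        if m.lastindex and m.lastindex >= 2 and m.group(2):
            expires = int(m.group(2))
        found.append((m.group(1), expires))
    return found


def expand_ixfr_path(path, axfr_url, last_update, now=None):
    """Substitute the [:AXFR:], [:FTimestamp:] and [:ToTimestamp:] keywords."""
    now = int(time.time()) if now is None else now
    return (path.replace("[:AXFR:]", axfr_url)
                .replace("[:FTimestamp:]", str(last_update))
                .replace("[:ToTimestamp:]", str(now)))


if __name__ == "__main__":
    # Default REGEX drops the comment line, ignores the CSV timestamp and
    # truncates the IPv6 address to "2001"; the CSV regex keeps the timestamp.
    print(parse_source(SAMPLE_FEED))
    print(parse_source(SAMPLE_FEED, r"^([^,\s]+),(\d+)$"))
    print(expand_ixfr_path("[:AXFR:]?since=[:FTimestamp:]", "https://feed.example/full.txt", 1507946281))
```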

Allowlists

Allowl
