Shodan¶

Release Notes¶

A function to lookup IP Addresses in Shodan

screenshot: main

This is a simple function which takes IP Address artifacts and returns the results from https://www.shodan.io/.

It will update the description of the artifact and add a note to the incident with the Vulnerabilities, Ports and more from Shodan.

You will need an API key for Shodan - https://developer.shodan.io/billing/signup

Resilient platform >= v35.0.0
An Integration Server running resilient_circuits>=33.0.0
- To set up an Integration Server see: ibm.biz/res-int-server-guide
- If using API Keys, minimum required permissions are:
  - Org Data: Read, Edit
  - Function: Read

With App Host, all the run-time components are pre-built. Perform the following steps to install and configure:

Download the app-fn_shodan-x.x.x.zip.
In Resilient navigate to Adiminstrator Settings > Apps
Click the Install button and select the downloaded app-fn_shodan-x.x.x.zip. This will install the associated customizations.
Once installed, navigate to the app’s Configuration tab and edit the app.config file updating the [resilient] section as necessary and updating the [fn_shodan] section as necessary.

Download the app-fn_shodan-x.x.x.zip.
Copy the .zip to your Integration Server and SSH into it.
Unzip the package:
```
$ unzip app-fn_shodan-x.x.x.zip
```
Install the package:
```
$ pip install fn_shodan-x.x.x.tar.gz
```
Import the configurations into your app.config file:
```
$ resilient-circuits config -u -l fn-shodan
```
Import the fn_shodan customizations into the Resilient platform:
```
$ resilient-circuits customize -y -l fn-shodan
```

Open the config file, scroll to the bottom and edit your fn_shodan configurations:

$ nano ~/.resilient/app.config

Config	Required	Example	Description
shodan_apikey	Yes	`xxxxxxxxxxxxxxxxxx`	Your Shodan API Key
http_proxy	No	`http://127.0.0.1:3000`	Your HTTP Proxy
https_proxy	No	`https://127.0.0.1:3000`	Your HTTPS Proxy

Save and Close the app.config file.
[Optional]: Run selftest to test the Integration you configured:
```
$ resilient-circuits selftest -l fn-shodan
```
Run resilient-circuits or restart the Service on Windows/Linux:
```
$ resilient-circuits run
```

SSH into your Integration Server.
Uninstall the package:
```
$ pip uninstall fn-shodan
```
Open the config file, scroll to the [fn_shodan] section and remove the section or prefix # to comment out the section.
Save and Close the app.config file.

There are several ways to verify the successful operation of a function.

When viewing an incident, use the Actions menu to view Action Status.
By default, pending and errors are displayed.
Modify the filter for actions to also show Completed actions.
Clicking on an action displays additional information on the progress made or what error occurred.

A separate log file is available to review scripting errors.
This is useful when issues occur in the pre-processing or post-processing scripts.
The default location for this log file is: /var/log/resilient-scripting/resilient-scripting.log.

By default, Resilient logs are retained at /usr/share/co3/logs.
The client.log may contain additional information regarding the execution of functions.

The log is controlled in the .resilient/app.config file under the section [resilient] and the property logdir.
The default file name is app.log.
Each function will create progress information.
Failures will show up as errors and may contain python trace statements.

Name	Version	Author	Support URL
fn_shodan	2.0.0	Resilient Labs	https://ibm.biz/resilientcommunity