Configure

Fine-tune ThreatPipes to your own needs.

Global settings


License settings

You can enter your license key (obtained from the downloads page) here.

Server settings

You can change the way ThreatPipes runs scans, including the DNS server it uses and the user-agent it submits in a request.

Proxy settings


Performing reconnaissance manually is time-consuming and often tedious, but there are also challenges with automating it:

  • Many search engines will present CAPTCHAs or simply block you once they suspect automated activity

  • You may wish to preserve your anonymity during reconnaissance, so as not to give an early indication to your target that you are gathering information

This is where a proxy (including Tor) becomes useful. To use one, enter its details in the proxy settings.

Here is each option explained:

  • SOCKS Server Type: Set the value to match your proxy. Use "TOR" to route requests through a Tor circuit.

  • SOCKS Server IP Address: Should be the IP Address of your proxy. Use 127.0.0.1 if you want to use Tor locally.

  • SOCKS Server TCP Port: Whatever port your proxy uses. The default Tor proxy port is 9050.

  • Pass DNS through the SOCKS Proxy?: This is a SOCKS-specific option which doesn’t apply when using Tor as your proxy. In the case of Tor, all requests going through Tor are resolved through the Tor service, not locally. See the caveat below about DNS in general, however.

  • The port Tor is taking control commands on: This is the port you have Tor listening on for control commands, enabling ThreatPipes to instruct it to re-circuit as needed. Unless modified, this will be 9051. Note that you must install the Tor client on the server for this to work.

One critical caveat: the use of Tor only applies to TCP connectivity, because Tor explicitly does not support UDP. Any DNS look-ups performed directly by the ThreatPipes DNS module will therefore go directly to your configured DNS server, not through Tor.
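What "Pass DNS through the SOCKS Proxy?" changes on the wire, shown as an added example (not ThreatPipes code): in a SOCKS5 CONNECT request (RFC 1928) the client either sends the hostname for the proxy to resolve, or sends an IP address it has already resolved locally. That the ThreatPipes option maps onto these two request forms is an assumption; the function names and sample values are constructed for illustration.

```python
import ipaddress
import struct
from typing import Optional

SOCKS5_VERSION, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(host: str, port: int, resolved_ip: Optional[str] = None) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4).

    resolved_ip=None  -> the hostname itself is sent (ATYP 0x03); the proxy resolves it.
    resolved_ip given -> the client resolved the name first, so a DNS query
                         already left the machine outside the proxy.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00])  # VER, CMD, RSV
    if resolved_ip is None:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1-255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = ipaddress.ip_address(resolved_ip)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return header + addr + struct.pack("!H", port)


def describe_request(request: bytes) -> dict:
    """Parse a CONNECT request and report where the DNS lookup happens."""
    if len(request) < 7 or request[0] != SOCKS5_VERSION or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        target = request[5:5 + request[4]].decode("ascii")
    elif atyp == ATYP_IPV4:
        target = str(ipaddress.ip_address(request[4:8]))
    elif atyp == ATYP_IPV6:
        target = str(ipaddress.ip_address(request[4:20]))
    else:
        raise ValueError("unknown address type")
    port = struct.unpack("!H", request[-2:])[0]
    return {"target": target, "port": port, "dns_at_proxy": atyp == ATYP_DOMAIN}


if __name__ == "__main__":
    # Constructed sample values: example.com and a documentation-range IP.
    print(describe_request(build_connect_request("example.com", 443)))
    print(describe_request(build_connect_request("example.com", 443, "192.0.2.10")))
```

This only covers TCP requests sent through the proxy; look-ups made directly by the DNS module are not SOCKS requests at all and follow the caveat above.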

Stream settings


It is possible to stream data collected by a ThreatPipes scan over TCP when starting the scan. You can set where data should be streamed under server settings.

Storage settings

By default, ThreatPipes will limit the size of the response it stores from each module. The default setting is to limit responses to 1024 bytes to optimise storage.

When using modules that deliver large responses, for example the body of an HTML page, this will mean a large portion of the response will be cut.

To avoid this issue, you can increase the maximum bytes to store for any piece of information retrieved.

Setting this value to 0 will place no limit on response size for storage. Be careful when using unlimited storage, as this can quickly increase the size of the ThreatPipes database.

Correlation rule settings


It is not possible to modify correlation rule settings at this time.

Scan profile settings


You can create custom scan profiles that can be used to run scans using pre-selected modules.

You can configure a scan profile by setting the following:

  • Name: Used in UI

  • Slug: Used to start scans via the API

  • Description: Used in UI

  • Modules: That will be enabled during the scan

It is possible to modify a scan profile at any time should you need to change it.

Module settings

Each module has its own functionality. For many modules you can control some of that functionality by entering custom module settings.

You can do this in the ThreatPipes UI under settings.

Modules that require authentication or API keys


Many ThreatPipes modules require API keys or credentials to authenticate to a third-party service in order to function properly.

The easiest way to see if a module needs an API key is in the ThreatPipes settings menu. Modules requiring authentication will be displayed with a padlock alongside their name.

When an API key or credentials have been set, the padlock will be shown as green. Note that ThreatPipes does not check whether the credentials or keys are valid, only that they have been entered.

API keys can be imported and exported between ThreatPipes instances using the “Import API Keys” and “Export API Keys” functions.

Scans can still be started using a module that requires an API key, even if the API key is not set. If you run a scan using modules that require an API key, they will return 0 or a limited set of results. It will also result in a number of scan errors.

Modules that require locally installed software

The following ThreatPipes modules require the tools to be installed locally:

User Management

All users in ThreatPipes have the same privileges. Simply put, all users have the same privileges your account does, including the ability to:

To add a user:

  1. Navigate to User Management

  2. Select the + icon

  3. Enter the username and password for the new user

Note, you will need to manually send the username and password to the new user. It is strongly recommended you advise them to change their password on first login.

To delete a user:

  1. Navigate to User Management

  2. Select the trash can icon for the user you wish to delete

Note, you cannot delete your own account. Another user must do this for you.

Note, deleting a user will not remove any scan data or settings configured by that user.

Changing your password:

  1. Navigate to My Account

  2. Enter and confirm the new password

Note, only the account owner can change their password.

Resetting your API key:

You will need a license to use the API. Purchase a license here.

  1. Navigate to My Account

  2. Enter and confirm the new password

Note, only the account owner can reset their API key.

API keys can be regenerated at any time. Regenerating an API key will immediately invalidate your existing key (and break any integrations).