Cont3xt

What is it

Cont3xt allows you to gather instant “cont3xt” related to indicators that you provide from a number of default enrichment integrations that include PassiveTotal, VirusTotal, Censys, Shodan, and more. You can build pivot links to public/private resources. Simplify your analytic life!

Cont3xt was first available in the Arkime 4.0 release.

MORE WORDS GO HERE.

Installation

cont3xt.js

You’ll need to run cont3xt.js from the cont3xt directory.

If not using anonymous mode, every user will need either the cont3xtUser or cont3xtAdmin role assigned to them. The cont3xtAdmin role will all the user to edit any link group.

Settings

By default settings live in a config.ini file. There are two types of settings that you may need to change: Settings with the cont3xt service itself and settings with the integrations. It is assumed that each user of Cont3xt will set up their own integration users/keys but it is possible to have global keys.

General

Create a [cont3xt] section

Setting Default Description
cacheTimeout 1h How long to cache results for integrations, can be overridden, can be overriden per intergration
cachePolicy shared Can be shared or user, if set to user then the cache is per user, can be overriden per intergration
port 3218 The port that the cont3xt service listens on
cont3xtHost empty What hostname to bind to
hstsHeader false Set the hsts header on requests to cont3xt
webBasePath / The base url for Cont3xt web requests. Must end with a / or bad things will happen.
certFile empty Public certificate to use for https, if not set then http will be used. keyFile must also be set.
keyFile empty Private certificate to use for https, if not set then http will be used. certFile must also be set.
userNameHeader anonymous Header to use for determining the username to check in the database for instead of using http digest. Set to digest to use http digest authentication.
userAgent cont3xt The http user-agent header to use when talking to remote services
geoLite2ASN   settings page
geoLite2Country   settings page

DB Settings

These also live in the [cont3xt] section.

Setting Default Description
dbUrl empty Either lmdb:DIRECTORY or an elasticsearch URL for storing cont3xt data.
elasticsearch http://localhost:9200 The elasticsearch URL to use, dbUrl overrides this setting
elasticsearchAPIKey empty See settings page
elasticsearchBasicAuth empty See settings page
elasticsearchTimeout 300 See settings page
esClientKey empty See settings page
esClientCert empty See settings page
esClientKeyPass empty See settings page
usersUrl empty Either lmdb:DIRECTORY or an elasticsearch URL for storing cont3xt users database. Can be the same that all Arkime tools use.
usersElasticsearch empty See settings page
usersPrefix empty See settings page
usersElasticsearchAPIKey empty See settings page
usersElasticsearchBasicAuth empty See settings page
passwordSecret password See settings page

Caching

Cont3xt can cache integration queries to speed up results and to lower the load on the integration services.

Create a [cache] section

Setting Default Description
type memory memory, redis, memcached, lmdb are supported. lmdb is recommend for a local disk cache and redis for a cached shared.
redisURL empty Format is redis://[:password@]host:port/db-number, redis-sentinel://[[sentinelPassword]:[password]@]host[:port]/redis-name/db-number, or redis-cluster://[:password@]host:port/db-number
memcachedURL empty Format is memcached://[user:pass@]server1[:11211],[user:pass@]server2[:11211],...
lmdbDir empty Path where to create the lmdb cache directory
cacheSize 100000 Maximum number of results to cache in memory, used for all but lmdb
cacheTimeout 24 hours In seconds the MAX time to cache any item, used by redis/memcachd

Common settings per integration

Every integration can have its own settings with keys, passwords and other things. Usually keys and passwords should be set per user in the UI, which will override these.

In each [integrationname] section

Setting Default Description
disabled false If set to true users can NOT use this integration
cacheTimeout cont3xt.cacheTimeout How long to cache results for this integration
cachePolicy cont3xt.cachePolicy Can be shared or user, if set to user then the cache is per user

Sample Configs

Possible configurations for cont3xt

Using elasticsearch

It is possible to setup cont3xt in the Arkime universe.

[cont3xt]
# Where all the cont3xt data is stored
elasticsearch=https://ESHOST1:9200,https://ESHOST2:9200

# Where the user database is. This might be the same as above
usersElasticsearch=https://USERESHOST1:9200,https://USERESHOST2:9200

# If using SSO uncomment below with the http header with the username in it
#userNameHeader=moloch_user

# default cache timeout
cacheTimeout=1d

# Configure local disk cache
[cache]
type=lmdb
lmdbDir=/opt/arkime/cont3xt-cache

##### INTEGRATION SETTINGS

[Threatstream]
# For threatstream we don't share the cache, it is per user
cachePolicy=user
#host=threatstreamonprem.host

[VirusTotal]
# For VT lets increase the timeout
cacheTimeout=1w

Using standalone

It is possible to setup cont3xt in a standalone deployment without elasticsearch. You will need to use the addUser script with the cont3xt.ini configurat file to add users.

[cont3xt]
# Where all the cont3xt data is stored
dbUrl=lmdb:///opt/arkime/cont3xt-db

# Where the user database is. This should be different than above
usersUrl=lmdb:///opt/arkime/cont3xt-users

# If using SSO uncomment below with the http header with the username in it
#userNameHeader=moloch_user

# default cache timeout
cacheTimeout=1d

# Configure local disk cache
[cache]
type=lmdb
lmdbDir=/opt/arkime/cont3xt-cache

##### INTEGRATION SETTINGS

[Threatstream]
# For threatstream we don't share the cache, it is per user
cachePolicy=user
#host=threatstreamonprem.host

[VirusTotal]
# For VT lets increase the timeout
cacheTimeout=1w

Known Issues

  • This document need to be improved before 4.0 release
Arkime Logo