WISE - With Intelligence See Everything
WISE is a framework for integrating data feeds into Arkime. The data feeds can be sourced from local files, remote URLs, or commercial services such as OpenDNS, Emerging Threats Pro, and others. The data feeds can set almost any Arkime field or even create new Arkime fields. Think of WISE as the next and better version of the tagger plugin.
WISE requires a plugin on each arkime-capture instance, another plugin on each viewer instance, and a running wiseService process. One wiseService process can be shared by multiple arkime-capture servers, even if they are in different arkime clusters. Choosing the machine that the wiseService runs on is important, and the networking setup is crucial: every arkime-capture process must be able to connect to the wiseService, AND the wiseService must be able to reach out to any commercial services (if configured). All lookups are double cached, first in the wiseService so the remote service isn't queried too often, and then in the arkime-capture process to reduce load on the wiseService. Maximum cache times and number of items are configurable.
WISE was first available with Arkime 0.11.3
Installation
The wiseService is the proxy and aggregator between arkime-capture and the various data sources. All the arkime-capture processes need to be able to reach it. If using external or commercial services then wiseService also needs to be able to reach those services. So pay attention to the networks available and machine setup.
- Pick a host on the correct networks and install Arkime; wiseService lives in /opt/arkime/wiseService
- Run /opt/arkime/bin/Configure --wise for the initial install
You’ll want to visit the settings page.
Caching
WISE uses multiple caches to speed up queries.
The wise.so plugin caches all results returned by wiseService, documented here. This cache holds all recent results, no matter which wise data source produced them, so that the capture process doesn't need to contact wiseService again for recurring traffic.
The wiseService also caches all results returned by external sources, documented here.
WISE UI
There is a WISE User Interface to view/edit/delete your WISE Sources and to update your WISE configuration and cache. It also allows a user to query and view statistics about your configured WISE Sources.
To build and run the WISE UI, check out our README.
WISE Configuration Gallery
View the WISE Config Gallery to browse for ideas or contribute your own!
What does WISE know?
WISE is HTTP query-able, so you can verify what it knows. The lookup types are:
- ip
- md5
- domain
- url
Query a particular source:
/[sectionname]/[type]/[value]
Query all sources:
/[type]/[value]
Display all elements for a particular source:
/dump/[sectionname]
Known Issues
- When configured, if wiseService is down, arkime-capture will not start (capture processes that are already running are unaffected)
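The following Python helper is an added example, not code from the Arkime project. It builds the three URL forms listed under "What does WISE know?" (query one source, query all sources, dump a source), rejects lookup types the page does not list, and adds a preflight check for the Known Issue above: since arkime-capture refuses to start when wiseService is unreachable, probe the service before starting capture and fail early with a clear message. The base URL http://127.0.0.1:8081 and the section name "mysource" are assumptions for illustration; substitute the host, port and source names of your own wiseService.

```python
"""Query helper and preflight check for the wiseService HTTP lookup API.

Added example, not Arkime's own code. Assumptions not stated on the page:
  - the base URL (http://127.0.0.1:8081 below) is hypothetical; use the
    address your wiseService actually listens on
  - lookup values are percent-encoded before being placed in the path, so a
    value such as a URL containing '/' cannot be read as extra path segments
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Lookup types the page lists for the query API.
WISE_TYPES = ("ip", "md5", "domain", "url")


def query_url(base_url, wise_type, value, section=None):
    """Build a lookup URL in one of the two documented query forms.

    /[type]/[value]                 query all sources
    /[sectionname]/[type]/[value]   query a particular source
    """
    if wise_type not in WISE_TYPES:
        raise ValueError(f"unsupported type {wise_type!r}; expected one of {WISE_TYPES}")
    if not value:
        raise ValueError("value must not be empty")
    path = f"/{wise_type}/{urllib.parse.quote(value, safe='')}"
    if section is not None:
        if not section:
            raise ValueError("section must not be empty")
        path = f"/{urllib.parse.quote(section, safe='')}{path}"
    return base_url.rstrip("/") + path


def dump_url(base_url, section):
    """Build the /dump/[sectionname] URL that lists all elements of a source."""
    if not section:
        raise ValueError("section must not be empty")
    return base_url.rstrip("/") + f"/dump/{urllib.parse.quote(section, safe='')}"


def wise_get(url, timeout=5):
    """Fetch a URL; return (status, body). A status of None means unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # The service answered, just not with 2xx; still counts as "up".
        return err.code, ""
    except OSError:
        # Connection refused, DNS failure, timeout: the service is down.
        return None, ""


def wise_reachable(base_url, probe=("ip", "127.0.0.1")):
    """Preflight check before starting arkime-capture.

    Any HTTP answer (even a 4xx) proves wiseService is listening; only a
    connection failure is treated as down.
    """
    status, _ = wise_get(query_url(base_url, *probe))
    return status is not None


if __name__ == "__main__":
    # usage: wise_query.py BASE_URL TYPE VALUE [SECTION]
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8081"  # hypothetical
    if not wise_reachable(base):
        sys.exit(f"wiseService at {base} is unreachable; arkime-capture would not start")
    if len(sys.argv) >= 4:
        section = sys.argv[4] if len(sys.argv) > 4 else None
        status, body = wise_get(query_url(base, sys.argv[2], sys.argv[3], section))
        print(status, body)
```

Run it with no arguments to perform only the reachability check (exit status is non-zero when wiseService is down), or with a type and value, e.g. `ip 10.0.0.1`, to see what every configured source knows about that value; add a section name as the fourth argument to restrict the lookup to one source.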