Cassava is a library and web UI for analyzing IOCs with multiple APIs.

Either clone this repo and install the Python package or install directly with pip. Using a virtualenv is not required, but since Cassava has many dependencies it is highly recommend.

Git clone:

virtualenv venv
source venv/bin/activate

Git clone and install:

git clone https://github.com/BechtelCIRT/cassava.git
python cassava/setup.py install

Or Pip installation:

pip install cassava

The run_cassava.py script can initialize a database and a template config file:

run_cassava.py --initdb --initconfig

This will immediately start the Cassava web UI which can be accessed at http://localhost:5000. Add VirusTotal or OpenDNS API keys to cassava_config.py and restart (ctrl-c then re-run script) to enable those APIs.

The auto-generated cassava_config.py template will look like this:

DB_PATH = 'sqlite:///cassava.db'
OPENDNS_APIKEY = ''
VT_API_KEY = ''
PROXIES = {'http_proxy' : None, 'https_proxy' : None}

Add your VirusTotal API key and OpenDNS if you've got one. This is technically optional, but you won't get much out of Cassava without it.

Active whois lookups:

In [1]: import cassava
In [2]: cassava.whois('github.com')
Out[2]:
{'contacts': {'admin': {'city': u'San Francisco',
   'country': u'US',
   'email': u'hostmaster@github.com',
   'name': u'GitHub Hostmaster',
    ...
 'whois_server': [u'whois.markmonitor.com']}

• Add DomainTools API
• Support full VirusTotal API
• Add more built-in active tools (nmap, traceroute, ???)
• Add export functions (to JSON, CSV, and possibly STIX or related formats)
• Change web UI to override Scrypture defaults
• Add historical analysis capabilities, better management tools
• Come up with a cool logo