ceh04 / VT-Hunter

Manage VT Alerts

VT Hunter

Ongoing Project

A web interface to manage VT alerts locally (it pulls them down from VT), making it easier to search, filter, view, etc. It can also check files against Crits. Written in PHP.

This will pull VT alerts via the JSON API, store them in Mongo, and then delete the alert on VT.

WHY? I like to be able to quickly filter and search on ANY of the fields, sort results, and quickly see duplicates. Integrate with Crits to validate whether this is a new sample. View the yara syntax it alerted on. See if my AV detects it according to VT. Quickly remove false positives, like file type C (someone uploading snort or yara rules) or giant file sizes, or keep only Win32 EXE files, etc.
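The triage rules above (drop non-Win32 EXE types, drop giant files, spot duplicates, report a single AV vendor's verdict) as a worked example; this is added here and is not code from VT-Hunter. The alert field names ('sha256', 'type', 'size', 'scans') and the sample records are assumptions about how the pulled alerts look once stored.

```php
<?php
// Added example, not part of VT-Hunter. Field names are assumed.
// Constructed sample alerts standing in for documents pulled into Mongo.
$alerts = [
    ['sha256' => 'aaaa', 'type' => 'Win32 EXE', 'size' => 120000,
     'scans' => ['McAfee' => ['detected' => true,  'result' => 'Generic.abc']]],
    ['sha256' => 'bbbb', 'type' => 'Text',      'size' => 3000,
     'scans' => ['McAfee' => ['detected' => false, 'result' => null]]],
    ['sha256' => 'cccc', 'type' => 'Win32 EXE', 'size' => 900000000,
     'scans' => ['McAfee' => ['detected' => false, 'result' => null]]],
    ['sha256' => 'aaaa', 'type' => 'Win32 EXE', 'size' => 120000,
     'scans' => ['McAfee' => ['detected' => true,  'result' => 'Generic.abc']]],
];

/**
 * Give each alert a verdict: 'keep', 'duplicate', or a 'drop: ...' reason.
 * $maxSize is in bytes; $av is the vendor column to report (McAfee, as in vt.php).
 */
function triageAlerts(array $alerts, int $maxSize, string $av = 'McAfee'): array
{
    $seen = [];
    $out  = [];
    foreach ($alerts as $a) {
        $hash = $a['sha256'] ?? '';
        // Same hash seen earlier in this batch: flag rather than re-process.
        if ($hash !== '' && isset($seen[$hash])) {
            $out[] = ['sha256' => $hash, 'verdict' => 'duplicate'];
            continue;
        }
        $seen[$hash] = true;
        if (($a['type'] ?? '') !== 'Win32 EXE') {
            $out[] = ['sha256' => $hash, 'verdict' => 'drop: type ' . ($a['type'] ?? '?')];
            continue;
        }
        if (($a['size'] ?? 0) > $maxSize) {
            $out[] = ['sha256' => $hash, 'verdict' => 'drop: oversized'];
            continue;
        }
        // Report only the chosen vendor's result, like the McAfee column in vt.php.
        $scan = $a['scans'][$av] ?? null;
        $det  = ($scan && !empty($scan['detected'])) ? (string) $scan['result'] : 'undetected';
        $out[] = ['sha256' => $hash, 'verdict' => 'keep', $av => $det];
    }
    return $out;
}

foreach (triageAlerts($alerts, 50 * 1024 * 1024) as $row) {
    echo implode(' | ', $row), PHP_EOL;
}
```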

Web Interface

  • Set the configs in config.php
  • Go to vt.php in browser

Requirements

  • VT Intel API Key
  • VT Search API Key (optional for more data)
  • PHP
  • mongodb and the mongo PHP extension, built and enabled as follows (the phpize/configure/make steps are run inside the mongo extension's source directory):

    apt-get install php-pear
    sudo apt-get install php5-dev
    phpize
    ./configure
    make
    sudo make install
    sudo nano /etc/php5/apache2/php.ini

    Add extension=mongo.so to that file.
  • Make vt.log writable

FYI

  • Still working on Download Feature
  • If you want to see an AV other than McAfee, change the vendor name on line 295 of vt.php:

    print "<td>".$array['scans']['McAfee']."</td>";

Config Settings

  • Mongo Settings (database and collection)
  • Crits Settings (server and creds)
  • VT Settings
    • Hunting API Key (VirusTotal Intelligence)
    • Searching API key (VirusTotal Private Mass API)
    • Delete Alerts from VT

UI Buttons

  • Samples = # of samples in DB
  • Download = not working right now
  • Delete = Delete record from DB
  • Pull VT = Grab alerts from VT
  • Pull Crits = Check if sample exists in Crits
  • Log = Show Log
  • Config = Show some configs
  • Archive = Archive a sample

Troubleshooting

About

License: MIT License

Languages

Language: PHP 100.0%