Configuration options
Artemis can be configured by setting the following variables in the .env file (in the form of VARIABLE_NAME=VARIABLE_VALUE directives, e.g. SCANNING_PACKETS_PER_SECOND=5):
Data
- DB_CONN_STR
Connection string to the MongoDB database.
- REDIS_CONN_STR
Connection string to Redis.
Limits
- REQUESTS_PER_SECOND
Default: 0
E.g. when set to 2, Artemis will make sure that no more than 2 requests (HTTP, MySQL connect, …) take place per second, sleeping if needed.
- REQUEST_TIMEOUT_SECONDS
Default: 10
Default request timeout (for all protocols).
- SCANNING_PACKETS_PER_SECOND
Default: 100
E.g. when set to 100, Artemis will send no more than 100 port scanning packets per second per port scanner instance.
- TASK_TIMEOUT_SECONDS
Default: 21600
The maximum task run time, after which the task will get killed.
Locking
- DEFAULT_LOCK_EXPIRY_SECONDS
Default: 172800
Requires LOCK_SCANNED_TARGETS to be enabled. Locks are not permanent, because a service that has acquired a lock may get restarted or killed. This is the lock default expiry time.
- LOCK_SCANNED_TARGETS
Default: False
Whether Artemis should strive to make at most one module scan a target at a given time. Therefore, when locking is enabled, setting e.g. SCANNING_PACKETS_PER_SECOND to 100 and SECONDS_PER_REQUEST to 2 will ensure that no IP receives more than 100 port scanning packets per second or more than 1 HTTP/MySQL/… request per 2 seconds. Due to the way this behavior is implemented, we cannot guarantee that a host will never be scanned by more than one module.
- LOCK_SLEEP_MAX_SECONDS
Default: 0.5
See LOCK_SLEEP_MIN_SECONDS.
- LOCK_SLEEP_MIN_SECONDS
Default: 0.1
Requires LOCK_SCANNED_TARGETS to be enabled. When a resource is locked using artemis.resource_lock.ResourceLock, a retry will be performed after a delay of between LOCK_SLEEP_MIN_SECONDS and LOCK_SLEEP_MAX_SECONDS seconds.
- SCAN_DESTINATION_LOCK_MAX_TRIES
Default: 2
Requires LOCK_SCANNED_TARGETS to be enabled. The number of times a module will try to acquire a lock on the scanned destination (with sleeps in between) before rescheduling the task for later.
Miscellaneous
- BLOCKLIST_FILE
Default: None
A file that determines what should not be scanned or reported (see the Blocklist section below).
- CONTENT_PREFIX_SIZE
Default: 10240
In order not to overload the DB and bandwidth, this determines how many bytes of downloaded content are kept.
- CUSTOM_USER_AGENT
Default:
Custom User-Agent string used by Artemis (if not set, the library defaults will be used, which differ between requests, Nuclei etc.).
- LOGGING_FORMAT_STRING
Default: [%(levelname)s] - [%(asctime)s] %(filename)s - in %(funcName)s() (line %(lineno)d): %(message)s
Logging format string (according to the syntax in https://docs.python.org/3/library/logging.html#logrecord-attributes)
- MAX_NUM_TASKS_TO_PROCESS
Default: 200
After processing this number of tasks, each scanning module will get restarted. This is to prevent situations such as slow memory leaks.
- NUM_DNS_RESOLVER_RETRIES
Default: 3
Number of times a DNS query will be retried if it fails. This helps reduce the number of e.g. mail-related false positives, where a failed DNS query may result in a “no DMARC” message.
- SUBDOMAIN_ENUMERATION_TTL_DAYS
Default: 10
If a domain has been requested for subdomain enumeration, we save a marker that it has already been enumerated, so that e.g. if we requested crtsh enumeration on example.com and received www.example.com, crtsh enumeration on www.example.com won’t happen for SUBDOMAIN_ENUMERATION_TTL_DAYS days. This is the TTL of such markers.
- VERIFY_REVDNS_IN_SCOPE
Default: True
By default, Artemis will check whether the reverse DNS lookup for an IP matches the original domain. For example, if we encounter the IP 1.1.1.1, which resolves to new.example.com, Artemis will check whether it is a subdomain of the original task domain. This is to prevent Artemis from randomly walking through the internet after encountering a misconfigured reverse DNS record (e.g. one pointing to a completely different domain). The downside is that when you don’t provide the original domain (e.g. you provide an IP to be scanned), the domain from the reverse DNS lookup won’t be scanned. Therefore this behavior is configurable and may be turned off.
Modules
Bruter
- BRUTER_FALSE_POSITIVE_THRESHOLD
Default: 0.1
A threshold above which bruter’s results for a server are treated as false positives and skipped (used when bruter finds too many files on a server). 0.1 means 10%.
- BRUTER_FOLLOW_REDIRECTS
Default: True
If set to True, bruter will follow redirects. If set to False, a redirect will be interpreted as meaning that the URL doesn’t exist, thus decreasing the number of false positives at the cost of losing some true positives.
Crtsh
- CRTSH_NUM_RETRIES
Default: 10
How many times to try to obtain the subdomain list.
- CRTSH_SLEEP_ON_RETRY_SECONDS
Default: 30
How long to sleep between tries (in seconds).
DNSScanner
- ZONE_TRANSFER_SIZE_REPORTING_THRESHOLD
Default: 2
The number of domains below which zone transfer won’t be reported.
DomainExpirationScanner
- DOMAIN_EXPIRATION_TIMEFRAME_DAYS
Default: 14
The scanner warns if the domain’s expiration date falls within this time frame from now.
Gau
- GAU_ADDITIONAL_OPTIONS
Default:
Additional command-line options that will be passed to gau (https://github.com/lc/gau).
JoomlaScanner
- JOOMLA_VERSION_AGE_DAYS
Default: 30
The number of days after which the Joomla version is considered obsolete.
Nuclei
- NUCLEI_ADDITIONAL_TEMPLATES
Default: http/vulnerabilities/generic/basic-xss-prober.yaml,http/exposures/configs/dompdf-config.yaml,http/exposures/configs/ftp-credentials-exposure.yaml,http/exposures/configs/prometheus-metrics.yaml,http/exposures/files/core-dump.yaml,http/misconfiguration/server-status.yaml,http/misconfiguration/server-status-localhost.yaml,http/misconfiguration/db-command-history.yaml,http/misconfiguration/shell-history.yaml,http/misconfiguration/springboot/springboot-env.yaml,http/misconfiguration/springboot/springboot-threaddump.yaml,http/misconfiguration/springboot/springboot-httptrace.yaml,http/misconfiguration/springboot/springboot-logfile.yaml,http/misconfiguration/springboot/springboot-dump.yaml,http/misconfiguration/springboot/springboot-trace.yaml,http/misconfiguration/springboot/springboot-auditevents.yaml,http/misconfiguration/proxy/open-proxy-external.yaml,http/exposures/logs/roundcube-log-disclosure.yaml,http/exposures/files/ds-store-file.yaml,http/misconfiguration/elasticsearch.yaml
A comma-separated list of Nuclei templates to be used besides the standard list. vulnerabilities/generic/crlf-injection.yaml was present here but is not anymore due to a significant number of false positives.
- NUCLEI_CHECK_TEMPLATE_LIST
Default: True
Whether to check that the downloaded Nuclei template list is not empty (the download may fail e.g. on GitHub CI when the GitHub API rate limits are spent).
- NUCLEI_MAX_BATCH_SIZE
Default: 100
How many sites to scan at once. This is the maximum batch size: we will try to obtain NUCLEI_MAX_BATCH_SIZE sites to scan from the queue, but if per-IP locking is enabled, we will filter out those that are currently being scanned by other modules.
- NUCLEI_SUSPICIOUS_TEMPLATES
Default: custom:xss-inside-tag-top-params,http/misconfiguration/google/insecure-firebase-database.yaml,http/cnvd/2020/CNVD-2020-23735.yaml,http/vulnerabilities/other/ecshop-sqli.yaml
A comma-separated list of Nuclei templates whose findings should be reviewed manually, as they are known to return false positives.
- NUCLEI_TEMPLATES_TO_SKIP
Default: dns/azure-takeover-detection.yaml,dns/elasticbeantalk-takeover.yaml,http/cves/2021/CVE-2021-43798.yaml,http/exposed-panels/pagespeed-global-admin.yaml,http/cves/2021/CVE-2021-24917.yaml,http/exposures/files/travis-ci-disclosure.yaml,http/vulnerabilities/other/rockmongo-xss.yaml,http/exposed-panels/adobe/aem-sling-login.yaml,http/exposed-panels/alfresco-detect.yaml,http/exposed-panels/backpack/backpack-admin-panel.yaml,http/exposed-panels/bolt-cms-panel.yaml,http/exposed-panels/concrete5/concrete5-panel.yaml,http/exposed-panels/contao-login-panel.yaml,http/exposed-panels/craftcms-admin-panel.yaml,http/exposed-panels/django-admin-panel.yaml,http/exposed-panels/drupal-login.yaml,http/exposed-panels/ez-publish-panel.yaml,http/exposed-panels/joomla-panel.yaml,http/exposed-panels/kentico-login.yaml,http/exposed-panels/liferay-portal.yaml,http/exposed-panels/magnolia-panel.yaml,http/exposed-panels/neos-panel.yaml,http/exposed-panels/netlify-cms.yaml,http/exposed-panels/strapi-panel.yaml,http/exposed-panels/tikiwiki-cms.yaml,http/exposed-panels/typo3-login.yaml,http/exposed-panels/umbraco-login.yaml,http/exposed-panels/wordpress-login.yaml,http/exposed-panels/axigen-webmail.yaml,http/exposed-panels/squirrelmail-login.yaml,http/exposed-panels/horde-webmail-login.yaml,http/exposed-panels/horde-login-panel.yaml,http/exposed-panels/zimbra-web-login.yaml,http/exposed-panels/zimbra-web-client.yaml,http/exposed-panels/icewarp-panel-detect.yaml,http/exposed-panels/tomcat/tomcat-exposed-docs.yaml,http/exposed-panels/arcgis/arcgis-rest-api.yaml,http/exposed-panels/fortinet/fortinet-fortigate-panel.yaml,http/exposed-panels/checkpoint/ssl-network-extender.yaml,http/exposed-panels/pulse-secure-panel.yaml,http/exposed-panels/pulse-secure-version.yaml,http/exposed-panels/cisco/cisco-anyconnect-vpn.yaml,http/exposed-panels/cas-login.yaml,http/exposed-panels/casdoor-login.yaml,http/exposed-panels/openam-panel.yaml,http/exposed-panels/webeditors-check-detect.yaml,http/exposed-panels/dynamicweb-panel.yaml,http/exposed-panels/jira-detect.yaml,http/exposed-panels/magento-admin-panel.yaml,http/exposed-panels/mantisbt-panel.yaml,http/exposed-panels/mautic-crm-panel.yaml,http/exposed-panels/opencart-panel.yaml,http/exposed-panels/osticket-panel.yaml,http/exposed-panels/bigbluebutton-login.yaml,http/exposed-panels/ilias-panel.yaml,http/exposed-panels/opensis-panel.yaml,http/exposed-panels/projectsend-login.yaml
Comma-separated list of Nuclei templates not to be executed. See artemis/config.py for the rationale behind skipping particular templates.
- NUCLEI_TEMPLATE_GROUPS_FILE
Default: /opt/artemis/modules/data/nuclei_template_groups.json
A path (inside the Docker container) to a file containing a JSON dictionary of template group assignments: {"template1": "group1", "template2": "group2", …}. If a template is assigned to a group, the whole group, instead of the template, will be reported as the detected template name. Therefore, due to findings deduplication, only one instance of such a vulnerability will be reported. This is useful for situations when multiple .env detectors detect a single file or multiple XSS templates are triggered on a single page.
PortScanner
- CUSTOM_PORT_SCANNER_PORTS
Default:
Custom port list to scan in CSV form (replaces default list).
- PORT_SCANNER_MAX_NUM_PORTS
Default: 100
The number of open ports we consider to be too many and a false positive: if we observe more open ports, we trim the result by intersecting it with the list of the 100 most popular ports.
- PORT_SCANNER_TIMEOUT_MILLISECONDS
Default: 5000
The number of milliseconds the port scanner waits before timing out.
Postman
- POSTMAN_MAIL_FROM
Default: from@example.com
Sender e-mail address that will be used to test whether a server is an open relay or allows sending e-mails to any address.
- POSTMAN_MAIL_TO
Default: to@example.com
Recipient e-mail address, e.g. for open relay testing.
SSHBruter
- ADDITIONAL_BRUTE_FORCE_SLEEP_SECONDS
Default: 20
Some SSH servers drop connections after a large number of tries in a short time period. This additional sleep between attempts is meant to avoid that behavior.
Shodan
- SHODAN_API_KEY
Default:
Shodan API key so that Shodan vulnerabilities will be displayed in Artemis.
VCS
- VCS_MAX_DB_SIZE_BYTES
Default: 5242880
Maximum size of the VCS (e.g. SVN) db file.
WordPressBruter
- WORDPRESS_BRUTER_STRIPPED_PREFIXES
Default: www
Wordpress_bruter extracts the site name to brute-force passwords. For example, if it observes projectname.example.com, it will brute-force projectname123, projectname2023, … This list describes which domain prefixes to strip (e.g. www) so that we brute-force projectname123, not www123, when testing www.projectname.example.com.
WordPressScanner
- WORDPRESS_VERSION_AGE_DAYS
Default: 90
After what number of days we consider the WordPress version to be obsolete. This is a long threshold because WordPress maintains a separate list of insecure versions, so “old” doesn’t mean “insecure” here.
PublicSuffixes
- ADDITIONAL_PUBLIC_SUFFIXES
Default:
Additional domains that will be treated as public suffixes (even though they’re not on the default Public Suffix List).
- ALLOW_SCANNING_PUBLIC_SUFFIXES
Default: False
Whether we will scan a public suffix (e.g. .pl) if it appears on the target list. This may cause a very large number of domains to be scanned.
Reporting
- MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_HIGH
Default: 60
If a high-severity report has already been generated earlier, how many days need to pass before a second report is generated.
- MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_LOW
Default: 240
If a low-severity report has already been generated earlier, how many days need to pass before a second report is generated.
- MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_MEDIUM
Default: 120
If a medium-severity report has already been generated earlier, how many days need to pass before a second report is generated.
- REPORTING_DEDUPLICATION_COMMON_HTTP_PORTS
Default: 80,443
Ports that we will treat as “standard http/https ports” when deduplicating vulnerabilities: if we observe an identical vulnerability on two standard ports (e.g. on 80 and on 443), we will treat it as the same vulnerability. This is configurable because e.g. we have observed some hosting providers serving mirrors of the content from port 80 on ports 81-84.
- REPORTING_MAX_VULN_AGE_DAYS
Default: 50
When creating e-mail reports, the maximum age (in days) a vulnerability may have to still be reported.
- REPORTING_SEPARATE_INSTITUTIONS
Default:
Sometimes even if we scan example.com, we want to report subdomain.example.com to a separate contact, because it is a separate institution. This variable should contain a comma-separated list of such subdomains.
Blocklist
You may exclude some systems from being scanned or included in the reports. To do that, set the BLOCKLIST_FILE environment variable to a path to a blocklist file (it needs to be placed in the ./shared directory, which is mounted to all scanning containers as /shared).
The blocklist file is a yaml file with the following syntax:
- mode: 'block_scanning_and_reporting' (to block both scanning and reporting) or
        'block_reporting_only' (if you want the scanning to be performed but want the
        issues to be excluded from automatic e-mail reports)
  domain_and_subdomains: null or the domain to be filtered (this will also filter its
        subdomains)
  subdomains: null or a domain - this setting will filter out only subdomains of this domain,
        but not the domain itself
  ip_range: null or the IP range to be filtered (to filter a single IP address,
        use the xxx.xxx.xxx.xxx/32 syntax)
  until: null or a date (YYYY-MM-DD) until which the filter will be active
  karton_name: null or the name of a scanning module
  report_target_should_contain: null or a string that must occur in the target for
        the report to be blocklisted - this parameter can be used only when 'mode' is set
        to 'block_reporting_only'.
  report_type: null (which will block all reports) or a string containing
        the type of reports that will be blocked (e.g. "misconfigured_email") - this
        parameter can be used only when 'mode' is 'block_reporting_only'.
There may be multiple entries in a blocklist file, each with syntax described above.
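A constructed blocklist file, added here as an illustration of the syntax above and not taken from the Artemis repository; the hostnames, IP range, date, file name and the karton_name value are placeholders.

```yaml
# Constructed example blocklist (not part of the Artemis repository).
# Placed as ./shared/blocklist.yml (file name is an example) and referenced
# with BLOCKLIST_FILE=/shared/blocklist.yml in .env.
# All hostnames, addresses and dates below are placeholders.

# 1. An out-of-scope partner system: never scan it and never report on it,
#    including every one of its subdomains.
- mode: 'block_scanning_and_reporting'
  domain_and_subdomains: partner.example.com
  subdomains: null
  ip_range: null
  until: null
  karton_name: null
  report_target_should_contain: null
  report_type: null

# 2. A single host (note the /32 mask) excluded only until a fixed date;
#    after that the entry stops applying and the host is scanned again.
- mode: 'block_scanning_and_reporting'
  domain_and_subdomains: null
  subdomains: null
  ip_range: 192.0.2.10/32
  until: 2025-01-31
  karton_name: null
  report_target_should_contain: null
  report_type: null

# 3. Keep scanning, but mute one report type for an accepted finding:
#    e-mail misconfiguration reports whose target contains "legacy-mail",
#    for subdomains of example.com only (example.com itself is unaffected).
#    Both report_* keys are allowed here because mode is block_reporting_only.
- mode: 'block_reporting_only'
  domain_and_subdomains: null
  subdomains: example.com
  ip_range: null
  until: null
  karton_name: null
  report_target_should_contain: 'legacy-mail'
  report_type: 'misconfigured_email'

# 4. Keep scanning, but do not e-mail reports produced by a single scanning
#    module for this domain (replace the placeholder with the module's karton name).
- mode: 'block_reporting_only'
  domain_and_subdomains: staging.example.com
  subdomains: null
  ip_range: null
  until: null
  karton_name: '<scanning module name>'
  report_target_should_contain: null
  report_type: null
```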
Advanced: Karton configuration
Artemis is based on the Karton framework (https://github.com/CERT-Polska/karton). Please refer to the Karton documentation for more information.