
[Feature]: Display each HTTP transaction to the target and its Resource Hash #745

maaaaz opened this issue Jul 29, 2023 · 4 comments

maaaaz commented Jul 29, 2023

Is your feature request related to a problem? Please describe.

It would be great, to have, just like urlscan.io, for each captured website, the list of each HTTP transactions performed and to have for each transaction, its Resource Hash in order to be able to look for similar websites having the same transactions (find copycat malicious websites)

Describe the solution you'd like

The very same information as displayed in a urlscan.io scan, in the "HTTP" tab.

Describe alternatives you've considered

No response

Additional context

No response

@maaaaz maaaaz changed the title [Feature]: Display each HTTP transaction to the target [Feature]: Display each HTTP transaction to the target and its Resource Hash Jul 29, 2023
@Rafiot Rafiot self-assigned this Jul 29, 2023

Rafiot commented Jul 31, 2023

Just to make sure I understand the feature: you want a dedicated page/panel that lists all the transactions (HTTP tab on urlscan.io) of a capture with the resource hash so you can pivot on it?
Similar to what we have on the hostnode popup, but all at one place?

Isn't it what you have when you click on Ressources Capture? Assuming we'd add the name as asked in the other issue (#745)


maaaaz commented Jul 31, 2023

you want a dedicated page/panel that lists all the transactions (HTTP tab on urlscan.io) of a capture with the resource hash so you can pivot on it?

Yes, exactly!


Similar to what we have on the hostnode popup, but all at one place?

I don't know, where is that "hostnode" popup? You mean the "Ressources in tree" modal window?


Isn't it what you have when you click on Ressources Capture? Assuming we'd add the name as asked in the other issue (#745)

First, it seems that the requests shown in the "Ressources Capture" window do not follow the chronological order (this is counter-intuitive): with the following example (https://lookyloo.circl.lu/tree/4530f488-1451-4e0f-bad7-831107fe8a4c), I first had to sort (arrow up) the "Captures total" column to get what seems to be the chronological order.

Then, do you confirm that the first request (the GET "/" request) shown by Lookyloo is the same first request shown on urlscan.io? Because, really, this is a useful request to pivot on and find similar (malicious) websites!

Anyway, try to perform a diff between:

* https://lookyloo.circl.lu/tree/4530f488-1451-4e0f-bad7-831107fe8a4c

* https://urlscan.io/result/d416594f-592b-460b-9757-c03a86347aba/#transactions

As you may have understood, it would be great to mimic what urlscan.io is doing, because their platform is great, but it is still a commercial project which can drastically change its rules at any time. And ineluctably, it will. And we will all get disappointed.

Please make Lookyloo as great as urlscan.io :-)
We all need such a free platform!


Rafiot commented Jul 31, 2023

Similar to what we have on the hostnode popup, but all at one place?

I don't know, where is that "hostnode" popup? You mean the "Ressources in tree" modal window?

Sorry, that's the name I use internally. It is the popup you get when you click on a domain on the tree. For each request/response, you have the resources and correlations. This popup is a bit of a mess and I need to improve it.

Isn't it what you have when you click on Ressources Capture? Assuming we'd add the name as asked in the other issue (#745)

First, it seems that the requests shown in the "Ressources Capture" window do not follow the chronological order (this is counter-intuitive): with the following example (https://lookyloo.circl.lu/tree/4530f488-1451-4e0f-bad7-831107fe8a4c), I first had to sort (arrow up) the "Captures total" column to get what seems to be the chronological order.

Right, I understand. The Ressources Capture modal is sorted by frequency of that resource in the Lookyloo instance. The issue with chronological order is that all the requests are happening more or less at the same time. Having one response after another in a list doesn't mean they are related, as they can be triggered by completely different parts of the tree. I can have a page that displays the HAR directly in a similar way as urlscan.io, but you lose the context.

Then, do you confirm that the first request (the GET "/" request) shown by Lookyloo is the same first request shown on urlscan.io? Because, really, this is a useful request to pivot on and find similar (malicious) websites!

Yes, the first node on the tree is a GET on the URL. If the URL is just a hostname, it is a GET on /, but it can be a URL with a lot more parameters, as long as I can pass it to the browser.

Anyway, try to perform a diff between:

* https://lookyloo.circl.lu/tree/4530f488-1451-4e0f-bad7-831107fe8a4c

* https://urlscan.io/result/d416594f-592b-460b-9757-c03a86347aba/#transactions

As you may have understood, it would be great to mimic what urlscan.io is doing, because their platform is great, but it is still a commercial project which can drastically change its rules at any time. And ineluctably, it will. And we will all get disappointed.

Please make Lookyloo as great as urlscan.io :-) We all need such a free platform!

There is a lot of logic and pointing out the targets of the phishing sites and so on that I'll probably not have in Lookyloo any time soon, the two platforms are pretty complementary. But yes, the goal of Lookyloo is to allow an easy(er) analysis of malicious or just weird URLs, so thank you for the nice words, and keep opening feature requests :)
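To make the feature discussed in this thread concrete, the following is an added example (not Lookyloo's or urlscan.io's own code) that works from a HAR capture, the format both tools derive their transaction lists from. It hashes each response body (SHA-256 is an assumption here; use whatever digest your platform exposes as the "Resource Hash"), lists the transactions in chronological order by `startedDateTime` so the first GET on the captured URL comes first, and then pivots across several captures on shared hashes, which is the copycat-site search the request asks for. The two captures and the hostnames in them are constructed sample data, not real sites.

```python
# Added example, not Lookyloo's or urlscan.io's own code.
# Reads HAR captures, hashes each response body (SHA-256 is an assumption;
# pick the digest your platform uses), lists transactions chronologically,
# and pivots across captures on shared resource hashes.
import base64
import hashlib
import json
from datetime import datetime

# Constructed sample captures: two different hostnames that both load the
# same script body. Hostnames use the reserved .invalid TLD; nothing is real.
SHARED_SCRIPT = "document.forms[0].action='/collect';"

CAPTURE_A = {"log": {"entries": [
    # Deliberately out of order in the file: the script entry comes first.
    {"startedDateTime": "2023-07-29T10:00:01.250Z",
     "request": {"method": "GET", "url": "https://example-a.invalid/kit.js"},
     "response": {"status": 200,
                  "content": {"mimeType": "application/javascript",
                              "text": SHARED_SCRIPT}}},
    {"startedDateTime": "2023-07-29T10:00:00.000Z",
     "request": {"method": "GET", "url": "https://example-a.invalid/"},
     "response": {"status": 200,
                  "content": {"mimeType": "text/html",
                              "text": "<html>A</html>"}}},
]}}

CAPTURE_B = {"log": {"entries": [
    {"startedDateTime": "2023-07-30T08:12:00.000Z",
     "request": {"method": "GET", "url": "https://example-b.invalid/login"},
     "response": {"status": 200,
                  "content": {"mimeType": "text/html",
                              "text": "<html>B</html>"}}},
    # Same script body, stored base64-encoded as HAR exporters often do.
    {"startedDateTime": "2023-07-30T08:12:00.400Z",
     "request": {"method": "GET", "url": "https://example-b.invalid/js/k.js"},
     "response": {"status": 200,
                  "content": {"mimeType": "application/javascript",
                              "encoding": "base64",
                              "text": base64.b64encode(
                                  SHARED_SCRIPT.encode()).decode()}}},
]}}


def response_body(entry):
    """Raw response body bytes of a HAR entry (handles base64 content)."""
    content = entry.get("response", {}).get("content", {})
    text = content.get("text", "")
    if content.get("encoding") == "base64":
        return base64.b64decode(text)
    return text.encode("utf-8")


def resource_hash(entry):
    """Digest of the response body: the value analysts pivot on."""
    return hashlib.sha256(response_body(entry)).hexdigest()


def _started(entry):
    # HAR timestamps are ISO 8601 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))


def transactions(har):
    """Chronological list of {method, url, status, hash} for one capture."""
    entries = sorted(har["log"]["entries"], key=_started)
    return [{"method": e["request"]["method"],
             "url": e["request"]["url"],
             "status": e["response"]["status"],
             "hash": resource_hash(e)} for e in entries]


def shared_hashes(captures):
    """Map each resource hash seen in more than one capture to the capture ids."""
    index = {}
    for capture_id, har in captures.items():
        for tx in transactions(har):
            index.setdefault(tx["hash"], set()).add(capture_id)
    return {h: sorted(ids) for h, ids in index.items() if len(ids) > 1}


if __name__ == "__main__":
    captures = {"capture-a": CAPTURE_A, "capture-b": CAPTURE_B}
    for cid, har in captures.items():
        print(cid)
        for tx in transactions(har):
            print(f"  {tx['method']} {tx['status']} {tx['url']} {tx['hash'][:16]}...")
    print(json.dumps(shared_hashes(captures), indent=2))
```

Sorting on `startedDateTime` gives the urlscan-style flat view; as Rafiot notes above, that order says nothing about which tree node triggered a request, so the hash index is the useful part for pivoting while the tree keeps the context.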


maaaaz commented Jul 31, 2023

Clear, thank you very much and keep up the good work!
