Gordon is a personal project to help people with their "cyber threat hunting" tasks. The name Gordon comes from the fictional character Commissioner James Gordon (DC Comics).

The Gordon website is made with Bootstrap, jQuery and DataTables. The logo (shield with wen) is part of Material Icons and the other small SVG icons come from Heroicons. The whole backend (request handling, engines, result processing) is developed in Python 3 and runs in AWS Lambda functions.

For any question or remark, you can contact me on Twitter - @mhgeay (Marc-Henry GEAY, France).

Architecture

I published a post on Medium to describe the architecture.

Gordon overview

Gordon queries the sources on your behalf:

  1. After you send your observables, Gordon verifies your request, then parses and splits your observables into type lists: IPv4, FQDN, URL, MD5, SHA-1, SHA-256 and Email.

  2. Your observables list is sent to a queue that dispatches it to different engines depending on the type. Each engine can manage and search one observable type.

  3. Each engine queries its source API and keeps a summary of the relevant threat and risk records regarding your observables; the engine then stores the results in a file.

  4. Engine results are merged into a consolidated final results list that you can export.
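As an added example (not Gordon's own code), this is how the type splitting of step 1 can be implemented in Python 3, the language of Gordon's backend. The function names, the regular expressions and the sample observables are assumptions constructed for the example; the type names are the ones listed above.

```python
import ipaddress
import re
import uuid

# Observable types Gordon splits a request into; "unknown" collects tokens
# that match none of them, so a non-compliant request can be rejected.
TYPES = ("IPv4", "FQDN", "URL", "MD5", "SHA-1", "SHA-256", "Email")
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # hex digits per hash

_HEX = re.compile(r"^[0-9a-f]+$")
_URL = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$")
_EMAIL = re.compile(r"^[^@\s]+@([a-z0-9-]+\.)+[a-z]{2,}$")
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label

def is_fqdn(token: str) -> bool:
    """Dotted hostname with a non-numeric TLD; rejects single labels."""
    labels = token.rstrip(".").split(".")
    if len(labels) < 2 or len(token) > 253:
        return False
    return all(_LABEL.match(lab) for lab in labels) and not labels[-1].isdigit()

def classify(token: str) -> str:
    """Return the Gordon type of one observable, or 'unknown'."""
    t = token.strip().lower()
    if _URL.match(t):      # checked first: URLs may contain '@' or an IP
        return "URL"
    if _EMAIL.match(t):
        return "Email"
    try:
        ipaddress.IPv4Address(t)
        return "IPv4"
    except ValueError:
        pass
    if _HEX.match(t) and len(t) in HASH_LENGTHS:
        return HASH_LENGTHS[len(t)]
    if is_fqdn(t):
        return "FQDN"
    return "unknown"

def split_request(text: str) -> dict:
    """Parse a pasted blob into deduplicated per-type lists under a UUIDv4 request ID."""
    lists = {name: [] for name in TYPES + ("unknown",)}
    for raw in re.split(r"[\s,;]+", text):
        if not raw:
            continue
        kind = classify(raw)
        value = raw.strip() if kind == "URL" else raw.strip().lower()  # keep URL paths intact
        if value not in lists[kind]:
            lists[kind].append(value)
    return {"request_id": str(uuid.uuid4()), "observables": lists}
```

A request whose "unknown" list is non-empty is a candidate for the "blocking non-compliant requests" step described under Security.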

Security & privacy considerations

Security

Observables are only searched in the existing records of open security databases; no new request or scan against the observables is made. However, the live DNS lookup (engine 7) could be considered an exception.

Results stored in the database by Gordon are available for 7 days. After this period all copies are permanently deleted.

Gordon strives to protect your requests and results against third parties by:

  • Using a UUID version 4 as request ID to ensure a minimum of confidentiality.
  • Encrypting all request and result data with the latest security standards offered by the hosting provider (AWS): TLS v1.3 for data in motion and AES-256 for data at rest. Encryption keys are managed by AWS.
  • Strictly applying the least privilege principle on all involved systems.
  • Keeping minimal information about request and result content: only timestamps, the Request ID and potential error logs are stored, for 7 days.
  • Blocking non-compliant requests.

Lastly, the hosting provider and the queried source providers may, technically, be aware of what you are looking for.

Privacy

All dependencies are hosted on the Gordon website (jQuery, DataTables, Bootstrap). Web metrics are collected for analytics with Clicky.
The following statistics are collected and shared here: volume of analysis requests and of observables, in total and per observable type.

How to use it?

Paste one or more observables into the text field and click "Analyze!"; you will be redirected to a waiting page and get your results a few seconds later.

Engines list

See dedicated page

Sharing & blog posts about Gordon

Thank you to the people sharing my personal project:

Legal notice - French law

This website is hosted by Amazon Web Services (abuse@amazonaws.com) in the United States.

You have the right to oppose, query, access and rectify your personal information by contacting me.

All website data, including personal data, is stored in a state outside the European Union (United States).

The purpose of the processing for which the data is intended is described above (Security & privacy considerations chapter). Its purpose is to protect the website and to provide technical data to identify bugs.