Recently, I started a new SA4P project with Check Point TE (Sandbox) and needed to provide MA analysis result files to the TE Sandbox.
I used the Samba server built into MA and rsync, which synchronizes directories and files, because TE Sandbox is able to hook files through CIFS among the devices (in my case, CIFS is mounted between the SA device and the MA device).
Here are the configuration steps.
1. Configure Samba on the MA device
1.1) Edit /etc/samba/smb.conf
================================= smb.conf =================================
[File Store]
comment = RSA Malware Prevention File Store Content
path = /var/lib/rsamalware/spectrum/repository/files
browseable = yes
writable = yes
valid users = root
#read only = yes
#guest only = yes
==============================================================================
1.2) Reload the Samba configuration
# smbpasswd -a root
# service smb restart
# service smb reload
2. Puppet manifest configuration to allow the CIFS communication ports.
Edit /etc/puppet/modules/malware-analysis/manifests/init.pp
==============================================================================
firewall {'3 SMB 139 IN':
  chain   => 'INPUT',
  iniface => $management_interface,
  proto   => 'tcp',
  source  => $sa_server,
  dport   => 139,
  state   => ['NEW','ESTABLISHED'],
  action  => 'accept'
}
firewall {'4 SMB 139 OUT':
  chain    => 'OUTPUT',
  outiface => $management_interface,
  proto    => 'tcp',
  sport    => 139,
  state    => 'ESTABLISHED',
  action   => 'accept'
}
firewall {'5 SMB 445 IN':
  chain   => 'INPUT',
  iniface => $management_interface,
  proto   => 'tcp',
  source  => $sa_server,
  dport   => 445,
  state   => ['NEW','ESTABLISHED'],
  action  => 'accept'
}
firewall {'6 SMB 445 OUT':
  chain    => 'OUTPUT',
  outiface => $management_interface,
  proto    => 'tcp',
  sport    => 445,
  state    => 'ESTABLISHED',
  action   => 'accept'
}
==============================================================================
3. Mount the CIFS file system from MA on the SA device
# yum install cifs-utils.x86_64    (the SA device needs cifs-utils installed for the CIFS mount)
# mount -t cifs -o guest //10.35.95.99/File\ Store /var/MAFiles
4. Synchronize the SA folder with the MA repository folder (/var/lib/rsamalware/spectrum/repository/files) using rsync when it is updated by MA.
# rpm -qa | grep rsync    (check that the rsync rpm is installed)
# mkdir /var/MASync
# rsync -avzh /var/MAFiles /var/MASync
5. Register the following shell script in crontab to synchronize the MA-SA folder every 5 minutes.
# cat rsync.sh
==============================================================================
#!/bin/sh
MA_DIR=/var/netwitness/ipdbextractor/MAFiles
SA_DIR=/root/rsync
LOG="$SA_DIR/rsync_$(/bin/date '+%Y-%m-%d').log"
# number of df lines showing the CIFS share: 1 when it is mounted, 0 otherwise
IS_MOUNT=$(/bin/df | /bin/grep "/var/netwitness/ipdbextractor/MAFiles" | /usr/bin/wc -l)
if [ "$IS_MOUNT" -eq 1 ]; then
    /bin/date >> "$LOG"
    /usr/bin/rsync -avzh "$MA_DIR" "$SA_DIR" >> "$LOG"
else
    # share is not mounted (e.g. after a reboot): mount it so the next run can sync
    /bin/mount -t cifs -o user='root',password='netwitness' "//10.158.201.33/File Store" "$MA_DIR"
fi
==============================================================================
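A hardened variant of the cron job above, as an added example that is not part of the original post: the share password moves out of the script into a root-only credentials file read by mount.cifs, overlapping 5-minute runs are prevented with flock, and the mount check matches the mount-point field of /proc/mounts exactly instead of grepping df output. The share address reuses the one from step 3 and SA_DIR the folder from step 4; the credentials file, lock file and the `run` argument are assumptions.

```shell
#!/bin/sh
# Hardened variant of the rsync.sh cron job (added example, not the post's own script).
# Assumptions: CRED_FILE is a root-only (mode 0600) file holding "username=" and
# "password=" lines for mount.cifs; LOCK_FILE and the default paths are examples.
# Cron entry (every 5 minutes): */5 * * * * /usr/local/bin/ma_sync.sh run
MA_DIR="${MA_DIR:-/var/MAFiles}"
SA_DIR="${SA_DIR:-/var/MASync}"
MA_SHARE="${MA_SHARE:-//10.35.95.99/File Store}"   # share from step 3 of the post
CRED_FILE="${CRED_FILE:-/root/.ma_cifs_creds}"      # assumed path
LOCK_FILE="${LOCK_FILE:-/var/run/ma_sync.lock}"     # assumed path
# is_mounted MOUNTS_FILE MOUNTPOINT: exact match on the mount-point field of a
# /proc/mounts-style file, so /var/MAFiles-old or /var/MAFiles/sub do not count
# as the share being mounted the way a substring grep on df output would.
is_mounted() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# log_path DIR DATE: the daily log file the job appends to
log_path() {
    printf '%s/rsync_%s.log\n' "$1" "$2"
}

mount_share() {
    # credentials= keeps the password out of the script, the crontab and `ps`;
    # ro because the SA side only reads from the share
    /bin/mount -t cifs -o "credentials=$CRED_FILE,ro" "$MA_SHARE" "$MA_DIR"
}

sync_once() {
    log="$(log_path "$SA_DIR" "$(date '+%Y-%m-%d')")"
    mkdir -p "$SA_DIR"
    {
        date
        # trailing slashes: copy the share's contents, not a nested MAFiles directory
        rsync -avzh "$MA_DIR/" "$SA_DIR/"
    } >> "$log" 2>&1
}

main() {
    # flock: a slow transfer must not overlap with the next 5-minute run
    exec 9> "$LOCK_FILE"
    flock -n 9 || { echo "previous run still active, skipping" >&2; exit 0; }
    if ! is_mounted /proc/mounts "$MA_DIR"; then
        mount_share || exit 1
    fi
    sync_once
}

if [ "${1:-}" = run ]; then main; fi
```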
Hope this helps!