This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to integrate the RSA Malware Analysis with the Cuckoo Sandbox

Anonymous
Not applicable

‎2015-05-22 04:46 PM

Hi everyone!

 

I updated the post attaching the PPT used during my presentation at the RSA TechFest 2016. Everything that you need to know about the integration process that I developed is avaiable in the file attached.

This is a simple post to show how to integrate the RSA Malware Analysis with the Cuckoo Sandbox solution.

You will need:

  • RSA Security Analytics for Packet with Malware Analysis
  • Cuckoo Sandbox (local)

 

Firstly, you need to enable the File Sharing Protocol on the Service - > Malware Analysis -> Config and then apply the change.

Cuckoo01.png

 

After that, connect through the SSH to your RSA Malware Analysis and change the share name from File Store to repository. Only to remove the space on share name.

 

Cuckoo02.png

Apply the change and restart the smb service.

Now, connect through SSH to your Cuckoo Sandbox (local). Run the steps below:

  • Install the mount.cifs package
  • Make a directory /mnt/rsamalware
  • Make a script file rsamalware.sh (image below) on Cuckoo’s utils directory and set as an executable file. Note: Change your_rsa_malware by the correct IP address

 

Cuckoo03.png

 

Finally, add a cron job to run the script every 5 minutes (in this case). However, you can parameterize the option that better to attendant your specific demand.

Preview file
17496 KB
13 REPLIES 13

Anonymous
Not applicable

‎2015-05-26 09:47 AM

Thanks, this looks really interesting. I'm assuming the results from Cuckoo don't come back into Malware Analysis as scores? I.e. this just pushes one way, right?

Anonymous
Not applicable
In response to Anonymous

‎2015-05-26 12:28 PM

Hi @Menwith_hill! Thanks for your question!

 

Yes, for sure! This is only the Part I.

 

I'm trying to make a two-way connection to show the results into Malware Anslysis as score. But is very difficult without any documentation to support.

0 Likes

RSAAdmin
Beginner
Beginner

‎2015-05-26 01:00 PM

I am watching this...

 

Is this dependent upon licensing for the malware engine?  Can you have the limited usage license and still pump out everything to cuckoo?

Anonymous
Not applicable
In response to RSAAdmin

‎2015-05-26 01:09 PM

When you say limited usage license, do you mean the free Malware Analysis in the SA server rather than the dedicated appliance?

Anonymous
Not applicable
In response to RSAAdmin

‎2015-05-26 01:15 PM

Hi @Eric_the_Viking! Thanks for your question!


Yes, for sure! You can use the limited license.

0 Likes

Anonymous
Not applicable
In response to Anonymous

‎2015-05-26 01:48 PM

I think that license only allows for items to be manually selected for scanning, I don't think you can send everything that way (at least that is what it is supposed to do).

Anonymous
Not applicable
In response to Anonymous

‎2015-05-26 01:57 PM

He can setup the Malware Analysis (limited license) to work in Continuous Scan as well. However, this is limited only 100 analysis per day.

0 Likes

Anonymous
Not applicable

‎2015-05-26 02:40 PM

great post!

JoeGumke
Beginner
Beginner

‎2017-10-05 08:32 AM

Is there an ability to integrate cuckoo windows host log data into the log portion of the SIEM? Specifically analyzing windows logs, and consuming them into via a log collection method? Interested to see if we could identify some potential alerting through log consumption mechanisms.

© 2022 RSA Security LLC or its affiliates. All rights reserved.