2015-05-22 04:46 PM
Hi everyone!
I updated the post attaching the PPT used during my presentation at the RSA TechFest 2016. Everything that you need to know about the integration process that I developed is available in the file attached.
This is a simple post to show how to integrate the RSA Malware Analysis with the Cuckoo Sandbox solution.
You will need:
Firstly, you need to enable the File Sharing Protocol under Service -> Malware Analysis -> Config and then apply the change.
After that, connect through SSH to your RSA Malware Analysis and change the share name from File Store to repository. This is only to remove the space in the share name.
Apply the change and restart the smb service.
Now, connect through SSH to your Cuckoo Sandbox (local). Run the steps below:
Finally, add a cron job to run the script every 5 minutes (in this case). However, you can parameterize the interval to better suit your specific needs.
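As an added example (not from the original post and not RSA's or Cuckoo's own code), a polling script of the kind the cron job above could run: it mounts the renamed share over CIFS, finds files added since the previous run, and hands each one to Cuckoo. It assumes the Cuckoo 2.x `cuckoo submit` command is on PATH; the host, credentials file and paths are placeholders.

```shell
#!/bin/sh
# Poll the Malware Analysis SMB share ("repository") and submit new files to Cuckoo.
# Placeholders (not from the original post): MA_HOST, CREDS, MOUNT_POINT, STATE.
set -eu

MA_HOST="${MA_HOST:-ma.example.invalid}"        # RSA Malware Analysis host (placeholder)
SHARE="${SHARE:-repository}"                     # share name after removing the space
MOUNT_POINT="${MOUNT_POINT:-/mnt/repository}"    # local mount point (placeholder)
CREDS="${CREDS:-/etc/cuckoo/ma-smb.cred}"        # cifs credentials file (placeholder)
STATE="${STATE:-/var/lib/cuckoo/ma-last-run}"    # mtime marker left by the previous run
SUBMIT_CMD="${SUBMIT_CMD:-cuckoo submit}"        # Cuckoo 2.x CLI submission command

# Mount the share read-only unless it is already mounted.
mount_share() {
    mountpoint -q "$MOUNT_POINT" && return 0
    mount -t cifs "//$MA_HOST/$SHARE" "$MOUNT_POINT" -o "credentials=$CREDS,ro"
}

# Print regular files under $1 that are newer than marker file $2
# (every file if the marker does not exist yet, i.e. on the first run).
list_new_samples() {
    dir=$1; marker=$2
    if [ -f "$marker" ]; then
        find "$dir" -type f -newer "$marker" -print
    else
        find "$dir" -type f -print
    fi
}

# Hand one sample path to Cuckoo; the sample is never executed here.
submit_sample() {
    $SUBMIT_CMD "$1"
}

main() {
    mount_share
    touch "$STATE.new"   # stamp this run before scanning so nothing falls between runs
    list_new_samples "$MOUNT_POINT" "$STATE" | while IFS= read -r f; do
        submit_sample "$f" || echo "submit failed: $f" >&2
    done
    mv "$STATE.new" "$STATE"
}

case "${1:-}" in run) main ;; esac
```

Install it as e.g. `*/5 * * * * /usr/local/bin/ma-to-cuckoo.sh run` to match the 5-minute interval described above.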
2015-05-26 09:47 AM
Thanks, this looks really interesting. I'm assuming the results from Cuckoo don't come back into Malware Analysis as scores? I.e. this just pushes one way, right?
2015-05-26 12:28 PM
Hi @Menwith_hill! Thanks for your question!
Yes, for sure! This is only the Part I.
I'm trying to make a two-way connection to show the results in Malware Analysis as a score. But it is very difficult without any documentation to support it.
2015-05-26 01:00 PM
I am watching this...
Is this dependent upon licensing for the malware engine? Can you have the limited usage license and still pump out everything to cuckoo?
2015-05-26 01:09 PM
When you say limited usage license, do you mean the free Malware Analysis in the SA server rather than the dedicated appliance?
2015-05-26 01:15 PM
Hi @Eric_the_Viking! Thanks for your question!
Yes, for sure! You can use the limited license.
2015-05-26 01:48 PM
I think that license only allows for items to be manually selected for scanning; I don't think you can send everything that way (at least that is what it is supposed to do).
2015-05-26 01:57 PM
He can set up the Malware Analysis (limited license) to work in Continuous Scan as well. However, this is limited to only 100 analyses per day.
2015-05-26 02:40 PM
great post!
2017-10-05 08:32 AM
Is there an ability to integrate Cuckoo Windows host log data into the log portion of the SIEM? Specifically, analyzing Windows logs and consuming them via a log collection method? Interested to see if we could identify some potential alerting through log consumption mechanisms.