MISP / misp-modules

Modules for expansion services, enrichment, import and export in MISP and other tools.
http://misp.github.io/misp-modules
GNU Affero General Public License v3.0

Looking for help (Cuckoo MISP integration) #155

Open fjimca opened 6 years ago

fjimca commented 6 years ago

Hi

I have tried to integrate Cuckoo with MISP. My Cuckoo is deployed in an isolated network, so we need to import IOCs into MISP from a JSON file generated by Cuckoo.

I activated the Cuckooimport module to populate attributes from Cuckoo in a previously created MISP event.

I analyzed a malware file with Cuckoo and exported the analysis report to a file.

I have tried to import all the generated .json files (report.json, and also file.json and task.json) into MISP, but every file I tried to import failed.

I would like to know what is wrong. (We have looked for documentation...).

Would you provide us with a working Cuckoo .json file so we can compare your .json file with our .json files?

Thank you in advance.

adulau commented 6 years ago

Hi,

Have you tried directly using the MISP reporting module in Cuckoo?

https://github.com/cuckoosandbox/cuckoo/blob/master/cuckoo/reporting/misp.py

I suppose the JSON file is maybe more recent, we didn't try the module recently.

Let us know if the default cuckoo reporting module works for you.

fjimca commented 6 years ago

Yes, I have.

But the problem is that when I configure the Cuckoo module, I must set the parameter "reporting.conf:url" and the parameter "reporting.conf:apikey" to access a MISP instance. Because MISP and Cuckoo are in separate networks, the reporting module fails with an error.

I think that this configuration can be used for connecting MISP and Cuckoo directly, not for generating a .json file. https://blog.rootshell.be/2017/01/25/quick-integration-misp-cuckoo/

2018-01-23 16:48:27,593 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "MISP":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/misp.py", line 109, in run
    self.misp = pymisp.PyMISP(url, apikey, False, "json")
  File "/usr/local/lib/python2.7/dist-packages/pymisp/api.py", line 113, in __init__
    raise PyMISPError('Unable to connect to MISP ({}). Please make sure the API key and the URL are correct (http/https is required): {}'.format(self.root_url, e))
PyMISPError: Unable to connect to MISP (http://xxxxxxxxxxxxxx). Please make sure the API key and the URL are correct (http/https is required): ('Connection aborted.', gaierror(-3, 'Temporary failure in name resolution'))
2018-01-23 16:48:34,732 [lib.cuckoo.core.scheduler] INFO: Task #33: reports generation completed (path=/opt/cuckoo/storage/analyses/33)
2018-01-23 16:48:34,762 [lib.cuckoo.core.scheduler] INFO: Task #33: analysis procedure completed

trismegistusX commented 6 years ago

Use the patched files for the reporting and processing conf files for cuckoo to import directly into MISP, works for me:

https://github.com/xme/cuckoo

Overview: https://blog.rootshell.be/2017/01/25/quick-integration-misp-cuckoo/

I recommend creating a separate user account for Cuckoo in MISP to track the imports (assign a new email address to it).

If you can't connect Cuckoo to MISP, put another MISP instance in the same part of the Cuckoo network and then sync the 2 MISP servers.
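The offline path asked about at the top of the thread (Cuckoo and MISP on separate networks, so the reporting module cannot reach MISP) can also be handled without a second MISP server: convert Cuckoo's report.json into MISP's own event JSON on the sandbox side, then carry that file across and import it as an event. The script below is an added example for this thread, not code from misp-modules or from Cuckoo. It assumes the Cuckoo 2.x report layout (target.file hashes, network.hosts / network.domains / network.http, and signatures); the sample report is constructed and the address filter is a deliberate choice to drop the sandbox's own RFC 1918 host-only network, which Cuckoo lists among the contacted hosts.

```python
"""Turn a Cuckoo report.json into MISP event JSON for offline import (added example)."""
import ipaddress
import json
from typing import Dict, List

# Constructed sample in the shape of a Cuckoo 2.x report.json (assumed layout,
# not a real analysis). Only the keys the converter reads are present.
SAMPLE_REPORT: Dict = {
    "info": {"id": 33, "category": "file"},
    "target": {
        "category": "file",
        "file": {
            "name": "invoice.exe",
            "md5": "d41d8cd98f00b204e9800998ecf8427e",
            "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
            "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        },
    },
    "network": {
        # 192.168.56.1 is the sandbox host-only gateway, not an indicator.
        "hosts": ["203.0.113.10", "198.51.100.7", "192.168.56.1"],
        "domains": [{"domain": "update.example.net", "ip": "203.0.113.10"}],
        "http": [{"host": "update.example.net", "uri": "http://update.example.net/gate.php"}],
    },
    "signatures": [{"name": "persistence_autorun", "severity": 3}],
}

# Address ranges that belong to the sandbox, not to the malware's infrastructure.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16")]


def is_sandbox_address(value: str) -> bool:
    """True for RFC 1918 / loopback / link-local addresses (and unparsable strings)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return True
    return any(addr in net for net in _LOCAL_NETS)


def cuckoo_to_misp_event(report: Dict, distribution: int = 0) -> Dict:
    """Build the {"Event": {...}} document that MISP's event JSON import accepts."""
    attrs: List[Dict] = []
    seen = set()

    def add(atype: str, value, category: str, to_ids: bool, comment: str = "") -> None:
        # Deduplicate on (type, value): Cuckoo repeats hosts across report sections.
        if not value or (atype, value) in seen:
            return
        seen.add((atype, value))
        attrs.append({"type": atype, "category": category, "value": value,
                      "to_ids": to_ids, "comment": comment})

    file_info = report.get("target", {}).get("file", {})
    add("filename", file_info.get("name"), "Payload delivery", False)
    for h in ("md5", "sha1", "sha256"):
        add(h, file_info.get(h), "Payload delivery", True)

    net = report.get("network", {})
    for d in net.get("domains", []):
        add("domain", d.get("domain"), "Network activity", True)
        if not is_sandbox_address(d.get("ip", "")):
            add("ip-dst", d.get("ip"), "Network activity", True,
                "resolved from %s" % d.get("domain"))
    for host in net.get("hosts", []):
        if not is_sandbox_address(host):
            add("ip-dst", host, "Network activity", True)
    for req in net.get("http", []):
        add("url", req.get("uri"), "Network activity", True)

    # Keep the behavioural signatures as a non-IDS comment attribute for analysts.
    sig_names = ", ".join(s.get("name", "") for s in report.get("signatures", []))
    if sig_names:
        add("comment", "Cuckoo signatures: " + sig_names, "Other", False)

    task_id = report.get("info", {}).get("id")
    return {"Event": {
        "info": "Cuckoo task #%s: %s" % (task_id, file_info.get("name")),
        "distribution": distribution,   # 0 = your organisation only
        "threat_level_id": 2,           # medium
        "analysis": 2,                  # completed
        "Attribute": attrs,
    }}


def convert_file(report_path: str, out_path: str) -> int:
    """Read a Cuckoo report.json, write MISP event JSON; returns the attribute count."""
    with open(report_path) as fh:
        event = cuckoo_to_misp_event(json.load(fh))
    with open(out_path, "w") as fh:
        json.dump(event, fh, indent=2)
    return len(event["Event"]["Attribute"])


if __name__ == "__main__":
    print(json.dumps(cuckoo_to_misp_event(SAMPLE_REPORT), indent=2))
```

Run it against /opt/cuckoo/storage/analyses/<task>/reports/report.json (the path from the log above) on the sandbox side, move the output file to the MISP network, and import it through the event import form or by POSTing it to /events/add with the dedicated Cuckoo user's API key. Hashes, domains, destination IPs and URLs are flagged to_ids so they feed IDS exports; the filename and signature summary are not, since they are context rather than detection-grade indicators. Review the host list before publishing: the RFC 1918 filter catches the sandbox's own network but not, for example, a resolver or proxy on a public address.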

nkd071819 commented 5 years ago

Is there any update on this issue?

adulau commented 5 years ago

Cuckoo did many updates in the report module in the past weeks. Did you try with a recent version of Cuckoo?

adulau commented 5 years ago

And we recently merged an updated version of the Cuckoo import module https://github.com/MISP/misp-modules/pull/322