What do you expect to be able to search in Cuckoo?

[jbremer]

This is a general question for our users: what do you want to be able to search in Cuckoo Web interface? We're currently rebuilding our search capabilities and fulfilling our users needs would be a great way to make search as useful as possible. Please leave us a note here or privately and we'll add it to the list of search possibilities. See also #1327 for the actual issue on the new searching. Keep in mind that we will be doing a combination of searching in MongoDB and (optionally) ElasticSearch, so some searches may be limited to users running ElasticSearch.

List of searchable indicators so far:

• IP addresses contacted
• Domain names (being analyzed and domains captured during analyses)
• Hashes (analyzed samples and dropped files)
• Mutexes
• Filenames
• Cuckoo Signatures matched
• Yara Rules matched
• Suricata/Snort rules matched
• Processes and their command-line arguments executed (thanks @doomedraven)

[doomedraven]

Process arguments params would be great too

[Maijin]

Be able to search on All Strings from the memory

[doomedraven]

Search in buffers/arguments in behavior?

[lehuff]

Searching for partial registry keys would be great, same with files/paths that have been accessed/deleted/dropped. These two types of searches would probably be restricted to ES though.

[SparkyNZL]

Most of the things in the static analysis as this is what I use to finger print malware families.

[juju4]

go more into behavioral indicators like

• process tree, with arguments, owner
• sigma (https://github.com/Neo23x0/sigma) signature candidate based on process tree, event/log generated or else

Thanks for the great work and sharing with community!

[SparkyNZL]

Would be great to have the signed malware cert info in here to :) eg serial number and MD5 of the cert company etc

[SparkyNZL]

yara results,

[hunterbr72]

define a closer search scope, e.g. find this string in the API call parameter FILE