cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo Package: MISP processing #1458

Open SparkyNZL opened 7 years ago

SparkyNZL commented 7 years ago

The MISP processing is working really well. The only issue is that it's pulling stuff out of "Analysis Comments", which is causing a lot of IOCs to be listed (e.g. 17000 have 8.8.8.8 in a comment field). This causes addition of these to the report, which is not that helpful :(

Perhaps a future improvement

:)

doomedraven commented 7 years ago

Check the whitelist; it should support banning them.

SparkyNZL commented 7 years ago

Yeah, that's what I thought too, but either it's not working or I'm being a retard, most likely the latter.

I've put in "/8.8.8.8/"

doomedraven commented 7 years ago

Why do you put slashes? Just the IP, without " as well, and if that doesn't work, put some prints in the whitelist loading in the misp module to verify that it loads correctly.

SparkyNZL commented 7 years ago

In MISP you have to put it in as a valid regex, so it needs it?

doomedraven commented 7 years ago

Oh, I see, maybe @jbremer removed it %) no idea how it disappeared

import os

# legacy Cuckoo 1.x/2.0-dev import paths that this snippet assumes
from lib.cuckoo.common.config import Config
from lib.cuckoo.common.constants import CUCKOO_ROOT

whitelist = list()
# load whitelist if exists
if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
    whitelist = Config("misp").whitelist.whitelist
    if whitelist:
        whitelist = [ioc.strip() for ioc in whitelist.split(",")]

The config format should be updated to the new format, as config("misp:whitelist:whitelist"); also you need to check the file in cwd, this is old code.
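As an added example (not Cuckoo's own code), this is how the comma-separated whitelist the loader above reads gets parsed and applied, and why an entry written in MISP's PHP-style "/8.8.8.8/" regex convention never matches a plain IOC string. The misp.conf fragment and the IOC list are constructed for the demo.

```python
import configparser
import io

# Constructed misp.conf fragment mirroring the [whitelist] section the loader reads;
# the first entry copies MISP's regex convention, the others are plain strings.
MISP_CONF = """
[whitelist]
whitelist = /8.8.8.8/, 8.8.4.4 ,example.org
"""

# Constructed IOCs, as if pulled from MISP attributes and "Analysis Comments"
IOCS = ["8.8.8.8", "8.8.4.4", "example.org", "203.0.113.5"]


def load_whitelist(conf_text):
    """Parse the whitelist the same way the old loader does: split on commas, strip."""
    parser = configparser.ConfigParser()
    parser.read_file(io.StringIO(conf_text))
    raw = parser.get("whitelist", "whitelist", fallback="")
    return [ioc.strip() for ioc in raw.split(",") if ioc.strip()]


def filter_iocs(iocs, whitelist):
    """Drop IOCs that exactly equal a whitelist entry: a plain-string match, not a regex."""
    banned = set(whitelist)
    return [ioc for ioc in iocs if ioc not in banned]


def unmatched_entries(iocs, whitelist):
    """Return whitelist entries that matched nothing in the IOC set. A surviving
    '/.../' entry is the tell-tale that a MISP regex was pasted into Cuckoo's list."""
    seen = set(iocs)
    return [entry for entry in whitelist if entry not in seen]


if __name__ == "__main__":
    wl = load_whitelist(MISP_CONF)
    print("whitelist:", wl)
    print("kept IOCs:", filter_iocs(IOCS, wl))
    print("entries that never matched:", unmatched_entries(IOCS, wl))
```

Running it shows 8.8.8.8 surviving the filter while 8.8.4.4 and example.org are dropped, because "/8.8.8.8/" is compared as a literal string.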

SparkyNZL commented 7 years ago

Oh, I was whitelisting in MISP; you need to use PHP regex for that, hence the format.

The domain whitelist is only that; it doesn't stop the matching in MISP of HTTPS domains or IP addresses resolved from the whitelisted domains,

Which goes back to a ticket where @jbremer and I were discussing this, because all the stuff excluded in the whitelist ends up in Moloch as well as other network areas in Cuckoo like HTTPS, HTTP, DNS. This needs to be looked at later down the track as Windows is generating more and more noise ;(

Sent from my spaceship...


doomedraven commented 7 years ago

I will send you the noise shutdown in Slack.

likekabin commented 7 years ago

@doomedraven can you add me to the Slack group? My Slack nick: thank you very much!

doomedraven commented 7 years ago

No, I don't have the rights for that; there is a public IRC ;)

jbremer commented 7 years ago

@denmilu If you want I can add you to our Slack, though!

likekabin commented 7 years ago

@jbremer Very happy to hear that. My Slack is: tranpnam . Thank you very much!