cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo 2.06 MISP customisation #2635

Open k41zen opened 5 years ago

k41zen commented 5 years ago

I've seen the modified misp.py files which add customisation and IOCs that you don't want to feed in to MISP, but these error when modified with the latest version of Cuckoo.

So how do I filter out DNS requests to 8.8.8.8 (DNS IP VM host is set to) from MISP?

SparkyNZL commented 5 years ago

You can do this at the MISP end.

RicoVZ commented 5 years ago

Hey @k41zen

Recently I have updated Cuckoo's domain and IP whitelisting capabilities a bit.

In your $CWD, there is a whitelist directory. In it, two files, domain.txt and ip.txt, can be created if they do not exist yet. These files contain one domain or IP per line. Cuckoo then uses these lists to filter out communication with the listed entries while the network processing component runs. This completely removes them from all reports.

The IP whitelisting is currently only available in the latest development version (master branch).
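The whitelist mechanism described above, as an added example that is not Cuckoo's own processing code: it reads one entry per line from `$CWD/whitelist/domain.txt` and `$CWD/whitelist/ip.txt`, then drops matching DNS queries and flows (such as the resolver traffic to 8.8.8.8 from the question) from a constructed report. The record layout, the tolerance for blank and `#` comment lines, and the helper names are assumptions of this example.

```python
import os
import tempfile

def load_whitelist(cwd):
    """Read one entry per line from whitelist/domain.txt and whitelist/ip.txt.
    Blank lines and '#' comments are skipped (an assumption of this example)."""
    lists = {}
    for name in ("domain", "ip"):
        path = os.path.join(cwd, "whitelist", "%s.txt" % name)
        entries = set()
        if os.path.exists(path):
            with open(path) as fp:
                for line in fp:
                    line = line.strip().lower()
                    if line and not line.startswith("#"):
                        entries.add(line)
        lists[name] = entries
    return lists

def filter_network(network, lists):
    """Drop DNS queries for whitelisted domains and UDP/TCP flows whose
    destination is a whitelisted IP; everything else is kept unchanged."""
    out = dict(network)
    out["dns"] = [q for q in network.get("dns", [])
                  if q["request"].lower() not in lists["domain"]]
    for proto in ("udp", "tcp"):
        out[proto] = [f for f in network.get(proto, [])
                      if f["dst"] not in lists["ip"]]
    return out

def demo():
    """Build a throwaway CWD with both files and filter a constructed report."""
    cwd = tempfile.mkdtemp()
    os.mkdir(os.path.join(cwd, "whitelist"))
    with open(os.path.join(cwd, "whitelist", "ip.txt"), "w") as fp:
        fp.write("# resolver configured in the analysis VM\n8.8.8.8\n")
    with open(os.path.join(cwd, "whitelist", "domain.txt"), "w") as fp:
        fp.write("noise.example\n")
    network = {  # constructed sample, shaped like a report's network section
        "dns": [{"request": "noise.example", "answers": []},
                {"request": "suspicious.example", "answers": []}],
        "udp": [{"src": "192.168.56.101", "dst": "8.8.8.8", "dport": 53},
                {"src": "192.168.56.101", "dst": "203.0.113.5", "dport": 53}],
        "tcp": [{"src": "192.168.56.101", "dst": "203.0.113.5", "dport": 443}],
    }
    return filter_network(network, load_whitelist(cwd))
```

Running `demo()` returns the report with the 8.8.8.8 flow and the whitelisted domain removed, while the other entries survive untouched.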

k41zen commented 5 years ago

Excellent thank you for this. I'll try this right now and let you know.