cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Enabling mitmproxy when submitting URLs causing network parsing bugs #813

Open jjo-sec opened 8 years ago

jjo-sec commented 8 years ago

Found a few issues when submitting URLs to Cuckoo with mitmproxy enabled

The proxy CONNECT commands are getting listed as IRC connections on the network page (suspect the same would happen for any malware sample that used an HTTP proxy after a quick glance at the responsible code)

URLs associated with HTTP requests also appear to be somewhat malformed with the requested hostname + mitmproxy port being prepended to the URL being tested

http://www.<redacted>.com:50000/http://www.<redacted>.com/wp-content/plugins/jetpack/modules/related-posts/
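The two parsing problems in this report, a proxy CONNECT being classed as IRC and an absolute-form request target being prefixed again with the destination host and port, both come from looking at the first request line without regard to the proxy. The classifier below is an added, hypothetical example (not Cuckoo's own network parser) of a proxy-aware first-pass: `dst_host`/`dst_port` are the TCP destination as seen in the pcap, and the sample payloads are constructed, not taken from the issue.

```python
import re

# Hypothetical proxy-aware classifier; not Cuckoo's code.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
IRC_COMMAND = re.compile(rb"^(?::\S+ )?(NICK|USER|PASS|JOIN|PRIVMSG) ")


def classify_stream(dst_host, dst_port, payload):
    """Return (protocol, url_or_target) for the client side of a TCP stream.

    - HTTP origin-form   (GET /path)          -> URL built from dst_host/port
    - HTTP absolute-form (GET http://h/path)  -> used verbatim, never prefixed
    - CONNECT host:port                       -> reported as an HTTP tunnel
    - IRC                                     -> only when no HTTP request line
    """
    m = REQUEST_LINE.match(payload)
    if m:
        method, target = m.group(1).decode(), m.group(2).decode()
        if method == "CONNECT":
            # A proxy tunnel request; it must not fall through to IRC checks.
            return ("http-connect", target)
        if target.startswith(("http://", "https://")):
            # Absolute-form target as sent to a proxy: already a full URL.
            return ("http", target)
        port = "" if dst_port == 80 else f":{dst_port}"
        return ("http", f"http://{dst_host}{port}{target}")
    if IRC_COMMAND.match(payload):
        return ("irc", f"{dst_host}:{dst_port}")
    return (None, None)


# Constructed sample streams (not from the issue): destination is a local
# mitmproxy listener on port 50000 for the first two.
SAMPLES = [
    ("www.example.com", 50000,
     b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    ("www.example.com", 50000,
     b"GET http://www.example.com/wp-content/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("www.example.com", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("irc.example.net", 6667, b"NICK bot123\r\nUSER bot 0 * :bot\r\n"),
]

if __name__ == "__main__":
    for host, port, data in SAMPLES:
        print(classify_stream(host, port, data))
```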
jbremer commented 8 years ago

Yeah, you're right. Now we have the utils/rooter.py functionality though, we are capable of improving the mitmproxy to become transparent. As in, port the following iptables rules to be compatible with our Cuckoo setup, and being able to do it on a per-analysis basis. http://docs.mitmproxy.org/en/stable/transparent/linux.html

jbremer commented 8 years ago

And also improving the IRC detection mechanism.. :-) It would probably make sense to start extracting IRC/SMTP/POP3/FTP traffic through the httpreplay library which in turn would allow much more detailed output as well as seamless SSL/TLS support for those protocols.

jbremer commented 7 years ago

We're currently working on this feature so hopefully will be able to close this issue off soon :-)