Issue (Open), opened by jjo-sec 8 years ago
Yeah, you're right. Now that we have the utils/rooter.py
functionality, though, we are capable of improving mitmproxy
to become transparent. As in, port the following iptables
rules to be compatible with our Cuckoo setup, and be able to do it on a per-analysis basis.
http://docs.mitmproxy.org/en/stable/transparent/linux.html
And also improve the IRC detection mechanism... :-) It would probably make sense to start extracting IRC/SMTP/POP3/FTP traffic through the httpreplay
library, which in turn would allow much more detailed output as well as seamless SSL/TLS support for those protocols.
We're currently working on this feature, so hopefully we will be able to close this issue off soon :-)
Found a few issues when submitting URLs to Cuckoo with mitmproxy enabled:
- The proxy CONNECT commands are getting listed as IRC connections on the network page (I suspect the same would happen for any malware sample that used an HTTP proxy, after a quick glance at the responsible code).
- URLs associated with HTTP requests also appear to be somewhat malformed, with the requested hostname + mitmproxy port being prepended to the URL being tested.
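As an added illustration of the two findings above (not Cuckoo's, mitmproxy's or httpreplay's code), a small Python classifier that recognises an HTTP request line, including proxy-style CONNECT and absolute-form targets, before falling back to IRC message grammar, and a URL reconstruction that does not prepend the host a second time when the request target already carries it. The command lists, regexes and sample payloads are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Request line per RFC 7230: METHOD SP target SP HTTP/1.x (bytes, no trailing CRLF).
HTTP_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]$")
# IRC message shape per RFC 2812: [":" prefix SP] command [SP params].
IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Z]+|\d{3})(?: .*)?$")
# Constructed subset of IRC client commands worth flagging in a sandbox report.
IRC_COMMANDS = {b"PASS", b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"PONG", b"MODE"}

def classify(payload: bytes) -> str:
    """Label the first line of a client->server TCP stream as 'http', 'http-proxy', 'irc' or 'unknown'.

    HTTP is tested first so a proxied request (CONNECT, or an absolute URL as the target)
    is never mistaken for an IRC command that happens to share its first token."""
    first = payload.split(b"\n", 1)[0].rstrip(b"\r")
    m = HTTP_LINE.match(first)
    if m:
        method, target = m.group(1), m.group(2)
        # CONNECT and absolute-form targets only appear when the client talks to an explicit proxy.
        if method == b"CONNECT" or target.startswith((b"http://", b"https://")):
            return "http-proxy"
        return "http"
    m = IRC_LINE.match(first)
    if m and m.group(1) in IRC_COMMANDS:
        return "irc"
    return "unknown"

def request_url(payload: bytes) -> str:
    """Rebuild the URL of an HTTP request, taking the host from the Host header only
    when the target is origin-form (a bare path); an absolute-form target is returned as-is."""
    lines = payload.split(b"\r\n")
    m = HTTP_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line")
    method, target = m.group(1).decode(), m.group(2).decode()
    if method == "CONNECT":
        # Authority-form (host:port); the real URL travels inside the tunnel, so only the endpoint is known.
        return f"https://{target}/"
    if urlsplit(target).scheme:
        return target
    host = next((ln.split(b":", 1)[1].strip().decode()
                 for ln in lines[1:] if ln.lower().startswith(b"host:")), "")
    return f"http://{host}{target}"

# Constructed sample payloads (not captures from the issue's Cuckoo run).
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\nUser-Agent: test\r\n\r\n"
PROXY_GET = b"GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
DIRECT_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
IRC_REG = b"NICK bot123\r\nUSER bot 0 * :bot\r\nJOIN #chan\r\n"
```

Run over the sample payloads, `classify` tags the CONNECT and absolute-URL requests as proxied HTTP rather than IRC, and `request_url` yields `http://example.com/index.html` for both the direct and the proxied GET.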