Open michaelweiser opened 5 years ago
I looked into this a while ago and already did some testing. It's totally possible to cover some of our rules (easier, with more precision and flexibility).
I had the link at hand; there is good documentation here: https://cuckoo.sh/docs/customization/signatures.html
We should look into the possibility of simplifying the Cuckoo rules using a custom signature inside Cuckoo.
Currently we maintain a list of strings which are matched against the signatures reported by Cuckoo.
It might be possible and more efficient to handle this inside Cuckoo using a kind of meta-signature which detects the matching/firing of all the other signatures we consider "bad", accumulates them into a binary decision ("good"/"bad") or even some kind of score, and reports just that single value back to Peekaboo.
Suggested by @Jack28.
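A sketch of the meta-signature described above, added here as an example; it is not code from this issue, from Peekaboo or from Cuckoo. It assumes the Cuckoo custom-signature API from the linked docs (class attributes, `on_complete()`, `mark()`, `has_marks()`), that already-fired signatures are readable from the results dict under `"signatures"`, and that the `order` attribute and the bad-signature list and threshold below are constructed placeholders.

```python
# Added example (not code from this issue, Peekaboo or Cuckoo). Assumes the
# Cuckoo custom-signature API (https://cuckoo.sh/docs/customization/signatures.html);
# reading fired signatures from results["signatures"] is an assumption as well.
try:
    from lib.cuckoo.common.abstracts import Signature
except ImportError:
    # Minimal stand-in so the example runs outside a Cuckoo checkout.
    class Signature(object):
        def __init__(self, caller=None):
            self.results = {}
            self.marks = []
        def mark(self, **kwargs):
            self.marks.append(dict(type="generic", **kwargs))
        def has_marks(self):
            return bool(self.marks)

# Constructed stand-in for the list of signature names Peekaboo currently
# treats as "bad" (the real list lives in Peekaboo's configuration).
BAD_SIGNATURES = {"injection_runpe", "antivm_generic_disk", "ransomware_files"}
BAD_THRESHOLD = 4  # constructed: a score at or above this is reported as "bad"

def score_signatures(fired, bad=BAD_SIGNATURES):
    # Accumulate fired signatures into one number: the summed severity of
    # every signature whose name is on the bad list; others count nothing.
    return sum(int(s.get("severity", 0)) for s in fired if s.get("name") in bad)

def verdict(score, threshold=BAD_THRESHOLD):
    # Collapse the score into the binary decision Peekaboo would consume.
    return "bad" if score >= threshold else "good"

class PeekabooVerdict(Signature):
    name = "peekaboo_verdict"
    description = "Single good/bad decision derived from the other fired signatures"
    severity = 3
    categories = ["generic"]
    authors = ["example"]
    minimum = "2.0"
    order = 99  # assumption: a high order value makes this signature run last

    def on_complete(self):
        fired = self.results.get("signatures", [])
        score = score_signatures(fired)
        hits = sorted(s["name"] for s in fired if s.get("name") in BAD_SIGNATURES)
        # The single mark is all Peekaboo needs to read back.
        self.mark(verdict=verdict(score), score=score, matched=hits)
        return self.has_marks()
```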