doomedraven
commented
8 years ago @hemzaz you already have it implemented, so which is the question exactly?
Closed hemzaz closed 8 years ago
doomedraven
commented
8 years ago @hemzaz you already have it implemented, so which is the question exactly?
spender-sandbox
commented
8 years ago You mean the per-analysis gateway support we've had since last year? (before upstream Cuckoo)
Or are you asking for a different implementation?
-Brad
hemzaz
commented
8 years ago OH, So how does it work without vpn.conf or rooter?
doomedraven
commented
8 years ago nop, i have sent all needed changes to integrate rooter.py into cuckoo-mod as is nice feature for me and all people who i know who use cuckoo-mod, but not get response at the moment, but at the moment you need use open vswitch o backport it by yourself is really easy :)
hemzaz
commented
8 years ago what about the UI implementation - a combo box that allows choosing between the gateways?
doomedraven
commented
8 years ago it easy i have done it in my instance of cuckoo-mod, here you have it
def init_routing():
"""Initialize and check whether the routing information is correct."""
cuckoo = Config()
vpn = Config("vpn")
# Check whether all VPNs exist if configured and make their configuration
# available through the vpns variable. Also enable NAT on each interface.
if vpn.vpn.enabled:
for name in vpn.vpn.vpns.split(","):
name = name.strip()
if not name:
continue
if not hasattr(vpn, name):
raise CuckooStartupError(
"Could not find VPN configuration for %s" % name
)
entry = vpn.get(name)
add = 1
if not rooter("nic_available", entry.interface):
#raise CuckooStartupError(
# "The network interface that has been configured for "
# "VPN %s is not available." % entry.name
#)
add = 0
if not rooter("rt_available", entry.rt_table):
raise CuckooStartupError(
"The routing table that has been configured for "
"VPN %s is not available." % entry.name
)
if add:
vpns[entry.name] = entry
# Disable & enable NAT on this network interface. Disable it just
# in case we still had the same rule from a previous run.
rooter("disable_nat", entry.interface)
rooter("enable_nat", entry.interface)
# Populate routing table with entries from main routing table.
if cuckoo.routing.auto_rt:
rooter("flush_rttable", entry.rt_table)
rooter("init_rttable", entry.rt_table, entry.interface)
# Check whether the default VPN exists if specified.
if cuckoo.routing.route not in ("none", "internet"):
if not vpn.vpn.enabled:
raise CuckooStartupError(
"A VPN has been configured as default routing interface for "
"VMs, but VPNs have not been enabled in vpn.conf"
)
if cuckoo.routing.route not in vpns:
raise CuckooStartupError(
"The VPN defined as default routing target has not been "
"configured in vpn.conf."
)
# Check whether the dirty line exists if it has been defined.
if cuckoo.routing.internet != "none":
if not rooter("nic_available", cuckoo.routing.internet):
raise CuckooStartupError(
"The network interface that has been configured as dirty "
"line is not available."
)
if not rooter("rt_available", cuckoo.routing.rt_table):
raise CuckooStartupError(
"The routing table that has been configured for dirty "
"line interface is not available."
)
# Disable & enable NAT on this network interface. Disable it just
# in case we still had the same rule from a previous run.
rooter("disable_nat", cuckoo.routing.internet)
rooter("enable_nat", cuckoo.routing.internet)
# Populate routing table with entries from main routing table.
if cuckoo.routing.auto_rt:
rooter("flush_rttable", cuckoo.routing.rt_table)
rooter("init_rttable", cuckoo.routing.rt_table,
cuckoo.routing.internet)
def init_rooter():
"""If required, check whether the rooter is running and whether we can
connect to it."""
cuckoo = Config()
# The default configuration doesn't require the rooter to be ran.
if not Config("vpn").vpn.enabled and cuckoo.routing.route == "none":
return
cuckoo = Config()
s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
try:
s.connect(cuckoo.cuckoo.rooter)
except socket.error as e:
if e.strerror == "No such file or directory":
raise CuckooStartupError(
"The rooter is required but it is either not running or it "
"has been configured to a different Unix socket path. "
"(In order to disable the use of rooter, please set route "
"and internet to none in cuckoo.conf and enabled to no in "
"vpn.conf)."
)
if e.strerror == "Connection refused":
raise CuckooStartupError(
"The rooter is required but we can't connect to it as the "
"rooter is not actually running. "
"(In order to disable the use of rooter, please set route "
"and internet to none in cuckoo.conf and enabled to no in "
"vpn.conf)."
)
if e.strerror == "Permission denied":
raise CuckooStartupError(
"The rooter is required but we can't connect to it due to "
"incorrect permissions. Did you assign it the correct group? "
"(In order to disable the use of rooter, please set route "
"and internet to none in cuckoo.conf and enabled to no in "
"vpn.conf)."
)
raise CuckooStartupError("Unknown rooter error: %s" % e)
# Do not forward any packets unless we have explicitly stated so.
rooter("forward_drop")
[vpn]
# By default we disable VPN support as it requires running utils/rooter.py as
# root next to cuckoo.py (which should run as regular user).
enabled = yes
# Comma-separated list of the available VPNs.
vpns = vpn_1
[vpn_1]
name = vpm_name # max 16 chars
description = some_description # you will see this in webgui selection
interface = tunX # the same as in ovpn for this vpn node
rt_table = X # the same as in ovpn for this node, before vpn port, example, vpn.domain.com 1194, vpn.domain.com is rt_table valuefrom lib.cuckoo.core.startup import init_rooter, init_routing before bson importinit_rooter() to all init* near to line 63init_routing() to all init* near to line 63# this part must be inside of [cuckoo]
# Path to the unix socket for running root commands.
rooter = /tmp/cuckoo-rooter
[routing]
# Default network routing mode; "none", "internet", or "vpn_name".
# In none mode we don't do any special routing - the VM doesn't have any
# network access (this has been the default actually for quite a while).
# In internet mode by default all the VMs will be routed through the network
# interface configured below (the "dirty line").
# And in VPN mode by default the VMs will be routed through the VPN identified
# by the given name of the VPN (as per vpn.conf).
# Note that just like enabling VPN configuration setting this option to
# anything other than "none" requires one to run utils/rooter.py as root next
# to the Cuckoo instance (as it's required for setting up the routing).
route = none
# Network interface that allows a VM to connect to the entire internet, the
# "dirty line" so to say. Note that, just like with the VPNs, this will allow
# malicious traffic through your network. So think twice before enabling it.
# (For example, to route all VMs through eth0 by default: "internet = eth0").
internet = none
# Routing table name/id for "dirty line" interface. If "dirty line" is
# also default gateway in the system you can leave "main" value. Otherwise add
# new routing table by adding "<id> <name>" line to /etc/iproute2/rt_tables
# (e.g., "200 eth0"). ID and name must be unique across the system (refer to
# /etc/iproute2/rt_tables for existing names and IDs).
rt_table = main
# To route traffic through multiple network interfaces Cuckoo uses
# Policy Routing with separate routing table for each output interface
# (VPN or "dirty line"). If this option is enabled Cuckoo on start will try
# to automatically initialise routing tables by copying routing entries from
# main routing table to the new routing tables. Depending on your network/vpn
# configuration this might not be sufficient. In such case you would need to
# initialise routing tables manually. Note that enabling this option won't
# affect main routing table.
auto_rt = yes
def route_network(self):
"""Enable network routing if desired."""
# Determine the desired routing strategy (none, internet, VPN).
route = None
if self.task.options:
for option in self.task.options.split(","):
key, value = option.split("=")
if key == "route":
route = value
break
if route == "none":
self.interface = None
self.rt_table = None
elif route == "internet" and self.cfg.routing.internet != "none":
self.interface = self.cfg.routing.internet
self.rt_table = self.cfg.routing.rt_table
elif route in vpns:
self.interface = vpns[route].interface
self.rt_table = vpns[route].rt_table
else:
log.warning("Unknown network routing destination specified, "
"ignoring routing for this analysis: %r", route)
self.interface = None
self.rt_table = None
# Check if the network interface is still available. If a VPN dies for
# some reason, its tunX interface will no longer be available.
if self.interface and not rooter("nic_available", self.interface):
log.error(
"The network interface '%s' configured for this analysis is "
"not available at the moment, switching to route=none mode.",
self.interface
)
route = "none"
self.task.options["route"] = "none"
self.interface = None
self.rt_table = None
if self.interface:
rooter("forward_enable", self.machine.interface,
self.interface, self.machine.ip)
if self.rt_table:
rooter("srcroute_enable", self.rt_table, self.machine.ip)
def unroute_network(self):
if self.interface:
rooter("forward_disable", self.machine.interface,
self.interface, self.machine.ip)
if self.rt_table:
rooter("srcroute_disable", self.rt_table, self.machine.ip)machinery.start(self.machine.label)# Enable network routing.
self.route_network()ResultServer().del_task(self.task, self.machine) # Drop the network routing rules if any.
self.unroute_network()Initialize add # Drop forwarding rule to each VPN.
for vpn in vpns.values():
rooter("forward_disable", machine.interface,vpn.interface, machine.ip)
# Drop forwarding rule to the internet / dirty line.
if self.cfg.routing.internet != "none":
rooter("forward_disable", machine.interface,self.cfg.routing.internet, machine.ip)# In case we have VPNs enabled we need to initialize through the following
# two methods as they verify the interaction with VPNs as well as gather
# which VPNs are available (for representation upon File/URL submission).
from lib.cuckoo.core.startup import init_rooter, init_routing
init_rooter()
init_routing()from lib.cuckoo.core.rooter import vpns "vpns": vpns.values(),
"route": cfg.routing.route,
"internet": cfg.routing.internet, if request.POST.get("route", None):
if options:
options += ","
options += "route={0}".format(request.POST.get("route", None))
<div class="form-group">
<strong>Network routing through <i>dirty line</i> or VPN</strong>
</div>
<div class="form-group">
<select class="form-control" id="form_route" name="route">
<option value="none">None (no internet access)</option>
{% if internet != "none" %}
<option value="internet"{% if route == "internet" %} selected{% endif %}>Internet (dirty line, {{ internet }})</option>
{% endif %}
{% for vpn in vpns %}
<option value="{{ vpn.name }}"{% if route == vpn.name %} selected{% endif %}>{{ vpn.description }} (VPN, {{ vpn.interface }})</option>
{% endfor %}
</select>
</div> if machine_opts.get("interface"):
machine.interface = machine_opts["interface"]
else:
machine.interface = mmanager_opts.get("interface")# Specify the name of the default network interface that will be used
# when dumping network traffic with tcpdump.
# Example (virbr0 is the interface name):
interface = virbr0MY GOD, You are gr8! going to try it on my dev box!
doomedraven
commented
8 years ago @hemzaz you are welcome, i working on integration of inetsim into rooter.py. as default implementation doesn't work for me here, few lines but is weekend so next week it will be inside :)
jbremer
commented
8 years ago Looking forward to that, InetSIM integration, @doomedraven ;-)
0day1day
commented
8 years ago F_ck_ng! awesome @doomedraven ! thanks and very useful feature!
jpalanco
commented
8 years ago Nice feature @doomedraven
Thank you so much!!!
pekeinfo
commented
8 years ago Nice jobs @doomedraven. Thx!!
doomedraven
commented
8 years ago last msg no more spam here i promise :), with inetsim and tor inside of rooter.py
def init_rooter():
"""If required, check whether the rooter is running and whether we can
connect to it."""
cuckoo = Config()
# The default configuration doesn't require the rooter to be ran.
if not Config("vpn").vpn.enabled and cuckoo.routing.route == "none":
return
cuckoo = Config()
s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
try:
s.connect(cuckoo.cuckoo.rooter)
except socket.error as e:
if e.strerror == "No such file or directory":
raise CuckooStartupError(
"The rooter is required but it is either not running or it "
"has been configured to a different Unix socket path. "
"(In order to disable the use of rooter, please set route "
"and internet to none in cuckoo.conf and enabled to no in "
"vpn.conf)."
)
if e.strerror == "Connection refused":
raise CuckooStartupError(
"The rooter is required but we can't connect to it as the "
"rooter is not actually running. "
"(In order to disable the use of rooter, please set route "
"and internet to none in cuckoo.conf and enabled to no in "
"vpn.conf)."
)
if e.strerror == "Permission denied":
raise CuckooStartupError(
"The rooter is required but we can't connect to it due to "
"incorrect permissions. Did you assign it the correct group? "
"(In order to disable the use of rooter, please set route "
"and internet to none in cuckoo.conf and enabled to no in "
"vpn.conf)."
)
raise CuckooStartupError("Unknown rooter error: %s" % e)
# Do not forward any packets unless we have explicitly stated so.
rooter("forward_drop")
def init_routing():
"""Initialize and check whether the routing information is correct."""
cuckoo = Config()
vpn = Config("vpn")
# Check whether all VPNs exist if configured and make their configuration
# available through the vpns variable. Also enable NAT on each interface.
if vpn.vpn.enabled:
for name in vpn.vpn.vpns.split(","):
name = name.strip()
if not name:
continue
if not hasattr(vpn, name):
raise CuckooStartupError(
"Could not find VPN configuration for %s" % name
)
entry = vpn.get(name)
add = 1
if not rooter("nic_available", entry.interface):
#raise CuckooStartupError(
# "The network interface that has been configured for "
# "VPN %s is not available." % entry.name
#)
add = 0
if not rooter("rt_available", entry.rt_table):
raise CuckooStartupError(
"The routing table that has been configured for "
"VPN %s is not available." % entry.name
)
if add:
vpns[entry.name] = entry
# Disable & enable NAT on this network interface. Disable it just
# in case we still had the same rule from a previous run.
rooter("disable_nat", entry.interface)
rooter("enable_nat", entry.interface)
# Populate routing table with entries from main routing table.
if cuckoo.routing.auto_rt:
rooter("flush_rttable", entry.rt_table)
rooter("init_rttable", entry.rt_table, entry.interface)
# Check whether the default VPN exists if specified.
if cuckoo.routing.route not in ("none", "internet"):
if not vpn.vpn.enabled:
raise CuckooStartupError(
"A VPN has been configured as default routing interface for "
"VMs, but VPNs have not been enabled in vpn.conf"
)
if cuckoo.routing.route not in vpns:
raise CuckooStartupError(
"The VPN defined as default routing target has not been "
"configured in vpn.conf."
)
# Check whether the dirty line exists if it has been defined.
if cuckoo.routing.internet != "none":
if not rooter("nic_available", cuckoo.routing.internet):
raise CuckooStartupError(
"The network interface that has been configured as dirty "
"line is not available."
)
if not rooter("rt_available", cuckoo.routing.rt_table):
raise CuckooStartupError(
"The routing table that has been configured for dirty "
"line interface is not available."
)
# Disable & enable NAT on this network interface. Disable it just
# in case we still had the same rule from a previous run.
rooter("disable_nat", cuckoo.routing.internet)
rooter("enable_nat", cuckoo.routing.internet)
# Populate routing table with entries from main routing table.
if cuckoo.routing.auto_rt:
rooter("flush_rttable", cuckoo.routing.rt_table)
rooter("init_rttable", cuckoo.routing.rt_table,
cuckoo.routing.internet)
# Check if tor interface exists, if yes then enable nat
if cuckoo.routing.tor_interface:
if not rooter("nic_available", cuckoo.routing.tor_interface):
raise CuckooStartupError(
"The network interface that has been configured as tor "
"line is not available."
)
# Disable & enable NAT on this network interface. Disable it just
# in case we still had the same rule from a previous run.
rooter("disable_nat", cuckoo.routing.tor_interface)
rooter("enable_nat", cuckoo.routing.tor_interface)
# Populate routing table with entries from main routing table.
if cuckoo.routing.auto_rt:
rooter("flush_rttable", cuckoo.routing.rt_table)
rooter("init_rttable", cuckoo.routing.rt_table,
cuckoo.routing.internet)
# Check if inetsim interface exists, if yes then enable nat, if interface is not the same as tor
if cuckoo.routing.inetsim_interface and cuckoo.routing.inetsim_interface != cuckoo.routing.tor_interface:
if not rooter("nic_available", cuckoo.routing.tor_interface):
raise CuckooStartupError(
"The network interface that has been configured as tor "
"line is not available."
)
# Disable & enable NAT on this network interface. Disable it just
# in case we still had the same rule from a previous run.
rooter("disable_nat", cuckoo.routing.tor_interface)
rooter("enable_nat", cuckoo.routing.tor_interface)
# Populate routing table with entries from main routing table.
if cuckoo.routing.auto_rt:
rooter("flush_rttable", cuckoo.routing.rt_table)
rooter("init_rttable", cuckoo.routing.rt_table,
cuckoo.routing.internet)[vpn]
# By default we disable VPN support as it requires running utils/rooter.py as
# root next to cuckoo.py (which should run as regular user).
enabled = yes
# Comma-separated list of the available VPNs.
vpns = vpn_1
[vpn_1]
name = vpm_name
description = some_description # you will see this in webgui selection
interface = tunX # the same as in ovpn for this vpn node
rt_table = X # the same as in ovpn for this node, before vpn port, example, vpn.domain.com 1194, vpn.domain.com is rt_table valuefrom lib.cuckoo.core.startup import init_rooter, init_routing before bson importinit_rooter() to all init* near to line 63init_routing() to all init* near to line 63# this part must be inside of [cuckoo]
# Path to the unix socket for running root commands.
rooter = /tmp/cuckoo-rooter
[routing]
# Default network routing mode; "none", "internet", or "vpn_name".
# In none mode we don't do any special routing - the VM doesn't have any
# network access (this has been the default actually for quite a while).
# In internet mode by default all the VMs will be routed through the network
# interface configured below (the "dirty line").
# And in VPN mode by default the VMs will be routed through the VPN identified
# by the given name of the VPN (as per vpn.conf).
# Note that just like enabling VPN configuration setting this option to
# anything other than "none" requires one to run utils/rooter.py as root next
# to the Cuckoo instance (as it's required for setting up the routing).
route = none
# Network interface that allows a VM to connect to the entire internet, the
# "dirty line" so to say. Note that, just like with the VPNs, this will allow
# malicious traffic through your network. So think twice before enabling it.
# (For example, to route all VMs through eth0 by default: "internet = eth0").
internet = none
# Routing table name/id for "dirty line" interface. If "dirty line" is
# also default gateway in the system you can leave "main" value. Otherwise add
# new routing table by adding "<id> <name>" line to /etc/iproute2/rt_tables
# (e.g., "200 eth0"). ID and name must be unique across the system (refer to
# /etc/iproute2/rt_tables for existing names and IDs).
rt_table = main
# To route traffic through multiple network interfaces Cuckoo uses
# Policy Routing with separate routing table for each output interface
# (VPN or "dirty line"). If this option is enabled Cuckoo on start will try
# to automatically initialise routing tables by copying routing entries from
# main routing table to the new routing tables. Depending on your network/vpn
# configuration this might not be sufficient. In such case you would need to
# initialise routing tables manually. Note that enabling this option won't
# affect main routing table.
auto_rt = yes
# Inetsim quick deploy, chose your vm manager if is not kvm
# wget https://googledrive.com/host/0B6fULLT_NpxMQ1Rrb1drdW42SkE/remnux-6.0-ova-public.ova
# tar xvf remnux-6.0-ova-public.ova
# qemu-img convert -O qcow2 REMnuxV6-disk1.vmdk remnux.qcow2
inetsim = off
inetsim_server = inetsim_ip
inetsim_interface = virbr0
# Tor
tor = off
tor_dnsport = 5353
tor_proxyport = 9040
tor_interface = virbr0
def route_network(self):
"""Enable network routing if desired."""
# Determine the desired routing strategy (none, internet, VPN).
self.route = None
if self.task.options:
for option in self.task.options.split(","):
key, value = option.split("=")
if key == "route":
self.route = value
break
if self.route == "none":
self.interface = None
self.rt_table = None
elif self.route == "inetsim":
self.interface = self.cfg.routing.inetsim_interface
elif self.route == "tor":
self.interface = self.cfg.routing.tor_interface
elif self.route == "internet" and self.cfg.routing.internet != "none":
self.interface = self.cfg.routing.internet
self.rt_table = self.cfg.routing.rt_table
elif self.route in vpns:
self.interface = vpns[self.route].interface
self.rt_table = vpns[self.route].rt_table
else:
log.warning("Unknown network routing destination specified, "
"ignoring routing for this analysis: %r", self.route)
self.interface = None
self.rt_table = None
# Check if the network interface is still available. If a VPN dies for
# some reason, its tunX interface will no longer be available.
if self.interface and not rooter("nic_available", self.interface):
log.error(
"The network interface '%s' configured for this analysis is "
"not available at the moment, switching to route=none mode.",
self.interface
)
self.route = "none"
self.task.options["route"] = "none"
self.interface = None
self.rt_table = None
if self.route == "inetsim":
rooter("inetsim_enable", self.machine.ip, self.cfg.routing.inetsim_server,
str(self.cfg.resultserver.port))
if self.route == "tor":
rooter("tor_enable", self.machine.ip, str(self.cfg.resultserver.port),
str(self.cfg.routing.tor_dnsport), str(self.cfg.routing.tor_proxyport))
if self.interface:
rooter("forward_enable", self.machine.interface,
self.interface, self.machine.ip)
if self.rt_table:
rooter("srcroute_enable", self.rt_table, self.machine.ip)
# Propagate the taken route to the database.
#self.db.set_route(self.task.id, self.route)
def unroute_network(self):
if self.interface:
rooter("forward_disable", self.machine.interface,
self.interface, self.machine.ip)
if self.rt_table:
rooter("srcroute_disable", self.rt_table, self.machine.ip)
if self.route == "inetsim":
rooter("inetsim_disable", self.machine.ip, self.cfg.routing.inetsim_server,
str(self.cfg.resultserver.port))
if self.route == "tor":
rooter("tor_disable", self.machine.ip, str(self.cfg.resultserver.port),
str(self.cfg.routing.tor_dnsport), str(self.cfg.routing.tor_proxyport))machinery.start(self.machine.label)# Enable network routing.
self.route_network()ResultServer().del_task(self.task, self.machine) # Drop the network routing rules if any.
self.unroute_network()Initialize add # Drop forwarding rule to each VPN.
#for vpn in vpns.values():
# rooter("forward_disable", machine.interface,vpn.interface, machine.ip)
# Drop forwarding rule to the internet / dirty line.
#if self.cfg.routing.internet != "none":
# rooter("forward_disable", machine.interface,self.cfg.routing.internet, machine.ip)# In case we have VPNs enabled we need to initialize through the following
# two methods as they verify the interaction with VPNs as well as gather
# which VPNs are available (for representation upon File/URL submission).
from lib.cuckoo.core.startup import init_rooter, init_routing
init_rooter()
init_routing()from lib.cuckoo.core.rooter import vpns "vpns": vpns.values(),
"route": cfg.routing.route,
"internet": cfg.routing.internet,
"inetsim": cfg.routing.inetsim,
"tor": cfg.routing.tor, if request.POST.get("route", None):
if options:
options += ","
options += "route={0}".format(request.POST.get("route", None))
<div class="form-group">
<strong>Network routing through <i>dirty line</i> or VPN</strong>
</div>
<div class="form-group">
<select class="form-control" id="form_route" name="route">
<option value="none">None (no internet access)</option>
{% if internet != "none" %}
<option value="internet"{% if route == "internet" %} selected{% endif %}>Internet (dirty line, {{ internet }})</option>
{% endif %}
{% if inetsim %}
<option value="inetsim" >inetsim</option>
{% endif %}
{% if tor %}
<option value="tor" >tor</option>
{% endif %}
{% for vpn in vpns %}
<option value="{{ vpn.name }}"{% if route == vpn.name %} selected{% endif %}>{{ vpn.description }} (VPN, {{ vpn.interface }})</option>
{% endfor %}
</select>
</div> if machine_opts.get("interface"):
machine.interface = machine_opts["interface"]
else:
machine.interface = mmanager_opts.get("interface")# Specify the name of the default network interface that will be used
# when dumping network traffic with tcpdump.
# Example (virbr0 is the interface name):
interface = virbr0
mallorybobalice
commented
8 years ago hey. thank you doomraven
=) re rooter commits - personally i didn't need selectable gateways per analysis / use iptable routes for isim at the moment - dns only (isim on a separate vswitch) but I could see a few other people liking the feature .
I found the static routes in the rooter.py related merge proposal were a useful example (from memory it was keeping the reporting port going to csb interface, the rest going to the new gateway IP / to the inetsim interface.
I'm trying to configure the 'just inetsim' dns (already done) + route all the TCP traffic (udp too?) to get initial malware callout mode via iptables.
any chance I can talk you into a worked example of configuring just inetsim support for DNS + traffic redirect via static routes on IPtables? (more or less what's above in the inetsim option but just with iptables - don't need
BTW aside from the routing iptables rules, any changes to be done to inetsim VM? Do we also set the interface to TCPDMP to be the outgoing (bottom bit above for interface machinery, correct? set to vpn facing interface on csb server - correct?)
doomedraven
commented
8 years ago depends of your needs it can be useful or not :) i never used openswich so no idea how to use it and having script which doing all for me make life easier and less deps :)
no changes for vm, is the best part, as rooter has vm ip and iface, it can route dynamically everything on the fly per vm at the moment it sends all over tcp, udp only port 53, so the rest udp traffic will be blocked, but it can be easily extended.
cuckoo using the "bridge" interface for your vms you configure it in config, so that is the sniffed all traffic,so you don't need care if it inetsim/tor/vpn, it will pass by that interface adn will be captured
im on cuckoo irc, doomedraven so you can ping me there, and i will provide all needed help, as it works perfectly for me in few servers :)
enzok
commented
7 years ago Hi @doomedraven
The following step:
Add to return render_to_response:
"vpns": vpns.values(), "route": cfg.routing.route, "internet": cfg.routing.internet, "inetsim": cfg.routing.inetsim, "tor": cfg.routing.tor,
This sub doesn't appear to exist anymore.
Are these edits still valid for the latest cuckoo-modified?
doomedraven
commented
7 years ago not tested here, as im not on last commit, but probably it should be here https://github.com/spender-sandbox/cuckoo-modified/blob/master/web/submission/views.py#L380, try ut
doomedraven
commented
7 years ago yes, it should be there
enzok
commented
7 years ago I tried adding it there, but am getting server 500 errors on submission. I'm going to revert and try the steps again in case I messed something up.
doomedraven
commented
7 years ago you should see what is wrong in command line
enzok
commented
7 years ago One more question, does rooter work along side the routetor scripts or should those scripts be disabled in auxiliary.conf?
doomedraven
commented
7 years ago you should disable tor in aux, and yes it must be started as root and before you start cuckoo.py
enzok
commented
7 years ago Thanks. I've got it working now.
doomedraven
commented
7 years ago :)
Implement analysis using different VPN gateways And enabling choosing gateway per analysis. This is already implemented in cuckoo 2.0RC1..