Including domains in MISP Reporting

[jump3rz]

I believe that the domains found within the network section of the report are important indicators to be stored into MISP. I attempted to add the following code following the http indicator iteration. Why doesn't this work?

for domain in results["network"].get("domains", []):
                if domain["domain"] not in whitelist and domain["domain"] not in filtered_iocs:
                    iocs.append({"domain": domain["domain"]})
                    filtered_iocs.append(domain["domain"])
                if domain["ip"] not in whitelist and domain["ip"] not in filtered_iocs:
                    iocs.append({"ip": domain["ip"]})
                    filtered_iocs.append(domain["ip"])

[doomedraven]

it already there, https://github.com/spender-sandbox/cuckoo-modified/blob/master/modules/reporting/misp.py#L81

but you should add it to conf https://github.com/spender-sandbox/cuckoo-modified/blob/master/conf/reporting.conf#L137

[jump3rz]

I have network set to 'yes' however the indicators aren't showing up in MISP. The code you pointed out is referencing 'hostname' while it looks like the block has a different naming convention in the report:

        "domains": [
            {
                "ip": "192.168.1.1",
                "domain": "badstuff.com"
            }

The block you pointed out is referencing another structure called 'hosts' which appears to be always empty in my executions.

        "hosts": [],

[doomedraven]

examaple

  "hosts": [
    {
      "country_name": "United States",
      "ip": "X",
      "inaddrarpa": "",
      "hostname": "time.windows.com"
    },

which cuckoo do you use? i have it in cuckoo-mod this

[jump3rz]

I'm using the latest version of this project.

[doomedraven]

check report.json for network.hosts keys you can do it in this way for example cat report.json | jq .network.hosts

[jump3rz]

$ cat report.json | jq .network.hosts
[]

[doomedraven]

but in webgui or under network.domains you can see the traffic just for confirmation, i suppose yes? that would be very weird %)

[jump3rz]

I see what happened... I followed the default directions on the following page:

http://docs.cuckoosandbox.org/en/latest/installation/guest/network/

The following iptables rule was wrong for my configuration:

iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT

As the interface was not eth0, it was something else. After fixing this, I now see 'hosts' being populated! Silly little error on my end. Thank you for your help with this matter.