spender-sandbox / cuckoo-modified

Modified edition of cuckoo

proxy support for VT lookup module? #56

Open mallorybobalice opened 8 years ago

mallorybobalice commented 8 years ago

hi,

not sure if it'll cater for all flavours (or if you also need to add a hosts entry if DNS is delegated to the proxy instead of being resolved by the client, i.e. if internal DNS will not resolve external names and that's delegated to the proxy). At the moment you'll get strange timeouts and processing delays for certain environments

in any case:

https://github.com/spender-sandbox/cuckoo-modified/blob/master/modules/processing/virustotal.py

fairly sure it's just replacing

r = requests.get(url, params=data, verify=True, timeout=int(timeout))

with

proxies = {"http": "http://proxyname:8080", "https": "http://proxyname:8080"}
r = requests.get(url, params=data, verify=True, timeout=int(timeout), proxies=proxies)

of course that's not taken from the processing config, but if there's any interest, I suspect that's not difficult to add?

thanks, mb

seanthegeek commented 8 years ago

You can use a proxy by setting the http_proxy environment variable when starting Cuckoo. Any Python script should honor this.

http_proxy=http://proxyname:8080 https_proxy=http://proxyname:8080 python cuckoo.py &

mallorybobalice commented 8 years ago

hmmm, thanks for the suggestion.

odd, not quite sure why, but

a) we already have env set:

env | grep -i proxy
ftp_proxy=http://proxyname:8080/
FTP_PROXY=http://proxyname:8080/
https_proxy=http://proxyname:8080/
HTTPS_PROXY=http://proxyname:8080/

^ ps not sure why we put trailing slashes there

b) curl works

c) vanilla python works:

python
import requests
r = requests.get('http://google.com', auth=('user', 'pass'))
r.status_code
r.text

^ seems to work ok

d) but the VT module doesn't seem to take it - always timing out, unless we put the proxy-specific request in as modified above

not sure what's happening.

mallorybobalice commented 8 years ago

is wrapping cuckoo processing to start via an init script 'service' the issue (env not loaded when it's spawned there?)

cat /etc/init/crps.conf
description CuckooResultProcessingService

start on runlevel [234]
stop on runlevel [0156]

setuid xxxuser
setgid xxxuser

chdir /home/kittens
exec ./utils/process.py -p 5 auto
respawn

if I do su - xxxuser and then list the env it seems ok. but at a guess su - probably gets it from /etc/environment, whereas the init-sourced processing above maybe doesn't? hence the differing results vs expected results
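To tie the two threads together (a config-driven proxy for the VT module, and the processing service not inheriting http_proxy when launched from an init job), here is an added example, not code from cuckoo-modified: it builds the `proxies` argument for `requests.get` from an assumed `proxy` option in the module config first and from the environment second, normalising the trailing slash seen above. The `proxy` key and the `SAMPLE_CONF` values are assumptions for this example.

```python
import os
from urllib.parse import urlparse

# Constructed sample of a [virustotal] section from processing.conf (values are placeholders).
# The "proxy" key is an assumption for this example, not confirmed against the project's config.
SAMPLE_CONF = {
    "enabled": "yes",
    "key": "PLACEHOLDER_VT_API_KEY",
    "timeout": "60",
    "proxy": "http://proxyname:8080/",
}

def _normalize(url):
    """Trim whitespace and the trailing slash seen in the thread; reject non-http(s) values."""
    url = (url or "").strip().rstrip("/")
    if not url:
        return None
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("proxy must be an http(s) URL with a host, got %r" % url)
    return url

def build_proxies(conf, environ=None):
    """Dict for requests.get(..., proxies=...): config option first, then
    http(s)_proxy / HTTP(S)_PROXY from the environment, else None."""
    environ = os.environ if environ is None else environ
    explicit = _normalize(conf.get("proxy"))
    if explicit:
        return {"http": explicit, "https": explicit}
    proxies = {}
    for scheme in ("http", "https"):
        value = environ.get(scheme + "_proxy") or environ.get(scheme.upper() + "_PROXY")
        value = _normalize(value)
        if value:
            proxies[scheme] = value
    return proxies or None

def vt_request_kwargs(conf, environ=None):
    """Keyword arguments for the VT lookup; verify=True stays on so the proxy
    cannot silently terminate TLS without a trusted certificate."""
    kwargs = {"verify": True, "timeout": int(conf.get("timeout", 60))}
    proxies = build_proxies(conf, environ)
    if proxies:
        kwargs["proxies"] = proxies
    return kwargs

if __name__ == "__main__":
    # An init job like the one in the thread starts with a mostly empty environment,
    # so with environ={} only the config value can supply the proxy.
    print(vt_request_kwargs(SAMPLE_CONF, environ={}))
```

Passing `environ={}` reproduces the init-script case where the shell's proxy variables never reach process.py.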