viper-framework / viper

Binary analysis and management framework

[WIP] add module for fireeye sandbox #729

Closed frennkie closed 4 years ago

frennkie commented 5 years ago

A colleague of mine implemented a module for the integration of Viper with the Fireeye Sandbox and we want to share this.

I'm not yet entirely sure about the MISP part.. maybe @Rafiot could provide some guidance? :-D

Code also still needs a bit of polishing - therefore tagged as Work-In-Progress.

frennkie commented 5 years ago

@Rafiot Travis appears to have some issue: the current default testing VM still seems to be Ubuntu 14.04. As support for Trusty is ending really soon I changed the dist to Xenial (16.04). This also required a change in the socksipy package name.

For the last run Travis succeeded 2 of 4 and the two failures were not related to our code.. :-/

Rafiot commented 5 years ago

I restarted the runs on travis, it happens once in a while.

I'm a bit confused by the prints related to MISP: shouldn't it be using PyMISP directly instead?

codecov-io commented 5 years ago

Codecov Report

Merging #729 into master will decrease coverage by 1.24%. The diff coverage is 17.05%.


@@            Coverage Diff             @@
##           master     #729      +/-   ##
==========================================
- Coverage   40.46%   39.21%   -1.25%     
==========================================
  Files         129      136       +7     
  Lines       12737    13459     +722     
==========================================
+ Hits         5154     5278     +124     
- Misses       7583     8181     +598
Impacted Files                                        Coverage Δ
viper/modules/office.py                               54.72% <0%> (ø)
viper/web/viperweb/views.py                           19.45% <0%> (ø)
viper/modules/fireeye_methods/__init__.py             100% <100%> (ø)
viper/core/session.py                                 75.29% <100%> (+0.29%)
viper/modules/fireeye_methods/fe_wrapper.py           15.11% <15.11%> (ø)
viper/modules/fireeye_methods/fe_auth.py              17.64% <17.64%> (ø)
viper/modules/fireeye_methods/fe_alerts.py            23.4% <23.4%> (ø)
viper/modules/fireeye.py                              42.85% <42.85%> (ø)
...iper/modules/fireeye_methods/fe_malware_objects.py 8.72% <8.72%> (ø)
viper/modules/fireeye_methods/fe_artifacts.py         9.35% <9.35%> (ø)
... and 7 more


frennkie commented 5 years ago

I wasn't sure how to best handle this... Currently this extracts relevant data from the result of the sandbox analysis... The Analyst should then use this to create (and maybe further enrich) the actual MISP event...

botherder commented 5 years ago

@frennkie Can you provide a rundown of the functionality this introduces? And what is the general purpose of this?

frennkie commented 5 years ago

@nex sure, will do... Is there a dedicated place to document individual modules (except for `--help`)?

botherder commented 5 years ago

Not really, but I think if you summarize that here for us it would be good already.

Rafiot commented 5 years ago

@frennkie right, makes sense. I don't have a fireeye account, so I cannot look at the output in detail, but it probably makes sense to create full blown events, or at least objects from the output. I did something like that a while ago in the VT module: https://github.com/viper-framework/viper/blob/master/viper/modules/virustotal.py#L97
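To make Rafiot's suggestion concrete, here is an added example (not code from this PR or from the Viper project) that maps a sandbox result onto MISP "file" objects inside an event skeleton. The sandbox result layout used here (`alerts` -> `malware-detected` -> `malware`, with `md5sum`, `sha256` and `original` fields) is a constructed stand-in, since the FireEye output is not shown in the thread; the event/object/attribute shape follows the MISP event JSON that PyMISP emits, built by hand so it runs without pymisp installed.

```python
"""Map a sandbox analysis result onto a MISP-style event with 'file' objects.

Added example, not code from the Viper project or this PR. The sandbox
result layout (alerts -> malware-detected -> malware) and its field names
are constructed assumptions; the real FireEye API layout is not on the page.
The output follows the MISP event JSON shape (Event -> Object -> Attribute),
built by hand so this script runs without pymisp installed.
"""
import json
from typing import Any, Dict, List

# Constructed sample of what a "relevant data" extraction from a sandbox
# analysis might return. Field names are assumed, not FireEye's.
SAMPLE_RESULT = {
    "alerts": [
        {
            "id": 1001,
            "severity": "majr",
            "malware-detected": {
                "malware": [
                    {
                        "name": "Trojan.Generic.Example",
                        "md5sum": "d41d8cd98f00b204e9800998ecf8427e",
                        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                        "original": "invoice.exe",
                        "type": "exe",
                    }
                ]
            },
        }
    ]
}

# Maps assumed sandbox field names onto relation names from MISP's
# built-in "file" object template.
_FIELD_TO_RELATION = {
    "md5sum": "md5",
    "sha256": "sha256",
    "original": "filename",
}


def _attribute(relation: str, misp_type: str, value: str, to_ids: bool = True) -> Dict[str, Any]:
    """One MISP attribute inside an object."""
    return {"object_relation": relation, "type": misp_type, "value": value, "to_ids": to_ids}


def file_objects_from_result(result: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Turn each detected sample into a MISP 'file' object.

    Empty or missing hash fields are skipped rather than emitted as empty
    attributes, and the filename gets to_ids=False because a name alone is
    a weak indicator that would cause false positives if pushed to IDS.
    """
    objects: List[Dict[str, Any]] = []
    for alert in result.get("alerts", []):
        for sample in alert.get("malware-detected", {}).get("malware", []):
            attrs = []
            for field, relation in _FIELD_TO_RELATION.items():
                value = sample.get(field)
                if not value:
                    continue
                if relation == "filename":
                    attrs.append(_attribute("filename", "filename", value, to_ids=False))
                else:
                    # Hash relations and attribute types share names in MISP.
                    attrs.append(_attribute(relation, relation, value))
            if attrs:
                objects.append({
                    "name": "file",
                    "meta-category": "file",
                    "comment": f"sandbox alert {alert.get('id')}: {sample.get('name', 'unknown')}",
                    "Attribute": attrs,
                })
    return objects


def build_event(result: Dict[str, Any], info: str) -> Dict[str, Any]:
    """Wrap the objects in an event skeleton; distribution 0 = this org only."""
    return {
        "Event": {
            "info": info,
            "distribution": 0,
            "analysis": 0,
            "threat_level_id": 2,
            "Object": file_objects_from_result(result),
        }
    }


if __name__ == "__main__":
    print(json.dumps(build_event(SAMPLE_RESULT, "Sandbox analysis of invoice.exe"), indent=2))
```

The analyst still decides whether to push the event, so the skeleton defaults to the most restrictive distribution; with PyMISP available, the same dict can be loaded into a `MISPEvent` via `from_dict` and submitted.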

botherder commented 4 years ago

Closing this PR as modules are moved to https://github.com/viper-framework/viper-modules.