
Updating Cuckoo Analyzer/Report Templates #418

Merged
merged 3 commits into from Feb 20, 2019

3 participants
@nicpenning
Contributor

nicpenning commented Feb 5, 2019

Request Type

Analyzer

Work Environment

N/A

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| Cortex Analyzer Name | CuckooSandbox Analyzer |
| Cortex Analyzer Version | 1.0 |
| Cortex Version | 2.1.3-1 |

Description

The current Cuckoo Sandbox reports do not fully function with 2.0.6 Cuckoo Reports. Instead of using just hosts for the report data, we need to use domains to retrieve ip/domain combination.

Possible Solutions

The solution is to update the analyzer and report templates to properly show the report data.

Complementary information

I have a fix for this; however, it would also then be nice to extract the observables from the newly added ip/domain combinations.

Here is what a report currently looks like with Cuckoo 2.0.6:
[screenshot]

And this is after the analyzer and report fix:
[screenshot]

nicpenning added some commits Feb 5, 2019

Updated this analyzer to use domains instead of hosts
The issue with using hosts with the latest Cuckoo is that the hosts data only contains IP addresses and no domains or countries like it did in the past. Instead, we can use the domains data parameter to pull in IP and Domain, which is much more beneficial than the reports today. We will need to update the report template as well.
Update the template to use the domains
This template update will allow the report to use the newly modified domains category for IP/Domain instead of hosts which only provided an IP address.
Update the template to use domains
This will update the report template to use the newly modified domains data instead of hosts which only includes IP addresses.
@nicpenning
Contributor Author

nicpenning commented Feb 6, 2019

This will break old Cuckoo reports. I know this is compatible with the latest Cuckoo 2.0.6 build.

@nicpenning
Contributor Author

nicpenning commented Feb 14, 2019

This still might not cover everything. I am re-evaluating this report/analyzer. Instead of using domains and having a single IP, it will be better to get the DNS responses, since one hostname could have many IP addresses.

[screenshot]
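As an added example (not code from this PR or from the Cortex-Analyzers project), the Python helper below shows the observable extraction the thread asks for: it walks a Cuckoo report's `network` section and emits de-duplicated Cortex-style artifacts, joining each hostname to every IP it resolved to rather than to a single `domains` pair, and still accepting old reports where `hosts` carried IP/hostname dicts. The field layout is an assumption about the Cuckoo 2.x report format (`hosts` as bare IP strings, `domains` as `{ip, domain}` pairs, `dns` as queries with an `answers` list), and the sample report is constructed.

```python
import ipaddress
import json

# Constructed sample of the Cuckoo 2.x "network" section layout assumed here
SAMPLE_REPORT = json.loads("""{"network": {
  "hosts": ["203.0.113.10", "198.51.100.7"],
  "domains": [{"ip": "203.0.113.10", "domain": "example.test"}],
  "dns": [
    {"request": "example.test", "type": "A", "answers": [
      {"type": "A", "data": "203.0.113.10"}, {"type": "A", "data": "203.0.113.11"}]},
    {"request": "cdn.example.test", "type": "A", "answers": [
      {"type": "CNAME", "data": "example.test"}, {"type": "A", "data": "198.51.100.7"}]}
  ]}}""")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def extract_network_observables(report):
    """De-duplicated Cortex-style artifacts, joining each hostname to all of its IPs."""
    network = report.get("network", {})
    seen, artifacts = set(), []

    def add(data_type, data, tag):
        if data and (data_type, data) not in seen:
            seen.add((data_type, data))
            artifacts.append({"dataType": data_type, "data": data, "tags": [tag]})

    # Old-style reports (the PR's compatibility concern): hosts are dicts with ip + hostname
    for host in network.get("hosts", []):
        if isinstance(host, dict):
            add("ip", host.get("ip"), "cuckoo:host")
            add("domain", host.get("hostname"), "cuckoo:host")
        else:  # Cuckoo 2.x: bare IP string, no domain to pair it with
            add("ip", host, "cuckoo:host")
    # Cuckoo 2.x "domains": exactly one ip/domain pair per entry
    for entry in network.get("domains", []):
        add("domain", entry.get("domain"), "cuckoo:domain")
        add("ip", entry.get("ip"), "cuckoo:domain")
    # Cuckoo 2.x "dns": one query can carry many answers (A records and CNAMEs)
    for query in network.get("dns", []):
        add("domain", query.get("request"), "cuckoo:dns")
        for answer in query.get("answers", []):
            data = answer.get("data")
            add("ip" if _is_ip(data) else "domain", data, "cuckoo:dns")
    return artifacts
```

The first source that mentions a value wins the tag, so an IP already listed under `hosts` keeps the `cuckoo:host` tag even when `domains` or `dns` repeat it.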

@saadkadhi saadkadhi requested a review from jeromeleonard Feb 14, 2019

@saadkadhi saadkadhi added this to the 1.15.3 milestone Feb 14, 2019

@jeromeleonard jeromeleonard changed the base branch from master to hotfix/1.15.3 Feb 20, 2019

@jeromeleonard jeromeleonard merged commit c41779c into TheHive-Project:hotfix/1.15.3 Feb 20, 2019

jeromeleonard added a commit that referenced this pull request Feb 20, 2019
