Permalink
Fetching contributors…
Cannot retrieve contributors at this time
208 lines (148 sloc) 6.88 KB

Utilities

Cuckoo comes with a set of pre-built utilities to automate several common tasks. Before these utilities could be found in the utils/ directory but since then we have moved to Cuckoo Apps.

Cuckoo Apps

A Cuckoo App is essentially just a Cuckoo sub-command. There exist a couple of Cuckoo Apps, each with their own functionality. It is important to note that each Cuckoo App can be invoked in the same way. Following are some examples:

$ cuckoo submit --help
$ cuckoo api --help
$ cuckoo clean --help

In these examples we provided the --help parameter which shows the functionality and all available parameters for the particular Cuckoo App.

Submission Utility

Submits samples to analysis. This tool is described in :doc:`submit`.

Web Utility

Cuckoo's web interface. This tool is described in :doc:`web`.

Processing Utility

.. versionchanged:: 2.0.0
   We used to have longstanding issues with ``./utils/process.py`` randomly
   freezing up and ``./utils/process2.py`` only being able to handle
   PostgreSQL-based databases. These two commands have now been merged into
   one Cuckoo App and no longer show signs of said issues or limitations.

For bigger Cuckoo setups it is recommended to separate the results processing from the Cuckoo analyses due to performance issues (with multiple threads & the Python GIL). Using cuckoo process it is also possible to re-generate Cuckoo reports, this is mostly used while developing and debugging Cuckoo Processing modules, Cuckoo Signatures, and Cuckoo Reporting modules.

In order to do results processing in one or more separate process(es) one has to disable the process_results configuration item in $CWD/conf/cuckoo.conf by setting the value to off. Then a Cuckoo Processing instance has to be started, this can be done as follows:

$ cuckoo process instance1

If one Cuckoo Processing instance is not enough to handle all the incoming analyses, simply create a second, third, and possibly more instances:

$ cuckoo process instance2

In order to re-generate a Cuckoo report of an analysis task, use the -r switch:

$ cuckoo process -r 1

It is also possible to re-generate multiple or a range of Cuckoo reports at once. The following will reprocess tasks 1, 2, 5, 6, 7, 8, 9, 10:

$ cuckoo process -r 1,2,5-10

For more information see also the help on this Cuckoo App:

$ cuckoo process --help
Usage: cuckoo process [OPTIONS] [INSTANCE]

  Process raw task data into reports.

Options:
  -r, --report TEXT       Re-generate one or more reports
  -m, --maxcount INTEGER  Maximum number of analyses to process
  --help                  Show this message and exit.

In automated mode an instance name is required (e.g., instance1) as seen in the examples earlier above!

Community Download Utility

This Cuckoo App downloads Cuckoo Signatures, the latest monitoring binaries, and other goodies from the Cuckoo Community Repository and installs them in your CWD.

To get all the latest and greatest from the Cuckoo Community simply execute as follows and wait until it finishes - it currently doesn't have any progress indication:

$ cuckoo community

For more usage see as follows:

$ cuckoo community --help
Usage: cuckoo community [OPTIONS]

  Utility to fetch supplies from the Cuckoo Community.

Options:
  -f, --force              Overwrite existing files
  -b, --branch TEXT        Specify a different community branch rather than
                           master
  --file, --filepath PATH  Specify a local copy of a community .tar.gz file
  --help                   Show this message and exit.

Database migration utility

.. versionchanged:: 2.0.0
   This used to be a special process, but has since been integrated properly
   as a Cuckoo App.

This utility helps migrating your data between Cuckoo releases. It's developed on top of the Alembic framework and it should provide data migration for both SQL database and Mongo database. This tool is already described in :doc:`../installation/upgrade`.

Stats utility

.. deprecated:: 2.0-rc2
    This utility will not be ported to a Cuckoo App as this information can
    also be retrieved through both the Cuckoo API as well as the Cuckoo Web
    Interface.

Machine utility

.. versionchanged:: 2.0.0
   This used to be a standalone and hacky script directly modifying the Cuckoo
   configuration. It's now much better integrated and will be able to somewhat
   properly interact with Cuckoo.

The machine Cuckoo App is designed to help you automatize the configuration of virtual machines in Cuckoo. It takes a list of machine details as arguments and write them in the specified configuration file of the machinery module enabled in cuckoo.conf. Following are the available options:

$ cuckoo machine --help
Usage: cuckoo machine [OPTIONS] VMNAME [IP]

Options:
  --debug              Enable verbose logging
  --add                Add a Virtual Machine
  --delete             Delete a Virtual Machine
  --platform TEXT      Guest Operating System
  --options TEXT       Machine options
  --tags TEXT          Tags for this Virtual Machine
  --interface TEXT     Sniffer interface for this Virtual Machine
  --snapshot TEXT      Specific Virtual Machine Snapshot to use
  --resultserver TEXT  IP:Port of the Result Server
  --help               Show this message and exit.

As an example, a machine may be added to Cuckoo's configuration as follows:

$ cuckoo machine --add cuckoo1 192.168.56.101 --platform windows --snapshot vmcloak

Distributed scripts

This tool is described in :doc:`dist`.

Mac OS X Bootstrap scripts

.. deprecated:: 2.0.0
    These files will be moved elsewhere in an upcoming update and so should
    any documentation that references these scripts.

A couple of bootstrap scripts used for Mac OS X analysis are located in utils/darwin folder, they are used to bootstrap the guest and host system for Mac OS X malware analysis. Some settings are defined as constants inside them, so it is suggested to have a look at them and configure them for your needs.

SMTP Sinkhole

.. deprecated:: 2.0.0
    This script has been removed since this functionality should be
    implemented properly using a Postfix setup.

Setup script

.. deprecated:: 2.0.0
    This script has been replaced by a similar but much more powerful
    SaltStack state.