# Enable or disable the available processing modules [on/off].
# If you add a custom processing module to your Cuckoo setup, you have to add
# a dedicated entry in this file, or it won't be executed.
# You can also add additional options under the section of your module and
# they will be available in your Python class.
[analysisinfo]
# NOTE(review): presumably records basic metadata about the analysis run
# (task, machine, timing) into the report - confirm in the module's Python class.
enabled = yes
[decompression]
# NOTE(review): presumably unpacks compressed/archived samples before the other
# modules run - confirm in the module's Python class. Unpacking untrusted
# archives is a classic decompression-bomb surface, so keep the processing
# worker under disk and memory limits when this is on.
enabled = yes
[behavior]
# NOTE(review): presumably builds the behavioural part of the report from the
# analyzer's logs - confirm in the module's Python class.
enabled = yes
[debug]
# NOTE(review): presumably collects analyzer/sandbox debug output (logs,
# errors) into the report - confirm in the module's Python class.
enabled = yes
[dropped]
# NOTE(review): presumably processes the files the sample dropped during
# analysis - confirm in the module's Python class.
enabled = yes
# Amount of text to carve from plaintext files (bytes)
# Raising this grows the report by up to this much per dropped text file.
buffer = 8192
[memory]
# NOTE(review): presumably runs analysis of the full memory dump of the
# analysis VM - confirm in the module's Python class. Off by default.
enabled = no
[usage]
# NOTE(review): presumably records resource-usage statistics for the analysis
# - confirm in the module's Python class. Off by default.
enabled = no
[network]
# NOTE(review): presumably parses the captured network traffic into the
# report - confirm in the module's Python class.
enabled = yes
# DNS whitelisting to ignore domains/IPs configured in network.py
# This should be disabled when utilizing InetSim/Remnux as we end up resolving
# the IP from fakedns which would then remove all domains associated with that
# resolved IP
# In other words: leave this at no (the default) unless the sandbox has real
# DNS. With a fake resolver every domain maps to the same IP, so a single
# whitelisted entry would suppress all DNS evidence from the report.
dnswhitelist = no
[procmemory]
# NOTE(review): presumably processes the per-process memory dumps taken by the
# analyzer - confirm in the module's Python class.
enabled = yes
# NOTE(review): presumably extracts printable strings from those dumps, which
# can add a large amount of data to each report - confirm.
strings = yes
[static]
# NOTE(review): presumably static (no-execution) analysis of the sample itself
# - confirm in the module's Python class.
enabled = yes
# Enable a WHOIS lookup for the target domain of URL analyses
# The lookup is an outbound query from the Cuckoo host, so the analysed domain
# is disclosed to the WHOIS service; set this to no when analysis targets must
# not leave the sandbox environment.
whois = yes
# If you want to use the Procyon Java decompiler, set the following to the path of its .jar
# and make sure Java 7 is installed
# Procyon is developed by Mike Strobel and is available at https://bitbucket.org/mstrobel/procyon/
# In testing, it generally seems to produce the best Java decompilation
# The .jar at this path is presumably executed by the processing worker, so keep
# it in a root-owned, non-writable location and verify it against the upstream
# release; a tampered or writable decompiler would run with the worker's rights.
procyon_path = /etc/cuckoo-modified/procyon-decompiler-0.5.30.jar
[strings]
# NOTE(review): presumably extracts printable strings from the sample file
# - confirm in the module's Python class.
enabled = yes
# NOTE(review): presumably keep only NUL-terminated strings - confirm.
nullterminated_only = yes
# NOTE(review): presumably the minimum string length, in characters, to report;
# lower values increase noise in the report - confirm.
minchars = 5
[targetinfo]
# NOTE(review): presumably records information about the analysis target
# (file hashes/type or URL) into the report - confirm in the module's Python class.
enabled = yes
[virustotal]
# NOTE(review): presumably queries the VirusTotal API for the analysed file or
# URL - confirm in the module's Python class.
enabled = yes
# NOTE(review): API request timeout, presumably in seconds (as for the [cif]
# timeout below) - confirm.
timeout = 60
# Add your VirusTotal API key here. The default API key, kindly provided
# by the VirusTotal team, should enable you with a sufficient throughput
# and while being shared with all our users, it shouldn't affect your use.
# Because this default key ships in every install it is effectively public and
# its quota is shared by everyone using it. Replace it with a key of your own,
# and once you do, treat this file as a secret: restrict its permissions and
# keep it out of version control.
key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088
# NOTE(review): from the key names these are lookups (hash / URL); confirm in
# the module whether samples themselves are ever uploaded, since that would
# send possibly sensitive files to a third party.
do_file_lookup = yes
do_url_lookup = yes
# NOTE(review): presumably a regular expression whose matches are stripped
# from a URL before lookup - confirm. If this file is read through Python's
# ConfigParser with interpolation enabled, a literal % in the pattern would
# have to be written as %%.
urlscrub = (^http:\/\/serw\.clicksor\.com\/redir\.php\?url=|&InjectedParam=.+$)
[suricata]
# Notes on getting this to work:
# Install Suricata 2.1 beta
# $ sudo add-apt-repository ppa:oisf/suricata-beta
# $ sudo apt-get update
# $ sudo apt-get install libhtp1 suricata
# Create /etc/suricata/rules/cuckoo.rules:
# echo "alert http any any -> any any (msg:\"FILE store all\"; filestore; noalert; sid:15; rev:1;)" | sudo tee /etc/suricata/rules/cuckoo.rules
# Edit /etc/suricata/suricata.yaml
# Ensure the eve log is enabled
# You can disable the fast and unified2-alert logs to save space
# Enable file-store, set force-md5 to yes
# Enable file-log
# Add " - cuckoo.rules" to the list under "rules-files:"
# Under "reassembly:", which is under "stream:", set depth to 0 (without any measurement unit)
# Set request-body-limit and response-body-limit to 0 (without any measurement unit), under "default-config:"
# You may also need the following line under "stream:", but test it without it first
# async-oneside: yes
# Set EXTERNAL_NET to "any"
# You can use the etupdate script to install and update the Emerging Threats ruleset
# https://github.com/seanthegeek/etupdate
# NOTE(review): a value of 0 for the depth and body limits above means "no
# limit" in Suricata, so every transferred file is stored in full; expect
# disk usage to grow with whatever the samples download.
##GlobalSettings
enabled = yes
#Runmode "cli" or "socket"
runmode = cli
#Outputfiles
# if evelog is specified, it will be used instead of the per-protocol log files
evelog = eve.json
# per-protocol log files
#
#alertlog = alert.json
#httplog = http.json
#tlslog = tls.json
#sshlog = ssh.json
#dnslog = dns.json
fileslog = files-json.log
filesdir = files
# Amount of text to carve from plaintext files (bytes)
buffer = 8192
#Used for creating an archive of extracted files
# The archive is password-protected so the extracted (potentially malicious)
# files are not opened or scanned by accident. "infected" is the conventional
# password for this; it is not a confidentiality control, as anyone who can
# read this file can read it.
7zbin = /usr/bin/7z
zippass = infected
##Runmode "cli" options
# Suricata binary and the Cuckoo-specific YAML. Both are presumably executed/
# read by the processing worker, so keep them root-owned and not writable by
# that user.
bin = /usr/bin/suricata
conf = /etc/suricata/suricata-cuckoo.yaml
##Runmode "socket" Options
# NOTE(review): this is a Python 2.7 system-package path; adjust it for the
# interpreter that actually runs Cuckoo.
pylib_dir = /usr/lib/python2.7/dist-packages/suricatasc/
# Control socket of an already-running Suricata. The processing user needs
# read/write access to it; do not make it accessible more widely than that.
socket_file = /var/run/suricata/suricata-command.socket
[cif]
# NOTE(review): presumably queries a Collective Intelligence Framework (CIF)
# server for indicators seen in the analysis - confirm in the module's Python
# class. Off by default; the values below are placeholders.
enabled = no
# url of CIF server
# Keep this https: the API key below is sent with every request.
url = https://your-cif-server.com/api
# CIF API key
# Placeholder - replace with your real key, then restrict this file's
# permissions and keep it out of version control.
key = your-api-key-here
# time to wait for server to respond, in seconds
timeout = 60
# minimum confidence level of returned results:
# 25=not confident, 50=automated, 75=somewhat confident, 85=very confident, 95=certain
# defaults to 85
confidence = 85
# don't log queries by default, set to 'no' to log queries
nolog = yes
# max number of results per query
per_lookup_limit = 20
# max number of queries per analysis
# Caps how many indicators from a single analysis are sent to the CIF server.
per_analysis_limit = 200