Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updating Cuckoo Analyzer/Report Templates #418

Merged
merged 3 commits into from
Feb 20, 2019
Merged

Updating Cuckoo Analyzer/Report Templates #418

merged 3 commits into from
Feb 20, 2019

Conversation

nicpenning
Copy link
Contributor

Request Type

Analyzer

Work Environment

N/A

Question Answer
OS version (server) Ubuntu
Cortex Analyzer Name CuckooSandbox Analyzer
Cortex Analyzer Version 1.0
Cortex Version 2.1.3-1

Description

The current Cuckoo Sandbox reports do not fully function with 2.0.6 Cuckoo Reports. Instead of using just hosts for the report data, we need to use domains to retrieve ip/domain combination.

Possible Solutions

The solution is to update the analyzer and report templates to properly show the report data.

Complementary information

I have a fix for the solution however it would also then be nice to extract the observables from the newly added ip/domain combinations.

Here is what a report currently looks with Cuckoo 2.0.6:
image

And this is after the analyzer and report fix:
image

Nic added 3 commits February 5, 2019 08:47
Updated this analyzer to use domains instead of hosts
f10c10a 
The issue with using hosts with the latest Cuckoo is that the hosts data only contains IP addresses and no domains or countries like it did in the past. Instead we can use the domains data parameter to pull in IP and Domain which is much more beneficial then the reports today. We will need to update the report template as well.
Update the template to use the domains
4ea69ae 
This template update will allow the report to use the newly modified domains category for IP/Domain instead of hosts which only provided an IP address.
Update the template to use domains
b241bc4 
This will update the report template to use the newly modified domains data instead of hosts which only includes IP addresses.
@nicpenning
Copy link
Contributor Author

This will break old cuckoo reports. I know this is compatible with the latest Cuckoo 2.0.6 build.

@nicpenning
Copy link
Contributor Author

This still might not cover everything. I am re-evaluating this report/analyzer. Instead of using Domains and having a single IP it will be better to get the DNS responses since one hostname could have many IP Addresses.

image

@saadkadhi saadkadhi added category:enhancement Issue is related to an existing feature to improve scope:analyzer Issue is analyzer related status:pr-submitted status:needs-review labels Feb 14, 2019
@saadkadhi saadkadhi added this to the 1.15.3 milestone Feb 14, 2019
@jeromeleonard jeromeleonard changed the base branch from master to hotfix/1.15.3 February 20, 2019 04:29
@jeromeleonard jeromeleonard merged commit c41779c into TheHive-Project:hotfix/1.15.3 Feb 20, 2019
jeromeleonard added a commit that referenced this pull request Feb 20, 2019
@jeromeleonard
#418 bump analyzer version
a60a5a2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeromeleonard jeromeleonard Awaiting requested review from jeromeleonard

Assignees

@jeromeleonard jeromeleonard

Labels
category:enhancement Issue is related to an existing feature to improve scope:analyzer Issue is analyzer related status:needs-review status:pr-submitted
Projects
None yet
Milestone
1.15.3
Development

Successfully merging this pull request may close these issues.
3 participants
@nicpenning @saadkadhi @jeromeleonard