[Netwitness-MA] SMB sharing with Checkpoint TE Sandbox

Document created by Hongtae Jin Employee on Oct 18, 2016

Recently, I started a new SA4P project with Checkpoint TE (Sandbox) and needed to provide MA analysis result files to the TE Sandbox.

I used the Samba server that is built into MA, together with rsync to keep directories and files synchronized, because TE Sandbox is able to hook files through CIFS among the devices (in my case, CIFS mounted between the SA device and the MA device).

Here are the configuration steps.

 

1. Configure Samba on the MA device

1.1) Edit /etc/samba/smb.conf

================================= smb.conf =================================
[File Store]
comment = RSA Malware Prevention File Store Content
path = /var/lib/rsamalware/spectrum/repository/files
browseable = yes
writable = yes
valid users = root
#read only = yes
#guest only = yes
==============================================================================

1.2) Add root as a Samba user and reload the Samba configuration
# smbpasswd -a root
# service smb restart
# service smb reload

 

2. Puppet manifest configuration to allow the CIFS communication ports.

Edit /etc/puppet/modules/malware-analysis/manifests/init.pp

==============================================================================

firewall {'3 SMB 139 IN':
  chain   => 'INPUT',
  iniface => $management_interface,
  proto   => 'tcp',
  source  => $sa_server,
  dport   => 139,
  state   => ['NEW','ESTABLISHED'],
  action  => 'accept'
}

firewall {'4 SMB 139 OUT':
  chain    => 'OUTPUT',
  outiface => $management_interface,
  proto    => 'tcp',
  sport    => 139,
  state    => 'ESTABLISHED',
  action   => 'accept'
}

firewall {'5 SMB 445 IN':
  chain   => 'INPUT',
  iniface => $management_interface,
  proto   => 'tcp',
  source  => $sa_server,
  dport   => 445,
  state   => ['NEW','ESTABLISHED'],
  action  => 'accept'
}

firewall {'6 SMB 445 OUT':
  chain    => 'OUTPUT',
  outiface => $management_interface,
  proto    => 'tcp',
  sport    => 445,
  state    => 'ESTABLISHED',
  action   => 'accept'
}

==============================================================================

 

3. Mount the CIFS file system from MA on the SA device

# yum install cifs-utils.x86_64 --> SA needs cifs-utils installed for the CIFS mount

# mount -t cifs -o guest //10.35.95.99/File\ Store /var/MAFiles

 

 

4. Synchronize the SA folder with the MA repository folder (/var/lib/rsamalware/spectrum/repository/files) using rsync whenever MA updates it.

# rpm -qa | grep rsync    (check that the rsync rpm is installed)
# mkdir /var/MASync
# rsync -avzh /var/MAFiles /var/MASync

 

5. Register the following shell script in the crontab to synchronize the MA-SA folder every 5 minutes.

# cat rsync.sh

==============================================================================

#!/bin/sh

# Where the MA share is mounted on SA, and where the local copy and logs live
MA_DIR=/var/netwitness/ipdbextractor/MAFiles
SA_DIR=/root/rsync

# Count df lines that show the mount point; 1 means the share is mounted
IS_MOUNT=$(/bin/df | /bin/grep "/var/netwitness/ipdbextractor/MAFiles" | /usr/bin/wc -l)

if [ "$IS_MOUNT" -eq 1 ]; then
    # Share is mounted: timestamp today's log and sync the MA files into SA_DIR
    /bin/date >> "$SA_DIR/rsync_$(/bin/date '+%Y-%m-%d').log"
    /usr/bin/rsync -avzh "$MA_DIR" "$SA_DIR" >> "$SA_DIR/rsync_$(/bin/date '+%Y-%m-%d').log"
else
    # Share is not mounted (e.g. after a reboot): mount it so the next run can sync
    /bin/mount -t cifs -o user='root',password='netwitness' "//10.158.201.33/File Store" "$MA_DIR"
fi

==============================================================================
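A hardened variant of the cron script above, as an added example that is not the original post's script: it checks /proc/mounts for an exact cifs mount point instead of grepping df output, reads the SMB password from a root-only credentials file so it never appears on the mount command line, and takes a non-blocking flock so a slow rsync cannot overlap with the next 5-minute run. The share address is the one from the post; the credentials-file path, lock path and the embedded /proc/mounts excerpt are constructed assumptions.

```shell
#!/bin/sh
# Hardened cron sync script (added example, not the original post's script).
# Assumptions: credentials file and lock path are constructed; the share address
# is the one used in the original post.
MA_DIR="${MA_DIR:-/var/netwitness/ipdbextractor/MAFiles}"
SA_DIR="${SA_DIR:-/root/rsync}"
SHARE="//10.158.201.33/File Store"
CREDS="/root/.smbcredentials"   # root-only (mode 0600) file holding username= and password= lines
LOCK="/var/lock/ma_rsync.lock"

# Constructed /proc/mounts excerpt used to exercise is_cifs_mounted offline. The kernel
# writes the space in the share name as \040, so each line has exactly six fields.
SAMPLE_MOUNTS='//10.158.201.33/File\040Store /var/netwitness/ipdbextractor/MAFiles cifs rw,relatime 0 0
/dev/sda1 /var/netwitness ext4 rw,relatime 0 0'

# Succeeds only if the mount table on stdin shows a cifs filesystem mounted exactly at $1.
# Field comparison replaces the original "df | grep | wc -l", so another filesystem whose
# path merely contains the same string is not mistaken for the share.
is_cifs_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "cifs" { found = 1 } END { exit !found }'
}

# Mount read-only through a credentials file, so the password does not appear in
# ps output or shell history as it does with -o user=...,password=... on the command line.
mount_share() {
    [ -r "$CREDS" ] || { echo "missing credentials file $CREDS" >&2; return 1; }
    /bin/mount -t cifs -o "credentials=$CREDS,ro" "$SHARE" "$MA_DIR"
}

# One log file per day, as in the original script; rsync's stderr is captured as well.
sync_share() {
    log="$SA_DIR/rsync_$(date '+%Y-%m-%d').log"
    date >> "$log"
    rsync -avzh "$MA_DIR/" "$SA_DIR/MAFiles/" >> "$log" 2>&1
}

main() {
    mkdir -p "$SA_DIR"
    # Non-blocking lock: if the previous 5-minute run is still copying, skip this one.
    exec 9> "$LOCK"
    flock -n 9 || { echo "previous sync still running" >&2; exit 0; }
    if ! is_cifs_mounted "$MA_DIR" < /proc/mounts; then
        mount_share || exit 1
    fi
    sync_share
}

# Cron entry: */5 * * * * /root/rsync.sh run
if [ "${1:-}" = run ]; then main; fi
```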

 

Hope this helps!
