How to integrate the RSA Malware Analysis with the Cuckoo Sandbox
I updated the post to attach the PPT used during my presentation at the RSA TechFest 2016. Everything that you need to know about the integration process that I developed is available in the file attached.
This is a simple post to show how to integrate the RSA Malware Analysis with the Cuckoo Sandbox solution.
You will need:
- RSA Security Analytics for Packet with Malware Analysis
- Cuckoo Sandbox (local)
First, enable the File Sharing Protocol under Service -> Malware Analysis -> Config and apply the change.
After that, connect over SSH to your RSA Malware Analysis host and change the share name from "File Store" to "repository". This is only to remove the space from the share name.
Apply the change and restart the smb service.
Now connect over SSH to your Cuckoo Sandbox (local) and run the steps below:
- Install the mount.cifs package
- Make a directory /mnt/rsamalware
- Create a script file rsamalware.sh (image below) in Cuckoo's utils directory and make it executable. Note: replace your_rsa_malware with the correct IP address.
Finally, add a cron job to run the script every 5 minutes (the interval used in this case); you can adjust the schedule to whatever suits your own needs.
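The script image from the original post is not reproduced here, so the following is an added example of what such a polling script can look like; it is not the author's script. It mounts the renamed "repository" share read-only on /mnt/rsamalware, walks the share, submits every file it has not seen before to Cuckoo, and records the SHA-256 of each submitted file so the same sample is never queued twice. The share name, the credentials file /etc/rsamalware.cred, the state file under /var/lib/rsamalware and the submitter path /opt/cuckoo/utils/submit.py are assumptions, all overridable through environment variables.

```shell
#!/bin/sh
# rsamalware.sh: added example of the polling script described in the post.
# This is NOT the script from the post's image. Hypothetical assumptions:
# the CIFS share is named "repository", credentials live in /etc/rsamalware.cred,
# the state file lives under /var/lib/rsamalware, and Cuckoo's legacy
# submitter is at /opt/cuckoo/utils/submit.py. All can be overridden via env.
set -eu

RSA_HOST="${RSA_HOST:-your_rsa_malware}"          # replace with the Malware Analysis IP
SHARE="//${RSA_HOST}/repository"                  # share renamed from "File Store" in the post
MOUNT_POINT="${MOUNT_POINT:-/mnt/rsamalware}"
CRED_FILE="${CRED_FILE:-/etc/rsamalware.cred}"    # username=/password= file, mode 0600
SUBMIT="${SUBMIT:-python /opt/cuckoo/utils/submit.py}"
STATE_FILE="${STATE_FILE:-/var/lib/rsamalware/submitted.sha256}"

# Mount the RSA share read-only unless it is already mounted.
ensure_mounted() {
    if ! grep -q " ${MOUNT_POINT} " /proc/mounts; then
        mount -t cifs -o "credentials=${CRED_FILE},ro" "${SHARE}" "${MOUNT_POINT}"
    fi
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed if the hash was recorded by an earlier run.
already_submitted() {
    [ -f "${STATE_FILE}" ] && grep -q "^$1\$" "${STATE_FILE}"
}

# Record a hash so the same sample is never submitted twice.
mark_submitted() {
    mkdir -p "$(dirname "${STATE_FILE}")"
    printf '%s\n' "$1" >> "${STATE_FILE}"
}

# Submit every file under $1 whose hash is not yet recorded and print
# the number of new submissions on stdout.
submit_new_files() {
    dir="$1"
    list=$(mktemp)
    find "${dir}" -type f > "${list}"
    count=0
    while IFS= read -r f; do
        h=$(file_sha256 "${f}")
        if already_submitted "${h}"; then
            continue
        fi
        ${SUBMIT} "${f}" >&2            # word-split on purpose: "python submit.py"
        mark_submitted "${h}"
        printf 'rsamalware: submitted %s (%s)\n' "${f}" "${h}" >&2
        count=$((count + 1))
    done < "${list}"
    rm -f "${list}"
    echo "${count}"
}

main() {
    ensure_mounted
    n=$(submit_new_files "${MOUNT_POINT}")
    printf 'rsamalware: %s new file(s) submitted to Cuckoo\n' "${n}" >&2
}

# Only run when invoked as "rsamalware.sh run" (as the cron job does);
# without the argument the file just defines the functions above.
case "${1:-}" in
    run) main ;;
esac
```

The matching cron entry for the 5-minute interval would be `*/5 * * * * /opt/cuckoo/utils/rsamalware.sh run`. Two design points: the share is mounted read-only, so a compromised or misbehaving sandbox host cannot write into the RSA repository, and deduplication is by content hash rather than file name, so a sample re-exported under a new name is not re-detonated.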
Hi @Menwith_hill! Thanks for your question!
Yes, for sure! This is only the Part I.
I'm trying to make a two-way connection to show the results in Malware Analysis as a score. But it is very difficult without any documentation to support it.
I think that license only allows items to be manually selected for scanning; I don't think you can send everything that way (at least that is what it is supposed to do).
Is there an ability to integrate Cuckoo Windows host log data into the log portion of the SIEM? Specifically, analyzing Windows logs and consuming them via a log collection method? Interested to see if we could identify some potential alerting through log consumption mechanisms.