How to integrate the RSA Malware Analysis with the Cuckoo Sandbox
I updated the post to attach the PPT used during my presentation at RSA TechFest 2016. Everything you need to know about the integration process I developed is available in the attached file.
This is a simple post to show how to integrate the RSA Malware Analysis with the Cuckoo Sandbox solution.
You will need:
- RSA Security Analytics for Packet with Malware Analysis
- Cuckoo Sandbox (local)
First, enable the File Sharing Protocol under Service -> Malware Analysis -> Config and apply the change.
After that, connect over SSH to your RSA Malware Analysis host and change the share name from File Store to repository. This is only to remove the space from the share name.
Apply the change and restart the smb service.
Now, connect over SSH to your Cuckoo Sandbox (local) and run the steps below:
- Install the mount.cifs package
- Create the directory /mnt/rsamalware
- Create a script file rsamalware.sh (image below) in Cuckoo's utils directory and make it executable. Note: replace your_rsa_malware with the correct IP address
Finally, add a cron job to run the script every 5 minutes (in this case). You can change the interval to whatever suits your needs.
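The post shows rsamalware.sh only as an image that is not reproduced here. The script below is an added example of what such a poller can look like, not the author's script: it assumes the share //your_rsa_malware/repository is mounted read-only at /mnt/rsamalware, that Cuckoo 1.x lives at /opt/cuckoo with its utils/submit.py, that CIFS credentials sit in a root-only file rather than on the command line, and that a state file of SHA-256 hashes keeps the 5-minute cron run from resubmitting samples it has already sent.

```shell
#!/bin/bash
# Added example (not the script from the original post): poll the RSA Malware
# Analysis CIFS share and submit samples not seen before to a local Cuckoo.
# Assumed paths and Cuckoo 1.x layout; adjust to your installation.
RSA_HOST="${RSA_HOST:-your_rsa_malware}"        # replace with the MA appliance IP
MOUNT_POINT="${MOUNT_POINT:-/mnt/rsamalware}"
CUCKOO_DIR="${CUCKOO_DIR:-/opt/cuckoo}"
STATE_FILE="${STATE_FILE:-/var/lib/rsamalware/submitted.sha256}"
CIFS_CREDS="${CIFS_CREDS:-/root/.rsamalware.cred}"  # username=/password= lines, mode 0600

# Mount the share read-only if it is not already mounted; credentials come from
# a file rather than the command line so they do not show up in ps or cron mail.
ensure_mounted() {
  mountpoint -q "$MOUNT_POINT" ||
    mount -t cifs "//$RSA_HOST/repository" "$MOUNT_POINT" -o "ro,credentials=$CIFS_CREDS"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Print the path of every regular file under $1 whose SHA-256 is not yet listed
# in the state file $2. Hashing (not mtime) keeps a re-copied sample from being
# analysed twice and survives the share being remounted.
new_samples() {
  local dir="$1" state="$2"
  touch "$state"
  find "$dir" -type f | while IFS= read -r f; do
    grep -qx "$(sha256_of "$f")" "$state" || printf '%s\n' "$f"
  done
}

# Submit each new sample to Cuckoo and record its hash only on success, so a
# failed submission is retried on the next cron run.
submit_samples() {
  local dir="$1" state="$2"
  new_samples "$dir" "$state" | while IFS= read -r f; do
    python "$CUCKOO_DIR/utils/submit.py" --timeout 120 "$f" &&
      sha256_of "$f" >> "$state"
  done
}

main() {
  ensure_mounted
  submit_samples "$MOUNT_POINT" "$STATE_FILE"
}

# Cron entry (every 5 minutes): */5 * * * * /opt/cuckoo/utils/rsamalware.sh run
case "${1:-}" in run) main ;; esac
```

The script must run as a user allowed to mount CIFS shares (root, in this example), and the state file directory must exist before the first run.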
Hi Joseph Gumke!
Isn't it easier to get the results from the Cuckoo server? The Cuckoo server creates a JSON file with all the info about the analysis process. You can get the file and process it with your SIEM solution. I have done it using HP ArcSight. Please see the images below:
1 - JSON file report
2 - Cuckoo report
3 - HP ArcSight
Well, in this case I normally use the Smart Connector from HPE (which is free) to get the events that aren't supported by RSA. After that, I send them to NetWitness through syslog in CEF format.