Netgate Discussion Forum

    Cuckoo sandbox integration for file/malware analysis

    Firewalling
    1 Posts 1 Posters 975 Views
      simone

      Hi everyone,
      I'm opening this thread since I think this topic is a very important thing to have in today's production networks, and I'd like to ask for any help and opinions about it.

      #Idea:
      I’d like to implement the following thing:

      <Triggering Action>
      a. someone on an internal LAN tries to download a file with a file protocol (i.e. HTTP(S), (T)FTP, torrent, RCP, SMB/Samba, CIFS, …), or
      b. someone from inside/outside is trying to upload a file with a file protocol on a file server in a DMZ

      <Firewall Actions>

      • cache someway the file (internally or remotely)
      • engage the Cuckoo appliance for a malware analysis by passing the file to it
      • at the same time, if an HTTP-like protocol is used, send a page to the client browser warning that a malware inspection is being done and giving the user a link to a page stating the progress of the analysis and eventually the result (i.e. OK = click this link to download the file, NOT_OK = message stating the result)
        - if HTTP is NOT used, when the result from Cuckoo is OK, then the firewall should send the file to the destination somehow (maybe keeping the original sessions), or maybe it is Cuckoo that has this task
        (notice: this could be the standard behavior also for HTTP if sending a page to the browser would involve other, too complicated aspects)
      • we should keep the connections active so that they won't time out (with a reasoned threshold).

      #Notes:
      Regarding HTTP used for downloading files (or HTTPS with prior HTTPS inspection), I found something about the use of regexes on Squid and MIME types in its ACLs, but I cannot figure out what to use for the other mentioned file protocols, so it seems something should be done in the firewall rules to keep track of these behaviors.

      I appreciate any discussion about this argument.

      Thanks to everyone,
      best regards,

      Simone
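
      The firewall-side workflow described in the post (cache the file, hand it to the Cuckoo appliance, keep the session on hold up to a threshold, then release or block), as an added example that is not part of the original post, of pfSense, of Squid or of the Cuckoo project. The `CuckooApi` class uses the `tasks/create/file`, `tasks/view/<id>` and `tasks/report/<id>` endpoints of the Cuckoo 2.x REST API; the appliance address, the 4.0 score threshold and the 120 s hold threshold are assumptions, and `FakeCuckoo` plus the two sample files are constructed so the example runs offline. The protocol-specific interception (Squid ACLs, SMB/FTP hooks) is out of scope here; this shows the common hold-submit-poll-verdict core those hooks would call.

```python
import hashlib, json, shutil, tempfile, time, uuid
import urllib.request
from enum import Enum
from pathlib import Path


class Verdict(Enum):
    CLEAN = "clean"          # release the file to the client or destination
    MALICIOUS = "malicious"  # block it and show the result page
    PENDING = "pending"      # hold threshold expired while analysis still runs


class CuckooApi:
    """Minimal client for the Cuckoo 2.x REST API endpoints tasks/create/file,
    tasks/view and tasks/report. The appliance address is an assumption."""
    base_url = "http://cuckoo.lab.internal:8090"

    def submit(self, path: Path) -> int:
        boundary = "----gatekeeper-" + uuid.uuid4().hex
        head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                f'filename="{path.name}"\r\nContent-Type: application/octet-stream\r\n\r\n')
        body = head.encode() + path.read_bytes() + f"\r\n--{boundary}--\r\n".encode()
        req = urllib.request.Request(f"{self.base_url}/tasks/create/file", data=body,
            headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
        with urllib.request.urlopen(req) as resp:
            return int(json.load(resp)["task_id"])

    def status(self, task_id: int) -> str:
        with urllib.request.urlopen(f"{self.base_url}/tasks/view/{task_id}") as resp:
            return json.load(resp)["task"]["status"]        # "pending", "running", "reported", ...

    def score(self, task_id: int) -> float:
        with urllib.request.urlopen(f"{self.base_url}/tasks/report/{task_id}") as resp:
            return float(json.load(resp)["info"]["score"])  # Cuckoo's 0-10 maliciousness score


class Gatekeeper:
    """Firewall-side workflow from the post: cache, submit, hold up to a threshold."""

    def __init__(self, api, cache_dir: Path, score_threshold=4.0, hold_seconds=120.0,
                 sleep=time.sleep, clock=time.monotonic):
        self.api, self.cache_dir = api, cache_dir
        self.score_threshold = score_threshold   # local policy choice, not a Cuckoo default
        self.hold_seconds = hold_seconds         # the "reasoned threshold" for holding a session
        self.sleep, self.clock = sleep, clock    # injectable so the demo runs without waiting
        self.known: dict[str, Verdict] = {}      # sha256 -> verdict: each file is analysed once
        cache_dir.mkdir(parents=True, exist_ok=True)

    def quarantine(self, src: Path) -> tuple[str, Path]:
        """Cache the file under its SHA-256 so identical downloads share one analysis."""
        digest = hashlib.sha256(src.read_bytes()).hexdigest()
        cached = self.cache_dir / digest
        if not cached.exists():
            shutil.copy2(src, cached)
        return digest, cached

    def inspect(self, src: Path) -> Verdict:
        digest, cached = self.quarantine(src)
        if digest in self.known:                 # already analysed: no second submission
            return self.known[digest]
        task_id = self.api.submit(cached)
        deadline = self.clock() + self.hold_seconds
        while self.clock() < deadline:
            if self.api.status(task_id) == "reported":
                flagged = self.api.score(task_id) >= self.score_threshold
                self.known[digest] = Verdict.MALICIOUS if flagged else Verdict.CLEAN
                return self.known[digest]
            self.sleep(2.0)                      # poll interval
        return Verdict.PENDING                   # caller shows the "analysis in progress" page


class FakeCuckoo:
    """Constructed stand-in for CuckooApi so the demo below runs offline."""
    def __init__(self, scores, polls_until_reported=2):
        self.scores = scores                     # sha256 -> score the sandbox will report
        self.tasks = {}                          # task_id -> [sha256, polls so far]
        self.polls = polls_until_reported
    def submit(self, path):
        self.tasks[len(self.tasks) + 1] = [hashlib.sha256(path.read_bytes()).hexdigest(), 0]
        return len(self.tasks)
    def status(self, task_id):
        self.tasks[task_id][1] += 1
        return "reported" if self.tasks[task_id][1] >= self.polls else "running"
    def score(self, task_id):
        return self.scores[self.tasks[task_id][0]]


def demo() -> dict:
    """Constructed samples: one benign, one flagged (and re-downloaded), one that never finishes."""
    tmp = Path(tempfile.mkdtemp())
    good, bad = tmp / "report.pdf", tmp / "invoice.exe"
    good.write_bytes(b"%PDF-1.4 constructed benign sample")
    bad.write_bytes(b"MZ constructed suspicious sample")
    sha = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    fake = FakeCuckoo({sha(good): 0.4, sha(bad): 8.2})
    gk = Gatekeeper(fake, tmp / "quarantine", sleep=lambda s: None)
    out = {"clean": gk.inspect(good), "malicious": gk.inspect(bad),
           "cached": gk.inspect(bad), "submissions": len(fake.tasks)}
    ticks = iter(range(0, 100_000, 30))          # constructed clock advancing 30 s per reading
    slow = Gatekeeper(FakeCuckoo({}, polls_until_reported=10**9), tmp / "quarantine",
                      hold_seconds=120, sleep=lambda s: None, clock=lambda: next(ticks))
    out["timeout"] = slow.inspect(good)          # PENDING: hold threshold reached first
    return out
```

      Two design points worth noting for the post's requirements: the quarantine cache is keyed by SHA-256, so a second client downloading the same file gets the stored verdict without a second sandbox run (which also bounds the load on the appliance), and the hold loop returns PENDING rather than blocking forever, which is where the firewall hands the user the "analysis in progress" page instead of letting the connection time out.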

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.