Netgate Discussion Forum

Cuckoo sandbox integration for file/malware analysis

Category: Firewalling
simone, Feb 4, 2018, 7:08 PM (last edited Feb 7, 2018, 9:49 AM)

    Hi everyone,
    I am opening this thread since I think this topic is a very important thing to have in a modern production network, and I would like to ask for any help and opinions about it.

    #Idea:
    I’d like to implement the following thing:

    <Triggering Action>
    a. someone on an internal LAN tries to download a file with a file protocol (e.g. HTTP(S), (T)FTP, torrent, RCP, SMB/Samba, CIFS, …), or
    b. someone from inside/outside tries to upload a file with a file protocol to a file server in a DMZ

    <Firewall Actions>

    • cache the file somehow (internally or remotely)
    • engage the Cuckoo appliance for a malware analysis by passing the file to it
    • at the same time, if an HTTP-like protocol is used, send a page to the client browser warning that a malware inspection is being done, and give the user the link to a page stating the progress of the analysis and eventually the result (i.e. OK = click this link to download the file, NOT_OK = message stating the result)
      • if HTTP is NOT used, when the result from Cuckoo is OK, then the firewall should send the file to the destination somehow (maybe keeping the original sessions), or maybe it is Cuckoo that has this task
        (notice: this could be the standard behaviour also for HTTP, if a page to the browser would involve some other aspects that are too complicated)
    • we should keep the connections active so that they won’t time out (with a reasoned threshold)

    #Notes:
    Regarding HTTP used for downloading files (or HTTPS with a previous HTTPS inspection), I found something about the use of regexes on Squid and its MIME types in ACLs, but I cannot come up with what to use for the other file protocols mentioned, so it seems something should be done in firewall rules to keep track of these behaviours.

    I appreciate any discussion about this topic.

    Thanks to everyone,
    best regards,

    Simone

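The "Firewall Actions" list above describes a gate that caches a file, submits it to a sandbox, shows an interstitial page to HTTP clients, and only releases the file after an OK verdict, while holding connections within a reasoned timeout. The following is an added example written for this thread, not code from pfSense, Squid or Cuckoo, that implements that state machine in Python. It assumes a sandbox client with `submit(filename, data) -> task_id` and `verdict(task_id) -> (status, score)`; the `FakeSandbox` class is a stand-in whose verdicts are scripted so the code runs offline (Cuckoo's own REST API exposes task creation, task status and JSON reports, but wiring it up is left as an assumption). The 0-10 score threshold and the 600-second timeout are assumptions, not values from the post.

```python
"""Download gate: cache -> sandbox -> interstitial page -> release on OK.
Added example for this thread; not part of pfSense, Squid or Cuckoo."""
import hashlib
import html
import time
from dataclasses import dataclass

SCORE_THRESHOLD = 4.0      # assumption: sandbox reports a 0-10 score, >= 4 means malicious
ANALYSIS_TIMEOUT_S = 600   # assumption: the "reasoned threshold" for holding a transfer


class FakeSandbox:
    """Stand-in for a Cuckoo client. Verdicts are scripted via finish(), not real analysis."""

    def __init__(self):
        self.tasks = {}      # task_id -> (status, score)
        self.next_id = 1

    def submit(self, filename, data):
        task_id = self.next_id
        self.next_id += 1
        self.tasks[task_id] = ("pending", None)
        return task_id

    def finish(self, task_id, score):
        """Simulate the sandbox completing a task with the given score."""
        self.tasks[task_id] = ("reported", score)

    def verdict(self, task_id):
        return self.tasks[task_id]


@dataclass
class Pending:
    task_id: int
    submitted_at: float
    filename: str


class DownloadGate:
    def __init__(self, sandbox, now=time.time):
        self.sandbox = sandbox
        self.now = now           # injectable clock so timeouts can be tested offline
        self.cache = {}          # sha256 -> bytes (the "cache the file" step)
        self.verdicts = {}       # sha256 -> "OK" / "NOT_OK"
        self.pending = {}        # sha256 -> Pending

    def intercept(self, filename, data):
        """Called when a file transfer is seen. Returns (decision, sha256 digest).
        Files are keyed by hash so a second download of a known file needs no re-analysis."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.verdicts:
            return self.verdicts[digest], digest
        if digest not in self.pending:
            self.cache[digest] = data
            task_id = self.sandbox.submit(filename, data)
            self.pending[digest] = Pending(task_id, self.now(), filename)
        return "PENDING", digest

    def poll(self, digest):
        """Progress check used by the status page: OK / NOT_OK / PENDING / TIMEOUT / UNKNOWN."""
        if digest in self.verdicts:
            return self.verdicts[digest]
        entry = self.pending.get(digest)
        if entry is None:
            return "UNKNOWN"
        status, score = self.sandbox.verdict(entry.task_id)
        if status == "reported":
            verdict = "NOT_OK" if score >= SCORE_THRESHOLD else "OK"
            self.verdicts[digest] = verdict
            del self.pending[digest]
            if verdict == "NOT_OK":
                self.cache.pop(digest, None)   # a flagged file is never handed out
            return verdict
        if self.now() - entry.submitted_at > ANALYSIS_TIMEOUT_S:
            return "TIMEOUT"                   # fail closed: the file stays held
        return "PENDING"

    def release(self, digest):
        """Return the cached bytes only after an OK verdict; None otherwise."""
        if self.verdicts.get(digest) != "OK":
            return None
        return self.cache.get(digest)


def status_page(digest, state):
    """The interstitial page shown to HTTP clients, with a progress/download link."""
    safe = html.escape(digest)
    if state == "OK":
        body = f'Analysis finished: no threat found. <a href="/release/{safe}">Click here to download the file</a>.'
    elif state == "NOT_OK":
        body = "Analysis finished: the file was flagged as malicious and will not be delivered."
    elif state == "TIMEOUT":
        body = "Analysis did not complete in time; the file is being held. Contact your administrator."
    else:
        body = f'A malware inspection is in progress. <a href="/status/{safe}">Check progress</a>.'
    return f"<html><body><p>State: {html.escape(state)}</p><p>{body}</p></body></html>"


if __name__ == "__main__":
    sandbox = FakeSandbox()
    gate = DownloadGate(sandbox)
    decision, digest = gate.intercept("report.pdf", b"constructed benign sample")
    print(decision, status_page(digest, gate.poll(digest)))
    sandbox.finish(1, 0.0)
    print(gate.poll(digest), len(gate.release(digest)), "bytes released")
```

Keying the cache and verdicts by SHA-256 means the same file fetched twice (or by two users) is analysed once, and the timeout branch deliberately fails closed: a transfer the sandbox never reports on is held rather than released by default.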
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.