Cuckoo sandbox integration for file/malware analysis

  • Hi everyone,
    I open this thread since I think this argument is a very important thing to have in a nowadays production network and I like to ask any help and opinion about that.

    I’d like to implement the following thing:

    <Triggering Action>
    a. someone on an internal LAN tries to download a file with a file protocol (i.e. http(s), (T)FTP, torrent, RCP, SMB/SAMBA, CIFS, …) , or
    b. someone from inside/outside is trying to upload a file with a file protocol on a file server in a DMZ

    <Firewall Actions>

    • cache someway the file (internally or remotely)
    • engage the Cuckoo appliance for a malware analysis by passing the file to it
    • contemporary, if http-like is used, send a page to the client browser to warn a malware inspection is being done and give the user the link to a page stating the advancement of the analysis and eventually the result (i.e OK=click this link to download the file,    NOT_OK=message stating the result)
      -* if HTTP is NOT used, when the result from Cuckoo is OK, then the firewall should send the file to the destination someway (maybe keeping original sessions), or maybe it is Cuckoo having this task
      (notice: this could be the standard behavior also for HTTP if a page to the browser would involve some other too much complicated aspects)
    • We should keep the connections active so that they won’t be timeout (with a reasoned threshold).

    Regarding HTTP used for download files (or HTTPS with a previous HTTPS inspection) I found something about the use of REGEXes on SQUID and its Mimetypes on ACLs, but I cannot come along with what to use for the other mentioned file protocols, so it seems something should be done on firewall rules to keep trace of this behaviors.

    I appreciate any discussion about this argument.

    Thanks to everyone,
    best regards,


Log in to reply