What is Cuckoo Sandbox?
In three words, Cuckoo Sandbox is a malware analysis system.
What does that mean?
It simply means that you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will give you back detailed results outlining what that file did when executed inside an isolated environment.
CuckooAutoInstall was created to avoid wasting time installing Cuckoo Sandbox in Debian Stable.
Usage
- Execute the script: sh cuckooautoinstall.sh
- Set a password for the user 'cuckoo' created by the script, using the command: passwd cuckoo
- Create the virtual machines (see http://docs.cuckoosandbox.org/en/latest/installation/guest/) or import existing ones with: VBoxManage import virtual_machine.ova
- Attach the virtual machines to the host-only network vboxnet0: vboxmanage modifyvm "virtual_machine" --hostonlyadapter1 vboxnet0 (list the VMs with: VBoxManage list vms)
- Configure Cuckoo: cuckoo/conf/cuckoo.conf, cuckoo/conf/auxiliary.conf & cuckoo/conf/virtualbox.conf
- Run Cuckoo (check the image output): cd cuckoo && python cuckoo.py
- Also run the web.py interface (default port 8080): cd cuckoo/utils && python web.py
- Also run the Django interface on port 6969: cd cuckoo/web && python manage.py runserver 0.0.0.0:6969
Script features
It installs Cuckoo Sandbox by default with all the optional components: yara, ssdeep, django ...
It installs the latest versions of: ssdeep, yara, pydeep-master & jansson.
It tries to solve common problems during the installation: ldconfigs, autoreconfs...
It installs VirtualBox by default and creates the host-only interface.
It creates the iptables rules and enables IP forwarding so the Cuckoo virtual machines have internet access:
sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
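The same rule set as an added shell example (not part of the CuckooAutoInstall script), emitted once and applied only when absent; it goes beyond the rules above by restricting the return-traffic and MASQUERADE rules to the guest subnet and outbound interface, so the host does not NAT or forward traffic unrelated to the sandbox. eth0, vboxnet0 and 192.168.56.0/24 are assumed defaults taken from the rules above.

```shell
#!/bin/sh
# Added example, not part of the CuckooAutoInstall script.
# Emits the forward/NAT rules for the Cuckoo guest network, scoped to the
# guest subnet and outbound interface, and applies them only when absent.
# Interface and subnet defaults are assumptions taken from the README.

WAN_IF="${WAN_IF:-eth0}"
GUEST_IF="${GUEST_IF:-vboxnet0}"
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"

# Print one "table|rule" line per rule. The rule part is the same text
# for -C (check) and -A (append), so applying is idempotent.
cuckoo_nat_rules() {
    # New connections from guests may only leave through the WAN interface.
    echo "filter|FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -m conntrack --ctstate NEW -j ACCEPT"
    # Return traffic for those connections only, not every established flow forwarded by the host.
    echo "filter|FORWARD -i $WAN_IF -o $GUEST_IF -d $GUEST_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Masquerade only the guest subnet leaving via the WAN interface, not all host traffic.
    echo "nat|POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
}

# Append each rule unless an identical one already exists (iptables -C exits 0
# when the rule is present), then enable forwarding. Requires root.
cuckoo_nat_apply() {
    cuckoo_nat_rules | while IFS='|' read -r table rule; do
        # word-splitting of $rule into separate arguments is intended
        iptables -t "$table" -C $rule 2>/dev/null || iptables -t "$table" -A $rule
    done
    sysctl -w net.ipv4.ip_forward=1
}

# Preview the rules (no root needed); run cuckoo_nat_apply as root to install them.
cuckoo_nat_rules
```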
It enables running tcpdump as a non-root user:
sudo apt-get -y install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
It creates the 'cuckoo' user on the system and adds it to the vboxusers group.
It enables MongoDB reporting in conf/reporting.conf.
It fixes the "TEMPLATE_DIRS setting must be a tuple" error that occurs when running python manage.py with Django version >= 1.6, by replacing in web/web/settings.py:
TEMPLATE_DIRS = (
"templates"
)
with:
TEMPLATE_DIRS = (
("templates"),
)