Been busy the last two weeks completing a research paper. Hopefully the code I wrote for the paper can be released soon. For now, here are some snippets I used to set up part of the environment for the research. (Intentionally vague, as it's not published yet.)
Install dependencies for Cuckoo
```sh
sudo apt-get install python
sudo apt-get install mongodb
sudo apt-get install g++
sudo apt-get install python-dev python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet python-pip
sudo apt-get install libxml2-dev libxslt1-dev
sudo pip2 install sqlalchemy yara
# The original post pinned exact cybox and maec versions, but the pins were
# mangled during extraction; use the versions listed in Cuckoo's requirements.txt.
sudo pip2 install cybox
sudo pip2 install maec
sudo pip2 install python-dateutil
sudo apt-get install python-dev libfuzzy-dev
sudo pip2 install pydeep
sudo apt-get install tcpdump   # if not installed
# Allow tcpdump to capture raw packets without root.
# Caveat: this lets *any* local user capture traffic on the host; on a
# multi-user machine, restrict the binary to a dedicated group instead.
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
# Volatility 2.4 for memory analysis
wget http://downloads.volatilityfoundation.org/releases/2.4/volatility-2.4.zip && unzip volatility-2.4.zip && cd volatility-2.4
sudo python setup.py install
# Install the libraries that Volatility wants:
sudo pip2 install distorm3
```
Install Cuckoo and VirtualBox
You'll still have to set up the virtual machine, and configure Cuckoo to use that VM. But at least this script will download them for you!
Check out Cuckoo's full documentation here: http://docs.cuckoosandbox.org/en/latest/
```sh
# GitHub no longer serves the git:// protocol, so clone over HTTPS.
git clone https://github.com/cuckoosandbox/cuckoo.git
# VirtualBox 5.0.14 for Ubuntu 14.04 (trusty), 32-bit
wget http://download.virtualbox.org/virtualbox/5.0.14/virtualbox-5.0_5.0.14-105127~Ubuntu~trusty_i386.deb
sudo dpkg -i virtualbox-5.0_5.0.14-105127~Ubuntu~trusty_i386.deb
sudo apt-get install -f   # pull in any dependencies dpkg could not satisfy
```
Cuckoo is flexible enough to be extended for your own needs. It's entirely open source, and the code base isn't too bad; the documentation is decent, which makes it even easier. I blogged about the structure of Cuckoo and how to add custom features to it before, so check it out.
If you follow the Cuckoo documentation, you'll want to set up a host-only network adapter between your guest virtual machine and your host machine. After you do that through the VirtualBox settings, you have to set up the iptables rules for the communication to work. These rules (taken from the Cuckoo docs) NAT the guest's traffic out through the host's uplink, so the sandbox gets unrestricted internet access; that is a deliberate choice for observing malware behaviour, not a default you want on a shared host. Note also that neither the rules nor the sysctl setting survive a reboot unless you persist them.

```sh
# Allow new connections from the host-only network out to the uplink
sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow the return traffic for those connections
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT the guest's source address to the host's
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
# Turn on IP forwarding (not persistent; set it in /etc/sysctl.conf to keep it)
sudo sysctl -w net.ipv4.ip_forward=1
```
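As an added example (not code from the original post or from the Cuckoo project), here is the same NAT setup wrapped in a small script that can be re-run without duplicating rules. It also tightens the docs' rules slightly: the ESTABLISHED,RELATED rule is restricted to traffic coming back from the uplink to the host-only adapter, and the MASQUERADE rule only rewrites the guest subnet leaving via the uplink, rather than everything on the host. The interface names, the subnet and the DRY_RUN switch are assumptions; adjust them to match your VirtualBox host-only adapter.

```sh
#!/bin/sh
# Idempotent host-side NAT rules for a Cuckoo host-only network.
# Added example, not part of the original post. HOST_IF, VBOX_IF, GUEST_NET and
# DRY_RUN are assumed names; override them in the environment as needed.
set -eu

HOST_IF="${HOST_IF:-eth0}"                 # interface with the host's uplink
VBOX_IF="${VBOX_IF:-vboxnet0}"             # VirtualBox host-only adapter
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"  # host-only subnet the guests live on
DRY_RUN="${DRY_RUN:-1}"                    # 1 = only print what would be run

# Print the rule specs, one per line, without the -A/-C/-D verb, so the same
# list can be used to check for, add and remove the rules.
cuckoo_rules() {
    printf '%s\n' \
      "FORWARD -i $VBOX_IF -o $HOST_IF -s $GUEST_NET -m conntrack --ctstate NEW -j ACCEPT" \
      "FORWARD -i $HOST_IF -o $VBOX_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "POSTROUTING -t nat -s $GUEST_NET -o $HOST_IF -j MASQUERADE"
}

# Either echo a command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Add each rule only if iptables -C reports it is not already present,
# then enable forwarding. In dry-run mode every command is printed.
apply_rules() {
    cuckoo_rules | while IFS= read -r spec; do
        # shellcheck disable=SC2086 -- the spec is deliberately word-split
        if [ "$DRY_RUN" = 1 ] || ! iptables -C $spec 2>/dev/null; then
            run iptables -A $spec
        fi
    done
    run sysctl -w net.ipv4.ip_forward=1
}

# Remove the rules again (for example when tearing the sandbox down).
remove_rules() {
    cuckoo_rules | while IFS= read -r spec; do
        # shellcheck disable=SC2086
        if [ "$DRY_RUN" = 1 ] || iptables -C $spec 2>/dev/null; then
            run iptables -D $spec
        fi
    done
    run sysctl -w net.ipv4.ip_forward=0
}

case "${1:-}" in
    apply)  apply_rules ;;
    remove) remove_rules ;;
    *)      ;;   # no argument: just define the functions
esac
```

Run `DRY_RUN=1 sh cuckoo-nat.sh apply` first to see the exact iptables invocations, then `sudo DRY_RUN=0 sh cuckoo-nat.sh apply` to install them. Because each rule is checked with `iptables -C` before being added, the script can sit in a boot-time unit or be re-run after a VirtualBox restart without piling up duplicate FORWARD entries; `remove` takes the rules back out and turns forwarding off.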