
Feature: ability to monitor traffic between the CAPE result server and the sandbox.

Open piolug93 opened this issue 1 year ago • 5 comments

piolug93 (May 10 '24 13:05)

Fix conflicts please, and do not modify conf/routing.conf; those configs shouldn't be touched, only .default.

doomedraven (May 10 '24 13:05)

And what is the advantage of using NAT instead of hostonly?

doomedraven (May 10 '24 13:05)

Okay, will resolve conflicts. Hostonly is still used, while MASQUERADE is not used in iptables. Another feature is the use of VRF so that traffic to the resultserver passes via the default gateway instead of through the interface lo.

piolug93 (May 10 '24 14:05)

Great idea @piolug93. There's a lot of interesting stuff going on behind the scenes - alongside the result server traffic, agent communication and layer 2 traffic would be helpful to expose in analyses.

Did you consider adding an auxiliary module alongside the existing sniffer?

The existing sniffer heavily filters traffic (also #L139, auxiliary.conf) - having the ability to monitor result server, agent, and layer 2 traffic with an auxiliary module and write out an analysis-debug.pcap to capture it all would be fantastic!

nbargnesi (May 14 '24 12:05)
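A sketch of what such a debug-capture auxiliary module could look like, added here as an example and not code from CAPE or from any of the commenters. It assumes the result server listens on TCP 2042 and the agent on TCP 8000 (CAPE's defaults, passed in as parameters), a host-side capture interface such as vboxnet0, and a hypothetical per-analysis storage directory; in CAPE itself the class would inherit from lib.cuckoo.common.abstracts.Auxiliary, which is left out so the block runs stand-alone.

```python
"""Debug sniffer sketch: keep the traffic the stock sniffer filters out.

Constructed example, not CAPE code. In CAPE the class would subclass
lib.cuckoo.common.abstracts.Auxiliary and take the guest/result server
addresses from the machine and config objects; here they are plain arguments.
"""
import os
import subprocess


def build_debug_filter(guest_ip: str, resultserver_ip: str,
                       resultserver_port: int = 2042, agent_port: int = 8000) -> str:
    """BPF filter that *keeps* result server, agent and layer 2 traffic.

    The stock sniffer excludes exactly these flows; the debug capture wants
    them and nothing else, so the analysis pcap stays unchanged.
    Ports 2042/8000 are CAPE's defaults (assumed) and remain overridable.
    """
    return " or ".join([
        f"(host {guest_ip} and host {resultserver_ip} and tcp port {resultserver_port})",
        f"(host {guest_ip} and tcp port {agent_port})",
        "arp",                            # layer 2: ARP requests/replies
        "(ether broadcast and not ip)",   # other non-IP broadcast frames
    ])


def build_tcpdump_cmd(interface: str, pcap_path: str, bpf: str,
                      tcpdump: str = "/usr/bin/tcpdump") -> list:
    """argv for tcpdump. -U flushes per packet so an aborted run still leaves data."""
    return [tcpdump, "-U", "-q", "-s", "0", "-n", "-i", interface, "-w", pcap_path, bpf]


class DebugSniffer:
    """Minimal auxiliary-module shape (start/stop) around the command above."""

    def __init__(self, interface: str, guest_ip: str, resultserver_ip: str, storage_dir: str):
        pcap_path = os.path.join(storage_dir, "analysis-debug.pcap")
        self.cmd = build_tcpdump_cmd(interface, pcap_path,
                                     build_debug_filter(guest_ip, resultserver_ip))
        self.proc = None

    def start(self) -> bool:
        # Launched before the guest starts so the agent handshake is captured.
        self.proc = subprocess.Popen(self.cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return self.proc.poll() is None

    def stop(self) -> None:
        if self.proc is not None and self.proc.poll() is None:
            self.proc.terminate()
            self.proc.wait(timeout=5)
```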

Good to know about it, I had no idea about it. I have no plans to write an auxiliary module because I don't need to see that traffic in CAPE.

piolug93 (May 14 '24 18:05)