
Looking for help (Cuckoo MISP integration)

Open fjimca opened this issue 7 years ago • 6 comments

Hi

I have tried to integrate Cuckoo within MISP. My Cuckoo is deployed in an isolated network, so we need to import IOCs into MISP from a Cuckoo-generated JSON file.

I activated the Cuckooimport module to populate attributes from Cuckoo in a previously created MISP event.

I analyzed a malware file with Cuckoo and exported the report analysis to a file.

I have tried to import all generated .json files (report.json and also file.json and task.json) to MISP but all of the files I tried to import failed.

I would like to know what is wrong. (We have looked for documentation...).

Would you provide us a feasible cuckoo .json file in order to compare your .json file with our .json files?

Thank you in advance.

fjimca avatar Jan 24 '18 11:01 fjimca

Hi,

Have you tried to directly use the MISP report module in Cuckoo?

https://github.com/cuckoosandbox/cuckoo/blob/master/cuckoo/reporting/misp.py

I suppose the JSON file is maybe more recent, we didn't try the module recently.

Let us know if the default cuckoo reporting module works for you.

adulau avatar Jan 24 '18 12:01 adulau

Yes, I have.

But the problem is that when I configure the cuckoo module, I must configure the parameter "reporting.conf:url" and the parameter "reporting.conf-apikey" to access a MISP instance. Because MISP and Cuckoo are in separate networks, the reporting module fails with an error.

I think that this configuration could be used for connecting MISP and Cuckoo directly, not for generating a .json file. https://blog.rootshell.be/2017/01/25/quick-integration-misp-cuckoo/

2018-01-23 16:48:27,593 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "MISP":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/misp.py", line 109, in run
    self.misp = pymisp.PyMISP(url, apikey, False, "json")
  File "/usr/local/lib/python2.7/dist-packages/pymisp/api.py", line 113, in __init__
    raise PyMISPError('Unable to connect to MISP ({}). Please make sure the API key and the URL are correct (http/https is required): {}'.format(self.root_url, e))
PyMISPError: Unable to connect to MISP (http://xxxxxxxxxxxxxx). Please make sure the API key and the URL are correct (http/https is required): ('Connection aborted.', gaierror(-3, 'Temporary failure in name resolution'))
2018-01-23 16:48:34,732 [lib.cuckoo.core.scheduler] INFO: Task #33: reports generation completed (path=/opt/cuckoo/storage/analyses/33)
2018-01-23 16:48:34,762 [lib.cuckoo.core.scheduler] INFO: Task #33: analysis procedure completed

fjimca avatar Jan 24 '18 12:01 fjimca

Use the patched files for the reporting and processing conf files for cuckoo to import directly into MISP, works for me:

https://github.com/xme/cuckoo

Overview: https://blog.rootshell.be/2017/01/25/quick-integration-misp-cuckoo/

Recommend to create a separate user account for cuckoo in MISP to track the imports (assign a new email address for it)

If you can't connect Cuckoo to MISP, put another MISP instance in the same part of the Cuckoo network and then sync the 2 MISP servers.

trismegistusX avatar Aug 06 '18 20:08 trismegistusX

Is there any update on this issue?

nkd071819 avatar Aug 13 '19 09:08 nkd071819

Cuckoo did many updates in the report module in the past weeks. Did you try with a recent version of Cuckoo?

adulau avatar Aug 13 '19 09:08 adulau

And we recently merged an updated version of the Cuckoo import module https://github.com/MISP/misp-modules/pull/322

adulau avatar Aug 13 '19 13:08 adulau