Installing Cuckoo Sandbox v2.0.6, a behavioural analysis sandbox for malicious files

Host: install Ubuntu 16.04 LTS with manual partitioning, otherwise the installer may not find the 2 TB disk; if it still is not found, boot into the installed system, try repairing the boot loader, and then reinstall.
Guest: install Windows 7 Professional from a downloaded ISO inside VirtualBox.
1. Installing the host (Ubuntu)

# After the OS install, install the remaining packages
sudo apt-get install git mongodb libffi-dev build-essential python-django python python-dev python-pip python-pil python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet tcpdump -y

# Give tcpdump the capabilities it needs to capture without running as root, and verify:
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
$ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

# Install pydeep (Python bindings for ssdeep); build and install ssdeep first:
$ wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.13/ssdeep-2.13.tar.gz/download
$ mv download download.tar.gz
$ tar -zxf download.tar.gz
$ cd ssdeep-2.13
$ ./configure
$ make
$ sudo make install
# Verify the install
$ ssdeep -V    (capital V)
2.13

$sudo pip install pydeep
$pip show pydeep
---
Metadata-Version: 1.0 
Name: pydeep
Version: 0.2 
Summary: Python bindings for ssdeep
Home-page: http://www.github.com/kbandla/pydeep
Author: Kiran Bandla
Author-email: [email protected]
License: BSD 
Location: /usr/local/lib/python2.7/dist-packages
Requires: 
Classifiers:

# Install Volatility's Python dependencies
$ sudo pip install openpyxl
$ sudo pip install ujson
$ sudo pip install pycrypto
$ sudo pip install distorm3
$ sudo pip install pytz

# Then install Volatility itself
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility
$ python setup.py build
$ sudo python setup.py install
# Verify the install
$ python vol.py -h

# Install Cuckoo (2.0.6 runs on Python 2.7 only; without sudo, pip puts it under ~/.local, which is where the paths below come from):
$ pip install cuckoo

# Install VirtualBox
$ sudo apt-get install virtualbox
# Start VirtualBox
$ virtualbox
Press Ctrl+G to open the global settings and create a host-only network adapter, vboxnet0 (the host gets 192.168.56.1 on it by default).
The "Allow All" setting is the adapter's Promiscuous Mode; it lives under Advanced in the guest VM's network adapter settings once the VM exists, and it lets the host-side capture see all traffic on vboxnet0, not only frames addressed to the host.

2. Installing the guest
Install a Windows 7 guest in VirtualBox (or import an existing .vdi) and configure its IP address, gateway, subnet mask and DNS by hand:

IP: 192.168.56.101
Subnet mask: 255.255.255.0
Default gateway: 192.168.56.1
DNS: 8.8.8.8, 114.114.114.114

Running Cuckoo

$ cuckoo

The first run fails, but it creates /home/xxx/.cuckoo (the Cuckoo Working Directory) with a set of configuration files. Edit the files in that directory; if any are missing, copy them from /home/xxx/.local/lib/python2.7/site-packages/cuckoo/private/cwd/conf into it and then edit the ones you need. The first run also produces agent.py. Get it onto the guest through an SMB share or a VirtualBox shared folder and place it in C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, renamed to agent.pyw so that it starts without a console window. The agent is a Python script, so Python 2.7 must be installed in the guest before this will work.
Enable automatic logon so that Cuckoo can drive the guest. From Start -> Accessories, open a cmd window with administrator rights and run, in order:

reg add "hklm\software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /d <username> /t REG_SZ /f
reg add "hklm\software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /d <password> /t REG_SZ /f
reg add "hklm\software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /d 1 /t REG_SZ /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /d 0x01 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /d 0x01 /t REG_DWORD /f

Replace <username> and <password> in the first two commands with the guest account's name and password (DefaultPassword is stored in the registry in clear text, which is acceptable only because this VM exists to run malware). Also turn off Windows Update and the Windows Firewall in the guest.
The host and guest should now be able to ping each other, but the guest cannot reach the Internet yet, so enable IP forwarding on the host and NAT the guest's traffic out through the host's uplink.
# Enable IP forwarding

$ sudo -i
$ sysctl -w net.ipv4.ip_forward=1
$ echo 1 > /proc/sys/net/ipv4/ip_forward

# To make this survive a reboot

$ gedit /etc/sysctl.conf

# uncomment the line net.ipv4.ip_forward=1, then reload the file:

sysctl -p /etc/sysctl.conf

Then configure the iptables rules:
# Before adding rules, check with iptables -L whether any firewall rules already exist; in my case a pile of rules for 192.168.122.0/24 had appeared out of nowhere, and I simply deleted them all with sudo iptables -D ...

iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.56.0/24 -o eth0 -j MASQUERADE
# The MASQUERADE rule is restricted to the sandbox subnet leaving via eth0; an unqualified "-j MASQUERADE" would rewrite everything the host forwards. Replace eth0 with the host's real uplink name if it differs (check with ip link).
# To keep the rules across reboots
sudo gedit /etc/network/interfaces
# and add these two lines at the end
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules

With this, the Ubuntu host saves its current iptables rules to /etc/iptables.rules on every shutdown and reloads them from that file on every boot. Save the rule set to that file once by hand (iptables-save as root) before relying on it, otherwise the pre-up step has nothing to restore.
Once this is configured, the guest VM can reach the Internet through vboxnet0.
After one reboot I found this was not taking effect; the cause may be a permissions problem.
First su to root, then run:

# iptables-restore < /etc/iptables.rules
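
The host-side part of this procedure (IP forwarding plus the FORWARD and MASQUERADE rules, and the question of whether they are still there after a reboot) is easy to check mechanically. The script below is an added example, not code from this post or from Cuckoo: render_rules() produces the rule set in iptables-restore format, with MASQUERADE limited to the sandbox subnet leaving via the uplink and a DROP policy on FORWARD so the host routes nothing else, and check_host() reads iptables-save output together with the sysctl value and reports what is missing or broader than the sandbox needs, including leftover rules for 192.168.122.0/24, which is the address range of libvirt's default NAT network. The interface names (vboxnet0, eth0) and the subnet are assumptions taken from this page; set UPLINK_IF to the host's real uplink.

```python
"""Render and check the host-side forwarding/NAT setup that gives the Cuckoo
guests Internet access via vboxnet0.  Added example, not code from the
original post or from Cuckoo; interface names and the subnet are assumptions
taken from the page (vboxnet0, eth0, 192.168.56.0/24)."""
import subprocess

SANDBOX_NET = "192.168.56.0/24"   # VirtualBox host-only network of the guests
SANDBOX_IF = "vboxnet0"           # host-only adapter on the Ubuntu host
UPLINK_IF = "eth0"                # the interface that leads to the Internet


def render_rules(net=SANDBOX_NET, sandbox_if=SANDBOX_IF, uplink=UPLINK_IF,
                 forward_policy="DROP"):
    """Return an iptables-restore file suitable for /etc/iptables.rules.

    Unlike an unqualified '-j MASQUERADE', the nat rule only rewrites traffic
    from the sandbox subnet leaving through the uplink, and the FORWARD
    policy defaults to DROP so nothing else is routed through the host."""
    return "\n".join([
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD %s [0:0]" % forward_policy,
        ":OUTPUT ACCEPT [0:0]",
        "-A FORWARD -s %s -i %s -o %s -m conntrack --ctstate NEW -j ACCEPT"
        % (net, sandbox_if, uplink),
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "COMMIT",
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A POSTROUTING -s %s -o %s -j MASQUERADE" % (net, uplink),
        "COMMIT",
        "",
    ])


def parse_iptables_save(text):
    """Map table name -> list of '-A ...' rules from iptables-save output."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def check_host(save_text, ip_forward, net=SANDBOX_NET, sandbox_if=SANDBOX_IF,
               uplink=UPLINK_IF):
    """Return a list of findings about the live rule set; an empty list means
    forwarding and NAT are in place and no rule is broader than the sandbox
    needs.  `save_text` is iptables-save output, `ip_forward` the value of
    net.ipv4.ip_forward."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is %s, guests cannot reach %s"
                        % (ip_forward.strip() or "unset", uplink))
    tables = parse_iptables_save(save_text)
    forward = [r for r in tables.get("filter", []) if r.startswith("-A FORWARD ")]
    postrouting = [r for r in tables.get("nat", []) if r.startswith("-A POSTROUTING ")]

    def has(rules, *needles):
        return any(all(n in r for n in needles) for r in rules)

    if not has(forward, "-s %s" % net, "-i %s" % sandbox_if, "-o %s" % uplink,
               "--ctstate NEW", "-j ACCEPT"):
        findings.append("missing FORWARD rule for new connections %s -> %s from %s"
                        % (sandbox_if, uplink, net))
    if not has(forward, "ESTABLISHED", "-j ACCEPT"):
        findings.append("missing FORWARD rule for ESTABLISHED,RELATED return traffic")
    masq = [r for r in postrouting if "-j MASQUERADE" in r]
    if not masq:
        findings.append("missing MASQUERADE rule in the nat table")
    for r in masq:
        if "-s %s" % net not in r or "-o %s" % uplink not in r:
            findings.append("MASQUERADE rule is broader than the sandbox needs: %s" % r)
    # Rules for 192.168.122.0/24 come from libvirt's default NAT network.
    for r in tables.get("filter", []) + tables.get("nat", []):
        if "192.168.122.0/24" in r:
            findings.append("stale libvirt rule still present: %s" % r)
    return findings


if __name__ == "__main__":
    # Live check of this host; iptables-save needs root.
    ip_forward = subprocess.check_output(["sysctl", "-n", "net.ipv4.ip_forward"])
    rules = subprocess.check_output(["iptables-save"])
    problems = check_host(rules.decode(), ip_forward.decode())
    print("\n".join(problems) or "forwarding and NAT are set up for %s" % SANDBOX_NET)
```

Running it as root right after a reboot tells you at once whether the pre-up hook restored the rules; to create /etc/iptables.rules in the first place, write the output of render_rules() to that file and load it with iptables-restore.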

At this point the guest is fully prepared, software and network included. Take a snapshot of the VM and note its name; it goes into the configuration, and Cuckoo restores the guest to this snapshot after every sample. Take it while the agent is running, because that is the state Cuckoo expects when it resumes the machine.

With all configuration files done, start Cuckoo and read its errors and warnings. Expect a tcpdump permission error, a warning about missing signatures, and complaints about libssl, swig and other libraries or third-party tools; install each in turn.
For the tcpdump permission error:

$ sudo apt-get install apparmor-utils
$ sudo aa-disable /usr/sbin/tcpdump

For the signatures warning, download the community signatures and modules:

$ cuckoo community

3. Configuration
vim /home/xxx/.cuckoo/conf/cuckoo.conf

[cuckoo]
# Enable or disable startup version check. When enabled, Cuckoo will connect
# to a remote location to verify whether the running version is the latest
# one available.
version_check = yes

# If turned on, Cuckoo will delete the original file after its analysis
# has been completed.
delete_original = no

# If turned on, Cuckoo will delete the copy of the original file in the
# local binaries repository after the analysis has finished. (On *nix this
# will also invalidate the file called "binary" in each analysis directory,
# as this is a symlink.)
delete_bin_copy = no

# Specify the name of the machinery module to use, this module will
# define the interaction between Cuckoo and your virtualization software
# of choice.
machinery = virtualbox

# Enable creation of memory dump of the analysis machine before shutting
# down. Even if turned off, this functionality can also be enabled at
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = no

# When the timeout of an analysis is hit, the VM is just killed by default.
# For some long-running setups it might be interesting to terminate the
# monitored processes before killing the VM so that connections are closed.
terminate_processes = no

# Enable automatically re-schedule of "broken" tasks each startup.
# Each task found in status "processing" is re-queued for analysis.
reschedule = no

# Enable processing of results within the main cuckoo process.
# This is the default behavior but can be switched off for setups that
# require high stability and process the results in a separate task.
process_results = yes

# Limit the amount of analysis jobs a Cuckoo process goes through.
# This can be used together with a watchdog to mitigate risk of memory leaks.
max_analysis_count = 0

# Limit the number of concurrently executing analysis machines.
# This may be useful on systems with limited resources.
# Set to 0 to disable any limits.
max_machines_count = 0

# Limit the amount of VMs that are allowed to start in parallel. Generally
# speaking starting the VMs is one of the more CPU intensive parts of the
# actual analysis. This option tries to avoid maxing out the CPU completely.
max_vmstartup_count = 10

# Minimum amount of free space (in MB) available before starting a new task.
# This tries to avoid failing an analysis because the reports can't be written
# due out-of-diskspace errors. Setting this value to 0 disables the check.
# (Note: this feature is currently not supported under Windows.)
freespace = 1024

# Temporary directory containing the files uploaded through Cuckoo interfaces
# (api.py and Django web interface). Defaults to the default temporary
# directory of the operating system (e.g., /tmp on Linux). Overwrite the value
# if you'd like to specify an alternative path.
tmppath =

# Path to the unix socket for running root commands.
rooter = /tmp/cuckoo-rooter

[feedback]
# Cuckoo is capable of sending "developer feedback" to the developers so that
# they can more easily improve the project. This functionality also allows the
# user to quickly request new features, report bugs, and get in touch with
# support in general, etc.
enabled = no
name =
company =
email =

[resultserver]
# The Result Server is used to receive in real time the behavioral logs
# produced by the analyzer.
# Specify the IP address of the host. The analysis machines should be able
# to contact the host through such address, so make sure it's valid.
# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
# `resultserver_ip` for all your virtual machines in machinery configuration.
ip = 192.168.56.1

# Specify a port number to bind the result server on.
port = 2042

# Force the port chosen above, don't try another one (we can select another
# port dynamically if we can not bind this one, but that is not an option
# in some setups)
force_port = no

# Maximum size of uploaded files from VM (screenshots, dropped files, log).
# The value is expressed in bytes, by default 128 MB.
upload_max_size = 134217728

[processing]
# Set the maximum size of analyses generated files to process. This is used
# to avoid the processing of big files which may take a lot of processing
# time. The value is expressed in bytes, by default 128 MB.
analysis_size_limit = 134217728

# Enable or disable DNS lookups.
resolve_dns = yes

# Enable PCAP sorting, needed for the connection content view in the web
# interface.
sort_pcap = yes

[database]
# Specify the database connection string.
# NOTE: If you are using a custom database (different from sqlite), you have to
# use utf-8 encoding when issuing the SQL database creation statement.
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:5432/mydatabase
# mysql://foo:bar@localhost/mydatabase
# If empty, defaults to a SQLite3 database at $CWD/cuckoo.db.
connection =

# Database connection timeout in seconds.
# If empty, default is set to 60 seconds.
timeout = 60

[timeouts]
# Set the default analysis timeout expressed in seconds. This value will be
# used to define after how many seconds the analysis will terminate unless
# otherwise specified at submission.
default = 120

# Set the critical timeout expressed in (relative!) seconds. It will be added
# to the default timeout above and after this timeout is hit
# Cuckoo will consider the analysis failed and it will shutdown the machine
# no matter what. When this happens the analysis results will most likely
# be lost.
critical = 60

# Maximum time to wait for virtual machine status change. For example when
# shutting down a vm. Default is 60 seconds.
vm_state = 60

[remotecontrol]
# Enable for remote control of analysis machines inside the web interface.
enabled = no

# Set host of the running guacd service.
guacd_host = localhost

# Set port of the running guacd service.
guacd_port = 4822

vim /home/xxx/.cuckoo/conf/virtualbox.conf

[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui" or "headless". Please refer to VirtualBox's official
# documentation to understand the differences.
mode = headless

# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage
# If you are running Cuckoo on Mac OS X you have to change the path as
# follows:
# path = /Applications/VirtualBox.app/Contents/MacOS/VBoxManage

# Default network interface.
interface = vboxnet0

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo2

# If remote control is enabled in cuckoo.conf, specify a port range to use.
# Virtualbox will bind the VRDP interface to the first available port.
controlports = 5000-5050

[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = cuckoo1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.101

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = cap_2

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface = 

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags =

# Mostly unused for now. Please don't fill it out.
options =

# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile =


[cuckoo2]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = cuckoo2

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.102

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = cap_2

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags =

# Mostly unused for now. Please don't fill it out.
options =

# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile =

[honeyd]
# For more information on this VM please refer to the "services" section of
# the conf/auxiliary.conf configuration file. This machine is a bit special
# in the way that its used as an additional VM for an analysis.
# *NOTE* that if this functionality is used, the VM should be registered in
# the "machines" list in the beginning of this file.
label = honeyd
platform = linux
ip = 192.168.56.102
# The tags should at least contain "service" and the name of this service.
# This way the services auxiliary module knows how to find this particular VM.
tags = service, honeyd
# Not all services actually have a Cuckoo Agent running in the VM, for those
# services one can specify the "noagent" option so Cuckoo will just wait until
# the end of the analysis instead of trying to connect to the non-existing
# Cuckoo Agent. We can't really intercept any inter-VM communication from the
# host / gateway so in order to dump traffic between VMs we have to use a
# different network dumping approach. For this machine we use the "nictrace"
# functionality from VirtualBox (which is basically their internal tcpdump)
# and thus properly dumps inter-VM traffic.
options = nictrace noagent

vim /home/xxx/.cuckoo/conf/reporting.conf

# Enable or disable the available reporting modules [on/off].
# If you add a custom reporting module to your Cuckoo setup, you have to add
# a dedicated entry in this file, or it won't be executed.
# You can also add additional options under the section of your module and
# they will be available in your Python class.

[feedback]
# Automatically report errors that occurred during an analysis. Requires the
# Cuckoo Feedback settings in cuckoo.conf to have been filled out properly.
enabled = no

[jsondump]
enabled = yes
indent = 4
calls = yes

[singlefile]
# Enable creation of report.html and/or report.pdf?
enabled = no
# Enable creation of report.html?
html = yes
# Enable creation of report.pdf?
pdf = yes

[misp]
enabled = no
url =
apikey =

# The various modes describe which information should be submitted to MISP,
# separated by whitespace. Available modes: maldoc ipaddr hashes url.
mode =

[mongodb]
enabled = yes
host = 127.0.0.1
port = 27017
db = cuckoo
store_memdump = yes
paginate = 100
# MongoDB authentication (optional).
username =
password =

[elasticsearch]
enabled = no
# Comma-separated list of ElasticSearch hosts. Format is IP:PORT, if port is
# missing the default port is used.
# Example: hosts = 127.0.0.1:9200, 192.168.1.1:80
hosts = 127.0.0.1
# Increase default timeout from 10 seconds, required when indexing larger
# analysis documents.
timeout = 300
# Set to yes if we want to be able to search every API call instead of just
# through the behavioral summary.
calls = no
# Index of this Cuckoo instance. If multiple Cuckoo instances connect to the
# same ElasticSearch host then this index (in Moloch called "instance") should
# be unique for each Cuckoo instance.
index = cuckoo

# Logging time pattern.  This sets how elasticsearch creates indexes
# by default it is yearly in most instances this will be sufficient
# valid options: yearly, monthly, daily
index_time_pattern = yearly

# Cuckoo node name in Elasticsearch to identify reporting host. Can be useful
# for automation and while referring back to correct Cuckoo host.
cuckoo_node =

[moloch]
enabled = no
# If the Moloch web interface is hosted on a different IP address than the
# Cuckoo Web Interface then you'll want to override the IP address here.
host =
# If you wish to run Moloch in http (insecure) versus https (secure) mode,
# set insecure to yes.
insecure = no

# Following are various configurable settings. When in use of a recent version
# of Moloch there is no need to change any of the following settings as they
# represent the defaults.
moloch_capture = /data/moloch/bin/moloch-capture
conf = /data/moloch/etc/config.ini
instance = cuckoo

[notification]
# Notification module to inform external systems that analysis is finished.
# You should consider keeping this as very last reporting module.
enabled = no

# External service URL where info will be POSTed.
# example : https://my.example.host/some/destination/url
url =  

# Cuckoo host identifier - can be hostname.
# for example : my.cuckoo.host
identifier =

[mattermost]
enabled = no

# Mattermost webhook URL.
# example : https://my.mattermost.host/hooks/yourveryrandomkey
url =

# Cuckoo host URL to make analysis ID clickable.
# example : https://my.cuckoo.host/
myurl =

# Username to show when posting message
username = cuckoo

# What kind of data to show apart from default.
# Show virustotal hits.
show_virustotal = no

# Show matched cuckoo signatures.
show_signatures = no

# Show collected URL-s by signature "network_http".
show_urls = no

# Hide filename and create hash of it
hash_filename = no
# Hide URL and create hash of it
hash_url = no

vim /home/xxx/.cuckoo/conf/auxiliary.conf

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes

# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
tcpdump = /usr/sbin/tcpdump

# We used to define the network interface to capture on in auxiliary.conf, but
# this has been moved to the "interface" field of each Virtual Machinery
# configuration.

# Specify a Berkeley packet filter to pass to tcpdump.
# Note: packer filtering is not possible when using "nictrace" functionality
# from VirtualBox (for example dumping inter-VM traffic).
bpf = 

[mitm]
# Enable man in the middle proxying (mitmdump) [yes/no].
enabled = no

# Specify the path to your local installation of mitmdump. Make sure this
# path is correct.
mitmdump = /usr/local/bin/mitmdump

# Listen port base. Each virtual machine will use its own port to be
# able to make a good distinction between the various running analyses.
# Generally port 50000 should be fine, in this case port 50001, 50002, etc
# will also be used - again, one port per analyses.
port_base = 50000

# Script file to interact with the network traffic. Please refer to the
# documentation of mitmproxy/mitmdump to get an understand of their internal
# workings. (https://mitmproxy.org/doc/scripting/inlinescripts.html)
script = stuff/mitm.py

# Path to the certificate to be used by mitmdump. This file will be
# automatically generated for you if you run mitmdump once. It's just that
# you have to copy it from ~/.mitmproxy/mitmproxy-ca-cert.p12 to somewhere
# in the analyzer/windows/ directory. Recommended is to write the certificate
# to analyzer/windows/bin/cert.p12, in that case the following option should
# be set to bin/cert.p12.
certificate = bin/cert.p12

[services]
# Provide extra services accessible through the network of the analysis VM
# provided in separate, standalone, Virtual Machines [yes/no].
enabled = no

# Comma-separated list with each Virtual Machine containing said service(s).
services = honeyd

# Time in seconds required to boot these virtual machines. E.g., some services
# will only get online after a minute because initialization takes a while.
timeout = 0

[reboot]
# This auxiliary module should be enabled for reboot analysis support.
enabled = yes

vim /home/xxx/.cuckoo/conf/routing.conf

[routing]
# Default network routing mode if none is specified by the user.
# In none mode we don't do any special routing - the VM doesn't have any
# network access (this has been the default actually for quite a while) aside
# from the subnet it exists in.
# In internet mode by default all the VMs will be routed through the network
# interface configured below (the "dirty line").
# And in VPN mode by default the VMs will be routed through the VPN identified
# by the given name of the VPN (as per the VPNs listed in the [vpn] section).
# Note that just like enabling VPN configuration setting this option to
# anything other than "none" requires one to run utils/rooter.py as root next
# to the Cuckoo instance (as it's required for setting up the routing).
route = none

# Network interface that allows a VM to connect to the entire internet, the
# "dirty line" so to say. Note that, just like with the VPNs, this will allow
# malicious traffic through your network. So think twice before enabling it.
# (For example, to use eth0 as dirty line: "internet = eth0").
internet = none

# Routing table name/id for "dirty line" interface. If "dirty line" is
# also default gateway in the system you can leave "main" value. Otherwise add
# new routing table by adding "<id> <name>" line to /etc/iproute2/rt_tables
# (e.g., "200 eth0"). ID and name must be unique across the system (refer to
# /etc/iproute2/rt_tables for existing names and IDs).
rt_table = main

# To route traffic through multiple network interfaces Cuckoo uses
# Policy Routing with separate routing table for each output interface
# (VPN or "dirty line"). If this option is enabled Cuckoo on start will try
# to automatically initialise routing tables by copying routing entries from
# main routing table to the new routing tables. Depending on your network/
# configuration this might not be sufficient. In such case you would need to
# initialise routing tables manually. Note that enabling this option won't
# affect main routing table.
auto_rt = yes

# The drop route basically drops any outgoing network (except for Cuckoo
# traffic) whereas the regular none route still allows a VM to access its own
# subnet (e.g., 192.168.56.1/24). It is disabled by default as it does require
# the optional rooter to run (unlike the none route, where literally nothing
# happens). One can either explicitly enable the drop route or if the rooter
# is enabled anyway, it is automatically enabled.
drop = no

[inetsim]
# Route a VM to your local InetSim setup (could in theory also be any other
# type of web service / etc).
enabled = no
server = 192.168.56.1


[tor]
# Route a VM through Tor, requires a local setup of Tor (please refer to our
# documentation).
enabled = no
dnsport = 5353
proxyport = 9040

[vpn]
# Are VPNs enabled?
enabled = no

# Comma-separated list of the available VPNs.
vpns = vpn0

[vpn0]
# Name of this VPN. The name is represented by the filepath to the
# configuration file, e.g., cuckoo would represent /etc/openvpn/cuckoo.conf
# Note that you can't assign the names "none" and "internet" as those would
# conflict with the routing section in cuckoo.conf.
name = vpn0

# The description of this VPN which will be displayed in the web interface.
# Can be used to for example describe the country where this VPN ends up.
description = Spain, Europe

# The tun device hardcoded for this VPN. Each VPN *must* be configured to use
# a hardcoded/persistent tun device by explicitly adding the line "dev tunX"
# to its configuration (e.g., /etc/openvpn/vpn1.conf) where X in tunX is a
# unique number between 0 and your lucky number of choice.
interface = tun0

# Routing table name/id for this VPN. If table name is used it *must* be
# added to /etc/iproute2/rt_tables as "<id> <name>" line (e.g., "201 tun0").
# ID and name must be unique across the system (refer /etc/iproute2/rt_tables
# for existing names and IDs).
rt_table = tun0

4. Configuring multiple guests for Cuckoo Sandbox
In VirtualBox, clone the guest: choose a full clone and clone all snapshots (and tick the option to reinitialise the MAC address, otherwise the clones share one MAC on vboxnet0). Start the new clone and change its IP address: the original guest is 192.168.56.101, so give the clone 192.168.56.102. If it was not a full clone and C:\agent\agent.py cannot be found, copy the agent folder from the SMB share to C:\, open a cmd window and run: python c:\agent\agent.py. With the agent running, delete the old snapshot and take a new one named Snapshot1.
Edit the configuration file:
vim virtualbox.conf

# Guests: every name listed here must have a matching section below, otherwise Cuckoo will not start
machines = cuckoo0,cuckoo1,cuckoo2,cuckoo3,cuckoo4,cuckoo5,cuckoo6,cuckoo7,cuckoo8
# Add a section for each guest name
[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = cuckoo1

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.101

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = Snapshot1

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags =

# Mostly unused for now. Please don't fill it out.
options =

# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile =
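
The virtualbox.conf edits in sections 3 and 4 are where most mistakes happen: a name in `machines` with no section stops Cuckoo from starting, a label that is not exactly one VirtualBox VM name (such as `label = cuckoo1,cuckoo2`) means VBoxManage cannot find the machine, and two sections sharing an IP (the default honeyd template sits on 192.168.56.102, the same address given to cuckoo2 above) collide as soon as both are in use, because the result server tells guests apart by source address. The script below, an added example for Python 3 that is not code from this post or from the Cuckoo project, generates the file for N clones and checks an existing one, optionally against the VM names VirtualBox reports. The VM names, the IP plan, the snapshot name and the resultserver address are assumptions taken from this page.

```python
"""Generate and sanity-check the [virtualbox] machinery configuration for a
row of cloned guests.  Added example for Python 3, not code from the original
post or from the Cuckoo project; VM names, the IP plan and the snapshot name
are assumptions that follow the page (cuckoo1.. on 192.168.56.101..,
snapshot "Snapshot1", resultserver on 192.168.56.1)."""
import configparser
import io
import re
import sys

SUBNET_PREFIX = "192.168.56."
RESULTSERVER_IP = SUBNET_PREFIX + "1"      # the host's address on vboxnet0
PLATFORMS = ("windows", "darwin", "linux")


def build_virtualbox_conf(count, first_host=101, snapshot="Snapshot1",
                          platform="windows"):
    """Return virtualbox.conf text for guests cuckoo1..cuckooN: one VirtualBox
    label per clone, a unique host-only IP and the snapshot to restore."""
    if count < 1 or first_host + count - 1 > 254:
        raise ValueError("IP plan does not fit into %s0/24" % SUBNET_PREFIX)
    cp = configparser.ConfigParser(interpolation=None)
    names = ["cuckoo%d" % i for i in range(1, count + 1)]
    cp["virtualbox"] = {
        "mode": "headless",
        "path": "/usr/bin/VBoxManage",
        "interface": "vboxnet0",
        "machines": ",".join(names),
        "controlports": "5000-5050",
    }
    for i, name in enumerate(names):
        cp[name] = {
            "label": name,                 # must equal the VM name in VirtualBox
            "platform": platform,
            "ip": "%s%d" % (SUBNET_PREFIX, first_host + i),
            "snapshot": snapshot,
        }
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def vbox_vm_names(list_vms_output):
    """Parse 'VBoxManage list vms' output, one '"name" {uuid}' per line."""
    return set(re.findall(r'^"(.*)" \{[0-9a-f-]+\}$', list_vms_output, re.M))


def validate_virtualbox_conf(text, existing_vms=None):
    """Return the problems that would stop Cuckoo from starting or make every
    analysis on a machine fail; an empty list means the file is consistent.
    `existing_vms` is an optional set of VM names known to VirtualBox."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    if not cp.has_section("virtualbox"):
        return ["no [virtualbox] section"]
    machines = [m.strip() for m in cp["virtualbox"].get("machines", "").split(",")
                if m.strip()]
    if not machines:
        problems.append("machines list is empty")
    for m in machines:
        if not cp.has_section(m):
            problems.append("%s is listed in machines but has no [%s] section" % (m, m))
            continue
        label = cp[m].get("label", "")
        if not label or "," in label or " " in label:
            problems.append("[%s] label must be exactly one VirtualBox VM name, got %r"
                            % (m, label))
        elif existing_vms is not None and label not in existing_vms:
            problems.append("[%s] label %r is not a VM known to VirtualBox" % (m, label))
        if cp[m].get("platform", "") not in PLATFORMS:
            problems.append("[%s] platform must be one of %s" % (m, ", ".join(PLATFORMS)))
    # IPs must be unique across every machine section, listed or not (the
    # honeyd template in the default file also carries an address), and must
    # not be the host's own resultserver address.
    seen = {}
    for section in cp.sections():
        if section == "virtualbox" or not cp.has_option(section, "ip"):
            continue
        ip = cp[section]["ip"]
        if not re.match(r"^\d{1,3}(\.\d{1,3}){3}$", ip):
            problems.append("[%s] ip %r is not an IPv4 address" % (section, ip))
        elif ip == RESULTSERVER_IP:
            problems.append("[%s] ip %s is the host's resultserver address" % (section, ip))
        elif ip in seen:
            problems.append("[%s] ip %s is already used by [%s]" % (section, ip, seen[ip]))
        else:
            seen[ip] = section
    return problems


if __name__ == "__main__":
    # Usage: python3 vbconf.py 9 > ~/.cuckoo/conf/virtualbox.conf
    #        python3 vbconf.py --check ~/.cuckoo/conf/virtualbox.conf
    if len(sys.argv) == 3 and sys.argv[1] == "--check":
        with open(sys.argv[2]) as fh:
            print("\n".join(validate_virtualbox_conf(fh.read())) or "ok")
    else:
        sys.stdout.write(build_virtualbox_conf(int(sys.argv[1])))
```

To also confirm that every label is a real VM, pass the parsed output of `VBoxManage list vms` as existing_vms; the generated file deliberately contains only the keys Cuckoo reads, so the optional comment-heavy template keys (resultserver_ip, tags, osprofile) stay at their defaults.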

5. Test results
Guests   Samples   Time window (hh:mm–hh:mm)   Elapsed (min)   Avg. per sample per guest (min)
10       100       11:16–12:00                 44              4.4
8        100       12:47–13:31                 44              3.52
6        100       09:18–10:02                 44              2.64
5        100       14:30–15:18                 48              2.4
4        100       12:40–13:34                 54              2.16
2        100       15:20–16:47                 87              1.74
1        100       16:50–19:25                 148             1.48

Guests   Samples   Time window (hh:mm–hh:mm)   Elapsed (min)   Avg. per sample per guest (min)
10       750       15:21–18:31                 190             2.53
6        750       09:37–14:57                 320             2.56
4        750       16:47–23:15                 388             2.07

The last column is elapsed time × guests / samples, i.e. the average time a single guest spends on one sample; overall throughput is samples / elapsed time.
