Topic: MRF Questions related permissions and file submissions

June 04, 2017, 02:47:40 PM

camay123
Good day,

I have questions in regard to MRF.

1- I installed MRF on an internet-facing VPS and it seems to be wide open from the get-go. Anybody could register/create an account. It confuses me, as I thought this would be a private repo. Is it intended to be wide open?

2- Regarding this article: http://www.adlice.com/catch-malware-with-your-own-honeypot-v2/#

It is mentioned: "The payload has also been sent automatically to our malware repository"

Can any guidance be provided on HOW to do this?

Reply #1, June 04, 2017, 04:21:37 PM

Tigzy (Administrator; Owner, Adlice Software)
Hey :)
This is the documentation, as reference: http://www.adlice.com/documentation/mrf/documentation/

1 - The usage really depends on you. Most of the time, index.php is private (in pages settings, for admin) to prevent unregistered users from accessing the repo. If you want to lock down registration, just put "register.php" as private too. People will be redirected to the login page when they try to access it.

2 - To submit samples to your repo, you'll need to use the API "uploadfiles": http://www.adlice.com/documentation/mrf/documentation/#api

Hope that helps :)
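
A way to verify the lock-down described in the reply above, added here as an example (it is not part of the original post and not MRF code). It assumes a private page answers an unauthenticated request with an HTTP redirect whose Location contains "login"; the base URL is a placeholder.

```python
import urllib.request
import urllib.error

# Pages named in the reply above.
PAGES = ("index.php", "register.php")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; urllib then raises HTTPError for the 3xx

def classify(status, location):
    """Return 'private', 'open' or 'error' for one unauthenticated response."""
    # Assumption: a private page redirects to a URL containing "login".
    if 300 <= status < 400 and "login" in (location or "").lower():
        return "private"
    if status == 200:
        return "open"    # served without a session; confirm by viewing the page
    return "error"       # 4xx/5xx or a redirect elsewhere: inspect by hand

def http_fetch(url):
    """Fetch without cookies and without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def audit(base_url, pages=PAGES, fetch=http_fetch):
    """Map each page to its classification; fetch is injectable for offline use."""
    base = base_url.rstrip("/")
    return {p: classify(*fetch(base + "/" + p)) for p in pages}

def exposed(results):
    """Pages that are not confirmed private."""
    return sorted(p for p, state in results.items() if state != "private")

if __name__ == "__main__":
    results = audit("http://mrf.yourserver.com")  # placeholder host
    for page, state in sorted(results.items()):
        print("%-14s %s" % (page, state))
    raise SystemExit(1 if exposed(results) else 0)
```

Run it from a machine with no MRF session after changing the page settings; a non-zero exit code means at least one page was not confirmed private.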

Reply #2, June 08, 2017, 03:31:43 AM

camay123
Yes, that helps a bit.

Would it be possible to post a sample config file for dionaea as an example?

Where are the logs so I can troubleshoot problems with submissions via the API? Apache access log?

Is it possible to choose which VirusTotal vendor results get displayed in the MRF repo?

Is it possible to disable the download of malware from the md5 link in the repo?

Thanks for your time.

« Last Edit: June 08, 2017, 04:12:56 AM by camay123 »

Reply #3, June 10, 2017, 02:34:51 PM

Tigzy
Hello,
Dionaea just uses an upload script (see store.py modification here: http://www.adlice.com/catch-malware-with-your-own-honeypot-v2/)
that will send the payloads to your MRF server.

This is the script we are using (redacted, use your own creds)

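Code:
#!/usr/bin/python
import hashlib
import json
import os
import logging
import requests

# Parameters, don't forget to modify
apikey      = "your_token"
host        = "mrf.yourserver.com"
# The token travels in the POST body; use https:// here if your server has TLS
urlserver   = "http://mrf.yourserver.com/api.php?action=uploadfiles"

def post_multipart(host, selector, fields, files):
    # host is not needed by requests (kept for the existing call signature);
    # selector is the full API URL
    headers = {'user-agent': 'Dionaea honeypot'}
    r = requests.post(selector, headers=headers, data=fields, files=files, timeout=60)
    # Report HTTP-level failures so broken submissions can be troubleshot
    if r.status_code != 200:
        logging.warning("MRF upload failed: HTTP %d", r.status_code)
    return r

def file_md5(fname):
    # Hash in 4 KB chunks so large payloads are not read into memory at once
    hash_md5 = hashlib.md5()
    with open(fname, "rb") as f:
        for chunk in iter(lambda: f.read(4096), b""):
            hash_md5.update(chunk)
    return hash_md5.hexdigest()

def UploadFile(pl):
    md5 = file_md5(pl)
    filename = os.path.basename(pl)

    # One entry per uploaded file: submit to VirusTotal, tag as "honeypot"
    files_data = [{"index":0, "vtsubmit":True, "cksubmit":False, "tags":"honeypot"}]
    parameters = {"hash": md5, "comment": "", "token": apikey, "files_data": json.dumps(files_data)}

    # Send file to server API
    with open(pl, 'rb') as f:
        files = {filename: f}
        return post_multipart(host, urlserver, parameters, files)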

Reply #4, June 10, 2017, 02:37:28 PM

Tigzy
Quote
Where are the logs so i can troubleshoot problems with submissions via api ? apache access log ?
Apache logs, yes.
Code:
/var/log/apache2/error.log
/var/log/apache2/access.log

Quote
Is it possible to choose which virustotal vendor result get displayed in the mrf repo ?
Not yet. You can edit VirusTotal.php if you want, we will put that into the next version.

Quote
Is it possible to disable the download of malware from the md5 link in the repo ?
Yes, just remove the "Downloader" permission from the user.
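
For troubleshooting submissions from the access log mentioned above, here is an added example (not part of the original posts and not MRF code) that summarizes requests to the upload endpoint and flags uploads that did not come from the honeypot script. It assumes Apache's "combined" log format; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: access.log uses Apache's "combined" LogFormat.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

UPLOAD_PATH = "/api.php?action=uploadfiles"   # endpoint used by the script
HONEYPOT_UA = "Dionaea honeypot"              # user-agent the script sends

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = """\
203.0.113.10 - - [08/Jun/2017:03:40:01 +0000] "POST /api.php?action=uploadfiles HTTP/1.1" 200 87 "-" "Dionaea honeypot"
203.0.113.10 - - [08/Jun/2017:03:41:12 +0000] "POST /api.php?action=uploadfiles HTTP/1.1" 413 339 "-" "Dionaea honeypot"
198.51.100.7 - - [08/Jun/2017:03:42:00 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2017:03:43:30 +0000] "POST /api.php?action=uploadfiles HTTP/1.1" 200 64 "-" "curl/7.52.1"
"""

def upload_requests(lines):
    """Yield parsed fields for every POST to the upload endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith(UPLOAD_PATH):
            yield m.groupdict()

def summarize(lines):
    """Return (count per status, failed uploads, uploads from other clients)."""
    by_status, failed, foreign = Counter(), [], []
    for hit in upload_requests(lines):
        by_status[hit["status"]] += 1
        # HTTP-level status only: the API's own answer is in the response
        # body, which the access log does not record.
        if not hit["status"].startswith("2"):
            failed.append((hit["ts"], hit["status"]))
        if hit["ua"] != HONEYPOT_UA:
            foreign.append((hit["ip"], hit["ua"]))
    return dict(by_status), failed, foreign

if __name__ == "__main__":
    try:
        with open("/var/log/apache2/access.log") as fh:
            lines = fh.readlines()
    except OSError:
        lines = SAMPLE.splitlines()   # fall back to the constructed sample
    print(summarize(lines))
```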

Reply #5, June 10, 2017, 02:38:19 PM

Tigzy
Just so you know, we are selling support for MRF :p
https://shop.adlice.com/product/mrf-premium/

Reply #6, June 10, 2017, 05:26:10 PM

camay123
Quote
Just so you know, we are selling support for MRF :p
https://shop.adlice.com/product/mrf-premium/

Yup, I know, but not ready to pay 12 months in advance for testing the product.

So far, my only concern is to get an uploader working to have a proof of concept working.

Thank you for the script also. ;)
« Last Edit: June 10, 2017, 06:06:37 PM by camay123 »