Author Topic: MRF Questions related permissions and file submissions  (Read 12454 times)

0 Members and 1 Guest are viewing this topic.

June 04, 2017, 02:47:40 PM

camay123

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
MRF Questions related permissions and file submissions
« on: June 04, 2017, 02:47:40 PM »
Good day,

I got questions in regards to MRF.

1- I installed MRF on a internet facing VPS and it seems to be wide open from the get go. Anybody could register/create account. It confuse me, as I tought this would be a private repo, is it intended to be wide open ?

2- Regarding this article : http://www.adlice.com/catch-malware-with-your-own-honeypot-v2/#

It is mentionned: "The payload has also been sent automatically to our malware repository"

Any guidance can be provided on HOW to do this ?

Reply #1June 04, 2017, 04:21:37 PM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: MRF Questions related permissions and file submissions
« Reply #1 on: June 04, 2017, 04:21:37 PM »
Hey :)
This is the documentation, as reference: http://www.adlice.com/documentation/mrf/documentation/

1 - The usage really depends on you. Most of the time, index.php is private (in pages settings, for admin) to prevent unregistered users to access the repo. If you want to lock down registration, just put "register.php" as private too. People will be redirected to login page when they try to access it.

2 - To submit samples to your repo, you'll need to use the API "uploadfiles": http://www.adlice.com/documentation/mrf/documentation/#api

Hope that helps :)

Reply #2June 08, 2017, 03:31:43 AM

camay123

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: MRF Questions related permissions and file submissions
« Reply #2 on: June 08, 2017, 03:31:43 AM »
Yes, that helps a bit.

Would it be possible to post sample config file for dionaea as example ?

Where are the logs so i can troubleshoot problems with submissions via api ? apache access log ?

Is it possible to choose which virustotal vendor result get displayed in the mrf repo ?

Is it possible to disable the download of malware from the md5 link in the repo ?

thanks for your time.

« Last Edit: June 08, 2017, 04:12:56 AM by camay123 »

Reply #3June 10, 2017, 02:34:51 PM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: MRF Questions related permissions and file submissions
« Reply #3 on: June 10, 2017, 02:34:51 PM »
Hello,
Dionaea just uses an upload script (see store.py modification here: http://www.adlice.com/catch-malware-with-your-own-honeypot-v2/)
that will send the payloads to your MRF server.

This is the script we are using (redacted, use your own creds)

Code: [Select]
#!/usr/bin/python
import hashlib
import json
import os
import logging
import requests

# Parameters, don't forget to modify
apikey      = "your_token"
host        = "mrf.yourserver.com"
urlserver   = "http://mrf.yourserver.com/api.php?action=uploadfiles"

def post_multipart(host, selector, fields, files):
    headers = {'user-agent': 'Dionaea honeypot'}
    r = requests.post(selector, headers=headers, data=fields, files=files)

def file_md5(fname):
    hash_md5 = hashlib.md5()
    with open(fname, "rb") as f:
        for chunk in iter(lambda: f.read(4096), b""):
            hash_md5.update(chunk)
    return hash_md5.hexdigest()
   
def UploadFile(pl):                 
    md5 = file_md5(pl)
    filename = os.path.basename(pl)

    files_data = [{"index":0, "vtsubmit":True, "cksubmit":False, "tags":"honeypot"}]
    parameters = {"hash": md5, "comment": "", "token": apikey, "files_data": json.dumps(files_data)}

    # Send file to server API
    with open(pl, 'rb') as f:
        files = {filename: f}
        post_multipart(host, urlserver, parameters, files)

Reply #4June 10, 2017, 02:37:28 PM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: MRF Questions related permissions and file submissions
« Reply #4 on: June 10, 2017, 02:37:28 PM »
Quote
Where are the logs so i can troubleshoot problems with submissions via api ? apache access log ?
Apache logs, yes.
Code: [Select]
/var/log/apache2/error.log
/var/log/apache2/access.log

Quote
Is it possible to choose which virustotal vendor result get displayed in the mrf repo ?
Not yet. You can edit VirusTotal.php if you want, we will put that into the next version.

Quote
Is it possible to disable the download of malware from the md5 link in the repo ?
Yes, just remove "Downloader" permission from the user

Reply #5June 10, 2017, 02:38:19 PM

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 957
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: MRF Questions related permissions and file submissions
« Reply #5 on: June 10, 2017, 02:38:19 PM »
Just so you know, we are selling support for MRF :p
https://shop.adlice.com/product/mrf-premium/

Reply #6June 10, 2017, 05:26:10 PM

camay123

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: MRF Questions related permissions and file submissions
« Reply #6 on: June 10, 2017, 05:26:10 PM »
Just so you know, we are selling support for MRF :p
https://shop.adlice.com/product/mrf-premium/

Yup, I know, but not ready to pay 12 months in advance for testing the product.

So far, my only concern is to get an uploader working to have a proof of concept working.

thank you for the script also. ;)
« Last Edit: June 10, 2017, 06:06:37 PM by camay123 »