Help to make mrf useable

[ashkan]

Hello,

Recently i deploy mrf on ubuntu 16.04 on php 7.01 and facing lot's of problem till i install some additional php package and some of it slove. now i have some problem and question.

Question & Error
1- does crone check virustotal api for find if file is malicious or not? now virustotal api answer 4 file every min and new apiv2. please update it.
2-i have 2 tb malware is there any python script that i can run in malware folder and all malware send to mrf?
3- my page is redirect to ip/index.php not to ip/mrf/index.php which line of config file should i change?
4- when i want to upload big file i face error for php.ini i use ; for maxfilesize but it's not correct. any idea.?
5-when i upload file i face this error "upload results in empty"
6- could you make a time period for download malware sample for example download file from 2017/01/01 to 2017/02/01 and add this functionality to api too.
7- please add socks or http proxy for query from virustotal api.
and there is some question i think may be you should test mrf on ubuntu 16.04 with php 7 and update documentation.

Thanks for attention.

[Tigzy]

Hey ashkan

Our live environments are under ubuntu 16.04 + php5. If you can downgrade php until we cover php7 that is fine (it's in our roadmap for next version).
Let me answer question by question below:

1/ Cron indeed looks for missed hashes on VirusTotal. If your API becomes limited at some point it will skip files once you reach the limit (until next cron iteration).
I'm not sure to understand your question regarding VT API v2, we are already using v2.
2/ Yes please look at API documentation, there's a python upload script example. Feel free to reuse and modify: https://www.adlice.com/documentation/mrf/documentation/#api
3/ You need to prepend /mrf to every page in the "leftnav" section and also in "urls/baseurl": https://www.adlice.com/documentation/mrf/documentation/#config
4/ do you have specific error in your apache logs? php.ini would be indeed the place to modify (upload_max_filesize and post_max_size)
5/ same question, do you have any error? Can you show me the config file, especially the "urls/storagePath" ? Make sure this folder exists and is in php available basedir
6/ you can use the search (date field) then bulk select (checkbox in the toolbar) and use "Download ZIP" button (under "Download" multibutton)
7/ can you tell me the purpose of using socks instead of http queries?

Regards,

[ashkan]

Hello again thanks to replay me. some thins is not clear that i'll mention.

1- i upload error log's that may be usefull for finding error.
2- if you make proxy for virustotal we can query to virustotal with different with some account and then we can have more result. bypass limit for qury 4 file per min
3- please change virustotal query. to check hash not send file to vt. it's very important for me to not send every thing to virustotal.
4- i cant upload file more than 10mb i change php.ini and upload_max_filesize and post_max_size and jquery file size upload nothing correct.
5- i config python upload script example and put it at my honeypot folder that malware saved on it. but when i start the python script nothing happen. and there isn't return me any error. so could you help me to sure that's python script work.

thanks

[Tigzy]

Hey ashkan,

1/ As for the errors, if you are still on Apache 7 this is normal. We haven't tried to run it under this version yet, and it probably needs a few fixes.
Also, I see python errors, you are missing some prerequisites: https://www.adlice.com/documentation/mrf/documentation/#install
2/ I don't think they would like it, honestly. If you need a higher API please ask them. They are kind and often give you what you need (if reasonable). Also, unless you have a shared key changing the IP won't give you much queries.
3/ This can be done in the config file: https://www.adlice.com/documentation/mrf/documentation/#config. Check under modules:virustotal:automatic_upload, and turn it off with "false".

Code: [Select]

// True/False, whether you want to automatically upload unknown samples on submission.
// If False, only a check is done, and manual upload is possible later.4/ I'd say this is because of this:

Code: [Select]

[Wed Nov 08 10:59:32.986505 2017] [:error] [pid 7928] [client 5.55.11.38:60619] PHP Warning:  POST Content-Length of 18807099 bytes exceeds the limit of 8388608 bytes in Unknown on line 0, referer: http://[redacted]/mrf/index.phpThey say because of post_max_size: https://stackoverflow.com/questions/11719495/php-warning-post-content-length-of-8978294-bytes-exceeds-the-limit-of-8388608-b
5/ Have you tried to call it directly see if there's an error? It should return something.

[ashkan]

Hello again,
thanks to replay
1- you said "Have you tried to call it directly see if there's an error? It should return something." i set the configuration on "Upload script example" and try to run file like "python upload.py" in bash. how can i run it as standalone python program without call it?

2- you said in configure "To use the cron, enable it in the config file. Then register this file in the cron list (don’t forget to provide a token with enough rights):
http://localhost/cron.php?token=edfe238e15c964e8a8218cf218e43dc1"

what does mean "don’t forget to provide a token with enough rights". could you explain more. should i take this corn php file. in cron.hourly on linux? or call this link "http://localhost/cron.php?token=edfe238e15c964e8a8218cf218e43dc1"

[Tigzy]

1/ Not sure to understand. You can run a python script by just calling "python myscript.py"
If you have a crash or something wrong it will be displayed.

2/ https://www.adlice.com/documentation/mrf/documentation/#deploy
When it says to give users permissions, when you go into Users, and pick one, you can give permissions (Upload, VT checks, etc...)
The cron needs to be having an API key of an user that has all the permissions (admin if you want to keep it simple)