Need Advice on Cron Job

[RazorBurn]

Ive successfully deployed MRF on WSL in Windows 10 64 bit Fall Creators update..



Problem is with my huge collection around 1TB of malware. and with only public API key for Virustotal, Im limited to 4 queries per minute.. A lot of sample have no VT scan results and had to manualy click the VT scan button with missing VT scan results..

Is their a command to invoke VT scan query for missing results for some samples, or if possible, give me the steps for Cron job, the Docs about cron in the Documentation is not sufficient..

[RazorBurn]

Sry, found a way to invoke cron using

Code: [Select]

http://localhost/mrf/cron.php?token=edfe238e15c964e8a8218cf218e43dc1
Problem is its only doing the Cuckoo Analysis



Would it be possible to skip the Cuckoo analysis as I dont have Cuckoo running yet..

[Tigzy]

Hello,
Can you show me the config file sections for VirusTotal and Cuckoo (please redact your API key !)

Thanks,

[RazorBurn]

Code: [Select]

"cuckoo" => array(
"enabled" => True,
"class" => "Cuckoo",
"priority" => 10,
"api_base_url" => 'http://localhost:8090/',
"web_base_url" => 'http://localhost:8000/',
"scan" => array(
//"package" => "",    // uncomment to use
//"timeout" => "",    // uncomment to use
//"priority" => 3,    // 1 to 3, uncomment to use
//"options" => "",    // uncomment to use
//"machine" => "",    // uncomment to use
//"platform" => "",   // uncomment to use
//"tags" => "mrf",       // uncomment to use
//"custom" => "",     // uncomment to use
//"owner" => "",      // uncomment to use
//"memory" => False   // uncomment to use
),
"scan_optional" => array(
//"options" => [ "option1", "option2" ],    // uncomment to use
)
),
"virustotal" => array(
"enabled" => True,
"class" => "VirusTotal",
"priority" => 10,
"key" => 'My Secret Key',
"automatic_upload" => True,
"comment_uploaded" => array(
"enabled" => False, // If true, files uploaded (new analysis) will be commented upon completion
"comment" => "Some comment you want to put in VirusTotal"
),
"vendors_priority" => array( // List of vendors as seen in the VT API, the first one detecting will give its threat name to the sample
"Kaspersky",
"Microsoft",
"BitDefender",
"DrWeb ",
                "Symantec",
                "Ikarus",
"ESET-NOD32"
)
)
A small suggestion, Can the binary storage be Segmented by the First 2 to 3 Chars of SHA1 of MD5 like Viper do? Having 200k to 300k files in one folder is bad for slow HDD.. Also, can you put the Vendor name used for the Threat Name?



Also can someone who studies malware as a hobby can have lower subcription? $50 a month is too much for me.. When all is well and MRF, Cuckoo, and Viper working well together, I'll be deploying this to a Linux 2U rack and Subscibe if the price is reasonable for me..

[Tigzy]

Ok, if you want to disable Cuckoo:
"enabled" => False,

With that switched off, can you tell me if cron catches any VirusTotal update?

A small suggestion, Can the binary storage be Segmented by the First 2 to 3 Chars of SHA1 of MD5 like Viper do? Having 200k to 300k files in one folder is bad for slow HDD..

Good idea.

Also, can you put the Vendor name used for the Threat Name?

The AV product name? It's quite hard because the threat name can be edited, and thus we'll loose that information

Also can someone who studies malware as a hobby can have lower subcription? $50 a month is too much for me.. When all is well and MRF, Cuckoo, and Viper working well together, I'll be deploying this to a Linux 2U rack and Subscibe if the price is reasonable for me..

A new major version will be released first quarter 2018, we planned to change that pricing a little bit to take in account such issues, thanks for asking.

[RazorBurn]

Disabling Cuckoo in config.php gives blank results..

[Tigzy]

Hey,
Do you have apache errors when doing so?

[RazorBurn]

from

Code: [Select]

/var/log/apache2/error.log
Cuckoo Enabled in config.php

Code: [Select]

[Sun Jan 14 00:50:41.748166 2018] [mpm_prefork:notice] [pid 67] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
[Sun Jan 14 00:50:41.748370 2018] [core:notice] [pid 67] AH00094: Command line: '/usr/sbin/apache2'
[Sun Jan 14 00:54:10.804327 2018] [:error] [pid 72] [client 127.0.0.1:62320] PHP Notice:  Only variables should be passed by reference in /var/www/html/mrf/src/modules/cuckoo.php on line 25
[Sun Jan 14 00:54:22.994554 2018] [:error] [pid 544] [client 127.0.0.1:62330] PHP Notice:  Only variables should be passed by reference in /var/www/html/mrf/src/modules/cuckoo.php on line 25, referer: http://localhost/mrf/index.php
[Sun Jan 14 00:54:25.060991 2018] [:error] [pid 544] [client 127.0.0.1:62330] PHP Notice:  Only variables should be passed by reference in /var/www/html/mrf/src/modules/cuckoo.php on line 25, referer: http://localhost/mrf/index.php

Cuckoo disabled in config.php

Code: [Select]

[Sun Jan 14 00:58:33.989768 2018] [mpm_prefork:notice] [pid 612] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
[Sun Jan 14 00:58:33.990017 2018] [core:notice] [pid 612] AH00094: Command line: '/usr/sbin/apache2'
[Sun Jan 14 00:58:37.802995 2018] [:error] [pid 619] [client 127.0.0.1:62375] PHP Deprecated:  Methods with the same name as their class will not be constructors in a future version of PHP; floIcon has a deprecated constructor in /var/www/html/mrf/src/lib/ico/floIcon.php on line 222
[Sun Jan 14 00:58:37.803371 2018] [:error] [pid 619] [client 127.0.0.1:62375] PHP Deprecated:  Methods with the same name as their class will not be constructors in a future version of PHP; floIconImage has a deprecated constructor in /var/www/html/mrf/src/lib/ico/floIcon.php on line 356

Thanks for looking into it.. Then again this is running on Windows Subsystem for Linux on Windows 10 build 1709 x64bit.. Can't find any fault aside from this one, even Cuckoo running on a separate system is working fine.. Disabled the Cuckoo cause I have some few problems with it connecting the VM to the Host, but thats a problem I have to resolve within Cuckoo, but Cuckoo part in MRF is working fine..

[Tigzy]

Hey, are you running PHP7?
Just checking because it's not supported yet.

[RazorBurn]

 

Hey, are you running PHP7?
Just checking because it's not supported yet.

Might be that.. but php7 is the default php in WSL Ubuntu 16.04.03.. Well try to downgrade to PHP5 and test..

[Tigzy]

Yes but it wasn't tested yet. We know some people got error with it, so it's not surprising.
It's scheduled though, will be in next version. We'll also consider publishing a Docker image

[RazorBurn]

Yes but it wasn't tested yet. We know some people got error with it, so it's not surprising.
It's scheduled though, will be in next version. We'll also consider publishing a Docker image

Thanks, Docker Image is huge + for me. Save me time setting up MRF. Focusing instead in Cuckoo, Viper, & other tools.

[RazorBurn]

Any Idea how to use the virustotalscan API in MRF. A sample script maybe like the upload script examle  in MRF documentation.

Code: [Select]

POST
http://localhost/api.php?token=my_token&action=virustotalscan
parameters:
hash=the_md5
return data: HTTP code 200 if success
Limiting to only 4 request per minute for VT Public API..

[Tigzy]

Hey, I guess something like this should work (untested)

Code: [Select]

import json
import os
import requests
 
# Parameters, don't forget to modify
apikey      = "your_token"
host        = "mrf.yourserver.com"
urlserver   = "http://mrf.yourserver.com/api.php?action=virustotalscan"
md5         = "the_md5_of_the_file_already_uploaded"
 
def post_multipart(host, selector, fields):
    headers = {'user-agent': 'Dionaea honeypot'}
    r = requests.post(selector, headers=headers, data=fields)
   
def ScanFile():                 
    parameters = {"hash": md5}
    post_multipart(host, urlserver, parameters)