I had a heck of a time getting a Cuckoo sandbox running, and below I hope to help you get one up and running relatively quickly by detailing out the steps and gotchas I stumbled across along the way. I mention this in the references at the end of this gist, but what you see here is heavily influenced by this article from Nviso
| /etc/logstash/logstash.conf : | |
| # We handle the syslog part of the Cisco PIX/ASA messages | |
| grok { | |
| tags => "cisco-fw" | |
| patterns_dir => "/etc/logstash/patterns" | |
| pattern => "^<%{POSINT:syslog_pri}>(?:(%{TIMESTAMP_ISO8601:timestamp8601} |%{CISCOTIMESTAMP:timestamp} ))?%{SYSLOGHOST:logsource}?[ :]+%{GREEDYDATA:syslog_message}" | |
| } | |
| syslog_pri { | |
| tags => "cisco-fw" |
| def extract_values(obj, key): | |
| """Recursively pull values of specified key from nested JSON.""" | |
| arr = [] | |
| def extract(obj, arr, key): | |
| """Return all matching values in an object.""" | |
| if isinstance(obj, dict): | |
| for k, v in obj.items(): | |
| if isinstance(v, (dict, list)): | |
| extract(v, arr, key) |
| import os | |
| import binascii | |
| from array import array | |
| from unicorn import * | |
| from unicorn.x86_const import * | |
| import string | |
| import itertools | |
| import pexpect | |
| ''' | |
| This is an example of how to send data to Slack webhooks in Python with the | |
| requests module. | |
| Detailed documentation of Slack Incoming Webhooks: | |
| https://api.slack.com/incoming-webhooks | |
| ''' | |
| import json | |
| import requests |
| import paramiko | |
| import time | |
| import re | |
| bastion_ip='ip' | |
| bastion_pass='pass' | |
| ssh = paramiko.SSHClient() | |
| ssh.set_missing_host_key_policy( paramiko.AutoAddPolicy() ) | |
| ssh.connect(bastion_ip, username='root', password=bastion_pass) |
apt-get install python-nmap
| # Something in lines of http://stackoverflow.com/questions/348630/how-can-i-download-all-emails-with-attachments-from-gmail | |
| # Make sure you have IMAP enabled in your gmail settings. | |
| # Right now it won't download same file name twice even if their contents are different. | |
| import email | |
| import getpass, imaplib | |
| import os | |
| import sys | |
| detach_dir = '.' |
| #!/usr/bin/env python | |
| import socket | |
| from multiprocessing import Process, Queue | |
| import time | |
| import argparse | |
| """ | |
| Tools to scan network from python. | |
| Mostly taken from stack overflow and mixed together. |
| 000000 Officially Xerox | |
| 000001 SuperLAN-2U | |
| 000002 BBN (was internal usage only, no longer used) | |
| 000003 XEROX CORPORATION | |
| 000004 XEROX CORPORATION | |
| 000005 XEROX CORPORATION | |
| 000006 XEROX CORPORATION | |
| 000007 XEROX CORPORATION | |
| 000008 XEROX CORPORATION | |
| 000009 powerpipes? |