Wednesday, February 29, 2012

Online Malware Analysis Sandbox Comparison

At the end of January, I decided that I wanted to see if malwr.com, which runs the Cuckoo Sandbox, was as good as other online sandboxes.  This would be important information because the Cuckoo Sandbox can be run locally on your own machines as your own personal sandnet.  If it was proven to be as good as the other online sandboxes, then it would be worth setting up our own Cuckoo farm.

First off, this was an unscientific study done by my analysts with some submissions from other participants on the Emerging Threats mailing list.  With fewer than one hundred samples analyzed, it's hardly a significant sample size, but it was enough to give us a good representation of what we should expect for our use case.  The files we submitted were collected from drive-by-download exploit kits in the wild.  See the raw data for Trojan family names, MD5s, and other specific information.  Our scoring was as follows:

-1: Technical failure (web site down, no results of any kind returned, etc.)
0: Error when running
1: Results returned, but no network info
2: Results with network info (DNS, HTTP requests)


What we found was that Malwr.com was essentially just as good as Anubis, which means that it's worth running our own local Cuckoo Sandbox for automated analysis that could be fed by Suricata's new file-extract feature, Bro's file-extract feature, or StreamDB object extractions.
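The rubric above is easy to apply by hand for a handful of samples, but for a sandbox bake-off it is worth scripting the scoring so every report is graded the same way and disagreements between sandboxes jump out. The following is an added example written for this post, not code from the study or from Cuckoo; the report layout it reads (an `error` key for failed runs and a `network` dict with `dns`/`http` lists) is an assumption loosely modelled on a Cuckoo `report.json`, and the sample data and MD5 placeholders are constructed, not the study's raw data.

```python
# Added example: score sandbox reports with the post's rubric and compare
# sandboxes across the same set of samples.  Report layout is assumed.
from collections import defaultdict
from statistics import mean

# Rubric from the post
TECH_FAILURE = -1   # site down / nothing returned
RUN_ERROR = 0       # sandbox ran but errored
NO_NETWORK = 1      # results, but no network info
NETWORK = 2         # results with DNS and/or HTTP info


def score_report(report):
    """Map one sandbox result to the rubric score.

    `report` is None when the service returned nothing at all.
    Otherwise it is a dict with assumed keys: "error" (truthy when the
    run failed) and "network" holding optional "dns" and "http" lists.
    """
    if report is None:
        return TECH_FAILURE
    if report.get("error"):
        return RUN_ERROR
    net = report.get("network") or {}
    if net.get("dns") or net.get("http"):
        return NETWORK
    return NO_NETWORK


def compare(results):
    """results: {sandbox: {sample_id: report}} -> per-sandbox summary."""
    summary = {}
    for sandbox, by_sample in results.items():
        scores = [score_report(r) for r in by_sample.values()]
        counts = defaultdict(int)
        for s in scores:
            counts[s] += 1
        summary[sandbox] = {
            "samples": len(scores),
            "mean": round(mean(scores), 2),
            "network_rate": round(counts[NETWORK] / len(scores), 2),
            "counts": dict(counts),
        }
    return summary


def disagreements(results):
    """Sample ids where the sandboxes did not land on the same score;
    these are the ones worth re-checking by hand."""
    by_sample = defaultdict(dict)
    for sandbox, reports in results.items():
        for sample_id, report in reports.items():
            by_sample[sample_id][sandbox] = score_report(report)
    return {sid: s for sid, s in by_sample.items() if len(set(s.values())) > 1}


# Constructed sample data (not real submissions); ids are placeholders.
SAMPLE_RESULTS = {
    "malwr.com": {
        "md5-placeholder-1": {"network": {"dns": ["c2.example"], "http": []}},
        "md5-placeholder-2": {"network": {"dns": [], "http": []}},
        "md5-placeholder-3": {"error": "analysis failed"},
        "md5-placeholder-4": {"network": {"http": [{"host": "c2.example"}]}},
    },
    "anubis": {
        "md5-placeholder-1": {"network": {"dns": ["c2.example"]}},
        "md5-placeholder-2": None,
        "md5-placeholder-3": {"network": {}},
        "md5-placeholder-4": {"network": {"http": [{"host": "c2.example"}]}},
    },
}

if __name__ == "__main__":
    for sandbox, s in compare(SAMPLE_RESULTS).items():
        print(sandbox, s)
    print("disagreements:", disagreements(SAMPLE_RESULTS))
```

On the constructed data malwr.com averages 1.25 and Anubis 1.0 with the same "network info" rate, and `disagreements()` flags the two samples where one sandbox failed and the other did not, which is exactly where a manual look decides whether the gap is the sandbox or the sample.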

Saturday, February 25, 2012

New ELSA Log Parsers

ELSA is growing!

By popular demand, I've added a number of new parsers to the ELSA repertoire to support parsing fields from the following devices:
 - Fortinet (URL, traffic)
 - Checkpoint
 - Palo Alto (URL, traffic)
 - Barracuda (scan, receive, send)
 - OSSEC Windows logs (automatically appears as class Windows)

Parsed logs will have fields available for ad-hoc reporting and transforms.  For instance, now that srcip and dstip are available, the whois or cif transform can be used with these logs.
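To make the parse-then-transform flow concrete, here is an added example that is not part of ELSA's code or its parser definitions. It parses constructed log lines written in Fortinet's key=value style (the lines are made up, not captured traffic), pulls out `srcip`/`dstip`, runs a transform over them, and produces an ad-hoc count by field the way a report would. The `INTEL` dict is a hypothetical local stand-in for the whois/cif lookup, and `parse_kv` is a plain Python parser rather than ELSA's syslog-ng pattern database.

```python
# Added example: key=value log parsing, a field transform, and an ad-hoc
# report.  Log lines and the intel list are constructed for illustration.
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Fortinet-style key=value syntax
SAMPLE_LOGS = [
    'date=2012-02-25 time=10:01:02 devname=fw1 type=traffic subtype=forward '
    'srcip=10.0.0.5 srcport=51234 dstip=198.51.100.7 dstport=443 proto=6 action=accept',
    'date=2012-02-25 time=10:01:03 devname=fw1 type=utm subtype=webfilter '
    'srcip=10.0.0.9 dstip=203.0.113.20 hostname="bad.example" url="/dl/setup.exe" action=blocked',
    'date=2012-02-25 time=10:01:04 devname=fw1 type=traffic subtype=forward '
    'srcip=10.0.0.5 srcport=51240 dstip=203.0.113.20 dstport=80 proto=6 action=accept',
]

# key=value pairs; values may be double-quoted (and then may contain spaces)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Turn one key=value line into a dict of named fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


# Hypothetical local indicator list standing in for a whois/cif transform
INTEL = {"203.0.113.20": "constructed-test-indicator"}


def enrich(fields):
    """Transform step: annotate srcip/dstip with address class and intel hit."""
    out = dict(fields)
    for key in ("srcip", "dstip"):
        if key in fields:
            ip = ipaddress.ip_address(fields[key])
            out[key + "_private"] = ip.is_private
            out[key + "_intel"] = INTEL.get(fields[key])
    return out


def report(lines, field):
    """Ad-hoc report: count parsed+enriched records by the value of `field`."""
    return Counter(enrich(parse_kv(l)).get(field) for l in lines)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(enrich(parse_kv(line)))
    print(report(SAMPLE_LOGS, "dstip"))
    print(report(SAMPLE_LOGS, "dstip_intel"))
```

Because the parser produces named fields rather than raw text, the same transform applies unchanged to any class that exposes `srcip` and `dstip`, which is what the new ELSA classes buy you.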

In order to use these classes, you will need to uncomment the class definitions in the node/conf/schema.sql file and manually do an INSERT of those classes.  This is to prevent those of us who do not have these devices from having a cluttered menu.  In the future, I'm hoping to have a much nicer way of administrating which classes are visible.

I've also added an updated syslog-ng.conf file which should handle Cisco device logs much better with the varied types of timestamps they send.

Lastly, I've updated the ELSA online documentation to show how to create your own parsers.

As always, if you have any questions or problems with ELSA, please let us know on the ELSA mailing list.