Cuckoobox sandbox supports MAEC-1.1

Cuckoobox sandbox supports MAEC-1.1

jose nazario
at my suggestion, the cuckoobox (free Windows EXE sandbox) author has incorporated MAEC-1.1 as output. here's an example run:


thought folks may find that useful and interesting. 

_____
Jose Nazario, Ph.D.
Manager of Security Research, Arbor Networks
[hidden email]


RE: Cuckoobox sandbox supports MAEC-1.1

Kirillov, Ivan A.

That’s great! Thanks for the suggestion, Jose, much appreciated. It would be cool to see MAEC 2.0 output in the near future – I’ll contact the cuckoobox folks to see if I can help out in any way.

On a similar topic, we’ll be publicly releasing a number of sandbox translator tools in the near future, for converting into MAEC 2.0. Currently we have translators slated for ThreatExpert, Anubis, GFI Sandbox, and FireEye. Let us know if there are others that we should look at. Of course, native output is preferable, and we expect to make some inroads in this regard this year :)

Regards,

Ivan

Ivan Kirillov
MAEC Working Group
The MITRE Corporation

From: [hidden email] [mailto:[hidden email]] On Behalf Of jose nazario
Sent: Friday, January 27, 2012 10:10 AM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: Cuckoobox sandbox supports MAEC-1.1

Re: Cuckoobox sandbox supports MAEC-1.1

Riley Porter
Wow, thanks Jose! Funny thing is, I just started working on MAEC support myself! I am so glad I saw this.

As far as 2.0 goes, I too would be willing to help with this. If there is an official effort (or unofficial), please count me in. Task away...

Riley

On Fri, Jan 27, 2012 at 10:17 AM, Kirillov, Ivan A. <[hidden email]> wrote:

Re: Cuckoobox sandbox supports MAEC-1.1

Alessandro Tanasi
Good morning,

Some days ago we published[1] the implementation for the Metadata Sharing namespace only, in Cuckoo's development branch[2]. MAEC report support is not yet committed and is still under development, as you can see from the example posted by Jose.
That one was a proof of concept; I am still working on a full-featured MAEC module and I will probably commit it in a few days.

Both the full-featured MAEC report and the metadata sharing report will be included in the next stable release.
Regarding switching to 2.0, we'll probably start working on it just after the full MAEC 1.1 support, on which we have worked a lot for months, is released.

Our MAEC implementation is unofficial, but if someone wants to help, with any kind of feedback, suggestion or code, it's welcome.

[1] http://blog.cuckoobox.org/2012/01/25/maec-flies-with-cuckoo/
[2] https://github.com/cuckoobox/cuckoo/tree/unstable

Regards,
Alessandro `jekil` Tanasi
[hidden email]

RE: Cuckoobox sandbox supports MAEC-1.1

Kirillov, Ivan A.
Thanks Alessandro - I quite look forward to seeing MAEC output in Cuckoo. After a brief glance, it looks like you're using the MAEC v1.1 Python bindings created with generateDS; I'm actually in the process of creating these bindings for MAEC 2.0, so hopefully you'll be able to plug them in and use them without too much hassle. Either way, I'll definitely provide comments/feedback and will try to help out in any way I can.

Regards,
Ivan

Ivan Kirillov
MAEC Working Group
The MITRE Corporation

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Alessandro Tanasi
Sent: Saturday, January 28, 2012 9:09 AM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: Re: Cuckoobox sandbox supports MAEC-1.1