Skip to content

Home

Jump to bottom
P4T12ICK edited this page Apr 30, 2018 · 5 revisions

Welcome to the ypsilon wiki!

Cuckoo in combination with VirtualBox is used to analyze the malware and test the use cases. The Cuckoo environment consists of analysis virtual machine, which will be infected by malware, and a SIEM virtual machine, which collects the logs and triggers the use cases. In the moment, only Splunk is supported as SIEM solution but supporting further SIEMs such as ELK is planned. Sigma is used as the generic description language for SIEM solutions. Ansible is the heart of the Ypsilon project. Ansible controls the use case testing process consisting of the following steps:

  • Generating a Splunk or ELK (planned) Use Case from the generic Sigma description language by using a Sigma converter.
  • Preparing VirtualBox and Cuckoo
  • Submitting a malware to Cuckoo
  • Trigger the Use Case
  • Revert the virtual machines to a snapshot
  • Generate a report (in development)

In order to use the Ypsilon project, the following tools needs to be configured: Ansible Cuckoo VirtualBox Sigma Splunk

Ubuntu was used as operating system for the host machine. The tools Ansible, Cuckoo, VirtualBox and Sigma are installed on the host machine. The virtual environment controlled by VirtualBox consists of an analysis virtual machine and a SIEM virtual machine. The analysis VM is a windows machine and CentOS is used for the SIEM virtual machine. I suggest to use the same operating systems to ensure the best possible compatibility. Of course other operating systems could be used with adaption of the configuration and/or the Ansible playbook.

As already explained, the heart of the project is Ansible. Therefore a lot of configurations needs to be done in group_vars/all.yml:

  • ansible_user: User, which runs Ansible.
  • ypsilon_path: Path to the ypsilon project.
  • path_to_report_folder: Report folder in which the reports are stored.
  • sigma_rule_name: Name of the sigma rule.
  • sigma_rule_path: Path to the sigma rule.
  • sigma_converter_path: Path to the sigma converter.
  • SIEM_target: SIEM target with possible values: splunk or elk
  • target_ip_address: IP address of the SIEM VM.
  • vm_name: Name of the SIEM VM.
  • snapshot: Snapshot of the SIEM VM to revert before test.
  • malware_path: Path to the malware. All tested malware needs to be in the same folder.
  • malware_array: Array of malware names.
  • malware_extension: Malware extension, e.g. .zip
  • log_level: log level with possible values: debug or normal
Clone this wiki locally