DFI blacklisting system

This piece of documentation will teach you:

• How to setup the blacklisting system
• How to use the blacklisting system
• How to blackling system works (including what all classes do)
• How to add new rule logic

A short description:

The blacklisting system read binaries from a folder, submits these to a Cuckoo Sandbox instance for analysis, downloads the results, reads these reports and applies its own logic to filter out hashes of malicious binaries.

The md5 hashes of the malicious binaries are stored and retrievable through a web API. You could use these hashes for the creation of IDS alerts.

test

Contents:

• Setting up the system
  • Setting up Cuckoo Sandbox
    • Installation
    • Configuration
      • Cuckoo
      • Enable NAT
      • Suricata
      • Deploying on ESXi
      • Registering new virtual machine
  • Setting up Elasticsearch
    • Installation
    • Configuration
      • Change cluster name
      • Change node name
      • Enable Node master
      • Enable Node data
      • Enable memory lock
      • Increase max query size
      • Change bound IP
      • Allow cross-origin resource sharing
  • Setting up the blacklisting system
    • Downloading the system
    • Installing all dependencies
    • Configuring the system
    • Creating the required Elasticsearch indices
    • Configuring the binaries directory
    • The blacklisting score
    • The API and logging
    • Populating the third part blacklist indice
    • Add subnets to the whitelist
    • Creating rules for the system
• Using the blacklisting system
  • Writing rules for a rules file
  • Grouping rules together
  • Supported rules
  • Regular expressions and wildcards
  • Utilities
  • The API
    • /hash/get
    • /count
    • /stats/hashes
    • /blacklist/exist
    • /blacklist/create
    • /blacklist/delete
    • /cuckoo/get/hour
    • /whitelist/subnet/add
    • /whitelist/subnet/delete
    • /health_check
• How it works
  • The existing Elasticsearch indices
  • Binary submitting
  • Report downloading and filtering
  • Blacklisting values by applying rules
  • The API
  • Description for each class used
    • dfi.api
    • dfi.blacklist
    • dfi.blacklist.rules
    • dfi.blacklist.types
    • dfi.cuckoo
    • dfi.database
    • dfi.rule
    • dfi.task
    • dfi
• Adding new rules and types
  • Adding new rules
  • Adding a new type