Sandboxing

Norman Sandbox

To enable the Norman sandbox we need an email address that will receive the Norman sandbox reports. In this example we create a Gmail account for this purpose.

Gmail

Configure the Gmail account so that POP access is enabled:

Enable POP for all mail
When messages are accessed with POP -> archive Gmail's copy

In this example the address is normanids@gmail.com. The mailbox login details are configured in /etc/surfnetids/surfnetids-log.conf. Note that this file holds the mailbox password in plain text, so keep it readable only by the user that runs SURFnet IDS.

#################
# Sandbox Email
#################
# These are the settings needed to retrieve the Norman reports from the mailbox they were sent to
# login credentials
$c_mail_username = 'email_username';
$c_mail_password = 'email_pass';

# mailhost and port
$c_mail_mailhost = 'mailhost';
$c_mail_port = '995';

# use SSL when connecting to the mailhost
$c_mail_usessl = 'true';

Next, Nepenthes has to be told to send the captured binaries to the Norman sandbox. This is done by activating the submit-norman module in /opt/nepenthes/etc/nepenthes/nepenthes.conf:

    "submitnorman.so",              "submit-norman.conf",           ""

Then configure the report email address and the submission URLs for submit-norman in /opt/nepenthes/etc/nepenthes/submit-norman.conf:

submit-norman
{
        // this is the address where norman sandbox reports will be sent
        email   "normanids@gmail.com";
        urls    ("http://onlineanalyzer.norman.com/nepenthes_upload.php",
                 "http://luigi.informatik.uni-mannheim.de/submit.php?action=verify");
};

CWSandbox

The same email address configured above can also receive the CWSandbox reports. CWSandbox needs a few additional settings in surfnetids-log.conf, shown below; the defaults are fine. To enable viewing and downloading of CWSandbox reports in the web interface, set the $c_cws variable to 1.

#################
# CWSandbox
#################
# These are additional settings needed to retrieve and process CWSandbox reports
# need a temp directory that we can write to
$c_cwtemp = "/var/tmp";

# This is where the mime attachments get exploded to
$c_cwmime = "$c_cwtemp/mimetemp";

# Enable or disable the view and download option of CWSandbox results in the webinterface
$c_cws = 1;

# The location of the Xalan binary
$c_xalanbin = "/usr/bin/xalan";
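The two configuration blocks above describe one pipeline: SURFnet IDS logs into the report mailbox over POP3 (with SSL when $c_mail_usessl is 'true'), fetches each report mail and explodes its MIME attachments into the $c_cwmime directory. The following Python script is an added example of that flow, not SURFnet IDS code. It parses the Perl-style $name = value; assignments shown on this page, opens the POP3 session with server certificate verification, and writes attachments using only the basename of the attached filename, because that name arrives in untrusted mail. The sample configuration and the report mail are constructed stand-ins (the real Norman and CWSandbox report formats are not shown on this page), and the connect step is not executed in the offline demo because it needs a live mailbox.

```python
"""POP3 retrieval of sandbox report mail and MIME explosion into $c_cwmime,
driven by the surfnetids-log.conf settings. Added example, not SURFnet IDS
code; the config lines and report mail are constructed stand-ins."""
import email
import email.message
import email.policy
import os
import poplib
import re
import ssl
import tempfile

# Constructed sample of the relevant surfnetids-log.conf lines.
SAMPLE_CONF = """
# login credentials
$c_mail_username = 'normanids@gmail.com';
$c_mail_password = 'email_pass';
$c_mail_mailhost = 'pop.gmail.com';
$c_mail_port = '995';
$c_mail_usessl = 'true';
$c_cwtemp = "/var/tmp";
$c_cwmime = "$c_cwtemp/mimetemp";
$c_cws = 1;
"""

# One Perl-style assignment: $name = 'single' | "double" | bare ;
_ASSIGN = re.compile(
    r"""^\s*\$(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^;#]+?))\s*;""", re.M)

def parse_conf(text):
    """Return {name: value}. $name inside double quotes is expanded from
    earlier assignments, as Perl does for "$c_cwtemp/mimetemp"."""
    conf = {}
    for m in _ASSIGN.finditer(text):
        name, single, double, bare = m.groups()
        if single is not None:
            value = single
        elif double is not None:
            value = re.sub(r"\$(\w+)", lambda r: conf.get(r.group(1), r.group(0)), double)
        else:
            value = bare.strip()
        conf[name] = value
    return conf

def connect(conf):
    """Open the POP3 session as configured. With $c_mail_usessl = 'true' the
    server certificate is verified, so the mailbox password is never sent to
    an impostor mailhost. Needs a live mailbox; not run in demo()."""
    host, port = conf["c_mail_mailhost"], int(conf["c_mail_port"])
    if conf.get("c_mail_usessl", "").lower() == "true":
        session = poplib.POP3_SSL(host, port, context=ssl.create_default_context())
    else:
        session = poplib.POP3(host, port)  # plaintext: password on the wire
    session.user(conf["c_mail_username"])
    session.pass_(conf["c_mail_password"])
    return session

def fetch_reports(session):
    """Yield every message in the mailbox as an EmailMessage."""
    count, _size = session.stat()
    for index in range(1, count + 1):
        _resp, lines, _octets = session.retr(index)
        yield email.message_from_bytes(b"\r\n".join(lines), policy=email.policy.default)

def explode_attachments(msg, mime_dir):
    """Write each attachment into mime_dir and return the paths written. The
    attachment filename is attacker-controlled, so only its basename is used;
    a name like ../../etc/cron.d/x therefore stays inside mime_dir."""
    os.makedirs(mime_dir, exist_ok=True)
    written = []
    for part in msg.iter_attachments():
        name = os.path.basename(part.get_filename() or "")
        if name in ("", ".", ".."):
            continue
        path = os.path.join(mime_dir, name)
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        written.append(path)
    return written

def sample_report():
    """Constructed report mail: text body plus two attachments, one carrying a
    traversal filename. Not a real Norman or CWSandbox report."""
    msg = email.message.EmailMessage()
    msg["From"] = "analysis@example.invalid"
    msg["To"] = "normanids@gmail.com"
    msg["Subject"] = "Sandbox report"
    msg.set_content("Analysis attached.")
    msg.add_attachment(b"<report/>", maintype="application", subtype="xml",
                       filename="report.xml")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="../../etc/cron.d/evil.zip")
    # Round-trip through bytes so parsing matches what fetch_reports() does.
    return email.message_from_bytes(msg.as_bytes(), policy=email.policy.default)

def demo(conf_text=SAMPLE_CONF):
    """Offline run: parse the config and explode the sample report into a temp
    directory standing in for $c_cwmime. Returns (conf, written basenames)."""
    conf = parse_conf(conf_text)
    mime_dir = tempfile.mkdtemp(prefix="mimetemp-")
    return conf, [os.path.basename(p) for p in explode_attachments(sample_report(), mime_dir)]

if __name__ == "__main__":
    conf, names = demo()
    print(conf["c_mail_mailhost"], conf["c_mail_port"], conf["c_cwmime"], names)
    # Live use: for report in fetch_reports(connect(conf)): explode_attachments(...)
```

Running the script offline prints the parsed mailhost, port and expanded $c_cwmime path, and shows that the traversal filename ends up as plain evil.zip inside the temp directory. For a live run, replace the demo call with fetch_reports(connect(conf)) against the real surfnetids-log.conf contents; keep the SSL setting, since the plaintext branch sends the mailbox password unprotected.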

Nepenthes patch

Out of the box (SVN), Nepenthes does not work correctly with the Norman sandbox and CWSandbox at the same time. The following patch for submit-norman.hpp makes submission to both CWSandbox and Norman work again:

cat submit-norman.hpp.patch |patch -p1


NOTE: Due to recent changes in the CWSandbox processing system, CWSandbox will not generate an email report if the malware was already known to CWSandbox.

kb/googlemap_norman.txt · Last modified: 2012/07/12 11:27 (external edit)