installing cuckoo 2.0
Below is the way it used to be before. Nowadays (ver 2.0.6) it's even easier:
sudo pip install -U pip setuptools
sudo pip install -U cuckoo
virtualenv venv
$ . venv/bin/activate
(venv)$ pip install -U pip setuptools
(venv)$ pip install -U cuckoo
Job done . . . :-)
How I installed the version 2.0.5 on a fresh machine
Using Ubuntu 16.04.3 LTS
Installing the requirements:
sudo apt install python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb postgresql libpq-dev mitmproxy suricata
sudo apt remove apparmor
sudo apt-get install tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
sudo apt-get install libcap2-bin
sudo apt-get install volatility
sudo apt-get install swig
Creating the user:
sudo adduser cuckoo
sudo usermod -a -G libvirtd cuckoo
Installing cuckoo in a python environment
virtualenv venv
. venv/bin/activate
Check out the (venv) trailing your prompt from now on.
pip install -U pip setuptools
pip install -U cuckoo
The working directory of cuckoo will be (by default) /home/cuckoo/.cuckoo/
To change it to something else use:
sudo mkdir /opt/cuckoo
sudo chown cuckoo:cuckoo /opt/cuckoo
cuckoo --cwd /opt/cuckoo
export CUCKOO=/opt/cuckoo
suricata for cuckoo 2.x
sudo apt-get install suricata
sudo cp /etc/suricata/suricata-debian.yaml /etc/suricata/suricata-cuckoo.yaml
sudo vi /etc/suricata/suricata-cuckoo.yaml
Disable the fast and unified2 log types; we don't need those.
Locate file-store: (use ctrl+w to search). Set enabled to yes. Set force-md5 and force-filestore to yes. Enable file-log, which should be located right below it.
Locate reassembly: (use ctrl+w to search; you'll need to do this twice, the first reference is just comment documentation about it, what you want is the actual, non-commented reassembly:). Set depth to 0 (without a unit of measurement).
Set request-body-limit and response-body-limit to 0 (without any measurement unit), under default-config:.
Under the vars: address-groups: section, set EXTERNAL_NET to any.
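Putting those edits together, this is what the touched parts of /etc/suricata/suricata-cuckoo.yaml look like afterwards. It is an added example, not part of the original notes and not the Cuckoo or Suricata projects' own file: the values come from the steps above, while the surrounding keys, their order and the HOME_NET value follow the stock Suricata 3.x layout shipped with Ubuntu 16.04 and are assumed; everything not shown stays as shipped.

```yaml
%YAML 1.1
---
# Added example: only the sections touched by the steps above are shown.
# Surrounding structure is the stock Suricata 3.x layout (assumed).

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"   # as shipped (assumed)
    EXTERNAL_NET: "any"      # was "!$HOME_NET"; "any" so sandbox traffic in both directions matches

outputs:
  - fast:                    # plain-text alert log; Cuckoo does not read it
      enabled: no
      filename: fast.log
      append: yes

  - unified2-alert:          # binary barnyard2 log; not needed either
      enabled: no
      filename: unified2.alert

  - file-store:              # extracted files land in <log-dir>/files
      enabled: yes
      log-dir: files
      force-magic: no
      force-md5: yes         # always hash every extracted file
      force-filestore: yes   # store every file, not only those a rule asked for

  - file-log:                # one JSON line per extracted file; sits right below file-store
      enabled: yes
      filename: files-json.log
      append: yes

stream:
  memcap: 32mb
  checksum-validation: yes
  inline: auto
  reassembly:
    memcap: 64mb
    depth: 0                 # 0 = reassemble whole streams, no unit; the shipped 1mb truncates large downloads
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 0    # 0 = unlimited, no unit (shipped value is 100kb)
          response-body-limit: 0   # same for responses, otherwise big file bodies are cut off
```

Before pointing Cuckoo at the file, run `sudo suricata -T -c /etc/suricata/suricata-cuckoo.yaml` to have Suricata parse the configuration and report any key it rejects.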
Download etupdate to update Emerging Threat's Open IDS rules:
$ git clone https://github.com/seanthegeek/etupdate.git
$ sudo cp etupdate/etupdate /usr/sbin
$ sudo /usr/sbin/etupdate -V
Edit the crontab:
$ sudo crontab -e
Add the line:
42 * * * * /usr/sbin/etupdate
This will run etupdate at 42 minutes past every hour. You should probably change 42 to some other minute, so everyone following this tutorial doesn't query Emerging Threats for updates at the exact same time.