legal contact

installing cuckoo 2.0


Below is the way it used to be before. Nowadays (ver 2.0.6)  it's even easier:

sudo pip install -U pip setuptools
sudo pip install -U cuckoo
virtualenv venv
$ . venv/bin/activate
(venv)$ pip install -U pip setuptools
(venv)$ pip install -U cuckoo
Job done . . .   :-)

How I installed the version 2.0.5 on a fresh machine

Using Ubuntu 16.04.3 LTS

Installing the requirements:
sudo apt install python python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig mongodb postgresql libpq-dev mitmproxy suricata

apt remove apparmor

sudo apt-get install tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
sudo apt-get install libcap2-bin
sudo apt-get install volatility
sudo apt-get install swig
Creating the user:
sudo adduser cuckoo
sudo usermod -a -G libvirtd cuckoo
Installing cuckoo in a python environment
virtualenv venv
. venv/bin/activate
Check out the (venv) trailing your prompt from now on
pip install -U pip setuptools
pip install -U cuckoo
The "working directory of cuckoo will be (by default) 
To change it to something else use:
sudo mkdir /opt/cuckoo
sudo chown cuckoo:cuckoo /opt/cuckoo
cuckoo --cwd /opt/cuckoo
export CUCKOO=/opt/cuckoo

suricata for cuckoo 2.x


sudo apt-get install suricata

sudo cp /etc/suricata/suricata-debian.yaml /etc/suricata/suricata-cuckoo.yaml

sudo vi /etc/suricata/suricata-cuckoo.yaml

Disable the fast and unified2 log types; we don't need those.

Locate file-store: (use ctrl+w to search). Set enabled to yes. Set force-md5 and force-filestore to yes. Enable file-log, which should be located right below it.

Locate reassembly: use ctrl+w to search (You'll need to do this twice; the first reference is just comment documentation about it, you want is the actual, non-commented reassembly:)

Set depth, to 0 (without a unit of measurement)

Set request-body-limit and response-body-limit to 0 (without any measurement unit), under default-config:

Under the vars: address-groups: section, set EXTERNAL_NET to any.

Download etupdate to update Emerging Threat's Open IDS rules:

$ git clone
$ sudo cp etupdate/etupdate /usr/sbin
$ sudo /usr/sbin/etupdate -V

Edit the crontab:

$ sudo crontab -e

Add the line:

42 * * * * /usr/sbin/etupdate

This will run etupdate every 42 minutes after each hour. You should probably change 42 to some other minute, so everyone following this tutorial doesn't query Emerging Threats for updates at the exact same time.