
NAME

mojo_cape_submit - A Mojolicious script for handling submissions of files for detonation.

SYNOPSIS

sudo -u cape mojo_cape_submit daemon -m production -l 'http://*:8080'

DESCRIPTION

This script is meant to run locally on a CAPEv2 system. It allows remote machines to submit files for detonation.

To work, this script needs to be running as the same user as CAPEv2.

This will write activity to syslog.

A systemd service file is provided at 'systemd/mojo_cape_submit.service' in this module's tarball. It expects the environment file '/usr/local/etc/mojo_cape_submit.env' to be set up with the variables 'CAPE_USER' and 'LISTEN_ON'. For example, to listen on http://192.168.14.15:8080 as the user cape, it would look like below.

    CAPE_USER="cape"
    LISTEN_ON="http://192.168.14.15:8080"

Alternatively, this script can be invoked as a CGI script if it is run as the same user CAPEv2 runs as.

CONFIGURATION

If cape_utils has been configured and is working, this requires only two additional settings.

The first is the setting 'incoming'. This setting is a directory in which incoming files are placed for submission. By default this is '/malware/client-incoming'.

The second is 'incoming_json'. This is a directory the data files for submitted files are written to. The name of the file is the task ID with '.json' appended. So task ID '123' would become '123.json'. The default directory for this is '/malware/incoming-json'.

SECURITY

By default this authenticates by the remote IP via the setting 'subnets', which by default is '192.168.0.0/16,127.0.0.1/8,::1/128,172.16.0.0/12,10.0.0.0/8'. This value is a comma separated string of subnets to accept submissions from.

To enable the use of an API key, set the value of 'apikey' and set 'auth_by_IP_only' to '0'.
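The access control described above, as an added example written here and not the script's own code: it parses the 'subnets' setting, checks the remote IP against it, and (as an assumption about how 'auth_by_IP_only' combines with 'apikey') requires a matching API key on top of the subnet check when 'auth_by_IP_only' is '0'. The setting names and the default subnet list are taken from this page.

```python
import hmac
import ipaddress

# Default taken from this page; the real script reads the value from the cape_utils config.
DEFAULT_SUBNETS = "192.168.0.0/16,127.0.0.1/8,::1/128,172.16.0.0/12,10.0.0.0/8"


def parse_subnets(subnets: str):
    """Turn the comma separated 'subnets' setting into network objects.

    strict=False matters: the default list contains '127.0.0.1/8', which has
    host bits set, and it is normalised to 127.0.0.0/8 rather than rejected.
    """
    nets = []
    for item in subnets.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def ip_allowed(remote_ip: str, subnets: str = DEFAULT_SUBNETS) -> bool:
    """True if remote_ip (IPv4 or IPv6) falls inside any configured subnet."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # an unparsable remote address is never allowed
    # Membership across address families is False, so mixed lists are safe.
    return any(addr in net for net in parse_subnets(subnets))


def submission_allowed(remote_ip, presented_key, apikey="",
                       auth_by_ip_only=True, subnets=DEFAULT_SUBNETS):
    """Assumed combination of the two checks: the subnet check always applies,
    and with auth_by_IP_only set to '0' a configured API key must also match."""
    if not ip_allowed(remote_ip, subnets):
        return False
    if auth_by_ip_only:
        return True
    if not apikey or presented_key is None:
        return False  # API-key mode with no key configured or none presented
    # Constant-time comparison so timing does not leak how much of the key matched.
    return hmac.compare_digest(apikey.encode(), str(presented_key).encode())
```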

SUBMISSION

Submissions must be made using the POST method.

Submission Parameters

The required parameter is as below.

    - filename :: The file being submitted.

The following are optional and more or less "free form", but it helps to set them to something sane and relevant.

    - type :: The type of submission. Generally going to be 'manual' or 'suricata_extract'.

    - src_host :: The hostname of the sending system.

    - src_ip :: The source IP for what Suricata picked up.

    - src_port :: The source port for what Suricata picked up.

    - dest_ip :: The destination IP for what Suricata picked up.

    - dest_port :: The destination port for what Suricata picked up.

    - proto :: Protocol, such as TCP or UDP.

    - app_proto :: Application protocol, such as HTTP.

    - flow_id :: The flow ID Suricata picked it up from.

    - http_host :: If HTTP, the host in the URL.

    - http_url :: If HTTP, the path section of the URL.

    - http_method :: If HTTP, the method, such as GET.

    - http_proto :: If HTTP, the protocol version.

    - http_status :: If HTTP, the status code of the session.

    - http_ctype :: If HTTP, the content type.

    - http_ua :: If HTTP, the user agent.