CUCKOO SandBox多guest测试

最新推荐文章于 2025-03-27 15:00:45 发布

一定迟到逗

最新推荐文章于 2025-03-27 15:00:45 发布

阅读量1.5k

点赞数 2

分类专栏：沙箱

本文链接：https://blog.csdn.net/weixin_42651205/article/details/83900436

版权

沙箱专栏收录该内容

4 篇文章

订阅专栏

一、配置
首先已经有一套搭建好的cuckoo的host-guest环境，cuckoo已经可以顺利运行，配置了smbshare与客户机共享目录，在cuckoo的host服务器ubuntu上打开virtualbox并Clone客户机，选择完全clone，clone所有snapshot。完成后启动新clone的客户机，修改客户机的ip。原客户机ip为192.168.56.101，新clone的改为192.168.56.102，如未完全clone，找不到C:\agent\agent.py时，拷贝smbshare里的agent文件夹到c盘，启动cmd窗口，执行：python c:\agent\agent.py。启动后，删除老的snapshot快照，建立新的snapshot1，以此类推clone十个guest，建立十个snapshot。
修改配置文件：
Vim virtualbox.conf

#客户机，如配了某客户机则下面也必须有相应的配置项，否则cuckoo启动不了
machines = cuckoo0,cuckoo1,cuckoo2,cuckoo3,cuckoo4,cuckoo5,cuckoo6,cuckoo7,cuckoo8
#添加客户机名称对应的配置项

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1,cuckoo2,cuckoo3,cuckoo4,cuckoo5
[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = cuckoo1

 # Specify the operating system platform used by current machine
 # [windows/darwin/linux].
platform = windows

 # Specify the IP address of the current virtual machine. Make sure that the
 # IP address is valid and that the host machine is able to reach it. If not,
 # the analysis will fail.
ip = 192.168.56.101

 # (Optional) Specify the snapshot name to use. If you do not specify a snapshot
 # name, the VirtualBox MachineManager will use the current snapshot.
 # Example (Snapshot1 is the snapshot name):
snapshot = Snapshot1

 # (Optional) Specify the name of the network interface that should be used
 # when dumping network traffic from this machine with tcpdump. If specified,
 # overrides the default interface specified in auxiliary.conf
 # Example (vboxnet0 is the interface name):
interface =

 # (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
 # The Result Server will always bind to the address and port specified in cuckoo.conf,
 # however you could set up your virtual network to use NAT/PAT, so you can specify here
 # the IP address for the Result Server as your machine sees it. If you don't specify an
 # address here, the machine will use the default value from cuckoo.conf.
 # NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
 # Example:
resultserver_ip =

 # (Optional) Specify the port for the Result Server, as your virtual machine sees it.
 # The Result Server will always bind to the address and port specified in cuckoo.conf,
 # however you could set up your virtual network to use NAT/PAT, so you can specify here
 # the port for the Result Server as your machine sees it. If you don't specify a port
 # here, the machine will use the default value from cuckoo.conf.
 # Example:
resultserver_port =

 # (Optional) Set your own tags. These are comma separated and help to identify
 # specific VMs. You can run samples on VMs with tag you require.
tags =

 # Mostly unused for now. Please don't fill it out.
options =

 # (Optional) Specify the OS profile to be used by volatility for this
 # virtual machine. This will override the guest_profile variable in
 # memory.conf which solves the problem of having multiple types of VMs
 # and properly determining which profile to use.
osprofile =

还要修改cuckoo.conf
process_results = no
此处修改为no以后，会发现没有报告生成了，因为报告需要单独起生成模块来生成，当时没找到报告，差点忍受sqlite时不时的异常，要放弃了这个配置项。
启报告生成模块
cuckoo process instance1
cuckoo process instance2
…
根据自己的业务量来衡量启几个
接下来修改数据库
[database]
connection = mysql://root:cyberaudit@localhost/cuckoo
改成使用mysql，不然多客户端用sqlite会发生一些异常，sqlite会发生lock状态，上传或报告生成失败。
配置完成，保存重启cuckoo服务
前台起
#cuckoo
可以通过以下方法查看是否正常启动：
1、可以通过日志看到样本已经被一个一个的分配到多个客户机上了
2、启动cuckoo后，先不上传样本，可以看到被初始化的客户机状态都是从poweroff变成了saved状态，上传样本后，配置的客户机状态都变成了running，随着样本检测完成与否来回的跳动状态，配置不成功则客户机状态不会发生变化，始终为poweroff

二、测试结果
客户机个数（个）样本个数（个）检测时段（hⓂ️s–hⓂ️s）用时（分钟）单个文件平均用时（分钟）
10 100 11:16–12:00 44 4.4
8 100 12:47–13:31 44 3.52
6 100 09:18–10:02 44 2.64
5 100 14:30–15:18 48 2.4
4 100 12:40–13:34 54 2.16
2 100 15:20–16:47 87 1.74
1 100 16:50–19:25 148 1.48

Windows的dll、exe等
客户机个数（个）样本个数（个）检测时段（hⓂ️s–hⓂ️s）用时（分钟）单个文件平均用时（分钟）
6 65 13:51–14:04 13 1.2
4 65 14:09–14:22 13 0.8
3 65 14:26–14:38 12 0.55
2 65 14:42–14:54 12 0.37
1 65 14:55–15:16 21 0.32

客户机个数（个）样本个数（个）检测时段（hⓂ️s–hⓂ️s）用时（分钟）单个文件平均用时（分钟）
10 750 15:21–18:31 190 2.53
6 750 09:37–14:57 320 2.56
4 750 16:47–23:15 388 2.07