NAME

mojo_cape_submit - A mojolicious script for handling submissions of files for detonation.

SYNOPSIS

sudo -u cape mojo_cape_submit daemon -m production -l 'http://*:8080'

DESCRIPTION

This script is meant to run locally on a CAPEv2 host. It allows remote machines to submit files for detonation.

To work, this script needs to be running as the same user as CAPEv2.

This will write activity to syslog.

A systemd service file is provided at 'systemd/mojo_cape_submit.service' in this module's tarball. It expects the environment file '/usr/local/etc/mojo_cape_submit.env' to be set up with the variables 'CAPE_USER' and 'LISTEN_ON'. For example, to listen on http://192.168.14.15:8080 as the user cape, it would look like below.

CAPE_USER="cape"
LISTEN_ON="http://192.168.14.15:8080"

Alternatively, this script can be invoked as a CGI script if it is run as the same user CAPEv2 runs as.

CONFIGURATION

If cape_utils has been configured and is working, this only requires two additional settings.

The first is the setting 'incoming'. This setting is a directory in which incoming files are placed for submission. By default this is '/malware/client-incoming'.

The second is 'incoming_json'. This is the directory the JSON data files for submitted files are written to. The name of the file is the task ID with '.json' appended, so task ID '123' would become '123.json'. The default directory for this is '/malware/incoming-json'.

SECURITY

By default this will authenticate the remote IP via the setting 'subnets', which by default is '192.168.0.0/16,127.0.0.1/8,::1/128,172.16.0.0/12,10.0.0.0/8'. This value is a comma separated string of subnets to accept submissions from.

To enable the use of an API key, set the value of 'apikey' and set 'auth_by_IP_only' to '0'.
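The authorization decision described above, modelled in Python as an added example (the script itself is Perl/Mojolicious and this is not its code). It assumes the settings arrive as plain strings, and that with 'auth_by_IP_only' set to '0' the API key is required in addition to the subnet check.

```python
import hmac
import ipaddress

# Default value of the 'subnets' setting, as documented above.
DEFAULT_SUBNETS = "192.168.0.0/16,127.0.0.1/8,::1/128,172.16.0.0/12,10.0.0.0/8"


def parse_subnets(subnets):
    """Parse the comma-separated 'subnets' setting into network objects.

    strict=False is required: an entry such as '127.0.0.1/8' has host bits
    set, and ipaddress would reject it with the default strict=True.
    """
    nets = []
    for item in subnets.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def ip_allowed(remote_ip, nets):
    """True if the remote address falls inside any configured subnet."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # malformed address: treat as not authenticated
    # A v4 address is never "in" a v6 network and vice versa, so mixing is safe.
    return any(addr in net for net in nets)


def submitter_authed(remote_ip, presented_key, subnets=DEFAULT_SUBNETS,
                     apikey=None, auth_by_ip_only=True):
    """Hypothetical helper (not the script's own): subnet check, then API key.

    When 'auth_by_IP_only' is 0 and an 'apikey' is configured, the presented
    key must also match; the comparison is constant-time so a wrong key does
    not leak how many leading bytes were correct.
    """
    if not ip_allowed(remote_ip, parse_subnets(subnets)):
        return False
    if auth_by_ip_only or not apikey:
        return True
    if presented_key is None:
        return False
    return hmac.compare_digest(presented_key.encode(), apikey.encode())
```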

SUBMISSION

Submissions must be made using the POST method.

Submission Parameters

Required ones are as below.

- filename :: The file being submitted.

The following are optional and more or less "free form", but it helps to set them to something sane and relevant.

- type :: The type of submission. Generally going to be 'manual' or 'suricata_extract'.

PINGING

If you submit a file with a size of 10 that matches /01234567890/, it will return "TEST RECIEVED\n", provided the submitter is authenticated. At that point it will stop processing the file.