Simplify Cuckoo rules using custom signature in Cuckoo #37

michaelweiser · 2018-09-07T11:31:07Z

We should look into the possibility to simplify the cuckoo rules using a custom signature inside Cuckoo.

Currently we maintain a list of strings which are matched against the signatures reported by Cuckoo.

It might be possible and more efficient to handle this inside Cuckoo using a kind of meta-signature which detects the matching/firing of all the other signatures we consider "bad", accumulates them into a binary decision "good"/"bad" or even some kind of score and reports just that single value back to Peekaboo.

Suggested by @Jack28.

Jack28 · 2018-09-17T12:22:02Z

I looked into this a while ago and already did some testing. It's totally possible to cover some of our rules (easier, with more precision and flexibility).

Had the link at hand, there is good documentation here:
https://cuckoo.sh/docs/customization/signatures.html

michaelweiser added enhancement needs investigation labels Sep 7, 2018

michaelweiser added this to the 2.0 milestone Sep 7, 2018

michaelweiser self-assigned this Sep 7, 2018

Jack28 mentioned this issue May 5, 2019

Introduce Scoring and fuzzy decision making to the ruleset #45

Closed

Jack28 modified the milestones: 2.0, 2.1 Aug 27, 2019

michaelweiser removed this from the 2.1 milestone Mar 16, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Simplify Cuckoo rules using custom signature in Cuckoo #37

Simplify Cuckoo rules using custom signature in Cuckoo #37

michaelweiser commented Sep 7, 2018 •

edited

Loading

Jack28 commented Sep 17, 2018

Simplify Cuckoo rules using custom signature in Cuckoo #37

Simplify Cuckoo rules using custom signature in Cuckoo #37

Comments

michaelweiser commented Sep 7, 2018 • edited Loading

Jack28 commented Sep 17, 2018

michaelweiser commented Sep 7, 2018 •

edited

Loading