Flare VM templates and collaboration #90
Hi, last year at BlackHat USA Arsenal I ran the Flare VM install on top of Malboxes live to demonstrate that both projects are compatible. I don't know how far you are, but I think we have dealt with a lot of the boring stuff (learning the various pieces that fail when setting up trial vs non-trial versions of Windows, Windows 7/8, WinRM bugs w/ .NET, etc.; just check closed issues to get a sense). As far as the status, I plan to work on Malboxes in the coming months. Ideally, we could have a profile that would run the Flare VM stuff after installation. Pretty much like your goal. If you are interested in doing that here it would be awesome! What do you think?
Awesome. Because the FLARE scripts install everything.
I already dealt with setting up WinRM on Windows VMs, to allow the provisioning via Ansible.
I think we can customize and break the FLARE VM monolithic script into a set of Ansible roles, like I said earlier. Furthermore, the user could customize his VM provisioning by adding useful features:
I also have to ping @htnhan, maintainer of the https://github.com/fireeye/flare-vm repo, to see how we could collaborate ;) Thanks!
@Wenzel Thank you for your work on integrating Flare VM into Malboxes. I am happy to collaborate, so please let me know what I can do to help. One thing about Flare VM is that we still have to keep it an independent project so anyone can download and install Flare VM without Packer, Ansible, or other orchestration tools.
For now, I have done absolutely nothing, except opening this issue.
I agree!
@Wenzel: I'm interested in any kind of help from people wanting to provide easy-to-use malware analysis tools to the masses. I think where flare-vm falls short is that you need to already have a Windows VM. I want to avoid that (and you seem to want to avoid it too). We don't rely on Ansible right now, but I use it for Linux servers and I like it, so I'm interested in exploring that area. The way I see malboxes heading is that it should do almost everything out of band so we can avoid being detected like Cuckoo or other intrusive sandboxes. If we do all our stuff with WinRM (or Ansible) and then plug that hole by wiping logs, etc., we could provide a reliable sandbox and a malware reversing tool at the same time.
I really like that and I would definitely merge that. It fits our vision of becoming the If you are interested in that direction, I can send you some whiteboard screenshots I took a few months ago of where I think we should be heading.
The reasons I chose Ansible to provision my Windows VMs:
We have the same vision 👍
Absolutely!
I have been using Ansible for Linux server stuff here and there and I like it a lot. If it stays "out of band" (no agent, like you said) and doesn't require SSH installed on the Windows guest (uses WinRM), then I have absolutely no objection to its use 👍 Looking forward to what you do with malboxes! Btw, do you think we should set up a gitter.im chatroom for malboxes if that could help your integration in the team?
I was about to suggest
Ping @obilodeau I have some topics to discuss with you :)
It's done: https://gitter.im/malboxes_/Lobby. The underscore is unfortunate but for some reason I could never get
Hi!
I found your work thanks to reddit, and it turns out that I was working on the same thing as you, but for the FLARE VM: packer-flare, a set of Packer templates to provision a VM from scratch and set up the FLARE VM configuration.
So what is the status of malboxes as of today?
If you had to compare it against what FLARE VM proposes?
Can we join our efforts?
I know:
- Packer
- and Ansible provisioning through WinRM
Thanks!