Bare Metal Configuration (optional)
Locate your MySQL credentials. You can get them with the following command.
sudo cat /etc/mysql/debian.cnf
Docker Configuration (optional)
Nothing specific has to be done, except what has been done in Installation steps already.
Just prepare your MYSQL user/password and storage location for the next steps.
Common Configuration
Edit your configuration file (under /your_root/src/config.php), as explained below.
From the Installation steps, fill in the following information:
- The database name in sections “db/storage” and “db/usercake”
- The database credentials (see above) in sections “db/storage” and “db/usercake”.
- The database host in section “db/storage”. NOTE: For docker it must be the name of the mysql container (“db” in our template).
- The storage path in section “urls/storagePath”
- The public url in section “urls/baseUrl”. Example: “http://localhost” (locally), “https://my.mrf.example.com/”
Then, change the config file according to your needs (see below)
Modules
Most modules are not documented, it’s not advised to change their configuration. Only a few can be tweaked:
Cuckoo
- Enable the module with section “cuckoo/enabled” = True
- Put your cuckoo API url in section “cuckoo/api_base_url” (see documentation for Cuckoo)
- Put your cuckoo WEB base url in section “cuckoo/web_base_url”
- Change never upload = True/False in section “cuckoo/never_upload”. When enabled, no sample can be uploaded to the 3rd party website, even if unknown.
- Don’t forget to re-run the installation script if needed after changing this
VirusTotal
- Enable the module with section “virustotal/enabled” = True
- Put your VirusTotal API key in section “virustotal/key”
- Change never upload = True/False in section “virustotal/never_upload”. When enabled, no sample can be uploaded to the 3rd party website, even if unknown.
- Change automatic comment = True/False in section “virustotal/comment_uploaded/enabled”. When enabled, all (prior unknown) samples uploaded will be commented on VirusTotal with the text you define.
- Change automatic comment content in section “virustotal/comment_uploaded/comment” (optional).
- Don’t forget to re-run the installation script if needed after changing this
YaraEditor (YED)
- Enable the module with section “yed/enabled” = True
- Put your YaraEditor API url in section “yed/url” (see documentation for YaraEditor)
- Put your YaraEditor API key in section “yed/key”
- Change never upload = True/False in section “yed/never_upload”. When enabled, no sample can be uploaded to the 3rd party website, even if unknown.
- Don’t forget to re-run the installation script if needed after changing this
Hybrid Analysis
- Enable the module with section “hybridanalysis/enabled” = True
- Put your YaraEditor API url in section “hybridanalysis/url” (see documentation for Hybrid Analysis)
- Put your YaraEditor API key in section “hybridanalysis/key”
- Change never upload = True/False in section “hybridanalysis/never_upload”. When enabled, no sample can be uploaded to the 3rd party website, even if unknown.
- Don’t forget to re-run the installation script if needed after changing this
Any.RUN (New V7.0!)
- Enable the module with section “anyrun/enabled” = True
- Put your Any.Run API key in section “anyrun/key” (see documentation for Any.RUN Analysis)
- Change never upload = True/False in section “anyrun/never_upload”. When enabled, no sample can be uploaded to the 3rd party website, even if unknown.
- Don’t forget to re-run the installation script if needed after changing this
Please find below a configuration file template with pre-configured options.
Don’t hesitate to use it as a starting point.
<?php
/*
The important thing to realize is that the config file should be included in every
page of your project, or at least any page you want access to these settings.
This allows you to confidently use these settings throughout a project because
if something changes such as your database credentials, or a path to a specific resource,
you'll only need to update it here.
*/
$config = array(
"version" => "7.0",
"db" => array(
"storage" => array(
"dbname" => "mrf", // {{CHANGE THIS}} database name for samples storage
"username" => "your_mysql_user", // {{CHANGE THIS}} database user for samples storage
"password" => "your_mysql_password", // {{CHANGE THIS}} database user password for samples storage
"host" => "localhost" // {{CHANGE THIS}} database host for samples storage
),
"usercake" => array(
"dbname" => "mrf", // {{CHANGE THIS}} database name for users storage
"username" => "your_mysql_user", // {{CHANGE THIS}} database user for users storage
"password" => "your_mysql_password", // {{CHANGE THIS}} database user password for users storage
"host" => "localhost" // {{CHANGE THIS}} database host for users storage
)
),
"leftnav" => array(
array(
"name" => "Dashboard",
"link" => "/index.php",
"icon" => "fa fa-dashboard",
),
array(
"name" => "Upload",
"link" => "/upload.php",
"icon" => "fa fa-upload",
),
array(
"name" => "Search",
"link" => "/search.php",
"icon" => "fa fa-search",
),
array(
"name" => "Discussions",
"icon" => "fa fa-comments",
"link" => array(
array(
"name" => "Create",
"link" => "/add_discussion.php",
"icon" => "fa fa-plus",
),
array(
"name" => "Browse",
"link" => "/discussions.php",
"icon" => "fa fa-search",
),
)
),
array(
"name" => "Feeds",
"icon" => "fa fa-rss",
"link" => array(
array(
"name" => "Urls Tracker",
"link" => "/urltracker.php",
"icon" => "fa fa-android",
),
)
),
array(
"name" => "Cuckoo",
"link" => "/cuckoo.php",
"icon" => "fa fa-fire",
"access" => "admin",
),
),
"user_settings" => array(
"email_notifications" => array(
"display" => "Email Notifications",
"settings" => array(
"new_comment_on_discussion" => array(
"name" => "email_notification_on_discussion",
"display" => "Email notification on discussion activity",
"default" => False
),
"new_comment_on_sample" => array(
"name" => "email_notification_on_sample",
"display" => "Email notification on sample comment",
"default" => False
)
)
),
"third_party" => array(
"display" => "VirusTotal per user Settings",
"settings" => array(
"user_virustotal_key" => array(
"name" => "user_virustotal_key",
"display" => "My VirusTotal API key (if empty, global is used)",
"default" => ""
)
)
)
),
"urls" => array(
"baseUrl" => "https://domain.tld/", // {{CHANGE THIS}} Base url of your website, TRAILING SLASH NEEDED
"storagePath" => "/data/mrf/storage/", // {{CHANGE THIS}} Samples storage full path (on disk), TRAILING SLASH NEEDED
"storageUrl" => "https://domain.tld/storage/" // {{CHANGE THIS}} (Optional, only for direct samples access) Samples public url, TRAILING SLASH NEEDED
),
"ui" => array(
"template" => "ampleadmin",
"colors" => "blue-dark",
"is_dark" => True,
"files_per_page" => 40,
"hex_max_length" => 65536,
),
"modules" => array(
"localstorage" => array(
"enabled" => True,
"class" => "LocalStorage",
"priority" => 10,
"cron" => True,
),
"mime" => array(
"enabled" => True,
"class" => "Mime",
"priority" => 9,
"cron" => True,
),
"pedata" => array(
"enabled" => True,
"class" => "PEData",
"priority" => 10,
"cron" => True,
),
"officedata" => array(
"enabled" => True,
"class" => "OfficeData",
"priority" => 10,
"cron" => True,
),
"pdfdata" => array(
"enabled" => True,
"class" => "PDFData",
"priority" => 10,
"cron" => True,
),
"ssdeep" => array(
"enabled" => True,
"class" => "SSDEEP",
"priority" => 10,
"cron" => True,
),
"trid" => array(
"enabled" => True,
"class" => "TrID",
"priority" => 10,
"cron" => True,
),
"bin2img" => array(
"enabled" => True,
"class" => "Bin2Img",
"priority" => 10,
"cron" => True,
),
"cuckoo" => array(
"enabled" => False, // {{CHANGE THIS}} Optional, if you enable Cuckoo module, set True
"class" => "Cuckoo",
"priority" => 10,
"api_base_url" => 'http://cuckoo.me:8080/', // {{CHANGE THIS}} Cuckoo API url, TRAILING SLASH NEEDED: Used to communicate with the Cuckoo machine
"web_base_url" => 'http://cuckoo.me:80/', // {{CHANGE THIS}} Cuckoo web url, TRAILING SLASH NEEDED: Used to open reports
"scan" => array( // Cuckoo parameters, not supported yet
//"package" => "", // uncomment to use
//"timeout" => "", // uncomment to use
//"priority" => 3, // 1 to 3, uncomment to use
//"options" => "", // uncomment to use
//"machine" => "", // uncomment to use
//"platform" => "", // uncomment to use
//"tags" => "mrf", // uncomment to use
//"custom" => "", // uncomment to use
//"owner" => "", // uncomment to use
//"memory" => False // uncomment to use
),
"scan_optional" => array(
//"options" => [ "option1", "option2" ], // uncomment to use, define options that can be sent to Cuckoo (a checkbox is shown on submission)
),
"cron" => True,
"score" => False,
),
"virustotal" => array(
"enabled" => False, // {{CHANGE THIS}} Optional, if you enable VirusTotal module, set True
"class" => "VirusTotal",
"priority" => 10,
"key" => 'your_api_key', // {{CHANGE THIS}} Replace with your VirusTotal API key
"automatic_upload" => True, // {{CHANGE THIS}} True/False, whether you want to automatically upload unknown samples on submission.
// {{CHANGE THIS}} If False, only a check is done, and manual upload is possible later.
"comment_uploaded" => array(
"enabled" => True, // If true, files uploaded (new analysis) will be commented upon completion
"comment" => "Sample received on MRF honeypot system, adlice.com"
),
"vendors_priority" => array(
"Microsoft",
"Kaspersky",
"BitDefender",
"Malwarebytes"
),
"cron" => True,
),
"yed" => array(
"enabled" => False, // {{CHANGE THIS}} Optional, if you enable YaraEditor module, set True
"class" => "Yed",
"priority" => 10,
"url" => 'https://yed.server.com/', // {{CHANGE THIS}} Replace with your YaraEditorWeb server API url
'key' => 'your_api_key', // {{CHANGE THIS}} Replace with your YaraEditorWeb server API key
"automatic_upload" => False, // {{CHANGE THIS}} True/False, whether you want to automatically scan samples on submission.
"cron" => True,
),
"hybridanalysis" => array(
"enabled" => False, // {{CHANGE THIS}} Optional, if you enable Hybrid Analysis module, set True
"class" => "Hybrid",
"priority" => 10,
"url" => 'https://www.hybrid-analysis.com/', // {{CHANGE THIS}} Optional, Replace with your Hybrid Analysis server API url (if different)
'key' => 'your_api_key', // {{CHANGE THIS}} Replace with your Hybrid Analysis API key
"automatic_upload" => True, // {{CHANGE THIS}} True/False, whether you want to automatically upload samples on submission.
"cron" => True,
),
"urltracker" => array(
"enabled" => True,
"class" => "UrlTracker",
"priority" => 10,
"cron" => True,
),
),
// Warning: Cron isn't enabled by this framework.
// Setting enabled to true means YOU have registered /src/cron.php in the cron table
// and that VirusTotal/Cuckoo refreshes will be performed by it.
// This tells the uploader NOT to perform VirusTotal/Cuckoo refreshes when getting the samples to display.
// This drastically improves performance when you have many scans pending on the current page.
"cron" => array(
"enabled" => True,
"remove_old_samples" => array(
"enabled" => True,
"older_than_days_count" => 30
)
),
// Paths can be different on several machines, and have either redirections or restrictions.
// Default values are usually good, but can be tweaked for specific cases.
"path" => array (
"tmp" => "/tmp" // Temporary folder location, this must be in your authorized write locations
),
"options" => array(
// When public mode is enabled, APIs needed for sample page
// Are NOT checked for valid API Key.
// Instead, only a REFERER/ORIGIN basic check is performed.
// This allows the sample page to be browsed without any account
"public_mode" => False
),
);
$GLOBALS["config"] = $config;
function IsModuleEnabled($module) {
return isset($GLOBALS["config"]["modules"][$module]) && $GLOBALS["config"]["modules"][$module]["enabled"];
}
/*
I will usually place the following in a bootstrap file or some type of environment
setup file (code that is run at the start of every page request), but they work
just as well in your config file if it's in php (some alternatives to php are xml or ini files).
*/
/*
Creating constants for heavily used paths makes things a lot easier.
ex. require_once(LIBRARY_PATH . "Paginator.php")
*/
//defined("LIBRARY_PATH")
// or define("LIBRARY_PATH", realpath(dirname(__FILE__) . '/library'));
//defined("TEMPLATES_PATH")
// or define("TEMPLATES_PATH", realpath(dirname(__FILE__) . '/templates'));
/*
Error reporting.
*/
ini_set("error_reporting", "true");
error_reporting(E_ALL|E_STRCT);
?><?php
/*
The important thing to realize is that the config file should be included in every
page of your project, or at least any page you want access to these settings.
This allows you to confidently use these settings throughout a project because
if something changes such as your database credentials, or a path to a specific resource,
you'll only need to update it here.
*/
$config = array(
"version" => "7.0",
"db" => array(
"storage" => array(
"dbname" => "mrf", // database name for samples storage
"username" => "root", // database user for samples storage
"password" => "", // database user password for samples storage
"host" => "localhost" // database host for samples storage
),
"usercake" => array(
"dbname" => "mrf", // database name for users storage
"username" => "root", // database user for users storage
"password" => "", // database user password for users storage
"host" => "localhost" // database host for users storage
)
),
"leftnav" => array(
array(
"name" => "Dashboard",
"link" => "/index.php",
"icon" => "fa fa-dashboard",
),
array(
"name" => "Upload",
"link" => "/upload.php", // If you don't work at root level, please modify
"icon" => "fa fa-upload",
),
array(
"name" => "Search",
"link" => "/search.php", // If you don't work at root level, please modify
"icon" => "fa fa-search",
),
array(
"name" => "Discussions",
"icon" => "fa fa-comments",
"link" => array(
array(
"name" => "Create",
"link" => "/add_discussion.php", // If you don't work at root level, please modify
"icon" => "fa fa-plus",
),
array(
"name" => "Browse",
"link" => "/discussions.php", // If you don't work at root level, please modify
"icon" => "fa fa-search",
),
)
),
array(
"name" => "Feeds",
"icon" => "fa fa-rss",
"link" => array(
array(
"name" => "Urls Tracker",
"link" => "/urltracker.php", // If you don't work at root level, please modify
"icon" => "fa fa-android",
),
)
),
array(
"name" => "Cuckoo",
"link" => "/cuckoo.php", // If you don't work at root level, please modify
"icon" => "fa fa-fire",
"access" => "admin",
),
),
"user_settings" => array(
"email_notifications" => array(
"display" => "Email Notifications",
"settings" => array(
"new_comment_on_discussion" => array(
"name" => "email_notification_on_discussion",
"display" => "Email notification on discussion activity",
"default" => False
),
"new_comment_on_sample" => array(
"name" => "email_notification_on_sample",
"display" => "Email notification on sample comment",
"default" => False
)
)
),
"third_party" => array(
"display" => "3rd party user settings",
"settings" => array(
"user_virustotal_key" => array(
"name" => "user_virustotal_key",
"display" => "My VirusTotal API key (if empty, global is used)",
"default" => ""
),
"user_hybrid_analysis_key" => array(
"name" => "user_hybrid_analysis_key",
"display" => "My Hybrid Analysis API key (if empty, global is used)",
"default" => ""
),
"user_anyrun_key" => array(
"name" => "user_anyrun_key",
"display" => "My Any.RUN API key (if empty, global is used)",
"default" => ""
)
)
)
),
"urls" => array(
"baseUrl" => "https://domain.tld/", // Base url of your website, TRAILING SLASH NEEDED
"storagePath" => "/data/malwaredb/storage/", // Samples storage full path (on disk), TRAILING SLASH NEEDED
"storageUrl" => "https://domain.tld/storage/" // (Optional, only for direct samples access) Samples public url, TRAILING SLASH NEEDED
),
"ui" => array(
"template" => "ampleadmin",
"colors" => "blue-dark",
"is_dark" => True,
"files_per_page" => 40,
"hex_max_length" => 65536, //64 kb *KEEP THAT VALUE LOW, OTHERWISE UI BECOMES UNRESPONSIVE*
),
"modules" => array(
"localstorage" => array(
"enabled" => True, // True/False, if should enable MIME type module
"class" => "LocalStorage", // Don't touch this, this is the name of the Module's class
"priority" => 10, // Don't touch this, already optimized
"cron" => True, // True/False if you want the module Cron routine to be triggered
),
"mime" => array(
"enabled" => True,
"class" => "Mime",
"priority" => 9, // MIME is used by other modules
"cron" => True,
),
"pedata" => array(
"enabled" => True,
"class" => "PEData",
"priority" => 10,
"cron" => True,
),
"officedata" => array(
"enabled" => True,
"class" => "OfficeData",
"priority" => 10,
"cron" => True,
),
"pdfdata" => array(
"enabled" => True,
"class" => "PDFData",
"priority" => 10,
"cron" => True,
),
"ssdeep" => array(
"enabled" => True,
"class" => "SSDEEP",
"priority" => 10,
"cron" => True,
),
"trid" => array(
"enabled" => True,
"class" => "TrID",
"priority" => 10,
"cron" => True,
),
"bin2img" => array(
"enabled" => True,
"class" => "Bin2Img",
"priority" => 10,
"cron" => True,
),
"cuckoo" => array(
"enabled" => True,
"class" => "Cuckoo",
"priority" => 10,
"api_base_url" => 'http://cuckoo.me:8080/', // Cuckoo API url, TRAILING SLASH NEEDED: Used to communicate with the Cuckoo machine
"web_base_url" => 'http://cuckoo.me:80/', // Cuckoo web url, TRAILING SLASH NEEDED: Used to open reports
"scan" => array( // Cuckoo parameters, not supported yet
//"package" => "", // uncomment to use
//"timeout" => "", // uncomment to use
//"priority" => 3, // 1 to 3, uncomment to use
//"options" => "", // uncomment to use
//"machine" => "", // uncomment to use
//"platform" => "", // uncomment to use
//"tags" => "mrf", // uncomment to use
//"custom" => "", // uncomment to use
//"owner" => "", // uncomment to use
//"memory" => False // uncomment to use
),
"scan_optional" => array(
//"options" => [ "option1", "option2" ], // uncomment to use, define options that can be sent to Cuckoo (a checkbox is shown on submission)
),
"never_upload" => False,
"cron" => True,
"score" => False, // The score is quite time consuming to obtain because we need to download the JSON report.
),
"virustotal" => array(
"enabled" => True,
"class" => "VirusTotal",
"priority" => 10,
"key" => 'your_api_key', // Replace with your VirusTotal API key
"never_upload" => False, // True/False, whether you want to block upload to 3rd party.
// If False, only a check is done, and manual upload is possible later.
"comment_uploaded" => array(
"enabled" => True, // If true, files uploaded (new analysis) will be commented upon completion
"comment" => "Sample received on MRF honeypot system, adlice.com"
),
"vendors_priority" => array( // List of vendors as seen in the VT API, the first one detecting will give its threat name to the sample
"Microsoft",
"Kaspersky",
"BitDefender",
"Malwarebytes"
),
"cron" => True,
),
"yed" => array(
"enabled" => False,
"class" => "Yed",
"priority" => 10,
"url" => 'https://yed.server.com/',
'key' => 'your_api_key',
"never_upload" => False,
"cron" => True,
),
"hybridanalysis" => array(
"enabled" => True,
"class" => "Hybrid",
"priority" => 10,
"url" => 'https://www.hybrid-analysis.com/',
'key' => 'your_api_key',
"never_upload" => False,
"cron" => True,
),
"anyrun" => array(
"enabled" => True,
"class" => "AnyRUN",
"priority" => 10,
"url" => 'https://api.any.run/',
"view_url" => 'https://app.any.run/',
'key' => 'your_api_key',
"never_upload" => False,
"cron" => True,
),
"urltracker" => array(
"enabled" => True,
"class" => "UrlTracker",
"priority" => 10,
"cron" => True,
),
),
// Warning: Cron isn't enabled by this framework.
// Setting enabled to true means YOU have registered /src/cron.php in the cron table
// and that VirusTotal/Cuckoo refreshes will be performed by it.
// This tells the uploader NOT to perform VirusTotal/Cuckoo refreshes when getting the samples to display.
// This drastically improves performance when you have many scans pending on the current page.
"cron" => array(
"enabled" => True,
"remove_old_samples" => array(
"enabled" => True,
"older_than_days_count" => 30
)
),
// Paths can be different on several machines, and have either redirections or restrictions.
// Default values are usually good, but can be tweaked for specific cases.
"path" => array (
"tmp" => "/tmp" // Temporary folder location, this must be in your authorized write locations
),
"options" => array(
// When public mode is enabled, APIs needed for sample page
// Are NOT checked for valid API Key.
// Instead, only a REFERER/ORIGIN basic check is performed.
// This allows the sample page to be browsed without any account
"public_mode" => False
),
"python" => array(
"PATH_ENV" => "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin ",
"exec" => "python3"
),
);
$GLOBALS["config"] = $config;
function IsModuleEnabled($module) {
return isset($GLOBALS["config"]["modules"][$module]) && $GLOBALS["config"]["modules"][$module]["enabled"];
}
/*
I will usually place the following in a bootstrap file or some type of environment
setup file (code that is run at the start of every page request), but they work
just as well in your config file if it's in php (some alternatives to php are xml or ini files).
*/
/*
Creating constants for heavily used paths makes things a lot easier.
ex. require_once(LIBRARY_PATH . "Paginator.php")
*/
//defined("LIBRARY_PATH")
// or define("LIBRARY_PATH", realpath(dirname(__FILE__) . '/library'));
//defined("TEMPLATES_PATH")
// or define("TEMPLATES_PATH", realpath(dirname(__FILE__) . '/templates'));
/*
Error reporting.
*/
ini_set("error_reporting", "true");
error_reporting(E_ALL|E_STRCT);
?>
<?php
/*
The important thing to realize is that the config file should be included in every
page of your project, or at least any page you want access to these settings.
This allows you to confidently use these settings throughout a project because
if something changes such as your database credentials, or a path to a specific resource,
you'll only need to update it here.
*/
$config = array(
"version" => "7.0",
"db" => array(
"storage" => array(
"dbname" => "mrf", // {{CHANGE THIS}} database name for samples storage
"username" => "your_mysql_user", // {{CHANGE THIS}} database user for samples storage
"password" => "your_mysql_password", // {{CHANGE THIS}} database user password for samples storage
"host" => "localhost" // {{CHANGE THIS}} database host for samples storage
),
"usercake" => array(
"dbname" => "mrf", // {{CHANGE THIS}} database name for users storage
"username" => "your_mysql_user", // {{CHANGE THIS}} database user for users storage
"password" => "your_mysql_password", // {{CHANGE THIS}} database user password for users storage
"host" => "localhost" // {{CHANGE THIS}} database host for users storage
)
),
"leftnav" => array(
array(
"name" => "Dashboard",
"link" => "/index.php",
"icon" => "fa fa-dashboard",
),
array(
"name" => "Upload",
"link" => "/upload.php",
"icon" => "fa fa-upload",
),
array(
"name" => "Search",
"link" => "/search.php",
"icon" => "fa fa-search",
),
array(
"name" => "Discussions",
"icon" => "fa fa-comments",
"link" => array(
array(
"name" => "Create",
"link" => "/add_discussion.php",
"icon" => "fa fa-plus",
),
array(
"name" => "Browse",
"link" => "/discussions.php",
"icon" => "fa fa-search",
),
)
),
array(
"name" => "Feeds",
"icon" => "fa fa-rss",
"link" => array(
array(
"name" => "Urls Tracker",
"link" => "/urltracker.php",
"icon" => "fa fa-android",
),
)
),
array(
"name" => "Cuckoo",
"link" => "/cuckoo.php",
"icon" => "fa fa-fire",
"access" => "admin",
),
),
"user_settings" => array(
"email_notifications" => array(
"display" => "Email Notifications",
"settings" => array(
"new_comment_on_discussion" => array(
"name" => "email_notification_on_discussion",
"display" => "Email notification on discussion activity",
"default" => False
),
"new_comment_on_sample" => array(
"name" => "email_notification_on_sample",
"display" => "Email notification on sample comment",
"default" => False
)
)
),
"third_party" => array(
"display" => "VirusTotal per user Settings",
"settings" => array(
"user_virustotal_key" => array(
"name" => "user_virustotal_key",
"display" => "My VirusTotal API key (if empty, global is used)",
"default" => ""
)
)
)
),
"urls" => array(
"baseUrl" => "https://domain.tld/", // {{CHANGE THIS}} Base url of your website, TRAILING SLASH NEEDED
"storagePath" => "/data/mrf/storage/", // {{CHANGE THIS}} Samples storage full path (on disk), TRAILING SLASH NEEDED
"storageUrl" => "https://domain.tld/storage/" // {{CHANGE THIS}} (Optional, only for direct samples access) Samples public url, TRAILING SLASH NEEDED
),
"ui" => array(
"template" => "ampleadmin",
"colors" => "blue-dark",
"is_dark" => True,
"files_per_page" => 40,
"hex_max_length" => 65536,
),
"modules" => array(
"localstorage" => array(
"enabled" => True,
"class" => "LocalStorage",
"priority" => 10,
"cron" => True,
),
"mime" => array(
"enabled" => True,
"class" => "Mime",
"priority" => 9,
"cron" => True,
),
"pedata" => array(
"enabled" => True,
"class" => "PEData",
"priority" => 10,
"cron" => True,
),
"officedata" => array(
"enabled" => True,
"class" => "OfficeData",
"priority" => 10,
"cron" => True,
),
"pdfdata" => array(
"enabled" => True,
"class" => "PDFData",
"priority" => 10,
"cron" => True,
),
"ssdeep" => array(
"enabled" => True,
"class" => "SSDEEP",
"priority" => 10,
"cron" => True,
),
"trid" => array(
"enabled" => True,
"class" => "TrID",
"priority" => 10,
"cron" => True,
),
"bin2img" => array(
"enabled" => True,
"class" => "Bin2Img",
"priority" => 10,
"cron" => True,
),
"cuckoo" => array(
"enabled" => False, // {{CHANGE THIS}} Optional, if you enable Cuckoo module, set True
"class" => "Cuckoo",
"priority" => 10,
"api_base_url" => 'http://cuckoo.me:8080/', // {{CHANGE THIS}} Cuckoo API url, TRAILING SLASH NEEDED: Used to communicate with the Cuckoo machine
"web_base_url" => 'http://cuckoo.me:80/', // {{CHANGE THIS}} Cuckoo web url, TRAILING SLASH NEEDED: Used to open reports
"scan" => array( // Cuckoo parameters, not supported yet
//"package" => "", // uncomment to use
//"timeout" => "", // uncomment to use
//"priority" => 3, // 1 to 3, uncomment to use
//"options" => "", // uncomment to use
//"machine" => "", // uncomment to use
//"platform" => "", // uncomment to use
//"tags" => "mrf", // uncomment to use
//"custom" => "", // uncomment to use
//"owner" => "", // uncomment to use
//"memory" => False // uncomment to use
),
"scan_optional" => array(
//"options" => [ "option1", "option2" ], // uncomment to use, define options that can be sent to Cuckoo (a checkbox is shown on submission)
),
"cron" => True,
"score" => False,
),
"virustotal" => array(
"enabled" => False, // {{CHANGE THIS}} Optional, if you enable VirusTotal module, set True
"class" => "VirusTotal",
"priority" => 10,
"key" => 'your_api_key', // {{CHANGE THIS}} Replace with your VirusTotal API key
"automatic_upload" => True, // {{CHANGE THIS}} True/False, whether you want to automatically upload unknown samples on submission.
// {{CHANGE THIS}} If False, only a check is done, and manual upload is possible later.
"comment_uploaded" => array(
"enabled" => True, // If true, files uploaded (new analysis) will be commented upon completion
"comment" => "Sample received on MRF honeypot system, adlice.com"
),
"vendors_priority" => array(
"Microsoft",
"Kaspersky",
"BitDefender",
"Malwarebytes"
),
"cron" => True,
),
"yed" => array(
"enabled" => False, // {{CHANGE THIS}} Optional, if you enable YaraEditor module, set True
"class" => "Yed",
"priority" => 10,
"url" => 'https://yed.server.com/', // {{CHANGE THIS}} Replace with your YaraEditorWeb server API url
'key' => 'your_api_key', // {{CHANGE THIS}} Replace with your YaraEditorWeb server API key
"automatic_upload" => False, // {{CHANGE THIS}} True/False, whether you want to automatically scan samples on submission.
"cron" => True,
),
"hybridanalysis" => array(
"enabled" => False, // {{CHANGE THIS}} Optional, if you enable Hybrid Analysis module, set True
"class" => "Hybrid",
"priority" => 10,
"url" => 'https://www.hybrid-analysis.com/', // {{CHANGE THIS}} Optional, Replace with your Hybrid Analysis server API url (if different)
'key' => 'your_api_key', // {{CHANGE THIS}} Replace with your Hybrid Analysis API key
"automatic_upload" => True, // {{CHANGE THIS}} True/False, whether you want to automatically upload samples on submission.
"cron" => True,
),
"urltracker" => array(
"enabled" => True,
"class" => "UrlTracker",
"priority" => 10,
"cron" => True,
),
),
// Warning: Cron isn't enabled by this framework.
// Setting enabled to true means YOU have registered /src/cron.php in the cron table
// and that VirusTotal/Cuckoo refreshes will be performed by it.
// This tells the uploader NOT to perform VirusTotal/Cuckoo refreshes when getting the samples to display.
// This drastically improves performance when you have many scans pending on the current page.
"cron" => array(
"enabled" => True,
"remove_old_samples" => array(
"enabled" => True,
"older_than_days_count" => 30
)
),
// Paths can be different on several machines, and have either redirections or restrictions.
// Default values are usually good, but can be tweaked for specific cases.
"path" => array (
"tmp" => "/tmp" // Temporary folder location, this must be in your authorized write locations
),
"options" => array(
// When public mode is enabled, APIs needed for sample page
// Are NOT checked for valid API Key.
// Instead, only a REFERER/ORIGIN basic check is performed.
// This allows the sample page to be browsed without any account
"public_mode" => False
),
);
$GLOBALS["config"] = $config;
function IsModuleEnabled($module) {
return isset($GLOBALS["config"]["modules"][$module]) && $GLOBALS["config"]["modules"][$module]["enabled"];
}
/*
I will usually place the following in a bootstrap file or some type of environment
setup file (code that is run at the start of every page request), but they work
just as well in your config file if it's in php (some alternatives to php are xml or ini files).
*/
/*
Creating constants for heavily used paths makes things a lot easier.
ex. require_once(LIBRARY_PATH . "Paginator.php")
*/
//defined("LIBRARY_PATH")
// or define("LIBRARY_PATH", realpath(dirname(__FILE__) . '/library'));
//defined("TEMPLATES_PATH")
// or define("TEMPLATES_PATH", realpath(dirname(__FILE__) . '/templates'));
/*
Error reporting.
*/
ini_set("error_reporting", "true");
error_reporting(E_ALL|E_STRCT);
?>