Locate your MySQL credentials. You can get them with the following command.
```shell
sudo cat /etc/mysql/debian.cnf
```
Edit your configuration file (under /your_root/src/config.php), as explained below.
From the Installation steps, fill in the following information:
- The database name in sections “db/storage” and “db/usercake”.
- The database credentials (see above) in sections “db/storage” and “db/usercake”.
- The storage path in section “urls/storagePath”.
- The public URL in section “urls/baseUrl”, with the trailing slash the template requires. Examples: “http://localhost” (locally), “https://my.mrf.example.com/”.
Then, change the config file according to your needs (see below).
Modules
Most modules are not documented, and changing their configuration is not advised. Only a few can be tweaked:
Cuckoo
- Enable the module with section “cuckoo/enabled” = True
- Put your cuckoo API url in section “cuckoo/api_base_url” (see documentation for Cuckoo)
- Put your cuckoo WEB base url in section “cuckoo/web_base_url”
- Don’t forget to re-run the installation script if needed after changing this
VirusTotal
- Enable the module with section “virustotal/enabled” = True
- Put your VirusTotal API key in section “virustotal/key”
- Change automatic upload = True/False in section “virustotal/automatic_upload”. When enabled, the upload option is checked by default for every submitted sample.
- Change automatic comment = True/False in section “virustotal/comment_uploaded/enabled”. When enabled, all uploaded samples will be commented on VirusTotal with the comment you define.
- Change automatic comment content in section “virustotal/comment_uploaded/comment”.
- Don’t forget to re-run the installation script if needed after changing this
YaraEditor (YED)
- Enable the module with section “yed/enabled” = True
- Put your YaraEditor API url in section “yed/url” (see documentation for YaraEditor)
- Put your YaraEditor API key in section “yed/key”
- Change automatic upload = True/False in section “yed/automatic_upload”. When enabled, the upload option is checked by default for every submitted sample.
- Don’t forget to re-run the installation script if needed after changing this
Hybrid Analysis
- Enable the module with section “hybridanalysis/enabled” = True
- Put your Hybrid Analysis API url in section “hybridanalysis/url” (see documentation for Hybrid Analysis)
- Put your Hybrid Analysis API key in section “hybridanalysis/key”
- Change automatic upload = True/False in section “hybridanalysis/automatic_upload”. When enabled, the upload option is checked by default for every submitted sample.
- Don’t forget to re-run the installation script if needed after changing this
Please find below a configuration file template with pre-configured options.
Don’t hesitate to use it as a starting point.
```php
<?php
/*
The important thing to realize is that the config file should be included in every
page of your project, or at least any page you want access to these settings.
This allows you to confidently use these settings throughout a project because
if something changes such as your database credentials, or a path to a specific resource,
you'll only need to update it here.
*/
$config = array(
    "version" => "6.2",
    "db" => array(
        "storage" => array(
            "dbname" => "mrf", // {{CHANGE THIS}} database name for samples storage
            "username" => "your_mysql_user", // {{CHANGE THIS}} database user for samples storage
            "password" => "your_mysql_password", // {{CHANGE THIS}} database user password for samples storage
            "host" => "localhost" // {{CHANGE THIS}} database host for samples storage
        ),
        "usercake" => array(
            "dbname" => "mrf", // {{CHANGE THIS}} database name for users storage
            "username" => "your_mysql_user", // {{CHANGE THIS}} database user for users storage
            "password" => "your_mysql_password", // {{CHANGE THIS}} database user password for users storage
            "host" => "localhost" // {{CHANGE THIS}} database host for users storage
        )
    ),
    "leftnav" => array(
        array(
            "name" => "Dashboard",
            "link" => "/index.php",
            "icon" => "fa fa-dashboard",
        ),
        array(
            "name" => "Upload",
            "link" => "/upload.php",
            "icon" => "fa fa-upload",
        ),
        array(
            "name" => "Search",
            "link" => "/search.php",
            "icon" => "fa fa-search",
        ),
        array(
            "name" => "Discussions",
            "icon" => "fa fa-comments",
            "link" => array(
                array(
                    "name" => "Create",
                    "link" => "/add_discussion.php",
                    "icon" => "fa fa-plus",
                ),
                array(
                    "name" => "Browse",
                    "link" => "/discussions.php",
                    "icon" => "fa fa-search",
                ),
            )
        ),
        array(
            "name" => "Feeds",
            "icon" => "fa fa-rss",
            "link" => array(
                array(
                    "name" => "Urls Tracker",
                    "link" => "/urltracker.php",
                    "icon" => "fa fa-android",
                ),
            )
        ),
        array(
            "name" => "Cuckoo",
            "link" => "/cuckoo.php",
            "icon" => "fa fa-fire",
            "access" => "admin",
        ),
    ),
    "user_settings" => array(
        "email_notifications" => array(
            "display" => "Email Notifications",
            "settings" => array(
                "new_comment_on_discussion" => array(
                    "name" => "email_notification_on_discussion",
                    "display" => "Email notification on discussion activity",
                    "default" => False
                ),
                "new_comment_on_sample" => array(
                    "name" => "email_notification_on_sample",
                    "display" => "Email notification on sample comment",
                    "default" => False
                )
            )
        ),
        "third_party" => array(
            "display" => "VirusTotal per user Settings",
            "settings" => array(
                "user_virustotal_key" => array(
                    "name" => "user_virustotal_key",
                    "display" => "My VirusTotal API key (if empty, global is used)",
                    "default" => ""
                )
            )
        )
    ),
    "urls" => array(
        "baseUrl" => "https://domain.tld/", // {{CHANGE THIS}} Base url of your website, TRAILING SLASH NEEDED
        "storagePath" => "/data/mrf/storage/", // {{CHANGE THIS}} Samples storage full path (on disk), TRAILING SLASH NEEDED
        "storageUrl" => "https://domain.tld/storage/" // {{CHANGE THIS}} (Optional, only for direct samples access) Samples public url, TRAILING SLASH NEEDED
    ),
    "ui" => array(
        "template" => "ampleadmin",
        "colors" => "blue-dark",
        "is_dark" => True,
        "files_per_page" => 40,
        "hex_max_length" => 65536,
    ),
    "modules" => array(
        "localstorage" => array(
            "enabled" => True,
            "class" => "LocalStorage",
            "priority" => 10,
            "cron" => True,
        ),
        "mime" => array(
            "enabled" => True,
            "class" => "Mime",
            "priority" => 9,
            "cron" => True,
        ),
        "pedata" => array(
            "enabled" => True,
            "class" => "PEData",
            "priority" => 10,
            "cron" => True,
        ),
        "officedata" => array(
            "enabled" => True,
            "class" => "OfficeData",
            "priority" => 10,
            "cron" => True,
        ),
        "pdfdata" => array(
            "enabled" => True,
            "class" => "PDFData",
            "priority" => 10,
            "cron" => True,
        ),
        "ssdeep" => array(
            "enabled" => True,
            "class" => "SSDEEP",
            "priority" => 10,
            "cron" => True,
        ),
        "trid" => array(
            "enabled" => True,
            "class" => "TrID",
            "priority" => 10,
            "cron" => True,
        ),
        "bin2img" => array(
            "enabled" => True,
            "class" => "Bin2Img",
            "priority" => 10,
            "cron" => True,
        ),
        "cuckoo" => array(
            "enabled" => False, // {{CHANGE THIS}} Optional, if you enable Cuckoo module, set True
            "class" => "Cuckoo",
            "priority" => 10,
            "api_base_url" => 'http://cuckoo.me:8080/', // {{CHANGE THIS}} Cuckoo API url, TRAILING SLASH NEEDED: Used to communicate with the Cuckoo machine
            "web_base_url" => 'http://cuckoo.me:80/', // {{CHANGE THIS}} Cuckoo web url, TRAILING SLASH NEEDED: Used to open reports
            "scan" => array( // Cuckoo parameters, not supported yet
                //"package" => "", // uncomment to use
                //"timeout" => "", // uncomment to use
                //"priority" => 3, // 1 to 3, uncomment to use
                //"options" => "", // uncomment to use
                //"machine" => "", // uncomment to use
                //"platform" => "", // uncomment to use
                //"tags" => "mrf", // uncomment to use
                //"custom" => "", // uncomment to use
                //"owner" => "", // uncomment to use
                //"memory" => False // uncomment to use
            ),
            "scan_optional" => array(
                //"options" => [ "option1", "option2" ], // uncomment to use, define options that can be sent to Cuckoo (a checkbox is shown on submission)
            ),
            "cron" => True,
            "score" => False,
        ),
        "virustotal" => array(
            "enabled" => False, // {{CHANGE THIS}} Optional, if you enable VirusTotal module, set True
            "class" => "VirusTotal",
            "priority" => 10,
            "key" => 'your_api_key', // {{CHANGE THIS}} Replace with your VirusTotal API key
            "automatic_upload" => True, // {{CHANGE THIS}} True/False, whether you want to automatically upload unknown samples on submission.
                                        // {{CHANGE THIS}} If False, only a check is done, and manual upload is possible later.
            "comment_uploaded" => array(
                "enabled" => True, // If true, files uploaded (new analysis) will be commented upon completion
                "comment" => "Sample received on MRF honeypot system, adlice.com"
            ),
            "vendors_priority" => array(
                "Microsoft",
                "Kaspersky",
                "BitDefender",
                "Malwarebytes"
            ),
            "cron" => True,
        ),
        "yed" => array(
            "enabled" => False, // {{CHANGE THIS}} Optional, if you enable YaraEditor module, set True
            "class" => "Yed",
            "priority" => 10,
            "url" => 'https://yed.server.com/', // {{CHANGE THIS}} Replace with your YaraEditorWeb server API url
            'key' => 'your_api_key', // {{CHANGE THIS}} Replace with your YaraEditorWeb server API key
            "automatic_upload" => False, // {{CHANGE THIS}} True/False, whether you want to automatically scan samples on submission.
            "cron" => True,
        ),
        "hybridanalysis" => array(
            "enabled" => False, // {{CHANGE THIS}} Optional, if you enable Hybrid Analysis module, set True
            "class" => "Hybrid",
            "priority" => 10,
            "url" => 'https://www.hybrid-analysis.com/', // {{CHANGE THIS}} Optional, Replace with your Hybrid Analysis server API url (if different)
            'key' => 'your_api_key', // {{CHANGE THIS}} Replace with your Hybrid Analysis API key
            "automatic_upload" => True, // {{CHANGE THIS}} True/False, whether you want to automatically upload samples on submission.
            "cron" => True,
        ),
        "urltracker" => array(
            "enabled" => True,
            "class" => "UrlTracker",
            "priority" => 10,
            "cron" => True,
        ),
    ),
    // Warning: Cron isn't enabled by this framework.
    // Setting enabled to true means YOU have registered /src/cron.php in the cron table
    // and that VirusTotal/Cuckoo refreshes will be performed by it.
    // This tells the uploader NOT to perform VirusTotal/Cuckoo refreshes when getting the samples to display.
    // This drastically improves performance when you have many scans pending on the current page.
    "cron" => array(
        "enabled" => True,
        "remove_old_samples" => array(
            "enabled" => True,
            "older_than_days_count" => 30
        )
    ),
    // Paths can be different on several machines, and have either redirections or restrictions.
    // Default values are usually good, but can be tweaked for specific cases.
    "path" => array(
        "tmp" => "/tmp" // Temporary folder location, this must be in your authorized write locations
    ),
    "options" => array(
        // When public mode is enabled, APIs needed for sample page
        // Are NOT checked for valid API Key.
        // Instead, only a REFERER/ORIGIN basic check is performed.
        // This allows the sample page to be browsed without any account
        "public_mode" => False
    ),
);
$GLOBALS["config"] = $config;

// Returns true when the module exists in the config and its "enabled" flag is set.
function IsModuleEnabled($module) {
    return isset($GLOBALS["config"]["modules"][$module]) && $GLOBALS["config"]["modules"][$module]["enabled"];
}

/*
I will usually place the following in a bootstrap file or some type of environment
setup file (code that is run at the start of every page request), but they work
just as well in your config file if it's in php (some alternatives to php are xml or ini files).
*/
/*
Creating constants for heavily used paths makes things a lot easier.
ex. require_once(LIBRARY_PATH . "Paginator.php")
*/
//defined("LIBRARY_PATH")
//    or define("LIBRARY_PATH", realpath(dirname(__FILE__) . '/library'));
//defined("TEMPLATES_PATH")
//    or define("TEMPLATES_PATH", realpath(dirname(__FILE__) . '/templates'));

/*
Error reporting.
*/
ini_set("error_reporting", "true");
error_reporting(E_ALL|E_STRICT); // E_STRICT: the original "E_STRCT" is an undefined constant and fails on PHP 8
?>
```
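Because the template relies on the operator to replace every “{{CHANGE THIS}}” value by hand, a simple check before deployment catches the usual mistakes: a placeholder left in place, a URL without the required trailing slash, a third-party module enabled with an empty key, the web application running on the MySQL maintenance account found in /etc/mysql/debian.cnf (the debian-sys-maint account, which has far more privileges than a web application needs), or “public_mode” left enabled so the sample page APIs only perform the Referer/Origin check described in the template comment. The script below is an added example and is not part of MRF or its documentation; the function name mrf_config_lint and the constructed sample array are this example's own, and the keys and placeholder strings it looks for are those of the template above.

```php
<?php
// Added example, not MRF code: lint a $config array shaped like the MRF config.php template.
// Returns a list of human-readable findings; an empty list means no issue was found.

/**
 * @param array $config  the $config array from config.php
 * @return string[]      findings, one per problem
 */
function mrf_config_lint(array $config): array
{
    $findings = [];

    // 1. Placeholder strings from the template that must be replaced.
    //    Sub-arrays with "enabled" => False (disabled modules) are skipped,
    //    so an unused Cuckoo or YED block does not produce noise.
    $placeholders = ['your_mysql_user', 'your_mysql_password', 'your_api_key',
                     'domain.tld', 'cuckoo.me', 'yed.server.com'];
    $walk = function ($node, string $path) use (&$walk, &$findings, $placeholders) {
        if (is_array($node)) {
            if (array_key_exists('enabled', $node) && !$node['enabled']) {
                return; // disabled module: its placeholders are irrelevant
            }
            foreach ($node as $k => $v) {
                $walk($v, $path === '' ? (string) $k : "$path/$k");
            }
        } elseif (is_string($node)) {
            foreach ($placeholders as $p) {
                if (strpos($node, $p) !== false) {
                    $findings[] = "placeholder '$p' still present in $path";
                }
            }
        }
    };
    $walk($config, '');

    // 2. Values the template marks "TRAILING SLASH NEEDED".
    $slashKeys = [
        'urls/baseUrl'     => $config['urls']['baseUrl'] ?? null,
        'urls/storagePath' => $config['urls']['storagePath'] ?? null,
        'urls/storageUrl'  => $config['urls']['storageUrl'] ?? null,
    ];
    if (!empty($config['modules']['cuckoo']['enabled'])) {
        $slashKeys['modules/cuckoo/api_base_url'] = $config['modules']['cuckoo']['api_base_url'] ?? null;
        $slashKeys['modules/cuckoo/web_base_url'] = $config['modules']['cuckoo']['web_base_url'] ?? null;
    }
    foreach ($slashKeys as $path => $value) {
        if (!is_string($value) || $value === '') {
            $findings[] = "$path is missing";
        } elseif (substr($value, -1) !== '/') {
            $findings[] = "$path must end with a trailing slash";
        }
    }

    // 3. An enabled third-party module with an empty API key cannot work.
    foreach (['virustotal', 'yed', 'hybridanalysis'] as $mod) {
        $m = $config['modules'][$mod] ?? [];
        if (!empty($m['enabled']) && (($m['key'] ?? '') === '')) {
            $findings[] = "modules/$mod is enabled but its API key is empty";
        }
    }

    // 4. Least privilege: /etc/mysql/debian.cnf holds the debian-sys-maint
    //    maintenance account; the web application should have its own MySQL user.
    foreach (['storage', 'usercake'] as $db) {
        if (($config['db'][$db]['username'] ?? '') === 'debian-sys-maint') {
            $findings[] = "db/$db uses the debian-sys-maint maintenance account; create a dedicated MySQL user";
        }
    }

    // 5. public_mode removes the API-key check on the sample page APIs (template comment).
    if (!empty($config['options']['public_mode'])) {
        $findings[] = 'options/public_mode is True: sample page APIs only perform a Referer/Origin check';
    }

    return $findings;
}

// Constructed sample (not a real deployment): a half-edited template.
$sample = [
    'db' => [
        'storage'  => ['dbname' => 'mrf', 'username' => 'debian-sys-maint', 'password' => 'secret', 'host' => 'localhost'],
        'usercake' => ['dbname' => 'mrf', 'username' => 'mrf_app', 'password' => 'secret', 'host' => 'localhost'],
    ],
    'urls' => ['baseUrl' => 'http://localhost', 'storagePath' => '/data/mrf/storage/', 'storageUrl' => 'https://domain.tld/storage/'],
    'modules' => [
        'cuckoo'         => ['enabled' => false, 'api_base_url' => 'http://cuckoo.me:8080/', 'web_base_url' => 'http://cuckoo.me:80/'],
        'virustotal'     => ['enabled' => true, 'key' => 'your_api_key', 'automatic_upload' => true],
        'yed'            => ['enabled' => false, 'key' => 'your_api_key'],
        'hybridanalysis' => ['enabled' => false, 'key' => 'your_api_key'],
    ],
    'options' => ['public_mode' => true],
];
foreach (mrf_config_lint($sample) as $finding) {
    echo "- $finding\n";
}
```

To check a real installation, replace the constructed `$sample` with `require '/your_root/src/config.php';` and pass the resulting `$config`; the script reads the array only and never connects to the database or to any of the configured services.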