Topic: How to integrate sandboxing (Cuckoo sandboxing) in OPNsense? (Read 1826 times)
nitish.patel
How to integrate sandboxing (Cuckoo sandboxing) in OPNsense?
« on: July 31, 2023, 10:05:38 am »
I was trying to integrate Cuckoo into OPNsense, as we don't have sandboxing in OPNsense, so I want to integrate it on the firewall. I have searched many articles on how to do it, but no luck. Guide me regarding my issue.
Patrick M. Hausen
Re: How to integrate sandboxing (Cuckoo sandboxing) in OPNsense?
« Reply #1 on: July 31, 2023, 10:34:44 am »
This project?
https://cuckoosandbox.org/blog
- seems to be dead since 2019
- does not support FreeBSD
So this looks like a major software development and porting effort. Nobody can guide you - the software is in no way able to run on OPNsense, currently.
What exactly do you want to achieve? There's ClamAV, Suricata and Zenarmor for malware and threat detection and mitigation.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
nitish.patel
Re: How to integrate sandboxing (Cuckoo sandboxing) in OPNsense?
« Reply #2 on: July 31, 2023, 11:05:00 am »
I don't want to add Cuckoo particularly. Is there any other way to do so?
Let me know if any other sandboxing can be implemented on OPNsense, or let me know if any feature is already available on OPNsense parallel to sandboxing?
Patrick M. Hausen
Re: How to integrate sandboxing (Cuckoo sandboxing) in OPNsense?
« Reply #3 on: July 31, 2023, 11:20:09 am »
What exactly do you mean by sandboxing? Malware mitigation? As I said there is ClamAV (antivirus) and Suricata and Zenarmor (IDS/IPS).
nitish.patel
Re: How to integrate sandboxing (Cuckoo sandboxing) in OPNsense?
« Reply #4 on: July 31, 2023, 12:14:04 pm »
By sandboxing I mean "to prevent advanced persistent threats". I want to implement a concept like Cuckoo in OPNsense, or similar to Cuckoo sandboxing.
Patrick M. Hausen
Re: How to integrate sandboxing (Cuckoo sandboxing) in OPNsense?
« Reply #5 on: July 31, 2023, 12:53:21 pm »
How do you think a concept like sandboxed malware analysis can be employed in the context of a network perimeter device, i.e. a firewall?
nitish.patel
Re: How to integrate sandboxing (Cuckoo sandboxing) in OPNsense?
« Reply #6 on: August 01, 2023, 06:58:43 am »
Gateway solutions like Fortinet and Sophos (they call it Sandstorm) provide sandboxing for forensics along with gateway antivirus and IPS/IDS solutions. I was looking for something like that and was wondering if Cuckoo can be used with some customization for the purpose of gateway sandboxing.
Patrick M. Hausen
Re: How to integrate sandboxing (Cuckoo sandboxing) in OPNsense?
« Reply #7 on: August 01, 2023, 08:57:37 am »
Please explain to me what exactly is gateway sandboxing?
nitish.patel
Re: How to integrate sandboxing (Cuckoo sandboxing) in OPNsense?
« Reply #8 on: August 03, 2023, 08:06:06 am »
Sandboxing is a technique in which you create an isolated test environment, a “sandbox,” in which to execute or “detonate” a suspicious file or URL that is attached to an email or otherwise reaches your network and then observe what happens. If the file or URL displays malicious behavior, then you’ve discovered a new threat. The sandbox must be a secure, virtual environment that accurately emulates the CPU of your production servers.
Sandboxing is particularly effective at defending against zero-day threats. Traditional inbound email filters scan emails for known malicious senders, URLs, and file types. Unfortunately, there are dozens of new (or “zero-day”) threats that appear every single day and are not yet discovered by email filters. Sandboxing, which is a key component of advanced threat protection, provides an added layer of protection in which any email that passes the email filter and still contains unknown URL links, file types, or suspicious senders can be tested before they reach your network or mail server.