cisagov / CHIRP

A DFIR tool written in Python.
Creative Commons Zero v1.0 Universal

UnicodeEncodeError on Win2016 Std #39

Closed RITOps closed 3 years ago

RITOps commented 3 years ago

🐛 Summary

Getting errors when executing scan v.1.06 on Win2016 Std. Scan appears to be frozen in place. Please see output below.

To reproduce

  1. Extract zip
  2. Browse to chirp.exe
  3. Double click chirp.exe

Expected behavior

Run all scans to completion

Any helpful log output or screenshots

10:36:43 NETWORK  Read 128 records, found 0 IoC hits.                                                        scan.py:56
10:36:44 REGISTRY Reading HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot                 scan.py:65
         REGISTRY Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot does not exist. registry.py:93
         REGISTRY Reading HKEY_LOCAL_MACHINE\Software\Microsoft\CTF                                          scan.py:65
         REGISTRY Reading HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution scan.py:65
                  Options\
         REGISTRY Found 0 hit(s) for Sibot - Registry indicator.                                             scan.py:47
         REGISTRY Found 0 hit(s) for Teardrop - Registry Activity indicator.                                 scan.py:47
         REGISTRY Found 0 hit(s) for IFEO Persistence indicator.                                             scan.py:47
         YARA     Enumerating the entire filesystem due to ['simpleseesharp : Webshell Unclassified',        run.py:161
                  'reGeorgTunnel : Webshell Commodity', 'sportsball : Webshell', 'Detection for the use of
                  procdump to dump LSASS process memory.', 'CISA Solar Fire', 'CISA Teardrop', 'CrowdStrike
                  Rempack', 'CrowdStrike Sunspot', 'FireEye Cosmic Gale', 'FireEye Sunburst']... this is
                  going to take a while.
10:36:44 EVENTS   Reading Windows Powershell event logs.                                                     scan.py:69
10:36:44 EVENTS   Reading Security event logs.                                                               scan.py:69
10:37:22 EVENTS   Reading KernelMode event logs.                                                             scan.py:69
         EVENTS   Reading Application event logs.                                                            scan.py:69
10:39:09 YARA     Beginning processing.                                                                      run.py:109
10:51:40 YARA     We're still working on scanning files. 50000 processed.                                    run.py:111
10:59:54 ERROR   multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 122, in _run
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 125, in worker
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 48, in mapstar
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 132, in _run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 2045, in error
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1471, in error
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1585, in _log
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1595, in handle
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 1657, in callHandlers
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\logging\__init__.py", line 950, in handle
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\logging.py", line 153, in emit
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1506, in print
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 776, in __exit__
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 735, in _exit_buffer
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\rich\console.py", line 1695, in _check_buffer
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 41, in write
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 162, in write
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 187, in write_and_convert
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\colorama\ansitowin32.py", line 195, in write_plain_text
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed
*** You may need to add PYTHONIOENCODING=utf-8 to your environment ***
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp.py", line 17, in <module>
    run.run()
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 20, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 30, in run_plugins
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\asyncio\base_events.py", line 616, in run_until_complete
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\run.py", line 44, in _run_coroutines
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\chirp\plugins\yara\run.py", line 178, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 448, in <genexpr>
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~2\multiprocessing\pool.py", line 868, in next
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed

DeemOnSecurity commented 3 years ago

Interesting. We grab the DNS records with ipconfig /displaydns, does this properly return when you run from the terminal? That unicode value is this character: ◌ (U+D8D0), does this appear in the DNS record?

RITOps commented 3 years ago

The ipconfig /displaydns command runs properly on the servers. I performed the following command "ipconfig /displaydns > dns.txt". In the output file, I found a few entries that contained the "y" with two dots character. Please see screenshot below.

[Screenshot: DNS_error]

DeemOnSecurity commented 3 years ago

Ah, ok, that gives some pointers. Thank you. I will need to figure out how to get those properly translated in Python and hopefully resolve this issue.

RITOps commented 3 years ago

Please note that the screenshot was from one of our Win2012R2 servers. I just reviewed the dns output from one of our Win2016 servers and I wasn't able to find similar characters. They were all standard alphabet, dash (-), period (.), parenthesis (), and numeric (0-9) characters.

DeemOnSecurity commented 3 years ago

I'm rearranging the process to hopefully resolve most of the issues here.

We currently:

  1. Run the command and capture the output
  2. Translate the data from bytes to utf8 strings <<< Where it's failing for you
  3. Check if it matches values and return matches

Revising it now to translate to utf8 on the return, so if there is some output that is not being processed properly it will not kill the entire module.

DeemOnSecurity commented 3 years ago

The v1.0.7 prerelease should hopefully solve this bug. Please try it out and let me know if you get the same error.

RITOps commented 3 years ago

Getting same error on Windows2016. Ran on 2 Win2012R2 servers and completed successfully.

DeemOnSecurity commented 3 years ago

Ah, it seems the error is in the logging of the Unicode error in the yara process. I'm compiling a new prerelease now for your testing.

DeemOnSecurity commented 3 years ago

Prerelease can be found here

RITOps commented 3 years ago

14:14:38 ERROR   multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\yara\run.py", line 122, in _run
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\multiprocessing\pool.py", line 125, in worker
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\multiprocessing\pool.py", line 48, in mapstar
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\yara\run.py", line 132, in _run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\logging\__init__.py", line 2049, in error
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\logging\__init__.py", line 1475, in error
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\logging\__init__.py", line 1589, in _log
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\logging\__init__.py", line 1599, in handle
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\logging\__init__.py", line 1661, in callHandlers
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\logging\__init__.py", line 954, in handle
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\rich\logging.py", line 153, in emit
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\rich\console.py", line 1506, in print
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\rich\console.py", line 776, in __exit__
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\rich\console.py", line 735, in _exit_buffer
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\rich\console.py", line 1695, in _check_buffer
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\colorama\ansitowin32.py", line 41, in write
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\colorama\ansitowin32.py", line 162, in write
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\colorama\ansitowin32.py", line 187, in write_and_convert
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\colorama\ansitowin32.py", line 195, in write_plain_text
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed
*** You may need to add PYTHONIOENCODING=utf-8 to your environment ***
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp.py", line 17, in <module>
    run.run()
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 20, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 30, in run_plugins
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\asyncio\base_events.py", line 616, in run_until_complete
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\run.py", line 44, in _run_coroutines
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\chirp\plugins\yara\run.py", line 178, in run
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\multiprocessing\pool.py", line 448, in <genexpr>
  File "C:\Users\<username>\AppData\Local\Temp\ONEFIL~3\multiprocessing\pool.py", line 868, in next
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 34: surrogates not allowed

DeemOnSecurity commented 3 years ago

You'll notice this error is coming from the _run function in chirp/plugins/yara/run.py and is triggering when we try to log which file is throwing the error. It appears that odd character is in a file name on your system. Hopefully the prerelease fixes this error.

RITOps commented 3 years ago

Getting similar error. Still in the _run function as you pointed out earlier. Win2016, latest pre-release

multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\chirp\plugins\yara\run.py", line 122, in _run
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\multiprocessing\pool.py", line 125, in worker
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\multiprocessing\pool.py", line 48, in mapstar
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\chirp\plugins\yara\run.py", line 132, in _run
TypeError: can only concatenate str (not "bytes") to str
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\chirp.py", line 17, in <module>
    run.run()
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\chirp\run.py", line 20, in run
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\chirp\run.py", line 30, in run_plugins
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\asyncio\base_events.py", line 616, in run_until_complete
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\chirp\run.py", line 44, in _run_coroutines
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\chirp\plugins\yara\run.py", line 178, in run
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\multiprocessing\pool.py", line 448, in <genexpr>
  File "C:\Users\<username>\AppData\Local\Temp\ON04D8~1\multiprocessing\pool.py", line 868, in next
TypeError: can only concatenate str (not "bytes") to str

DeemOnSecurity commented 3 years ago

This one was my fault 😅 . I didn't properly convert the strings to bytes when logging the output. Expect a new prerelease within a half hour. Hopefully we can get this resolved today. Thank you for your patience.

RITOps commented 3 years ago

Thank you for your help.

DeemOnSecurity commented 3 years ago

Prerelease is out. Let me know if it fixes your bug, I have one more potential fix in the bag, but definitely worst case.

RITOps commented 3 years ago

I ran this on a Win2016 server and got the following errors:

09:15:55 YARA     Beginning processing.                                                                      run.py:109
09:19:52 EVENTS   Reading Windows Powershell event logs.                                                     scan.py:69
09:20:49 EVENTS   Reading Security event logs.                                                               scan.py:69
09:28:21 YARA     We're still working on scanning files. 50000 processed.                                    run.py:111
09:34:06 YARA     We're still working on scanning files. 100000 processed.                                   run.py:111
multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\chirp\plugins\yara\run.py", line 122, in _run
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\multiprocessing\pool.py", line 125, in worker
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\multiprocessing\pool.py", line 48, in mapstar
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\chirp\plugins\yara\run.py", line 132, in _run
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\chirp.py", line 17, in <module>
    run.run()
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\chirp\run.py", line 20, in run
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\chirp\run.py", line 30, in run_plugins
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\asyncio\base_events.py", line 616, in run_until_complete
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\chirp\run.py", line 44, in _run_coroutines
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\chirp\plugins\yara\run.py", line 178, in run
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\multiprocessing\pool.py", line 448, in <genexpr>
  File "C:\Users\<username>\AppData\Local\Temp\ON727C~1\multiprocessing\pool.py", line 868, in next
UnicodeEncodeError: 'utf-8' codec can't encode character '\ud8d0' in position 33: surrogates not allowed

DeemOnSecurity commented 3 years ago

Last iteration of this fix, I promise 🤞. If this doesn't work I will drop the file for now so you can at least finish your run and try to address this later. New pre-release here.

RITOps commented 3 years ago

Getting an error and quits abruptly. Had to use phone to video record to catch it.

CHIRP: error: the following arguments are required: -a/--activity

Should I run this from PowerShell and manually add the arguments?

DeemOnSecurity commented 3 years ago

Ah, shoot I didn't account for the double-click run. Yes, you have to specify the activity now, try .\chirp.exe -a AA21-008A

RITOps commented 3 years ago

I now get the same error, but the CMD window remains.

DeemOnSecurity commented 3 years ago

The same error as in the unicode error?

RITOps commented 3 years ago

Sorry, no. The same use argument -a/--activity error.

usage: CHIRP [-h] -a ACTIVITY [-o OUTPUT] [-p [PLUGINS [PLUGINS ...]]] [-t [TARGETS [TARGETS ...]]] [--non-interactive] [--silent] [-v]
CHIRP: error: the following arguments are required: -a/--activity

DeemOnSecurity commented 3 years ago

That is when running with the argument -a AA21-008A? That might be a bug in our compilation

RITOps commented 3 years ago

Here are the PS commands:

PS C:\kworking> cd .\chirp1.07.4_pre\
PS C:\kworking\chirp1.07.4_pre> dir

    Directory: C:\kworking\chirp1.07.4_pre

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/15/2021  11:07 AM                chirp
d-----        4/15/2021  11:07 AM                indicators
------        4/15/2021   2:56 PM       35694143 chirp.exe
------        4/15/2021   2:51 PM           1054 chirp.py
------        4/15/2021   2:51 PM           6671 LICENSE
------        4/15/2021   2:51 PM           7516 README.md
------        4/15/2021   2:51 PM           2432 setup.py

PS C:\kworking\chirp1.07.4_pre> .\chirp.exe -a AA21-008A
PS C:\kworking\chirp1.07.4_pre>

DeemOnSecurity commented 3 years ago

Standby while I ensure our compilation is executing properly -- allowing switches

DeemOnSecurity commented 3 years ago

This should squash the bug. You should be able to double click the executable and enter the activity number through the spawned terminal.

RITOps commented 3 years ago

Yes, the scan starts up now, and it pauses for input of activity. Per your previous message, I used the AA21-008A parameter. Will update once the scan completes, or if any issues come up. Thanks for looking into this!

DeemOnSecurity commented 3 years ago

Pinging before I call it a day to see if this issue is resolved so I can release v1.0.7 :)

RITOps commented 3 years ago

Most 2016 servers are running it. A few completed without further issue. Can you please confirm the behavior? Is the comparison happening for the DNS records, or is it simply skipping it?

DeemOnSecurity commented 3 years ago

The comparison is still happening.

The root of the issue is that the library we were using to gather the output of ipconfig /displaydns returned byte data, which we then translated to utf-8 encoded strings to check against our utf-8 encoded strings. This caused issues if the library was returning data that could not be utf-8 encoded, so instead we now turn our encoded strings to byte data for comparison.

Comparison still happening, just decoding our stuff rather than encoding yours.

Additionally, any unicode errors will still be logged so you should see if there is an error that we actually can't handle.
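
The bytes-versus-str problem described in this comment and in the three-step process earlier in the thread, together with the second failure mode discussed above (logging a filename that holds a lone surrogate, which raised again inside the except handler), as an added Python example that is not CHIRP's own code. The `ipconfig /displaydns` output, the indicator names and the filename are constructed, and the `path.encode` call in `scan_file` only stands in for the real scan step.

```python
import logging

# Constructed stand-in for `ipconfig /displaydns` output: the second record
# holds a 0xFF byte, which is never valid UTF-8, so strict decoding fails.
SAMPLE_DISPLAYDNS = (
    b"    Record Name . . . . . : evil.example.test\r\n"
    b"    Record Name . . . . . : caf\xff.example.test\r\n"
    b"    Record Name . . . . . : ok.example.test\r\n"
)

# Constructed indicator names; not CHIRP's real indicator set.
INDICATORS = ["evil.example.test", "ok.example.test"]


def match_by_decoding(raw: bytes, indicators):
    """Original approach: decode the whole command output to str, then look
    for each indicator. One undecodable byte raises UnicodeDecodeError and
    aborts the entire check, which is how the module was dying."""
    text = raw.decode("utf-8")
    return [ioc for ioc in indicators if ioc in text]


def match_by_encoding(raw: bytes, indicators):
    """Fixed approach: keep the command output as bytes and encode each
    indicator instead. Records that are not valid UTF-8 simply never match;
    they cannot crash the comparison."""
    return [ioc for ioc in indicators if ioc.encode("utf-8") in raw]


def decoding_aborts(raw: bytes, indicators) -> bool:
    """True if the decode-first strategy raises on this output."""
    try:
        match_by_decoding(raw, indicators)
    except UnicodeDecodeError:
        return True
    return False


def safe_path_repr(path: str) -> str:
    """Render a filename for logging even when it contains a lone surrogate
    such as U+D8D0. 'backslashreplace' emits the escape text '\\ud8d0'
    instead of raising. Note that 'surrogateescape' would NOT help here:
    it only covers U+DC80..U+DCFF, and D8D0 lies outside that range."""
    return path.encode("utf-8", "backslashreplace").decode("ascii")


def scan_file(path: str) -> str:
    """Simulates the worker: the scan step rejects the path, and the except
    handler logs which file failed. Because the log message is sanitised
    first, the handler itself cannot raise a second UnicodeEncodeError."""
    log = logging.getLogger(__name__)
    try:
        path.encode("utf-8")  # stands in for the scan step that rejects the path
    except UnicodeEncodeError:
        log.error("Could not scan %s (lone surrogate in name)", safe_path_repr(path))
        return "logged"
    return "ok"


if __name__ == "__main__":
    print("decode-first aborts:", decoding_aborts(SAMPLE_DISPLAYDNS, INDICATORS))
    print("bytes comparison hits:", match_by_encoding(SAMPLE_DISPLAYDNS, INDICATORS))
    print("scan of bad name:", scan_file("C:\\Temp\\bad\ud8d0.txt"))
```

The bytes comparison still finds both constructed indicators despite the bad record, and the sanitised log line is what lets the worker report the offending file instead of crashing the pool.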

RITOps commented 3 years ago

Thank you for the clarification. Initial systems have completed the scans. I think this case can be closed. Thanks again for your support.

DeemOnSecurity commented 3 years ago

No problemo! If you want to dive into the code, the relevant function for the yara error is here.