cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Pb run cuckoo #1324

Closed SaxHornet closed 7 years ago

SaxHornet commented 7 years ago

Hello,

I've installed Cuckoo on my server (a Debian). My web install is OK (I can browse the Cuckoo GUI from my VM's browser), but Cuckoo is not analysing my submissions. My host IP and my VM's IP ping each other. I just don't understand this in the config files:

memory.conf: guest_profile = WinXPSP3x86 (mine is Win7; what do I have to put?)

virtualbox.conf: machines = [Win7], label =

Other info: my computer name (the Windows VM) is IE10Win7. My VM is a Windows 7. Virtualisation: VirtualBox.

My error when I run cuckoo is:

2017-03-08 16:13:38,498 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2017-03-08 16:14:53,372 [root] CRITICAL: CuckooCriticalError: Please update your configuration. Unable to shut 'IE10Win7' down or find the machine in its proper state: Timeout hit while for machine IE10Win7 to change status

Thanks for the help. Bye

doomedraven commented 7 years ago

memory.conf:

```ini
guest_profile = Win7SPXx86 # replace X with your SP
```

virtualbox.conf:

```ini
machines = Win7

[Win7]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = IE10Win7

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows
```

SaxHornet commented 7 years ago

Thanks. I've corrected it according to you, but still the same problem. Cuckoo runs for 1 min and says:

2017-03-08 16:47:01,025 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2017-03-08 16:48:15,784 [root] CRITICAL: CuckooCriticalError: Please update your configuration. Unable to shut 'IE10Win7' down or find the machine in its proper state: Timeout hit while for machine IE10Win7 to change status

I don't understand what's wrong. I haven't got the standard message: loaded 1 machine and waiting for analysis start

Thanks for your help.

doomedraven commented 7 years ago

In that VM IE10Win7, was the snapshot taken in running state?

SaxHornet commented 7 years ago

Yes. I've taken a snapshot of my VM.

SaxHornet commented 7 years ago

Should I pause the machine and take a snapshot of it?

SaxHornet commented 7 years ago

I've done it in pause mode, and afterwards I restarted my VM. And still the same message ... ;(

doomedraven commented 7 years ago

It should be in running state. Did you read the documentation?
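
The two things doomedraven keeps asking about in this thread (does `label` in virtualbox.conf match the name of a VM that VirtualBox actually knows, and is that VM at rest with a usable snapshot) can be checked before starting cuckoo. The script below is an added example written for this page; it is not code from the thread or from the Cuckoo project. It assumes only that Cuckoo's VirtualBox machinery reads `machines`, `label` and `snapshot` from virtualbox.conf and looks at the `VMState` key of `VBoxManage showvminfo <label> --machinereadable`. Whether a snapshot was taken while the VM was running cannot be read from that listing, so the script checks what can be read: the VM exists for the user running cuckoo, it is powered off (or saved/aborted), and the configured snapshot is one of its snapshots. The conf and the VBoxManage output are constructed inline (reusing the label IE10Win7 and snapshot name sandbox from the thread) so it runs offline.

```python
import configparser
from typing import Dict, List, Set

# VM states in which Cuckoo's VirtualBox machinery leaves a machine alone at
# startup. Any other state makes it issue a poweroff and wait up to
# timeouts.vm_state for the change; if that never completes you get the
# "Unable to shut '<label>' down ..." CuckooCriticalError seen in this thread.
IDLE_STATES = {"poweroff", "aborted", "saved"}


def parse_machinereadable(text: str) -> Dict[str, str]:
    """Turn the key="value" lines of `VBoxManage showvminfo --machinereadable`
    into a dict (quotes stripped, lines without '=' ignored)."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info


def snapshot_names(info: Dict[str, str]) -> Set[str]:
    """Every snapshot listed in showvminfo output: SnapshotName, SnapshotName-1, ..."""
    return {v for k, v in info.items() if k.startswith("SnapshotName")}


def parse_virtualbox_conf(text: str) -> List[dict]:
    """Read [virtualbox] machines = a,b,... and each machine's label/snapshot."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    ids = [m.strip() for m in cp.get("virtualbox", "machines", fallback="").split(",") if m.strip()]
    machines = []
    for mid in ids:
        if not cp.has_section(mid):
            machines.append({"id": mid, "label": None, "snapshot": None})
            continue
        machines.append({
            "id": mid,
            "label": cp.get(mid, "label", fallback="").strip(),
            "snapshot": cp.get(mid, "snapshot", fallback="").strip() or None,
        })
    return machines


def preflight(conf_text: str, vminfo_by_label: Dict[str, str]) -> List[str]:
    """Compare virtualbox.conf against showvminfo output for each label.
    vminfo_by_label maps a VM name to its raw --machinereadable text; a label
    missing from it means `VBoxManage list vms` did not show that VM for the
    user running cuckoo (VirtualBox registries are per user).
    Returns human-readable findings; an empty list means nothing obvious is wrong."""
    findings: List[str] = []
    for m in parse_virtualbox_conf(conf_text):
        mid, label = m["id"], m["label"]
        if label is None:
            findings.append("%s: listed in 'machines' but there is no [%s] section" % (mid, mid))
            continue
        if not label:
            findings.append("[%s]: 'label' is empty; it must be the VM name shown by 'VBoxManage list vms'" % mid)
            continue
        raw = vminfo_by_label.get(label)
        if raw is None:
            findings.append("[%s]: no VirtualBox VM named '%s' is registered for this user" % (mid, label))
            continue
        info = parse_machinereadable(raw)
        state = info.get("VMState", "unknown")
        if state not in IDLE_STATES:
            findings.append("%s: VMState is '%s'; power the VM off before starting cuckoo" % (label, state))
        snaps = snapshot_names(info)
        if not snaps:
            findings.append("%s: no snapshot at all; take one while the VM is running with agent.py started" % label)
        elif m["snapshot"] and m["snapshot"] not in snaps:
            findings.append("%s: snapshot '%s' not found, VM has %s" % (label, m["snapshot"], sorted(snaps)))
    return findings


# Constructed sample virtualbox.conf in the shape used in this thread.
SAMPLE_CONF = """
[virtualbox]
mode = headless
path = /usr/bin/VBoxManage
interface = vboxnet0
machines = cuckoo1

[cuckoo1]
label = IE10Win7
platform = windows
ip = 192.168.56.101
snapshot = sandbox
"""

# Constructed showvminfo output: the VM is still running and has no snapshot.
BROKEN_VMINFO = {"IE10Win7": 'name="IE10Win7"\nVMState="running"\n'}

# Constructed showvminfo output after a snapshot was taken and the VM powered off.
HEALTHY_VMINFO = {
    "IE10Win7": 'name="IE10Win7"\nVMState="poweroff"\nSnapshotName="sandbox"\nCurrentSnapshotName="sandbox"\n',
}

if __name__ == "__main__":
    for name, vminfo in (("broken", BROKEN_VMINFO), ("healthy", HEALTHY_VMINFO)):
        print(name, "->", preflight(SAMPLE_CONF, vminfo) or "OK")
```

On a real host, replace the constructed dict with the output of `VBoxManage showvminfo IE10Win7 --machinereadable`, run as the same user that starts cuckoo. A label that VBoxManage does not know, a VM left in `running` state, and a snapshot name that does not match are the three mismatches that turn into the startup error quoted above.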

SaxHornet commented 7 years ago

Yes I've read it. I've followed it.

And, this : http://digitalizedwarfare.com/2016/03/24/sandbox-stories-flight-of-the-great-cuckoo-bird/

SaxHornet commented 7 years ago

And I'm stuck. How can I help you understand my lab better, so we can resolve it?

doomedraven commented 7 years ago

Follow the official documentation, as that one references stuff which doesn't even exist in official Cuckoo.

SaxHornet commented 7 years ago

OK, that's what I'm going to do. So, I'm not on the current version. Could that be the reason for my problem?

jbremer commented 7 years ago

@Drx51 have your issue(s) been resolved by now?

jbremer commented 7 years ago

Closing for lack of further information. Feel free to reopen if you have new information.

zakariachatria commented 7 years ago

Hi @jbremer, I have the same problem:

2017-08-06 21:31:25,702 [root] CRITICAL: CuckooCriticalError: Please update your configuration. Unable to shut 'machine1' down or find the machine in its proper state: Timeout hit while for machine machine1 to change status

help please

karikalansaitechnology commented 7 years ago

2017-08-16 16:01:01,986 [root] CRITICAL: CuckooCriticalError: Please update your configuration. Unable to shut 'windows' down or find the machine in its proper state: Timeout hit while for machine windows to change status

I got the same error. Please help me to remedy this. Mail id: karikalan4692@gmail.com

doomedraven commented 7 years ago

Post configs, in which state the snapshot was taken, etc. etc. You have a lack of information if you want to get help.

karikalansaitechnology commented 7 years ago

cuckoo.conf:

```ini
[cuckoo]

# Enable or disable startup version check. When enabled, Cuckoo will connect
# to a remote location to verify whether the running version is the latest
# one available.
version_check = off

# If turned on, Cuckoo will delete the original file after its analysis
# has been completed.
delete_original = off

# If turned on, Cuckoo will delete the copy of the original file in the
# local binaries repository after the analysis has finished. (On *nix this
# will also invalidate the file called "binary" in each analysis directory,
# as this is a symlink.)
delete_bin_copy = off

# Specify the name of the machinery module to use, this module will
# define the interaction between Cuckoo and your virtualization software
# of choice.
machinery = virtualbox

# Enable creation of memory dump of the analysis machine before shutting
# down. Even if turned off, this functionality can also be enabled at
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = off

# When the timeout of an analysis is hit, the VM is just killed by default.
# For some long-running setups it might be interesting to terminate the
# monitored processes before killing the VM so that connections are closed.
terminate_processes = off

# Enable automatically re-schedule of "broken" tasks each startup.
# Each task found in status "processing" is re-queued for analysis.
reschedule = off

# Enable processing of results within the main cuckoo process.
# This is the default behavior but can be switched off for setups that
# require high stability and process the results in a separate task.
process_results = on

# Limit the amount of analysis jobs a Cuckoo process goes through.
# This can be used together with a watchdog to mitigate risk of memory leaks.
max_analysis_count = 0

# Limit the number of concurrently executing analysis machines.
# This may be useful on systems with limited resources.
# Set to 0 to disable any limits.
max_machines_count = 0

# Limit the amount of VMs that are allowed to start in parallel. Generally
# speaking starting the VMs is one of the more CPU intensive parts of the
# actual analysis. This option tries to avoid maxing out the CPU completely.
max_vmstartup_count = 10

# Minimum amount of free space (in MB) available before starting a new task.
# This tries to avoid failing an analysis because the reports can't be written
# due out-of-diskspace errors. Setting this value to 0 disables the check.
# (Note: this feature is currently not supported under Windows.)
freespace = 64

# Temporary directory containing the files uploaded through Cuckoo interfaces
# (api.py and Django web interface).
tmppath = /tmp

# Path to the unix socket for running root commands.
rooter = /tmp/cuckoo-rooter

[routing]
# Default network routing mode; "none", "internet", or "vpn_name".
# In none mode we don't do any special routing - the VM doesn't have any
# network access (this has been the default actually for quite a while).
# In internet mode by default all the VMs will be routed through the network
# interface configured below (the "dirty line").
# And in VPN mode by default the VMs will be routed through the VPN identified
# by the given name of the VPN (as per vpn.conf).
# Note that just like enabling VPN configuration setting this option to
# anything other than "none" requires one to run utils/rooter.py as root next
# to the Cuckoo instance (as it's required for setting up the routing).
route = none

# Network interface that allows a VM to connect to the entire internet, the
# "dirty line" so to say. Note that, just like with the VPNs, this will allow
# malicious traffic through your network. So think twice before enabling it.
# (For example, to route all VMs through eth0 by default: "internet = eth0").
internet = none

# Routing table name/id for "dirty line" interface. If "dirty line" is
# also default gateway in the system you can leave "main" value. Otherwise add
# new routing table by adding " " line to /etc/iproute2/rt_tables
# (e.g., "200 eth0"). ID and name must be unique across the system (refer to
# /etc/iproute2/rt_tables for existing names and IDs).
rt_table = main

# To route traffic through multiple network interfaces Cuckoo uses
# Policy Routing with separate routing table for each output interface
# (VPN or "dirty line"). If this option is enabled Cuckoo on start will try
# to automatically initialise routing tables by copying routing entries from
# main routing table to the new routing tables. Depending on your network/vpn
# configuration this might not be sufficient. In such case you would need to
# initialise routing tables manually. Note that enabling this option won't
# affect main routing table.
auto_rt = yes

[resultserver]
# The Result Server is used to receive in real time the behavioral logs
# produced by the analyzer.
# Specify the IP address of the host. The analysis machines should be able
# to contact the host through such address, so make sure it's valid.
# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
# resultserver_ip for all your virtual machines in machinery configuration.
ip = 192.168.56.1

# Specify a port number to bind the result server on.
port = 2042

# Force the port chosen above, don't try another one (we can select another
# port dynamically if we can not bind this one, but that is not an option
# in some setups)
force_port = no

# Maximum size of uploaded files from VM (screenshots, dropped files, log)
# The value is expressed in bytes, by default 10Mb.
upload_max_size = 10485760

[processing]
# Set the maximum size of analyses generated files to process. This is used
# to avoid the processing of big files which may take a lot of processing
# time. The value is expressed in bytes, by default 100Mb.
analysis_size_limit = 104857600

# Enable or disable DNS lookups.
resolve_dns = on

# Enable PCAP sorting, needed for the connection content view in the web interface.
sort_pcap = on

[database]
# Specify the database connection string.
# NOTE: If you are using a custom database (different from sqlite), you have to
# use utf-8 encoding when issuing the SQL database creation statement.
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:5432/mydatabase
# mysql://foo:bar@localhost/mydatabase
# If empty, default is a SQLite in db/cuckoo.db.
connection =

# Database connection timeout in seconds.
# If empty, default is set to 60 seconds.
timeout = 60

[timeouts]
# Set the default analysis timeout expressed in seconds. This value will be
# used to define after how many seconds the analysis will terminate unless
# otherwise specified at submission.
default = 120

# Set the critical timeout expressed in (relative!) seconds. It will be added
# to the default timeout above and after this timeout is hit
# Cuckoo will consider the analysis failed and it will shutdown the machine
# no matter what. When this happens the analysis results will most likely
# be lost.
critical = 600

# Maximum time to wait for virtual machine status change. For example when
# shutting down a vm. Default is 60 seconds.
vm_state = 300
```

virtualbox.conf:

```ini
[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui", "sdl" or "headless". Refer to VirtualBox's official
# documentation to understand the differences.
mode = headless

# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage
# If you are running Cuckoo on Mac OS X you have to change the path as follows:
# path = /Applications/VirtualBox.app/Contents/MacOS/VBoxManage

# Default network interface.
interface = vboxnet0

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = cuckoo1
windows

[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = windows

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.101

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = sandbox

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface = vboxnet0

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip = 192.168.56.1

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port = 2042

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags = windows7,64_bit,acrobat_reader_6
# tags = windows_xp_sp3,32_bit,acrobat_reader_6

[honeyd]
# For more information on this VM please refer to the "services" section of
# the conf/auxiliary.conf configuration file. This machine is a bit special
# in the way that its used as an additional VM for an analysis.
# NOTE that if this functionality is used, the VM should be registered in
# the "machines" list in the beginning of this file.
label = honeyd
platform = linux
ip = 192.168.56.102

# The tags should at least contain "service" and the name of this service.
# This way the services auxiliary module knows how to find this particular VM.
# tags = sandbox,32_bit,acrobat_reader_6
tags = service, honeyd

# Not all services actually have a Cuckoo Agent running in the VM, for those
# services one can specify the "noagent" option so Cuckoo will just wait until
# the end of the analysis instead of trying to connect to the non-existing
# Cuckoo Agent. We can't really intercept any inter-VM communication from the
# host / gateway so in order to dump traffic between VMs we have to use a
# different network dumping approach. For this machine we use the "nictrace"
# functionality from VirtualBox (which is basically their internal tcpdump)
# and thus properly dumps inter-VM traffic.
options = nictrace noagent
```

memory.conf:

```ini
# Volatility configuration

# Basic settings
[basic]
# Profile to avoid wasting time identifying it
guest_profile = WinXPSP2x86
# Delete memory dump after volatility processing.
delete_memdump = no

# List of available modules
# enabled: enable this module
# filter: use filters to remove benign system data from the logs
# Filters are defined in the mask section at below

# Scans for hidden/injected code and dlls
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#malfind
[malfind]
enabled = yes
filter = on

# Lists hooked api in user mode and kernel space
# Expect it to be very slow when enabled
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#apihooks
[apihooks]
enabled = no
filter = on

# Lists official processes. Does not detect hidden processes
# http://code.google.com/p/volatility/wiki/CommandReference23#pslist
[pslist]
enabled = yes
filter = off

# Lists hidden processes. Uses several tricks to identify them
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#psxview
[psxview]
enabled = yes
filter = off

# Show callbacks
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#callbacks
[callbacks]
enabled = yes
filter = off

# Show idt
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#idt
[idt]
enabled = yes
filter = off

# Show timers
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#timers
[timers]
enabled = yes
filter = off

# Show messagehooks
# Expect it to be very slow when enabled
# http://code.google.com/p/volatility/wiki/CommandReferenceGui23#messagehooks
[messagehooks]
enabled = no
filter = off

# Show sids
# http://code.google.com/p/volatility/wiki/CommandReference23#getsids
[getsids]
enabled = yes
filter = off

# Show privileges
# http://code.google.com/p/volatility/wiki/CommandReference23#privs
[privs]
enabled = yes
filter = off

# Display processes' loaded DLLs - Does not display hidden DLLs
# http://code.google.com/p/volatility/wiki/CommandReference23#dlllist
[dlllist]
enabled = yes
filter = on

# List open handles of processes
# http://code.google.com/p/volatility/wiki/CommandReference23#handles
[handles]
enabled = yes
filter = on

# Displays processes' loaded DLLs - Even hidden one (unlinked from PEB linked list)
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#ldrmodules
[ldrmodules]
enabled = yes
filter = on

# Scan for Mutexes (whole system)
# http://code.google.com/p/volatility/wiki/CommandReference23#mutantscan
[mutantscan]
enabled = yes
filter = on

# List devices and drivers
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#devicetree
[devicetree]
enabled = yes
filter = on

# Scan for services
# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#svcscan
[svcscan]
enabled = yes
filter = on

# Scan for kernel drivers (includes hidden, unloaded)
# http://code.google.com/p/volatility/wiki/CommandReference23#modscan
[modscan]
enabled = yes
filter = on

[yarascan]
enabled = yes
filter = on

[ssdt]
enabled = yes
filter = on

[gdt]
enabled = yes
filter = on

# This will only run on XP profiles.
[sockscan]
enabled = yes
filter = off

# This will only run on Vista/7 profiles.
[netscan]
enabled = yes
filter = off

# Masks. Data that should not be logged
# Just get this information from your plain VM Snapshot (without running malware)
# This will filter out unwanted information in the logs
[mask]
enabled = no
pid_generic =
```

doomedraven commented 7 years ago

Uff, use code escaping, that is difficult to read.

And I can't find the answer to my question about the VM snapshot state.

karikalansaitechnology commented 7 years ago

I configured it already but I don't know where the problem comes from.

doomedraven commented 7 years ago

I won't contact you by email. You're not using code escaping for posting configs, and you didn't answer my question about the snapshot. The snapshot is not configured in the configs, it is taken in the virtual machine manager. Without correct information nobody will help you.