cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Unable to stop auxiliary module #2515

Open manzy90 opened 5 years ago

manzy90 commented 5 years ago
My issue is:

Hi Cuckoo Support team

I am getting two errors when I submit a URL for analysis. In summary, one is from the Windows guest (VM) and the other is from Cuckoo: "Unable to stop auxiliary module: Sniffer". Not sure if they are related.

The Windows error I only get when I submit a URL; for example, when I submit a .doc I don't get that.

I had read other issues and ensured the vb interface is up, and ensured tcpdump has permissions by doing:
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
result: /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip

My Cuckoo version and operating system are:

Cuckoo Sandbox 2.0.6
Ubuntu 16.04
VM: Windows 7

This can be reproduced by:
The log, error, files etc can be found at:

This is from the Cuckoo box terminal:

2018-10-08 19:53:04,997 [cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2018-10-08 19:53:05,743 [cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2018-10-08 19:53:05,752 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2018-10-08 19:53:28,489 [cuckoo.core.scheduler] INFO: Starting analysis of URL "https://poloniex.com.cropac.club" (task #4, options "procmemdump=yes,route=none")
2018-10-08 19:53:28,588 [cuckoo.core.scheduler] INFO: Task #4: acquired machine windowsxp (label=windowsxp)
2018-10-08 19:53:28,593 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 7016 (interface=vboxnet0, host=192.168.56.10)
2018-10-08 19:53:32,598 [cuckoo.core.guest] INFO: Starting analysis on guest (id=windowsxp, ip=192.168.56.10)
2018-10-08 19:53:35,637 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=windowsxp, ip=192.168.56.10)
2018-10-08 19:53:37,873 [cuckoo.core.guest] WARNING: windowsxp: analysis caught an exception
Traceback (most recent call last):
  File "C:/tmpf5nkiv/analyzer.py", line 800, in
    success = analyzer.run()
  File "C:/tmpf5nkiv/analyzer.py", line 652, in run
    pids = self.package.start(self.target)
  File "C:\tmpf5nkiv\modules\packages\ie.py", line 127, in start
    iexplore, args=[target], maximize=True, mode="iexplore"
  File "C:\tmpf5nkiv\lib\common\abstracts.py", line 159, in execute
    self.init_regkeys(self.REGKEYS)
  File "C:\tmpf5nkiv\lib\common\abstracts.py", line 121, in init_regkeys
    SetValueEx(key_handle, key, 0, REG_DWORD, value)
WindowsError: [Error 5] Access is denied

2018-10-08 19:53:37,970 [cuckoo.core.plugins] ERROR: Unable to stop auxiliary module: Sniffer
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 163, in stop
    module.stop()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/auxiliary/sniffer.py", line 156, in stop
    (out, err, faq("permission-denied-for-tcpdump"))
CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'dropped privs to root\ntcpdump: /home/cuckoo/.cuckoo/storage/analyses/4/dump.pcap: Permission denied\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?
2018-10-08 19:53:40,334 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2018-10-08 19:53:40,341 [cuckoo.processing.network] WARNING: The PCAP file does not exist at path "/home/cuckoo/.cuckoo/storage/analyses/4/dump.pcap".
2018-10-08 19:53:40,350 [cuckoo.core.scheduler] INFO: Task #4: reports generation completed
2018-10-08 19:53:40,358 [cuckoo.core.scheduler] INFO: Task #4: analysis procedure completed

doomedraven commented 5 years ago

See the PRs; I pushed an update on how to fix it a long time ago.

doomedraven commented 5 years ago

https://github.com/cuckoosandbox/cuckoo/pull/2132

manzy90 commented 5 years ago

Thanks @doomedraven I am taking a look at that now.

icedxu commented 5 years ago

How to fix it?

doomedraven commented 5 years ago

Read 2132.
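The thread's two checks (the getcap result and the tcpdump stderr in the sniffer traceback) can be combined into one triage step. The following is an added example, not code from the Cuckoo project or from anyone in this thread; the function and constant names are hypothetical, and the sample inputs are copied from the issue text above.

```python
import re

# Capabilities the setcap command in this thread grants to tcpdump.
# Both must carry the 'e' (effective) and 'p' (permitted) flags.
REQUIRED_CAPS = {"cap_net_admin", "cap_net_raw"}


def parse_getcap(line):
    """Map each capability in a getcap output line to its flag set.

    Accepts the older '/usr/sbin/tcpdump = cap_a,cap_b+eip' form and the
    newer '/usr/sbin/tcpdump cap_a,cap_b=eip' form of getcap output.
    """
    caps = {}
    for names, flags in re.findall(r"((?:cap_\w+,?)+)[+=]([eip]+)", line):
        for name in names.strip(",").split(","):
            caps[name] = set(flags)
    return caps


def missing_caps(caps):
    """Required capabilities that are absent or not both effective and permitted."""
    return sorted(c for c in REQUIRED_CAPS if not {"e", "p"} <= caps.get(c, set()))


def diagnose_sniffer_error(getcap_line, tcpdump_stderr):
    """Classify a Cuckoo sniffer failure: file capabilities first, then the
    pcap write path, matching the order the FAQ link in the log suggests."""
    missing = missing_caps(parse_getcap(getcap_line))
    if missing:
        return ("missing-capabilities", ",".join(missing))
    m = re.search(r"tcpdump: (\S+): Permission denied", tcpdump_stderr)
    if m:
        # Capabilities are in place but tcpdump cannot write dump.pcap; the
        # log's own hint points at AppArmor (Ubuntu) or the analyses
        # directory permissions rather than at setcap.
        return ("pcap-write-denied", m.group(1))
    if "permission to capture" in tcpdump_stderr:
        return ("capture-not-permitted", "")
    return ("unknown", tcpdump_stderr.strip())


# Constructed sample input, copied from the getcap line and the stderr
# quoted in the sniffer traceback of this issue.
GETCAP_LINE = "/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip"
TCPDUMP_STDERR = ("dropped privs to root\n"
                  "tcpdump: /home/cuckoo/.cuckoo/storage/analyses/4/dump.pcap: Permission denied\n")

if __name__ == "__main__":
    print(diagnose_sniffer_error(GETCAP_LINE, TCPDUMP_STDERR))
```

For the thread's inputs the result is `('pcap-write-denied', '/home/cuckoo/.cuckoo/storage/analyses/4/dump.pcap')`, i.e. setcap was applied correctly and the remaining blocker is the write to the analyses directory.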