cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo not registering signatures as loaded #2708

Open jtowns97 opened 5 years ago

jtowns97 commented 5 years ago
My issue is:

Cuckoo signatures do not appear to be loading. That is, upon cuckoo startup I receive the message:

```
WARNING: It appears that you haven't loaded any Cuckoo Signatures. Signatures are highly recommended and improve & enrich the information extracted during an analysis. They also make up for the analysis score that you see in the Web Interface - so, pretty important!
2019-04-03 13:43:37,168 [cuckoo] WARNING: You'll be able to fetch all the latest Cuckoo Signaturs, Yara rules, and more goodies by running the following command:
2019-04-03 13:43:37,168 [cuckoo] INFO: $ cuckoo community
```

However, I have run cuckoo community multiple times, and I have verified that the signatures are being loaded in my ~/.cuckoo/signatures/ directory. Additionally, this causes my analysis to report all my samples as false negatives with respect to my analysis scores.

My Cuckoo version and operating system are:

Cuckoo: Version 2.0.6

OS: Ubuntu 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

This can be reproduced by:

For me at least, this happens every time I start up cuckoo, which I do by running /root/cuckoo-start.sh - which contains the code:

```bash
#!/bin/bash
# Cuckoo run script

# Stop any Cuckoo processes that are still running
killall cuckoo
pkill -f 'cuckoo web runserver'

# Configure the VirtualBox host-only network used by the analysis VMs
vboxmanage dhcpserver modify --ifname vboxnet0 --disable
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.87.1 --netmask 255.255.255.0

# Forward and NAT guest traffic from vboxnet0 out through enp3s0
iptables -A FORWARD -o enp3s0 -i vboxnet0 -s 192.168.87.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

# Start the Cuckoo daemon, web interface and API as the cuckoo user
runuser -l cuckoo -c 'cuckoo --debug' &
runuser -l cuckoo -c 'cuckoo web runserver 0.0.0.0:8000' &
runuser -l cuckoo -c 'cuckoo api --host 0.0.0.0 --port 8090' &
```

Any help or guidance would be greatly appreciated, I'm quite new to using cuckoo sandbox.

atuioyu commented 5 years ago

Hello, I have the same problem, which is how I got to your open issue. I am working on solving this problem, and once it is solved, I will share it here. If you have solved the problem, please share it here.

atuioyu commented 5 years ago

What if you add the following in ./cukoo/conf/reporting.conf?

```
# Show matched cuckoo signatures.
show_signatures = yes
```

In my case it looked like it was improved.

LetMeR00t commented 5 years ago

Hi. Did you run Cuckoo in debug mode to check whether there is any issue at startup, with more verbose output about that? It could help to understand. Are your environment variables for the CWD set correctly?
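
A read-only check for the CWD question raised above, added here as an example; it is not part of the original thread or of Cuckoo's own code. It assumes that the Cuckoo Working Directory is `$CUCKOO_CWD` when that variable is set and `~/.cuckoo` otherwise, that community signatures are `*.py` files below `<CWD>/signatures/`, and that `/root` and `/home/cuckoo` are the home directories worth comparing (the start script above lives in /root but launches Cuckoo as the `cuckoo` user).

```shell
#!/bin/sh
# Added diagnostic sketch; not from the thread or the Cuckoo project.
# Assumptions: the CWD is $CUCKOO_CWD when set, otherwise ~/.cuckoo, and
# community signatures are *.py files below <CWD>/signatures/.

# Print the CWD an account would use, given its home directory ($1) and
# the value of CUCKOO_CWD in its environment ($2, empty when unset).
resolve_cwd() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1/.cuckoo"
    fi
}

# Count signature modules below <CWD>/signatures, ignoring package
# __init__.py files. Prints 0 when the directory is missing.
count_signatures() {
    if [ ! -d "$1/signatures" ]; then
        echo 0
        return 0
    fi
    find "$1/signatures" -type f -name '*.py' ! -name '__init__.py' \
        | wc -l | tr -d ' '
}

# For each home directory given, show the default CWD and its signature
# count, so a populated CWD and an empty one stand out side by side.
report() {
    for home in "$@"; do
        cwd=$(resolve_cwd "$home" "")
        printf '%s\t%s signature files\n' "$cwd" "$(count_signatures "$cwd")"
    done
}

# Example: sh check-cwd.sh /root /home/cuckoo   (paths are assumptions)
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

A count of 0 for the account that runs the daemon, next to a non-zero count for another account, means `cuckoo community` populated a different CWD than the one the daemon reads.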

nadir3392 commented 4 years ago

Hi, run cuckoo -d and share the log. Thanks.