cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

First Cuckoo Sandbox analysis after reboot fails (DEBUG: not ready yet) #3089

Open SomeDunes opened 4 years ago

SomeDunes commented 4 years ago

Hello everyone, I have set up Cuckoo Sandbox with as many features as possible. Now I have decided to fix all my problems after my virtual server with Cuckoo Sandbox restarts. So I managed to modify the mongod, elasticsearch, moloch, and supervisord (using it for starting all Cuckoo parts) services so they wait for each other and start on reboot. Also I made my own service for starting and shutting down the virtual machine on reboot so I can bring up the vboxnet interface (I literally did not find any better solution for that ...)

My issue is:

After reboot, all services are up and running fine. But the first analysis after reboot fails on this part:

INFO: Starting analysis #4 on guest (id=cuckoovm, ip=xxx.xxx.xxx.xxx)
DEBUG: cuckoovm: not ready yet

From the log I can see there is a problem with contacting analyzer.py inside the VM, and since I can watch with remote control that the VM is all right, running and has its connection set up... I am suspicious about my little trick with bringing up the vboxnet interface by starting and shutting down my VM. It clearly does not affect the VM, but I guess there is something missing in the vboxnet interface?

The interesting part is that the second analysis is all right and there are no issues there. I guess that starting the VM with Cuckoo for the first time actually makes some changes on the interface that allow me to succeed with all other analyses. Some details are in the lower part of this issue.

If you can throw some ideas at me I would be glad.

Thank you

My ifconfig output before the first (failed) analysis (I had to change the IP and MAC addresses, you have to trust me that they are OK):

vboxnet0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet xxx.xxx.xxx.xxx  netmask xxx.xxx.xxx.xxx  broadcast xxx.xxx.xxx.xxx
        inet6 fe10::100:10ee:ee00:0  prefixlen 64  scopeid 0x20
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 656 (656.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vboxnet0 after the first analysis is exactly the same, but this time working.... Any place I should look at?

My Cuckoo version and operating system are:

Cuckoo version: 2.0.7
OS: CentOS 7

soutzis commented 4 years ago

Why did you remove the IP address of the guest and the ip address of the vbox network interface? You do realise that those are not associated in any way with your public IPv4 address, right?

To start the vbox network interface on my host, I also start and then stop one of the VMs and I have no problems. I am not sure that I understand what your issue is, but it seems that you are referring to a debug message from cuckoo's logger "vm: not ready yet".

There is absolutely no issue there. It is just some of the information that goes in the log's 'DEBUG' category. See the below screenshot: image

Are you familiar with logging levels? If not, have a quick read to give you an idea of what the --debug flag outputs.

If this answers your question, I suggest you close this issue.

SomeDunes commented 4 years ago

Hello,

Thank you for your response. I am aware of IPv4 public and private address pools, also do you need to see my private IP address or what is your point ... ?

Moving on to my issue then. As I said, there is no connection between host and guest on the first analysis even though the vbox interface is up. This debug message "vm: not ready yet" is all I have right now.

What I did not mention is that my whole log is filled with: "vm: not ready yet" there is no part with INFO: Guest is running Cuckoo Agent...

Sure, basically your screen is my second and every other analysis.

Yes, I'm aware of logging levels.
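
A host-side check for the two things this thread keeps circling, added here as an example and not written by any participant or taken from Cuckoo's code: it decodes the `flags=` value from the posted ifconfig header (4099 carries no RUNNING bit) and polls a TCP port until it accepts a connection. The guest address `192.0.2.10` and port `8000` are assumptions; substitute the IP and agent port configured for the analysis VM.

```python
import re
import socket
import time

# Linux interface flag bits from <linux/if.h> (subset that ifconfig prints).
IFF_BITS = {0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK",
            0x40: "RUNNING", 0x1000: "MULTICAST"}


def decode_flags(ifconfig_header):
    """Return (numeric flags, set of flag names) from an ifconfig header line."""
    match = re.search(r"flags=(\d+)<[^>]*>", ifconfig_header)
    if not match:
        raise ValueError("no flags field in line")
    value = int(match.group(1))
    names = {name for bit, name in IFF_BITS.items() if value & bit}
    return value, names


def link_is_running(ifconfig_header):
    """True only when the kernel reports IFF_RUNNING for the interface."""
    return "RUNNING" in decode_flags(ifconfig_header)[1]


def wait_for_agent(ip, port, timeout=30.0, interval=1.0):
    """Poll a TCP port until it accepts a connection or the timeout expires."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            socket.create_connection((ip, port), 1).close()
            return True
        except OSError:  # refused, unreachable, or timed out
            time.sleep(interval)
    return False


if __name__ == "__main__":
    # Header line as posted in the issue.
    posted = "vboxnet0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500"
    print(decode_flags(posted), "running:", link_is_running(posted))
    # Assumed guest address and agent port (placeholders, not from the issue).
    print("agent reachable:", wait_for_agent("192.0.2.10", 8000, timeout=3))
```

Running it once after boot and once after a successful analysis shows whether the flag set or the port reachability differs between the two states.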