cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

No Network Results produced #529

Closed landw1re closed 9 years ago

landw1re commented 9 years ago

I believe I have everything configured correctly for Cuckoo, and everything seems to be running as expected with the exception of behavioral analysis as it relates to network activity. I get results for pretty much everything, but no network activity at all.

I have the following in place as per the cuckoo documentation:

Here is the setup of the host interface that I've configured my VM to use in virtualbox.conf.

auto privatebr1
iface privatebr1 inet static
address 192.168.57.1
netmask 255.255.255.0
pre-up brctl addbr privatebr1
post-down brctl delbr privatebr1

TEST SCENARIO I submitted a URL to the sandbox via the Django interface. Once the VM loaded and submitted the URL to IE, I then started just surfing around to different pages on the internet to generate network traffic. All the networking works fine between the VM and the outside world and I was able to get out to any of the sites that I went to.

At the same time, I ran tcpdump as the cuckoo user by itself in another terminal window and I was able to see all the traffic that I would expect to see while interacting with the VM. When the analysis stopped, I received only one WARNING in the Cuckoo console output (see below). When I look in the directory noted in that warning (/cuckoo/storage/analyses/39/) all I see is a dump.pcap and not a dump_sorted.pcap. Also, the dump.pcap is only 24 bytes in size and doesn't contain anything other than a simple header.

Any idea what might be going on or if there is a configuration parameter that I have missed? All of my pertinent configuration files are below.

Console Output

2015-04-21 08:34:16,165 [Processing.Pcap] WARNING: The PCAP file does not exist at path "/data/cuckoo/storage/analyses/39/dump_sorted.pcap".

CUCKOO.CONF

[cuckoo]
# Enable or disable startup version check. When enabled, Cuckoo will connect
# to a remote location to verify whether the running version is the latest
# one available.
version_check = off

# If turned on, Cuckoo will delete the original file after its analysis
# has been completed.
delete_original = off

# If turned on, Cuckoo will delete the copy of the original file in the
# local binaries repository after the analysis has finished. (On *nix this
# will also invalidate the file called "binary" in each analysis directory,
# as this is a symlink.)
delete_bin_copy = off

# Specify the name of the machinery module to use, this module will
# define the interaction between Cuckoo and your virtualization software
# of choice.
machinery = virtualbox

# Enable creation of memory dump of the analysis machine before shutting
# down. Even if turned off, this functionality can also be enabled at
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = off

# When the timeout of an analysis is hit, the VM is just killed by default.
# For some long-running setups it might be interesting to terminate the
# monitored processes before killing the VM so that connections are closed.
terminate_processes = off

# Enable automatically re-schedule of "broken" tasks each startup.
# Each task found in status "processing" is re-queued for analysis.
reschedule = off

# Enable processing of results within the main cuckoo process.
# This is the default behavior but can be switched off for setups that
#  require high stability and process the results in a separate task.
process_results = on

# Limit the amount of analysis jobs a Cuckoo process goes through.
# This can be used together with a watchdog to mitigate risk of memory leaks.
max_analysis_count = 0

# Limit the number of concurrently executing analysis machines.
# This may be useful on systems with limited resources.
# Set to 0 to disable any limits.
max_machines_count = 0

# Minimum amount of free space (in MB) available before starting a new task. 
# This tries to avoid failing an analysis because the reports can't be written 
# due out-of-diskspace errors. Setting this value to 0 disables the check.
# (Note: this feature is currently not supported under Windows.)
freespace = 64

# Temporary directory containing the files uploaded through Cuckoo interfaces
# (web.py, api.py, Django web interface).
tmppath = /data/tmp_files_upload

[resultserver]
# The Result Server is used to receive in real time the behavioral logs
# produced by the analyzer.
# Specify the IP address of the host. The analysis machines should be able
# to contact the host through such address, so make sure it's valid.
# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
# `resultserver_ip` for all your virtual machines in machinery configuration.
ip = 192.168.56.1

# Specify a port number to bind the result server on.
port = 2042

# Should the server write the legacy CSV format?
# (if you have any custom processing on those, switch this on)
store_csvs = off

# Maximum size of uploaded files from VM (screenshots, dropped files, log)
# The value is expressed in bytes, by default 10Mb.
upload_max_size = 10485760

[processing]
# Set the maximum size of analyses generated files to process. This is used
# to avoid the processing of big files which may take a lot of processing
# time. The value is expressed in bytes, by default 100Mb.
analysis_size_limit = 104857600

# The number of calls per process to process. 0 switches the limit off.
#10000 api calls should be processed in less than 2 minutes
analysis_call_limit = 0

# Enable or disable DNS lookups.
resolve_dns = off

# Use ram to boost processing speed. You will need more than 20GB of RAM for this feature.
# Please read "performance" section in the documentation.
ram_boost = off

# Enable PCAP sorting, needed for the connection content view in the web interface.
sort_pcap = on

[database]
# Specify the database connection string.
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:5432/mydatabase
# mysql://foo:bar@localhost/mydatabase
# If empty, default is a SQLite in db/cuckoo.db.
connection = postgresql://cuckoo:REDACTED@localhost:5432/cuckoo

# Database connection timeout in seconds.
# If empty, default is set to 60 seconds.
timeout =

[timeouts]
# Set the default analysis timeout expressed in seconds. This value will be
# used to define after how many seconds the analysis will terminate unless
# otherwise specified at submission.
default = 300

# Set the critical timeout expressed in seconds. After this timeout is hit
# Cuckoo will consider the analysis failed and it will shutdown the machine
# no matter what. When this happens the analysis results will most likely
# be lost. Make sure to have a critical timeout greater than the
# default timeout.
critical = 600

# Maximum time to wait for virtual machine status change. For example when
# shutting down a vm. Default is 300 seconds.
vm_state = 300

AUXILIARY.CONF

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = yes

# Specify the path to your local installation of tcpdump. Make sure this
# path is correct.
tcpdump = /usr/sbin/tcpdump

# Specify the network interface name on which tcpdump should monitor the
# traffic. Make sure the interface is active.
interface = privatebr0

# Specify a Berkeley packet filter to pass to tcpdump.
# bpf = not arp

VIRTUALBOX.CONF

[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui", "sdl" or "headless". Refer to VirtualBox's official
# documentation to understand the differences.
mode = gui

# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = MALVIC1_winxpprosp3

[MALVIC1_winxpprosp3]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = MALVIC1_winxpprosp3

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.10

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = malvic1_snapshotv1

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface = privatebr1

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
# resultserver_ip = 192.168.56.1

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
# resultserver_port = 2042

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
# Note that the 64_bit tag is currently special.  For submitted 64-bit PE files,
# the 64_bit tag will automatically be added, forcing them to be run on a 64-bit
# VM.  For this reason, make sure all 64-bit VMs have the 64_bit tag.
tags = winxpprosp3,32_bit,acrobat_reader_10,flash_10.0.45.2,jre_1.6,office_pro_2010,ie_8

# (Optional) Specify a memory profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VM's
# and properly determining which profile to use. Examples below:
mem_profile = WinXPSP3x86

PROCESSING.CONF

# Enable or disable the available processing modules [on/off].
# If you add a custom processing module to your Cuckoo setup, you have to add
# a dedicated entry in this file, or it won't be executed.
# You can also add additional options under the section of your module and
# they will be available in your Python class.

[analysisinfo]
enabled = yes

[behavior]
enabled = yes

[debug]
enabled = yes

[dropped]
enabled = yes

[memory]
enabled = no

[network]
enabled = yes

[procmemory]
enabled = yes

[static]
enabled = yes

[strings]
enabled = yes
nullterminated_only = yes
minchars = 5

[targetinfo]
enabled = yes

[virustotal]
enabled = yes
timeout = 60
# Add your VirusTotal API key here. The default API key, kindly provided
# by the VirusTotal team, should enable you with a sufficient throughput
# and while being shared with all our users, it shouldn't affect your use.
key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088

botherder commented 9 years ago

I'm not sure I understand your network configuration, but why do you have privatebr0 in auxiliary.conf and privatebr1 in virtualbox.conf?

landw1re commented 9 years ago

I'm using a bridged networking setup. I have 2 bridge adapters configured on my Ubuntu 14.04 host machine (Dell R710 Server) using bridge-utils and 1 physical NIC (em1 = 10.0.0.62)

  1. privatebr0 (192.168.56.1) = all the Cuckoo result server traffic traverses this adapter

auto privatebr0
iface privatebr0 inet static
address 192.168.56.1
netmask 255.255.255.0
pre-up brctl addbr privatebr0
post-down brctl delbr privatebr0

  2. privatebr1 (192.168.57.1) = all the Internet/outside resource traffic traverses this adapter

auto privatebr1
iface privatebr1 inet static
address 192.168.57.1
netmask 255.255.255.0
pre-up brctl addbr privatebr1
post-down brctl delbr privatebr1

I have iptables rules in place to forward all traffic from privatebr1 to em1 (Dell's eth0 equivalent) for external access. I also have Tor running and listening on port 9040 on the em1 interface, which the traffic is routed through (iptables rules below). All of this works with the exception of Cuckoo capturing the traffic.

The Victim VM is configured with 2 NICs:

IPTABLES RULES - output from iptables-save

# Generated by iptables-save v1.4.21 on Tue Apr 14 14:40:13 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4:304]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.57.0/24 -p tcp -j DNAT --to-destination 10.0.0.62:9040
-A PREROUTING -s 192.168.57.0/24 -p icmp -j DNAT --to-destination 10.0.0.62:9040
-A PREROUTING -s 192.168.57.0/24 -p udp -j DNAT --to-destination 10.0.0.62:53
-A POSTROUTING -o em1 -j MASQUERADE
COMMIT
# Completed on Tue Apr 14 14:40:13 2015
# Generated by iptables-save v1.4.21 on Tue Apr 14 14:40:13 2015
*filter
:INPUT ACCEPT [12:2306]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:356]
-A FORWARD -i em1 -o privatebr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i privatebr1 -o em1 -j ACCEPT
COMMIT
# Completed on Tue Apr 14 14:40:13 2015

landw1re commented 9 years ago

@botherder what is your networking setup for your sandbox environment? Are you just using Host-only with iptables forwarding as outlined in the docs? Also, what is the dump_sorted.pcap used for and when does that get introduced/created in the analysis process? The only mention of it is within the mongodb.py and network.py files from what I can see.

I've been racking my brain on why cuckoo doesn't see any network traffic. If I open up a separate terminal window (as the cuckoo user) while cuckoo is running an analysis task and issue the same tcpdump syntax as cuckoo is using, I see the traffic without issue.
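The two symptoms in this report are a dump.pcap of exactly 24 bytes and a missing dump_sorted.pcap. The script below is an added example, not Cuckoo's own code: a small reader for classic libpcap files that flags a header-only capture (the global header alone, meaning tcpdump started but its filter matched nothing) and groups Ethernet/IPv4 frames by bidirectional flow, which is the kind of per-connection ordering that the sort_pcap option in cuckoo.conf produces in dump_sorted.pcap for the connection content view. The sample capture and its frames are constructed inline (addresses chosen to resemble a guest on the reporter's privatebr1 subnet), checksum fields are left zero, and Python 3 is assumed.

```python
# Added example (Python 3), not Cuckoo's own code.
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4      # magic of a little-endian libpcap file
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same bytes seen from a big-endian writer
GLOBAL_HDR_LEN = 24             # a dump.pcap of exactly this size holds no packets
RECORD_HDR_LEN = 16
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data):
    """Return (link_type, [frame, ...]) for a classic libpcap byte string."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (magic %#x)" % magic)
    link_type = struct.unpack(end + "I", data[20:24])[0]
    frames, off = [], GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        frames.append(data[off:off + incl_len])
        off += incl_len
    return link_type, frames


def diagnose(data):
    """'empty' for a header-only dump (the reporter's 24-byte file), else 'ok'."""
    return "empty" if not parse_pcap(data)[1] else "ok"


def flow_key(frame):
    """Direction-independent (proto, (ip, port), (ip, port)) key, or None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto in (6, 17) and len(ip) >= ihl + 4:      # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    else:
        sport = dport = 0
    a, b = sorted([(src, sport), (dst, dport)])
    return (proto, a, b)


def group_flows(frames):
    """Bucket frames per connection, both directions together, as sort_pcap does."""
    flows = defaultdict(list)
    for frame in frames:
        key = flow_key(frame)
        if key is not None:
            flows[key].append(frame)
    return dict(flows)


# --- constructed sample data (not taken from the issue) ---------------------

def build_udp_frame(src_ip, sport, dst_ip, dport, payload):
    """Ethernet/IPv4/UDP frame with zeroed checksums (enough for parsing tests)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1429619656 + i, 0, len(frame), len(frame)) + frame
    return out


EMPTY_DUMP = build_pcap([])                 # what the reporter found: header only
SAMPLE_DUMP = build_pcap([                  # guest on a 192.168.57.0/24 bridge doing DNS
    build_udp_frame("192.168.57.10", 51000, "10.0.0.62", 53, b"\x00\x01"),
    build_udp_frame("10.0.0.62", 53, "192.168.57.10", 51000, b"\x00\x01"),
    build_udp_frame("192.168.57.10", 51001, "10.0.0.62", 53, b"\x00\x02"),
])

if __name__ == "__main__":
    print(len(EMPTY_DUMP), "bytes:", diagnose(EMPTY_DUMP))
    for key, pkts in sorted(group_flows(parse_pcap(SAMPLE_DUMP)[1]).items()):
        print(key, len(pkts), "frame(s)")
```

A header-only file is a capture-filter or interface problem on the host, not a processing problem: the network processing module only ever parses what tcpdump wrote, so the place to look is the interface and filter tcpdump was started with.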

landw1re commented 9 years ago

I completely changed around my network configuration and went back to using 1 NIC on the guest VM. Everything is working as expected now.

microbot007 commented 8 years ago

I am configuring Cuckoo and followed the installation guide properly, but still, at the end, on running cuckoo.py I'm getting the following errors:

2016-11-01 16:50:42,217 [lib.cuckoo.core.resultserver] WARNING: Cannot bind ResultServer on port 2042, trying another port.
2016-11-01 16:50:42,217 [lib.cuckoo.core.resultserver] WARNING: Cannot bind ResultServer on port 2043, trying another port.
2016-11-01 16:50:42,219 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2016-11-01 16:50:42,493 [lib.cuckoo.common.abstracts] WARNING: Configuration details about machine win7 are missing: Option win7 is not found in configuration, error: Config instance has no attribute 'win7'

jbremer commented 8 years ago

First of all you're apparently running multiple Cuckoo instances. Secondly, as @doomedraven pointed out, your virtualbox.conf is incorrect as it's missing a win7 entry.

mishamehra commented 8 years ago

I'm getting the following error:

WARNING: Configuration details about machine windowsxp are missing: Option windowsxp is not found in configuration, error: Config instance has no attribute 'windowsxp'
2016-11-10 12:22:23,600 [root] CRITICAL: CuckooCriticalError: No machines available.

my virtualbox.conf file has following contents

mode = headless
interface = vboxnet0
machines = windowsxp
label = windowsxp
platform = windows
ip = 192.168.56.10
snapshot = snapshot1

the label name is correct as per my knowledge and my host and guest machine can ping each other
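Both configuration problems surfaced in this thread can be caught before Cuckoo is started: a name in `machines =` with no section of that name (the "Option ... is not found in configuration" warning above), and, in the original report, a per-machine `interface` override that differs from the sniffer interface in auxiliary.conf while the machine's `ip` lies on a different subnet from that interface. The checker below is an added example and not part of Cuckoo. It assumes Python 3 and that the sniffer captures with a `host <machine ip>` filter on the chosen interface, which is how Cuckoo's sniffer auxiliary module built its tcpdump command at the time (my reading of that module, not something stated in this issue). The config texts and interface addresses are constructed to mirror the two setups described in this thread.

```python
# Added example (Python 3), not part of Cuckoo.
import configparser
import ipaddress


def load_conf(text):
    """Parse a Cuckoo-style INI file; interpolation is off so '%' in values is harmless."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def check_machinery(virtualbox_conf, auxiliary_conf, iface_addrs):
    """Return a list of problem strings.

    iface_addrs maps a host interface name to its 'address/prefix', the one piece
    of information that lives outside the two config files.
    """
    vbox = load_conf(virtualbox_conf)
    aux = load_conf(auxiliary_conf)
    problems = []
    sniffer_iface = aux.get("sniffer", "interface", fallback=None)
    names = [n.strip() for n in vbox.get("virtualbox", "machines", fallback="").split(",") if n.strip()]
    if not names:
        problems.append("[virtualbox] machines is empty")
    for name in names:
        # 'Option <name> is not found in configuration' comes from exactly this mismatch.
        if not vbox.has_section(name):
            problems.append("machine %r is listed but there is no [%s] section" % (name, name))
            continue
        iface = vbox.get(name, "interface", fallback=sniffer_iface)
        if iface != sniffer_iface:
            problems.append("%s: interface override %r differs from auxiliary.conf [sniffer] interface %r"
                            % (name, iface, sniffer_iface))
        ip = vbox.get(name, "ip", fallback=None)
        net = iface_addrs.get(iface)
        if ip is None:
            problems.append("%s: no ip configured" % name)
        elif net is None:
            problems.append("%s: capture interface %r has no known address" % (name, iface))
        elif ipaddress.ip_address(ip) not in ipaddress.ip_network(net, strict=False):
            # Assumption: the sniffer captures with 'host <ip>' on <iface>; an ip from
            # another subnet then matches nothing and the pcap stays header-only.
            problems.append("%s: ip %s is not on capture interface %s (%s); a 'host %s' filter there matches nothing"
                            % (name, ip, iface, net, ip))
    return problems


# --- constructed configs mirroring the two setups in this thread ------------

REPORTER_VBOX = """
[virtualbox]
mode = gui
path = /usr/bin/VBoxManage
machines = MALVIC1_winxpprosp3

[MALVIC1_winxpprosp3]
label = MALVIC1_winxpprosp3
platform = windows
ip = 192.168.56.10
snapshot = malvic1_snapshotv1
interface = privatebr1
"""
REPORTER_AUX = """
[sniffer]
enabled = yes
tcpdump = /usr/sbin/tcpdump
interface = privatebr0
"""
REPORTER_IFACES = {"privatebr0": "192.168.56.1/24", "privatebr1": "192.168.57.1/24"}

MISNAMED_VBOX = """
[virtualbox]
mode = headless
interface = vboxnet0
machines = windowsxp

[cuckoo1]
label = windowsxp
platform = windows
ip = 192.168.56.10
snapshot = snapshot1
"""
DEFAULT_AUX = """
[sniffer]
enabled = yes
tcpdump = /usr/sbin/tcpdump
interface = vboxnet0
"""
DEFAULT_IFACES = {"vboxnet0": "192.168.56.1/24"}

CLEAN_VBOX = MISNAMED_VBOX.replace("[cuckoo1]", "[windowsxp]")

if __name__ == "__main__":
    for label, args in [("reporter", (REPORTER_VBOX, REPORTER_AUX, REPORTER_IFACES)),
                        ("misnamed", (MISNAMED_VBOX, DEFAULT_AUX, DEFAULT_IFACES)),
                        ("clean", (CLEAN_VBOX, DEFAULT_AUX, DEFAULT_IFACES))]:
        print(label, check_machinery(*args) or ["ok"])
```

The interface-override finding is only a warning, since virtualbox.conf explicitly allows the override; the decisive finding is the subnet one, because a `host` filter for an address that never appears on the capture interface yields exactly the header-only pcap from the original report.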

microbot007 commented 8 years ago

Actually, sometimes Cuckoo doesn't find the virtual machine as a non-sudo user. Do the following:

  1. Sudo virtualbox
  2. configure that virtual box with your windows xp.
  3. then run cuckoo.py

It worked in my case.

doomedraven commented 8 years ago

Sudo is a bad idea, just add your user to virtualbox and enjoy

Best regards Andriy


On Thu, Nov 10, 2016 at 12:40 PM, mishamehra notifications@github.com wrote:

I'm getting the following error:

WARNING: Configuration details about machine windowsxp are missing: Option windowsxp is not found in configuration, error: Config instance has no attribute 'windowsxp'
2016-11-10 12:22:23,600 [root] CRITICAL: CuckooCriticalError: No machines available.

My virtualbox.conf file is:

[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui", "sdl" or "headless". Refer to VirtualBox's official
# documentation to understand the differences.
mode = headless

# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage

# Default network interface.
interface = vboxnet0

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = windowsxp

[cuckoo1]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = windowsxp

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.10

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = snapshot1

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface = vboxnet0

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
# resultserver_ip = 192.168.56.1

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
# resultserver_port = 2042

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags = windows_xp_sp3,32_bit,acrobat_reader_6

[honeyd]
# For more information on this VM please refer to the "services" section of
# the conf/auxiliary.conf configuration file. This machine is a bit special
# in the way that its used as an additional VM for an analysis.
# NOTE that if this functionality is used, the VM should be registered in
# the "machines" list in the beginning of this file.
label = honeyd
platform = linux
ip = 192.168.56.102
# The tags should at least contain "service" and the name of this service.
# This way the services auxiliary module knows how to find this particular VM.
tags = service, honeyd
# Not all services actually have a Cuckoo Agent running in the VM, for those
# services one can specify the "noagent" option so Cuckoo will just wait until
# the end of the analysis instead of trying to connect to the non-existing
# Cuckoo Agent. We can't really intercept any inter-VM communication from the
# host / gateway so in order to dump traffic between VMs we have to use a
# different network dumping approach. For this machine we use the "nictrace"
# functionality from VirtualBox (which is basically their internal tcpdump)
# and thus properly dumps inter-VM traffic.
options = nictrace noagent


mishamehra commented 8 years ago

Thanks for the replies guys, but I am already running the setup with sudo. To run my virtual machine I issue the following command: sudo vboxsetup startvm windowsxp, and to run cuckoo.py I use sudo python cuckoo.py. In fact I have also assigned my user to the group with this command: sudo usermod -a -G vboxusers misha

is there anything else i am missing...

varunieet commented 7 years ago

I'm new to Cuckoo. I have installed Cuckoo in VMware Workstation and analysed a few malware pcap files. I'm able to generate reports in HTML and carry out the required analysis, except that the Network analysis shows "Nothing to display", as shown in file 1. I have installed the sandbox and enabled the network behavior. Can somebody guide me on how to rectify this? Thanks in advance.

doomedraven commented 7 years ago

post analysis log

varunieet commented 7 years ago

The analysis log is attached (analysis.txt). When I run it in debug mode I find that the Network analysis module has executed, but nothing is shown in analysis.txt. The picture is attached (analysis). In the configuration I have enabled network analysis in the processing module, and I'm also getting a dump.pcap for every malware file. Analysis of these dump.pcap files only shows DLL protocols. What I require is to determine DNS traffic, domains, IPs, HTTP requests, IRC and SMTP traffic. I have tested the malware pcap in Wireshark for the existence of network-related info (TCP connections etc.) and it shows, but when I analyse it in Cuckoo it does not. Thank you for your patience.

doomedraven commented 7 years ago

Looks like you have a lot of missing dependencies, and some crash inside the VM. Change to gui mode and see what happens in the VM; also check whether the pcap exists inside the analysis folder, as the network part is parsed from the pcap.

varunieet commented 7 years ago

The folder containing the pcap is shown; it includes dump.pcap and dump_sorted.pcap. I changed the virtualbox config from headless to GUI and found that IE was opening but not opening the website. Does this mean that the VM inside Cuckoo must also be connected to the Internet? In my case Cuckoo is inside VMware Workstation connected to the Internet, but the Windows XP inside Cuckoo is not connected to the Internet. What dependencies are required? Can you please elaborate; I will try it. Thanks indeed.

doomedraven commented 7 years ago

just read http://docs.cuckoosandbox.org/en/latest/

mishamehra commented 7 years ago

Hi, I want to use Cuckoo Sandbox in such a way that I can automatically redirect documents/files stored on some server to the machine where Cuckoo is running, and there I would like to run the sample and analyse the reports. Instead of fully parsing the reports, I only want to know whether the submitted file/document is infected or not. Is there any module already available within the Cuckoo community which automates this process? I am asking because I was going through a book on Cuckoo, and there was a mention of Cuckoo MX which automatically redirects email attachments.


jbremer commented 7 years ago

These are some things that we're working on, but currently that would require quite some effort because various parts are not in-place yet ;-) @doomedraven did some additional work on top of Cuckoo MX, but if you google Cuckoo MX you'll find the code for it. With that in place you're mostly good to go, I guess.