cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Cuckoo sandbox and KVM #804

Closed. omers closed this issue 8 years ago.

omers commented 8 years ago

I'm able to start the VM using `virsh start windows-8.1`. However, it seems that Cuckoo is unable to complete the task:

kvm.conf

[kvm]
machines = windows-8.1
interface = virbr0

[windows-8.1]
label = windows-8.1
platform = windows
ip = 192.168.122.117
snapshot = cleaninstall
tags = windows,windows-8.1

[root@dev cuckoo]# ./cuckoo.py -d

                             _|
     _|_|_|  _|    _|    _|_|_|  _|  _|      _|_|      _|_|
   _|        _|    _|  _|        _|_|      _|    _|  _|    _|
   _|        _|    _|  _|        _|  _|    _|    _|  _|    _|
     _|_|_|    _|_|_|    _|_|_|  _|    _|    _|_|      _|_|

 Cuckoo Sandbox 2.0-dev
 www.cuckoosandbox.org
 Copyright (c) 2010-2015

2016-03-10 11:58:49,084 [root] DEBUG: Importing modules...

2016-03-10 11:58:49,324 [root] DEBUG: Imported "signatures" modules:
2016-03-10 11:58:49,325 [root] DEBUG:    |-- CreatesExe
2016-03-10 11:58:49,325 [root] DEBUG:    `-- SystemMetrics
2016-03-10 11:58:49,325 [root] DEBUG: Imported "processing" modules:
2016-03-10 11:58:49,325 [root] DEBUG:    |-- AnalysisInfo
2016-03-10 11:58:49,325 [root] DEBUG:    |-- MetaInfo
2016-03-10 11:58:49,325 [root] DEBUG:    |-- ApkInfo
2016-03-10 11:58:49,325 [root] DEBUG:    |-- Baseline
2016-03-10 11:58:49,326 [root] DEBUG:    |-- BehaviorAnalysis
2016-03-10 11:58:49,326 [root] DEBUG:    |-- DroppedBuffer
2016-03-10 11:58:49,326 [root] DEBUG:    |-- Debug
2016-03-10 11:58:49,326 [root] DEBUG:    |-- Droidmon
2016-03-10 11:58:49,326 [root] DEBUG:    |-- Dropped
2016-03-10 11:58:49,326 [root] DEBUG:    |-- TLSMasterSecrets
2016-03-10 11:58:49,326 [root] DEBUG:    |-- GooglePlay
2016-03-10 11:58:49,326 [root] DEBUG:    |-- Memory
2016-03-10 11:58:49,327 [root] DEBUG:    |-- NetworkAnalysis
2016-03-10 11:58:49,327 [root] DEBUG:    |-- ProcessMemory
2016-03-10 11:58:49,327 [root] DEBUG:    |-- Screenshots
2016-03-10 11:58:49,327 [root] DEBUG:    |-- Snort
2016-03-10 11:58:49,327 [root] DEBUG:    |-- Static
2016-03-10 11:58:49,327 [root] DEBUG:    |-- Strings
2016-03-10 11:58:49,327 [root] DEBUG:    |-- Suricata
2016-03-10 11:58:49,328 [root] DEBUG:    |-- TargetInfo
2016-03-10 11:58:49,328 [root] DEBUG:    `-- VirusTotal
2016-03-10 11:58:49,328 [root] DEBUG: Imported "auxiliary" modules:
2016-03-10 11:58:49,328 [root] DEBUG:    |-- MITM
2016-03-10 11:58:49,328 [root] DEBUG:    |-- Services
2016-03-10 11:58:49,328 [root] DEBUG:    `-- Sniffer
2016-03-10 11:58:49,328 [root] DEBUG: Imported "reporting" modules:
2016-03-10 11:58:49,328 [root] DEBUG:    |-- ElasticSearchReporting
2016-03-10 11:58:49,329 [root] DEBUG:    |-- JsonDump
2016-03-10 11:58:49,329 [root] DEBUG:    |-- Moloch
2016-03-10 11:58:49,329 [root] DEBUG:    |-- MongoDB
2016-03-10 11:58:49,329 [root] DEBUG:    `-- ReportHTML
2016-03-10 11:58:49,329 [root] DEBUG: Imported "machinery" modules:
2016-03-10 11:58:49,329 [root] DEBUG:    `-- KVM
2016-03-10 11:58:49,331 [root] DEBUG: Checking for locked tasks..

2016-03-10 11:58:49,401 [root] INFO: Updated running task ID 4 status to failed_analysis
2016-03-10 11:58:49,402 [root] DEBUG: Checking for pending service tasks..
2016-03-10 11:58:49,414 [root] DEBUG: Initializing Yara...
2016-03-10 11:58:49,414 [root] DEBUG:    |-- index_binaries.yar
2016-03-10 11:58:49,414 [root] DEBUG:    `-- index_memory.yar
2016-03-10 11:58:49,420 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 16.0.0.12:2042.
2016-03-10 11:58:49,422 [lib.cuckoo.core.scheduler] INFO: Using "kvm" as machine manager
2016-03-10 11:58:49,452 [lib.cuckoo.common.abstracts] DEBUG: Getting status for windows-8.1
2016-03-10 11:58:49,473 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2016-03-10 11:58:49,493 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.

2016-03-10 11:59:12,099 [lib.cuckoo.core.scheduler] DEBUG: Processing task #5
2016-03-10 11:59:12,114 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "README.md" (task #5, options "")
2016-03-10 11:59:12,152 [lib.cuckoo.core.scheduler] INFO: Task #5: acquired machine windows-8.1 (label=windows-8.1)
2016-03-10 11:59:12,157 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 44959 (interface=virbr0, host=192.168.122.117, pcap=/usr/local/cuckoo/storage/analyses/5/dump.pcap)
2016-03-10 11:59:12,157 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2016-03-10 11:59:12,182 [lib.cuckoo.common.abstracts] DEBUG: Starting machine windows-8.1
2016-03-10 11:59:12,182 [lib.cuckoo.common.abstracts] DEBUG: Getting status for windows-8.1
2016-03-10 11:59:12,205 [lib.cuckoo.common.abstracts] DEBUG: No current snapshot, using latest snapshot
2016-03-10 11:59:12,206 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2016-03-10 11:59:12,206 [lib.cuckoo.common.abstracts] DEBUG: Stopping machine windows-8.1
2016-03-10 11:59:12,206 [lib.cuckoo.common.abstracts] DEBUG: Getting status for windows-8.1
2016-03-10 11:59:12,215 [lib.cuckoo.core.scheduler] WARNING: Unable to stop machine windows-8.1: Trying to stop an already stopped machine windows-8.1
2016-03-10 11:59:12,227 [lib.cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
  File "/usr/local/cuckoo/lib/cuckoo/core/scheduler.py", line 482, in run
    self.launch_analysis()
  File "/usr/local/cuckoo/lib/cuckoo/core/scheduler.py", line 360, in launch_analysis
    machinery.start(self.machine.label, self.task)
  File "/usr/local/cuckoo/lib/cuckoo/common/abstracts.py", line 384, in start
    elif self._get_snapshot(label):
  File "/usr/local/cuckoo/lib/cuckoo/common/abstracts.py", line 601, in _get_snapshot
    reverse=True)[0]
IndexError: list index out of range

jbremer commented 8 years ago

Does your VM have any snapshots configured?

omers commented 8 years ago

Yes.

The thing is that I created the snapshot the wrong way, using `qemu-img snapshot -c`.

I tried `virsh snapshot-create` and now it works.
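The traceback above ends in `sorted(..., reverse=True)[0]` raising `IndexError`: the KVM machinery asks libvirt for the domain's snapshots, sorts them newest-first and takes the first, and the list is empty. A snapshot written into the qcow2 with `qemu-img snapshot -c` is an internal disk snapshot that libvirt has no metadata for, so it never appears in that list; only snapshots created through libvirt (`virsh snapshot-create` / `virsh snapshot-create-as`) do, and `snapshot = cleaninstall` in kvm.conf names one of those. The following added example (written for this page, not Cuckoo's own code) shows a pre-flight check that reproduces the selection logic implied by the traceback and replaces the bare `IndexError` with a message that says what to fix. The `<domainsnapshot>` XML is the format `virsh snapshot-dumpxml` and libvirt's `getXMLDesc()` return; the sample documents, the `precheck` helper and the `NoSnapshotError` class are constructed for the example.

```python
"""Pre-flight check for a Cuckoo KVM guest: does libvirt know any snapshot for it?

Added example, not part of Cuckoo. It mirrors the selection implied by the
traceback on this page (sort libvirt snapshots by creation time, newest first,
take the first) and fails with an actionable message instead of IndexError.
"""
import xml.etree.ElementTree as ET


class NoSnapshotError(Exception):
    """Raised when the domain has no libvirt-registered snapshot (hypothetical name)."""


def creation_time(snapshot_xml: str) -> int:
    """Return the Unix <creationTime> of a libvirt <domainsnapshot> XML document."""
    root = ET.fromstring(snapshot_xml)
    text = root.findtext("./creationTime")
    if text is None:
        raise ValueError("snapshot XML has no <creationTime> element")
    return int(text)


def snapshot_name(snapshot_xml: str) -> str:
    """Return the <name> of a libvirt <domainsnapshot> XML document."""
    return ET.fromstring(snapshot_xml).findtext("./name")


def latest_snapshot(label: str, snapshot_xmls: list) -> str:
    """Name of the most recently created libvirt snapshot of domain `label`.

    An empty list is exactly the situation in the issue: the qcow2 may carry
    qemu-img internal snapshots, but libvirt has no metadata for them, so the
    machinery's sorted(...)[0] would raise IndexError. Raise something useful.
    """
    if not snapshot_xmls:
        raise NoSnapshotError(
            f"{label}: no libvirt snapshot found. Create one with "
            f"'virsh snapshot-create-as {label} cleaninstall'; snapshots made with "
            "'qemu-img snapshot -c' are invisible to libvirt and to Cuckoo."
        )
    newest = sorted(snapshot_xmls, key=creation_time, reverse=True)[0]
    return snapshot_name(newest)


def precheck(label: str, snapshot_xmls: list):
    """Return (ok, message) as a scheduler could log it before accepting tasks."""
    try:
        name = latest_snapshot(label, snapshot_xmls)
    except NoSnapshotError as exc:
        return False, str(exc)
    return True, f"{label}: will revert to snapshot {name!r}"


def precheck_libvirt(label: str, uri: str = "qemu:///system"):
    """Same check against a live libvirt (needs the `libvirt` Python binding).

    Uses libvirt.open(), Domain.lookupByName(), listAllSnapshots() and
    DomainSnapshot.getXMLDesc(); not exercised by the offline test below.
    """
    import libvirt  # imported here so the rest of the module runs without it

    conn = libvirt.open(uri)
    try:
        dom = conn.lookupByName(label)
        xmls = [snap.getXMLDesc(0) for snap in dom.listAllSnapshots(0)]
    finally:
        conn.close()
    return precheck(label, xmls)


# Constructed sample data: trimmed output of `virsh snapshot-dumpxml windows-8.1 <name>`.
SAMPLE_SNAPSHOTS = [
    "<domainsnapshot><name>cleaninstall</name>"
    "<creationTime>1457600000</creationTime></domainsnapshot>",
    "<domainsnapshot><name>patched</name>"
    "<creationTime>1457610000</creationTime></domainsnapshot>",
]

if __name__ == "__main__":
    print(precheck("windows-8.1", SAMPLE_SNAPSHOTS))  # picks "patched", the newest
    print(precheck("windows-8.1", []))                # the situation in this issue
```

On a real host the quickest equivalent is `virsh snapshot-list windows-8.1`: if it prints no rows while `qemu-img snapshot -l` on the disk image does, the snapshot was made the way described above and Cuckoo will fail exactly as in the log.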