cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

WebUI issue #810

Closed yujiaxinlong closed 7 years ago

yujiaxinlong commented 8 years ago

Met trouble when visiting the page of an analyzed file in the WebUI.

I saw a similar problem in #736. I also hit `[modules.processing.network] ERROR: Failed to process packet: 'type' Traceback (most recent call last):`, and https://github.com/cuckoosandbox/cuckoo/commit/ff06882db68058797aebcb7d3f24d01e8b24f48f fixed it, but not the WebUI problem. Error message:

Error during template rendering

In template /home/yu/cuckoo/web/templates/analysis/network/_dns.html, error at line 14 Reverse for 'analysis.views.moloch' with arguments '()' and keyword arguments '{u'host': u'yujia-VirtualBox [08:00:27:5a:13:07]._workstation._tcp.local'}' not found. 1 pattern(s) tried: ['analysis/moloch/(?P<ip>[\\d\\.]+)?/(?P<host>[a-zA-Z0-9-\\.]+)?/(?P<src_ip>[a-zA-Z0-9\\.]+)?/(?P<src_port>\\d+|None)?/(?P<dst_ip>[a-zA-Z0-9\\.]+)?/(?P<dst_port>\\d+|None)?/(?P<sid>\\d+)?']
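The NoReverseMatch above comes from Django checking the `host` argument against the `(?P<host>[a-zA-Z0-9-\.]+)?` group of the quoted pattern before it will build the link. The following added example (not Cuckoo's code) reproduces that check offline against the hostname from the error, lists the characters that break it, and shows the defensive choice of falling back to plain text instead of a 500 page; `moloch_path_for_host`, `offending_chars` and `safe_host_for_link` are names chosen here, and the hostnames are taken from the error or constructed.

```python
import re

# The moloch URL pattern exactly as quoted in the Django error above.
MOLOCH_PATTERN = re.compile(
    r"analysis/moloch/(?P<ip>[\d\.]+)?/(?P<host>[a-zA-Z0-9-\.]+)?/"
    r"(?P<src_ip>[a-zA-Z0-9\.]+)?/(?P<src_port>\d+|None)?/"
    r"(?P<dst_ip>[a-zA-Z0-9\.]+)?/(?P<dst_port>\d+|None)?/(?P<sid>\d+)?"
)

# Hostname from the error: an mDNS service instance name that ended up in the
# DNS results, carrying a space, brackets, colons and underscores.
BAD_HOST = "yujia-VirtualBox [08:00:27:5a:13:07]._workstation._tcp.local"
# Constructed, well-behaved hostname for comparison.
GOOD_HOST = "www.example.com"


def moloch_path_for_host(host):
    """Build the path reverse() would have to emit for {'host': host} and
    return it only if the whole path satisfies the pattern; None is the
    case in which Django raises NoReverseMatch and the template 500s."""
    path = "analysis/moloch//%s/////" % host  # every other group left empty
    return path if MOLOCH_PATTERN.fullmatch(path) else None


def offending_chars(host):
    """Characters of `host` outside the host group's class [a-zA-Z0-9-\\.].
    Adding '_' to the class (as tried later in the thread) is not enough
    when the name also carries spaces, brackets or colons."""
    return sorted({c for c in host if not re.fullmatch(r"[a-zA-Z0-9.-]", c)})


def safe_host_for_link(host):
    """Defensive rendering choice (an assumption here, not Cuckoo's fix): hand
    the host to the URL reverser only when it can be reversed; otherwise
    return None so the template can print the name as plain text."""
    return host if not offending_chars(host) else None


if __name__ == "__main__":
    print(moloch_path_for_host(GOOD_HOST))
    print(moloch_path_for_host(BAD_HOST), offending_chars(BAD_HOST))
```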

jbremer commented 8 years ago

The template rendering issue was resolved through 9c704f50e70227ed21ae1b79ba90540c3087fc57 :-)

jbremer commented 8 years ago

Will be linking to the FAQ from now on. Closing this issue as resolved ;-)

ramirez3805 commented 7 years ago

Hi, sorry to bring up old news, it's just I've been stuck for weeks on this exact thing mentioned above. I also did the fix and see that error, I added the underscore already as well. No idea what else I may be able to check, if you need anything from me, please let me know.

jbremer commented 7 years ago

Can you share a screenshot of the exact error? Perhaps you have other characters that break the regex.

ramirez3805 commented 7 years ago

Wow, thanks for the quick response. It's easier for me to send a picture since I have this machine off the network. I do this because I can't seem to find a straight answer and have no idea if there is a possibility malware can even have a remote chance of getting past the VM. Although I know cuckoo does allow you to upload the malware to the vault. Either way, attached is the picture. Thanks for your help.

jbremer commented 7 years ago

Yeah, there are some additional characters there that are currently not in the regex... but this is an unusual case which probably shouldn't even be in the pcap in the first place. I'll think about the best way to resolve this issue, thanks for reporting.

ramirez3805 commented 7 years ago

Wow thanks, how did that even end up happening? I really appreciate it.

doomedraven commented 7 years ago

Can you pass the sample from analysis 4?

ramirez3805 commented 7 years ago

Not sure I understand the question, if I can pass a malware sample to the VM? Yes. The status shows reported.

doomedraven commented 7 years ago

No, can you send us a sample for testing

Best regards Andriy


ramirez3805 commented 7 years ago

A malware sample correct?

doomedraven commented 7 years ago

Yes

ramirez3805 commented 7 years ago

Andrada.a.zip

Thanks.

doomedraven commented 7 years ago

works just fine here

doomedraven commented 7 years ago

Can you export and post here your analysis? You can type directly http://host_io:8000/analysis/4/export/ and you should be prompted to export data; export all and upload please.

ramirez3805 commented 7 years ago

Sorry for the delay, I couldn't figure out how to use that line, I tried to use that line how it was, also tried localhost, but didn't work. I also tried to make it a zip file but it was too large to upload onto here. Any suggestions?

doomedraven commented 7 years ago

exclude memdump and create archive, then upload :)

ramirez3805 commented 7 years ago

I finally have it for you guys, I appreciate all the help, this is so important for me. 4.zip

doomedraven commented 7 years ago

Just checked your data, I don't see anything weird, and can't reproduce this error.

ramirez3805 commented 7 years ago

Can I send you my configuration or something? I'm not sure what can be causing this issue, it's probably something simple if I had to guess.


doomedraven commented 7 years ago

If I remember correctly, you're using rc1; try the dev branch. I can't touch the production server for changes.

ramirez3805 commented 7 years ago

Do you have a link with instructions on this please, going to work on this today for a good amount of hours.

doomedraven commented 7 years ago

Just clone the branch and you will have the dev branch.

ramirez3805 commented 7 years ago

Sorry, I don't know what you mean by just clone branch, a lot of this is new to me and I'm trying to learn.....

doomedraven commented 7 years ago

git clone https://github.com/cuckoosandbox/cuckoo.git or the green button in https://github.com/cuckoosandbox/cuckoo, clone or download.

ramirez3805 commented 7 years ago

If I do that, which I did but inside the old cuckoo folder so now I have the dev one inside the older one which I guess is fine, so, now, I copy the conf folder over? And then, what would be next?

doomedraven commented 7 years ago

Reconfigure better; you can overwrite conf but it can miss some new values in configs.

ramirez3805 commented 7 years ago

So, I'm testing now, if it doesn't work, what do I send you?

doomedraven commented 7 years ago

test it first

ramirez3805 commented 7 years ago

Not sure what the issue is now, I went ahead and did the listener startup script so I did a new snapshot, I had an issue before with snapshots actually but ended up getting it resolved, deleted all other ones so I just have one snapshot called snap and the current state, during the analysis I get the error, Machinery error: Timeout hit while for machine Ubuntu14 to change status. Then talks about the critical error, no longer in a working state. In yellow, it has the results folder does not exist and then in red, unable to open dump_sorted.pcap.

doomedraven commented 7 years ago

it should be something in your configuration as it works just fine here

ramirez3805 commented 7 years ago

Would you know which file to look at first?


doomedraven commented 7 years ago

no, as i can't reproduce it even with exported data

ramirez3805 commented 7 years ago

I see. I'll try to get back to you as soon as I can. Thanks.


ramirez3805 commented 7 years ago

Just to verify, the only conf files that need to be updated are cuckoo, virtualbox(since I'm using virtualbox) for a simple setup correct. I did read this. To get Cuckoo working you have to edit auxiliary.conf:, cuckoo.conf and .conf at least. but I think auxiliary and machinery can be left alone?

doomedraven commented 7 years ago

With cuckoo.conf and virtualbox.conf should be enough for a start.

ramirez3805 commented 7 years ago

Sorry but I'm stuck. I've updated the conf, I verified that I can ping the host, not sure what else can be wrong. I keep getting the timeout hit while for machine Ubuntu to change status. They want me to show a demo of this working by tomorrow x.x

doomedraven commented 7 years ago

@ramirez3805 you can contract the cuckoo consulting services and @jbremer or other member of the team will provide you needed support and will dedicate time, because i don't know what else can be wrong there

ramirez3805 commented 7 years ago

:( What are typical areas to look at when that machinery error, "Timeout hit while for machine to change status", then the "no longer in a working state" message which later leads on to saying "please report to developers"? I have run over the configs and IPs over and over again.

ramirez3805 commented 7 years ago

Actually, noticed something odd, my new cuckoo, has an asterisk on the cuckoo.py, could this be related?

jbremer commented 7 years ago

Can you cuckoo.py -d and provide us with full logs?

ramirez3805 commented 7 years ago

It might have been an issue with the location. I moved the new dev cuckoo directory out to the home directory and renamed it to cuckoo2; now it does not have the asterisk, but I still get the same error. Thanks.

jbremer commented 7 years ago

I don't know what an asterisk is in this context, but you're trying to do linux malware analysis?

ramirez3805 commented 7 years ago

Yes, either way, the asterisk is gone now. After running it in debug mode I do see, machine Ubuntu14 status poweroff over and over again, do you want me to send you that?

jbremer commented 7 years ago

Can you show a screenshot from VirtualBox that you do in fact have a snapshot for this VM?

ramirez3805 commented 7 years ago

I even named it Snapshot1.

jbremer commented 7 years ago

Ok. And if you click the "restore snapshot" button it works correctly? And you can curl the Agent in the VM?

ramirez3805 commented 7 years ago

I click the restore snapshot and it asks are you sure, so yes, so I assume it is doing it, can test, what does curl the agent in the vm mean?


doomedraven commented 7 years ago

curl vm_ip:8000 and you should get error 50x, which means communication works.

Best regards Andriy


ramirez3805 commented 7 years ago

I got error code 501, server does not support this operation. I also tested the restore of the snapshot and it works correctly.
