WebUI issue

[yujiaxinlong]

met trouble when visiting page of analyzed file in webUI

I saw similar problem in #736 I also met [modules.processing.network] ERROR: Failed to process packet: 'type' Traceback (most recent call last): and https://github.com/cuckoosandbox/cuckoo/commit/ff06882db68058797aebcb7d3f24d01e8b24f48f fixed it, but not the webUI problem error message:

Error during template rendering

In template /home/yu/cuckoo/web/templates/analysis/network/_dns.html, error at line 14 Reverse for 'analysis.views.moloch' with arguments '()' and keyword arguments '{u'host': u'yujia-VirtualBox [08:00:27:5a:13:07]._workstation._tcp.local'}' not found. 1 pattern(s) tried: ['analysis/moloch/(?P<ip>[\\d\\.]+)?/(?P<host>[a-zA-Z0-9-\\.]+)?/(?P<src_ip>[a-zA-Z0-9\\.]+)?/(?P<src_port>\\d+|None)?/(?P<dst_ip>[a-zA-Z0-9\\.]+)?/(?P<dst_port>\\d+|None)?/(?P<sid>\\d+)?']

[ramirez3805]

Anything else you recommend I should check?

[ramirez3805]

Okay guys, I'm back, and for the last time lol, If I don't get this working by tomorrow, I'm done. So, I started from complete scratch! This time I made sure I followed things to the T, I created a brand new host being Ubuntu and a brand new guest which is also Ubuntu, made sure I have the snapshot, configs looked good, just one thing I wasn't sure about, is my host machine supposed to have a static IP? I don't think it matters, either way, I'm getting the Machinery error:Timeout hit while for machine Ubuntu to change status. What can I send you guys to check? I also tried it with the debug parameter and got error that it is waiting for machine status to switch to 'saved'

[ramirez3805]

I notice after I run it and before the error, the virtualbox application flickers at the start button, not sure if that helps at all.

[doomedraven]

in which state is your snapshot? should be runned

[ramirez3805]

[doomedraven]

im not vbox user, so i don't know, but looking the snapshot icon it was stopped,

should be green as here i suppouse, create snapshot in running state

http://www.howtogeek.com/wp-content/uploads/2013/04/656x300ximage54.png.pagespeed.gp+jp+jw+pj+js+rj+rp+rw+ri+cp+md.ic.uka-Zp7vdE.png

[ramirez3805]

OMG, that was the issue. Wow, all this time and it was that, now question, it gave no errors, and it says analysis procedure completed, when I go to the web interface, it says status reported but I can't click on the reported text, just the MD5, but if I click the md5, it gives error of NoReverseMatch at templete _dns.html line 14

[ramirez3805]

It's basically then, at the error I had when I first started commented on this post with the image

[doomedraven]

dude you need learn read documentation, you have all that there.

you probably using incorrect django version, see requirements.txt to install correct version

[ramirez3805]

Sorry man, I've actually been trying to learn this stuff, I'm new to all this, I ran this sudo pip install -r requirements.txt when I first set everything up, doesn't that install everything for me?

[ramirez3805]

I'm running 1, 8, 4

[doomedraven]

the best way to learn is carefully read first time docu ;)

did you on last dev commit ? is your repo up to date?

[doomedraven]

cd /home/mario/cuckoo && git pull

[ramirez3805]

Thanks, it says Already up-to-date.

[doomedraven]

can you post screen of error, probably something escape

[ramirez3805]

[doomedraven]

that was fixed a lot of time ago https://github.com/cuckoosandbox/cuckoo/commit/9c704f50e70227ed21ae1b79ba90540c3087fc57

[doomedraven]

check if you have the same in file on your side

[ramirez3805]

[doomedraven]

well i don't know why that happens %) but i can say you what you can try as dirty hack

https://github.com/cuckoosandbox/cuckoo/blob/master/web/templates/analysis/network/_dns.html#L14 remove

                    <td>
                        <a target="_blank" href="{% url "analysis.views.moloch" host=p.request %}">{{p.request}}</a>
                    </td>

[ramirez3805]

Awesome, that worked, only thing is, I'm not getting any info it seems?

[ramirez3805]

On the image you posted earlier of when you tried this sample, showed more information.

[doomedraven]

post output from "show analyzer log" and "show cuckoo log" as execution was only for 16 seg so is incorrect

[ramirez3805]

[doomedraven]

is agent runned as root inside of ubuntu? @jbremer any clue?

[ramirez3805]

I do not run as root, I run it as mario, is there any configuration needed to be done to just run as the regular user?

[doomedraven]

try start it as root and take new snapshot and reexecute analysis, agent should have access to everythinfg as in windows

[ramirez3805]

I ran virtualbox as root, had to create the vm again, then turn on, do snapshot, powered down, ran cuckoo as root, submitted sample as root and below is the image.

[doomedraven]

looks like there missed kernel drivers see source

https://github.com/cuckoosandbox/cuckoo/blob/master/analyzer/linux/modules/auxiliary/lkm.py https://github.com/cuckoosandbox/cuckoo/blob/master/analyzer/linux/modules/auxiliary/stap.py

[ramirez3805]

I have both those files already......

[ramirez3805]

Thanks for all your help by the way, I very much appreciate it.

[doomedraven]

lkm.py and stap.py or probelkm.ko and https://github.com/cuckoosandbox/cuckoo/blob/master/analyzer/linux/modules/auxiliary/stap.py#L28

[ramirez3805]

I have that line in stap.py, what I don't have is that probelkm.ko? Am I supposed to have that file?

[ramirez3805]

It does say it in the lkm.py file though. Not sure if that is what you are asking me.

[ramirez3805]

I found this, https://github.com/cuckoosandbox/cuckoo/issues/1056 But it doesn't say much....

[ramirez3805]

Just to make sure, the resultserver IP is the IP of the static IP of the host system correct?

[ramirez3805]

Okay so, I switched it to GUI mode, I see that it disconnects the network on the guest, then reconnects, then it just shuts down. I went into the vm and I can ping the VBOXNetwork and also the host, I feel like we are close.

[doomedraven]

Just to make sure, the resultserver IP is the IP of the static IP of the host system correct?

yes

[ramirez3805]

Do you see anything wrong here?

[doomedraven]

the network conf looks good

[ramirez3805]

What seems weird to me is the on the guest, it doesn't show the ipv4 address but the ipv6 address, even though on the gui you can clearly see it. I'm thinking it is a networking issue, you have any ideas?

[doomedraven]

if you look in vm there wifi simbol like no connection but as far as i know even network ethernet should be there connected

[ramirez3805]

I know you said the network looks good, I recreated and I can ping back and forth but is it okay for the host to have the IP address of 192.168.56.1 for eth0 and for vboxnet0 or should eth0 be another IP?

[doomedraven]

they should be different, as .56.0 is vbox network default range

[ramirez3805]

So, that might be my issue then, so let's say I give it.... 10.102.204.139, now, does that have to be in the configurations anywhere? The result server?

[ramirez3805]

I tried setting it as the result server and still same issue, vm opens, disconnects network, then analysis is complete.

[doomedraven]

you need set result server the same ip as for vboxnet0 interface

[ramirez3805]

Done, still same issue with the network though, says disconnected, then connected, then shuts down and analysis is complete, any idea there?

[ramirez3805]

[doomedraven]

can you put new output from cuckoo.py -d