cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Failure in AnalysisManager.run - Name or service not known #822

Closed ghost closed 8 years ago

ghost commented 8 years ago

Hi,

When I submit a file to Cuckoo I get the following error:

2016-03-21 14:02:45,290 [lib.cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
  File "/home/remnux/Desktop/cuckoo/lib/cuckoo/core/scheduler.py", line 447, in run
    self.launch_analysis()
  File "/home/remnux/Desktop/cuckoo/lib/cuckoo/core/scheduler.py", line 339, in launch_analysis
    self.guest_manage(options)
  File "/home/remnux/Desktop/cuckoo/lib/cuckoo/core/scheduler.py", line 257, in guest_manage
    guest.start_analysis(options, monitor)
  File "/home/remnux/Desktop/cuckoo/lib/cuckoo/core/guest.py", line 382, in start_analysis
    r = self.get("/")
  File "/home/remnux/Desktop/cuckoo/lib/cuckoo/core/guest.py", line 255, in get
    return requests.get(url, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', gaierror(-2, 'Name or service not known'))

The host and the guest are communicating properly and Virtual Box is working well too, but it seems like it fails whenever it has to launch the analysis.

botherder commented 8 years ago

Was the agent running when you created the snapshot of the VM?

ghost commented 8 years ago

@botherder Yes it was.

jbremer commented 8 years ago

Well, the host is definitely not able to connect to the Guest. Try connecting manually after starting the VM - are you sure the IP/port is correctly defined?

icaman commented 8 years ago

Hi Folks,

I have just finished the installation on Linux CuckooVM 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux and I'm facing the same error.

As you suggested, I've just copied the agent Python script in the Guest VM, that's all.

Below the error:

Cuckoo Sandbox 2.0-rc1 www.cuckoosandbox.org Copyright (c) 2010-2015

Checking for updates... Good! You have the latest version available.

2016-04-29 15:37:41,685 [root] INFO: Updated running task ID 13 status to failed_analysis
2016-04-29 15:37:41,697 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2016-04-29 15:37:41,929 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2016-04-29 15:37:41,943 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2016-04-29 15:37:49,162 [lib.cuckoo.core.scheduler] INFO: Starting analysis of URL "malwr.com" (task #14, options "")
2016-04-29 15:37:49,182 [lib.cuckoo.core.scheduler] INFO: Task #14: acquired machine cuckoo1 (label=Win7SP0x86-VM1)
2016-04-29 15:37:49,186 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 1180 (interface=vboxnet0, host=192.168.56.101 snapshot = Snapshot3 interface = vboxnet0, pcap=/home/analyst/Downloads/cuckoo/storage/analyses/14/dump.pcap)
tcpdump: syntax error
2016-04-29 15:37:54,729 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.101 snapshot = Snapshot3 interface = vboxnet0)
2016-04-29 15:38:02,162 [lib.cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
  File "/home/analyst/Downloads/cuckoo/lib/cuckoo/core/scheduler.py", line 447, in run
    self.launch_analysis()
  File "/home/analyst/Downloads/cuckoo/lib/cuckoo/core/scheduler.py", line 339, in launch_analysis
    self.guest_manage(options)
  File "/home/analyst/Downloads/cuckoo/lib/cuckoo/core/scheduler.py", line 257, in guest_manage
    guest.start_analysis(options, monitor)
  File "/home/analyst/Downloads/cuckoo/lib/cuckoo/core/guest.py", line 382, in start_analysis
    r = self.get("/")
  File "/home/analyst/Downloads/cuckoo/lib/cuckoo/core/guest.py", line 255, in get
    return requests.get(url, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', gaierror(-2, 'Name or service not known'))

Please let me know if you need any further details about that.

Thanks!

jbremer commented 8 years ago

@icaman Doesn't look like the Agent is running ;-)

icaman commented 8 years ago

for nc it looks like open:

analyst@CuckooVM:~/Downloads/cuckoo/conf$ nc -n -v 192.168.56.101 8000
Connection to 192.168.56.101 8000 port [tcp/*] succeeded!

:)

jbremer commented 8 years ago

Oke. Can you also show the output for curl.

icaman commented 8 years ago

analyst@CuckooVM:~/Downloads/cuckoo/conf$ curl -i 192.168.56.101:8000
HTTP/1.0 501 Unsupported method ('GET')
Server: BaseHTTP/0.3 Python/2.7.11
Date: Tue, 03 May 2016 14:15:25 GMT
Content-Type: text/html
Connection: close

Error response

Error response

Error code 501.

Message: Unsupported method ('GET').

Error code explanation: 501 = Server does not support this operation.

jbremer commented 8 years ago

Seems to work fine - are you sure you've correctly setup the configuration?

icaman commented 8 years ago

it seems that I have to check them.

Thanks for the confirmation anyway

icaman commented 8 years ago

The configuration was fine. I've inserted the VM guest IP in the agent.py,

jbremer commented 8 years ago

Closing as most likely resolved by now. Please reopen if that's not the case.

mishamehra commented 7 years ago

where vm guest ip is to be inserted in agent.py file??

doomedraven commented 7 years ago

it just must be placed in vm and started as admin, you dont need specify ip inside

jbremer commented 7 years ago

Please provide full logs.

mishamehra commented 7 years ago

hi,

i would really appreciate if you could help me in resolving this issue. the error details are:

python cuckoo.py


Cuckoo Sandbox 2.0-rc1 www.cuckoosandbox.org Copyright (c) 2010-2015

Checking for updates... Good! You have the latest version available.

2016-11-17 14:26:47,190 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2016-11-17 14:26:50,711 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2016-11-17 14:26:50,719 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2016-11-17 14:27:00,033 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "7081d8f6-6df7-11e6" (task #9, options "")
2016-11-17 14:27:00,106 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/misha/cuckoodir/cuckoo-rc1/cuckoo/storage/binaries/9edaa76d3af03b44639148d190785eab9720471ffc28c71468182b786ed0b0eb"
2016-11-17 14:27:00,271 [lib.cuckoo.core.scheduler] INFO: Task #9: acquired machine windowsxp (label=windowsxp)
2016-11-17 14:27:00,331 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 4932 (interface=vboxnet0, host=192.168.56.10 snapshot = snapshot2 resultserver_ip = 192.168.56.1 resultserver_port = 2042, pcap=/home/misha/cuckoodir/cuckoo-rc1/cuckoo/storage/analyses/9/dump.pcap)
tcpdump: syntax error
2016-11-17 14:27:04,464 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=windowsxp, ip=192.168.56.10 snapshot = snapshot2 resultserver_ip = 192.168.56.1 resultserver_port = 2042)
2016-11-17 14:27:10,928 [lib.cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
  File "/home/misha/cuckoodir/cuckoo-rc1/cuckoo/lib/cuckoo/core/scheduler.py", line 447, in run
    self.launch_analysis()
  File "/home/misha/cuckoodir/cuckoo-rc1/cuckoo/lib/cuckoo/core/scheduler.py", line 339, in launch_analysis
    self.guest_manage(options)
  File "/home/misha/cuckoodir/cuckoo-rc1/cuckoo/lib/cuckoo/core/scheduler.py", line 257, in guest_manage
    guest.start_analysis(options, monitor)
  File "/home/misha/cuckoodir/cuckoo-rc1/cuckoo/lib/cuckoo/core/guest.py", line 393, in start_analysis
    r.json().get("version"), self.vmid, self.ipaddr)
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 741, in json
    return json.loads(self.text, **kwargs)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 384, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded


doomedraven commented 7 years ago

try rc2

doomedraven commented 7 years ago

Get Cuckoo Sandbox 2.0-RC2 now and start fighting malware! https://cuckoosandbox.org/

doomedraven commented 7 years ago

https://cuckoosandbox.org/2016-11-16-cuckoo-sandbox-20-rc2.html

doomedraven commented 7 years ago

you have answer in your log, read it ;)

2016-11-17 15:59:59,701 [lib.cuckoo.core.plugins] WARNING: Unable to stop
 auxiliary module: Error running tcpdump to sniff the network traffic during
 the analysis; stdout = '' and stderr = 'tcpdump: syntax error\n'. Did you
 enable the extra capabilities to allow running tcpdump as non-root user and
 disable AppArmor properly (only applies to Ubuntu)?

try:

sudo apt-get install apparmor-utils
sudo aa-disable /usr/sbin/tcpdump

jbremer commented 7 years ago

Somewhere earlier you had the following error as well, which indicates that your configuration isn't parsed properly. The host contains a newline? What OS are you running Cuckoo on?

raise ConnectionError(e)
ConnectionError: HTTPConnectionPool(host='192.168.56.10%0Aresultserver_ip%20=%20192.168.56.1%0Aresultserver_port%20=%202042', port=8000): Max retries exceeded with url: / (Caused by <class 'socket.gaierror'>: [Errno -2] Name or service not known)

doomedraven commented 7 years ago

http://docs.cuckoosandbox.org/en/latest/installation/host/requirements/#installing-tcpdump

doomedraven commented 7 years ago

provide more logs, os version etc etc

doomedraven commented 7 years ago

@mishamehra i think in one of your issues @jbremer responded to "HTTPConnectionPool(host='192.168.56.10%0Ainterface%20=%20vboxnet0%0Aresultserver_ip%20=%20192.168.56.1%0Aresultserver_port%20=%202042' related bug

doomedraven commented 7 years ago

newline is you pressed enter after

192.168.56.10%0A <- 0x0A is a new line
>>> chr(int("0x0A", 16))
'\n'

it means you pressed enter after changing the host ip in edit mode, not in readonly (speaking in vi(m) format)

remove newline there and it should solve your problem
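
A host value that has swallowed the following config lines, as in the `192.168.56.10%0A...` error above, can be caught before a task is submitted. This is an added example, not part of the original thread or of Cuckoo's code: the config snippet is constructed, and the names `check_conf`, `IP_OPTIONS` and `SAMPLE_CONF` are hypothetical. It relies on Python 3's `configparser`, which folds indented lines into the previous option's value; that this is how the value arose in the reports above is an assumption.

```python
import configparser
import ipaddress

# Constructed sample resembling a machine section. The lines after "ip" start
# with a space, so the INI parser treats them as continuations of the ip value.
SAMPLE_CONF = """\
[windowsxp]
label = windowsxp
platform = windows
ip = 192.168.56.10
 snapshot = snapshot2
 resultserver_ip = 192.168.56.1
 resultserver_port = 2042
"""

# Options expected to hold exactly one address (assumed list for this example).
IP_OPTIONS = ("ip", "resultserver_ip")


def check_conf(text):
    """Return (section, option, problem) tuples for malformed address values."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    problems = []
    for section in parser.sections():
        for option in IP_OPTIONS:
            if not parser.has_option(section, option):
                continue
            raw = parser.get(section, option)
            # A folded value keeps the swallowed lines, separated by "\n".
            if "\n" in raw or "\r" in raw:
                count = len(raw.splitlines())
                problems.append((section, option,
                                 "value spans %d lines: %r" % (count, raw)))
                continue
            try:
                ipaddress.ip_address(raw.strip())
            except ValueError:
                problems.append((section, option,
                                 "not an IP address: %r" % raw))
    return problems


if __name__ == "__main__":
    for section, option, problem in check_conf(SAMPLE_CONF):
        print("[%s] %s: %s" % (section, option, problem))
```

Because the folded lines never become options of their own, `resultserver_ip` is silently missing from the section as well, which is why only the `ip` option is reported for the sample.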

jbremer commented 7 years ago

What @doomedraven said.

mishamehra commented 7 years ago

thank you so very much guys..it has finally worked...my silly mistake..thank u so much..:)

On 21 November 2016 at 17:30, misha mehra mishamehra@gmail.com wrote:

understood...let me try..thanks...


jbremer commented 7 years ago

Please share your solution so that others can use it as a reference in the future in case they run into the same issue @mishamehra.

mishamehra commented 7 years ago

For cuckoo to work properly..pls follow the official documentation properly...follow step by step instruction for preparing your host. configure vm software properly and check the connectivity between host and guest machine. Also be very careful in configuring the conf file..pls do not add any extra lines or spaces.. i had to edit my conf file multiple times to get cuckoo working.. i have used cuckoo version rc2 for my purpose

for this error

WARNING: Unable to stop auxiliary module: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'tcpdump: syntax error\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (only applies to Ubuntu)?
2016-11-18 11:59:02,409 [lib.cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
  File "/home/misha/cuckoodir/cuckoo-rc2/cuckoo/lib/cuckoo/core/scheduler.py", line 519, in run
    self.launch_analysis()
  File "/home/misha/cuckoodir/cuckoo-rc2/cuckoo/lib/cuckoo/core/scheduler.py", line 399, in launch_analysis
    self.guest_manage(options)
  File "/home/misha/cuckoodir/cuckoo-rc2/cuckoo/lib/cuckoo/core/scheduler.py", line 301, in guest_manage
    self.guest_manager.start_analysis(options, monitor)
  File "/home/misha/cuckoodir/cuckoo-rc2/cuckoo/lib/cuckoo/core/guest.py", line 384, in start_analysis
    r = self.get("/")
  File "/home/misha/cuckoodir/cuckoo-rc2/cuckoo/lib/cuckoo/core/guest.py", line 290, in get
    return session.get(url, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 467, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 378, in send
    raise ConnectionError(e)
ConnectionError: HTTPConnectionPool(host='192.168.56.10%0Ainterface%20=%20vboxnet0%0Aresultserver_ip%20=%20192.168.56.1%0Aresult

ensure that proper permissions are assigned

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

and apparmor is disabled

sudo service apparmor stop

and conf files are configured properly....enjoy :)

mishamehra commented 7 years ago

hi guys,

sorry for bugging you again.. i want to understand the theory behind working of sandboxes and virtual machine in detail.. can u please refer some good books on this subject. i have come across some theory on the Internet but it's not elaborated and detailed. So can you suggest some technical books or other stuff for the complete understanding of this interesting subject..

Thanks


doomedraven commented 7 years ago

https://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033