kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

AzSniffer module not working properly when sniffing multiple VMSS instances #2229

Open leoiancu21 opened 3 months ago

leoiancu21 commented 3 months ago

Expected Behavior

The AzSniffer module should correctly create packet captures for multiple machines in a VM Scale Set (VMSS) environment.

Current Behavior

  1. When multiple machines are present inside a VMSS, the analysis module generates an incorrect folder structure:
     ...network-watcher-logs/Packet_Capture_{task_id}/{machine_name}_Packet_Capture_{task_id}
     This structure is not correctly aligned with the code.

  2. The AzSniffer module fails to create packet captures for individual VMs within the VMSS, resulting in an "UnsupportedTargetResourceId" error.

Failure Information (for bugs)

Steps to Reproduce

  1. Set up a VMSS environment in Azure for CAPESandbox
  2. Attempt to run an analysis that involves packet capture using the AzSniffer module
  3. Observe the error in the logs and the incorrect folder structure

Context

| Question | Answer |
| --- | --- |
| Git commit | (User needs to provide this information) |
| OS version | (User needs to provide this information) |

Additional context:

Network Watchers are based on:

The current implementation seems to be targeting individual VMs within the VMSS, which is not supported.

Failure Logs

2024-07-13 17:41:45,263 [msal.authority] INFO: Initializing with Entra authority: https://login.microsoftonline.com/[TENANT_ID]
2024-07-13 17:41:46,101 [modules.auxiliary.AzSniffer] ERROR: Azure error occurred while creating packet capture: (UnsupportedTargetResourceId) Target resource identifier /subscriptions/[SUBSCRIPTION_ID]/resourceGroups/[RESOURCE_GROUP]/providers/Microsoft.Compute/virtualMachineScaleSets/[VMSS_NAME]/virtualMachines/10/networkInterfaces/[NIC_NAME] is not an allowed target resource. The supported resource types for the target resource are VM, VirtualNetwork, Subnet, VMScaleSet.
Code: UnsupportedTargetResourceId
Message: Target resource identifier /subscriptions/[SUBSCRIPTION_ID]/resourceGroups/[RESOURCE_GROUP]/providers/Microsoft.Compute/virtualMachineScaleSets/[VMSS_NAME]/virtualMachines/10/networkInterfaces/[NIC_NAME] is not an allowed target resource. The supported resource types for the target resource are VM, VirtualNetwork, Subnet, VMScaleSet.
2024-07-13 17:41:46,101 [lib.cuckoo.core.plugins] WARNING: Unable to start auxiliary module AzSniffer: (UnsupportedTargetResourceId) Target resource identifier /subscriptions/[SUBSCRIPTION_ID]/resourceGroups/[RESOURCE_GROUP]/providers/Microsoft.Compute/virtualMachineScaleSets/[VMSS_NAME]/virtualMachines/10/networkInterfaces/[NIC_NAME] is not an allowed target resource. The supported resource types for the target resource are VM, VirtualNetwork, Subnet, VMScaleSet.
Code: UnsupportedTargetResourceId
Message: Target resource identifier /subscriptions/[SUBSCRIPTION_ID]/resourceGroups/[RESOURCE_GROUP]/providers/Microsoft.Compute/virtualMachineScaleSets/[VMSS_NAME]/virtualMachines/10/networkInterfaces/[NIC_NAME] is not an allowed target resource. The supported resource types for the target resource are VM, VirtualNetwork, Subnet, VMScaleSet.

I'm opening this issue to track the fix and then publish it in the public repo too. I'm already working on this by myself, so no help is expected; still, if anyone has suggestions/ideas, I will be more than happy to hear them.
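The error in the failure log lists the supported target types (VM, VirtualNetwork, Subnet, VMScaleSet) and rejects the per-instance NIC ID. As an added example (not CAPEv2's AzSniffer code and not the fix the author is working on), the sketch below maps an ARM resource ID to its nearest supported ancestor and returns the VMSS instance ID separately. The function name and the sample ID are constructed for illustration, and how the instance is then selected on the capture request is not shown on this page.

```python
# Added example, not CAPEv2 code. Type names come from the error message in the log.

# Constructed ID with the same shape as the redacted one in the failure log.
SAMPLE_NIC_ID = (
    "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Compute"
    "/virtualMachineScaleSets/cape-vmss/virtualMachines/10/networkInterfaces/nic0"
)


def supported_target(resource_id):
    """Return (target_type, target_id, vmss_instance) for an ARM resource ID.

    Raises ValueError when no ancestor of the ID is a supported target.
    """
    parts = resource_id.strip("/").split("/")
    low = [p.lower() for p in parts]  # ARM IDs compare case-insensitively
    scope = (low[0], low[2], low[4]) if len(parts) >= 8 else None
    if scope != ("subscriptions", "resourcegroups", "providers"):
        raise ValueError(f"not a resource-group scoped ARM ID: {resource_id!r}")

    provider = low[5]
    types, names = low[6::2], parts[7::2]  # alternating type/name segments

    def has_child(kind):
        # True when the first child resource is of this kind and has a name.
        return len(types) > 1 and types[1] == kind and len(names) > 1

    def prefix(n):
        # Rebuild the ID from its first n segments, keeping the original case.
        return "/" + "/".join(parts[:n])

    if provider == "microsoft.compute" and types[0] == "virtualmachinescalesets":
        # Target the scale set itself; keep the instance ID for later scoping.
        instance = names[1] if has_child("virtualmachines") else None
        return "VMScaleSet", prefix(8), instance
    if provider == "microsoft.compute" and types[0] == "virtualmachines":
        return "VM", prefix(8), None
    if provider == "microsoft.network" and types[0] == "virtualnetworks":
        if has_child("subnets"):
            return "Subnet", prefix(10), None
        return "VirtualNetwork", prefix(8), None
    raise ValueError(f"no supported packet-capture target in: {resource_id!r}")


if __name__ == "__main__":
    print(supported_target(SAMPLE_NIC_ID))
```
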

leoiancu21 commented 3 months ago

@doomedraven could you add the Azure tag? I can't figure out how to add it by myself.