kevoreilly / CAPEv2

Malware Configuration And Payload Extraction

The AzSniffer module initialization failed, causing the initialization to return #2254

Closed JohnSmith054 closed 3 weeks ago

JohnSmith054 commented 2 months ago

About accounts on capesandbox.com

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

Expected Behavior

Please describe the behavior you are expecting. If your samples (x64) are stuck in pending, ensure that you set tags=x64 in the hypervisor conf for x64 VMs.

Current Behavior

The AzSniffer module initialization failed with an error, causing the sniffer to not load properly, and as a result the pcap file was not generated.

Failure Information (for bugs)

```
2024-07-31 20:05:18,651 [lib.cuckoo.core.plugins] ERROR: Failed to load the auxiliary module "<class 'modules.auxiliary.AzSniffer.AzSniffer'>": secret should be a Microsoft Entra application's client secret
Traceback (most recent call last):
  File "/opt/CAPEv2/lib/cuckoo/core/plugins.py", line 125, in start
    current = module()
  File "/opt/CAPEv2/modules/auxiliary/AzSniffer.py", line 48, in __init__
    self.credentials = self._get_credentials()
  File "/opt/CAPEv2/modules/auxiliary/AzSniffer.py", line 58, in _get_credentials
    return ClientSecretCredential(tenant_id=self.tenant_id, client_id=self.client_id, client_secret=self.client_secret)
  File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/azure/identity/_credentials/client_secret.py", line 47, in __init__
    raise ValueError("secret should be a Microsoft Entra application's client secret")
ValueError: secret should be a Microsoft Entra application's client secret
```

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Using the default az.conf can trigger the bug.

The default az.conf that triggers it:

```
# Sniffer configurations
# New sniffer logic implementing Azure Watchers packet capture with either local or blob storage file locations
# the configurations for AzSniffer module will be used to create the dump.pcap file needed for network analysis when using Azure VMSS for Guest VMs
resource_group =
# Storage account where the .cap file will be placed by the Azure Packet Capture, soon the local file path logic will be implemented too
storage_account =
vmss_name =
# location of the network watcher (region name)
location =
tenant_id =
client_secret =
connection_string =
```

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except under certain conditions: operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).

| Question | Answer |
|---|---|
| Git commit | cfbea5e617d10684f7743e44b51427547c0ea97a |
| OS version | Ubuntu 22.04.1 |

Failure Logs


As shown in the picture, the module creates an authorization credential during initialization, but I haven't installed Azure. The initialization failure caused the start function to return, which affected the loading of the subsequent modules. The current temporary solution is to delete AzSniffer directly.
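The failure mode described in the report, as an added illustration that is not CAPEv2's own code: a hypothetical auxiliary-module loader (`start_fragile`, `start_isolated`) and two stand-in modules (`AzSnifferLike`, `TcpdumpLike`) show how one constructor raising on an empty `client_secret` can stop every module after it from loading, and how per-module isolation keeps the tcpdump sniffer running.

```python
# Added illustration, not CAPEv2's own code: a hypothetical auxiliary-module
# loader showing why one constructor error disabled every module after it,
# and the per-module isolation that keeps tcpdump running.
from typing import Dict, List


class AzSnifferLike:
    """Builds cloud credentials in __init__, like the module in the report."""

    def __init__(self, conf: Dict[str, str]):
        # azure-identity raises ValueError on an empty secret; modelled here.
        if not conf.get("client_secret"):
            raise ValueError("secret should be a Microsoft Entra application's client secret")
        self.credentials = ("ClientSecretCredential", conf["client_secret"])


class TcpdumpLike:
    """Stands in for a sniffer with no external dependency."""

    def __init__(self, conf: Dict[str, str]):
        self.interface = conf.get("interface", "eth0")


def start_fragile(modules, confs) -> List[str]:
    """Reported behaviour: the first failure returns from start(), later modules never load."""
    started = []
    for name, cls in modules:
        try:
            cls(confs.get(name, {}))
        except Exception as exc:
            print(f"Failed to load the auxiliary module {name}: {exc}")
            return started  # bails out of the whole loop
        started.append(name)
    return started


def start_isolated(modules, confs) -> List[str]:
    """Defensive loop: a failing module is logged and skipped, the rest still start."""
    started = []
    for name, cls in modules:
        try:
            cls(confs.get(name, {}))
        except Exception as exc:
            print(f"Skipping auxiliary module {name}: {exc}")
            continue  # only this module is lost
        started.append(name)
    return started

# Constructed sample: the default az.conf leaves client_secret empty.
MODULES = [("AzSniffer", AzSnifferLike), ("Sniffer", TcpdumpLike)]
CONFS = {"AzSniffer": {"client_secret": ""}, "Sniffer": {"interface": "eth0"}}
```

With the empty default config, `start_fragile` starts nothing while `start_isolated` still starts the tcpdump stand-in.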

benweber2 commented 1 month ago

If anyone else makes it here: this seems to also break other sniffing tasks (like TCPDump).

Renaming the module file $PATH/modules/auxiliary/AzSniffer.py resolved the issue for me.

```
mv /path/to/install/modules/auxiliary/AzSniffer.py /path/to/install/modules/auxiliary/AzSniffer.py.old
```

Ravoltek commented 1 month ago

If anyone else makes it here: this seems to also break other sniffing tasks (like TCPDump).

Renaming the module file $PATH/modules/auxiliary/AzSniffer.py resolved the issue for me.

```
mv /path/to/install/modules/auxiliary/AzSniffer.py /path/to/install/modules/auxiliary/AzSniffer.py.old
```

Thanks, it worked for me.

ChrisThibodeaux commented 1 month ago

I have a PR up for this. https://github.com/kevoreilly/CAPEv2/pull/2292

@Ravoltek @benweber2 @JohnSmith054 Can you guys try out the changes? You can just copy/paste in the few lines that I added.

ChrisThibodeaux commented 3 weeks ago

@doomedraven This should be closable now.