quarkslab / irma

IRMA is an asynchronous & customizable analysis system for suspicious files.
https://irma.quarkslab.com
Apache License 2.0

ssh2.exceptions.SFTPProtocolError #59

Closed icepaule closed 5 years ago

icepaule commented 5 years ago

Hello quarkslab,

Thanks for the tool, but while using the OVA I came across a strange message that keeps me from using it. Besides the request for help resolving the issue, what is IRMA trying to use SSH for?

Cheers and thanks a lot,
Marcus

[2019-03-02 13:56:30,733: ERROR/Worker-2] brain.scan_tasks.scan_flush[3d0da3d9-8077-490e-93a0-49ed1b1b05c6]: Traceback (most recent call last):
  File "/opt/irma/irma-brain/current/venv/lib/python3.5/site-packages/irma/common/ftp/ftp.py", line 157, in delete
    self._rm(full_dstpath)
  File "/opt/irma/irma-brain/current/venv/lib/python3.5/site-packages/irma/common/ftp/sftpv2.py", line 101, in _rm
    self._client.unlink(remote)
  File "ssh2/sftp.pyx", line 296, in ssh2.sftp.SFTP.unlink
  File "ssh2/utils.pyx", line 157, in ssh2.utils.handle_error_codes
ssh2.exceptions.SFTPProtocolError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/irma/irma-brain/releases/20180719115813/brain/scan_tasks.py", line 192, in scan_flush
    scan_ctrl.flush(scan, session)
  File "/opt/irma/irma-brain/current/venv/lib/python3.5/site-packages/fasteners/process_lock.py", line 252, in wrapper
    return f(*args, **kwargs)
  File "/opt/irma/irma-brain/releases/20180719115813/brain/controllers/scanctrl.py", line 57, in flush
    ftp_ctrl.flush(ftpuser, scan.files)
  File "/opt/irma/irma-brain/releases/20180719115813/brain/controllers/ftpctrl.py", line 30, in flush
    ftp.delete(".", filename)
  File "/opt/irma/irma-brain/current/venv/lib/python3.5/site-packages/irma/common/ftp/ftp.py", line 159, in delete
    raise self._Exception("{0}".format(e))
irma.common.base.exceptions.IrmaSFTPv2Error

ch0k0bn commented 5 years ago

Hello Marcus

IRMA uses SFTP to transfer files between the frontend (permanent storage) and the probes during analysis. When every component runs on the same VM it is useless, but a regular production server runs on several virtual or physical machines (see https://irma.readthedocs.io/en/latest/intro/process.html). When the scan is finished, the temporary files are deleted.

Could you check inside the VM if there are files in the /sftp directories and subdirectories?
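One way to run the check requested above, as an added example that is not part of the thread or of IRMA's code: it walks an SFTP root and reports each leftover file together with the owner and mode of its directory, since removing a file needs write and search permission on the parent directory. The `probe-user`, `uploads` and `locked` names and the sample files are constructed for the demo; only the `/sftp` default comes from the thread.

```python
import os
import stat
import sys
import tempfile
import time


def audit_sftp_tree(root):
    """List leftover files under root and whether their directory allows deletion."""
    findings = []
    now = time.time()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        dir_st = os.stat(dirpath)
        # Removing an entry needs write + search permission on the parent directory.
        removable = bool(dir_st.st_mode & stat.S_IWUSR and dir_st.st_mode & stat.S_IXUSR)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            findings.append({
                "path": path,
                "size": st.st_size,
                "age_s": int(now - st.st_mtime),
                "file_uid": st.st_uid,
                "dir_uid": dir_st.st_uid,
                "dir_mode": stat.filemode(dir_st.st_mode),
                "dir_owner_can_unlink": removable,
            })
    return findings


def demo():
    """Constructed tree standing in for /sftp (hypothetical layout, no real IRMA data)."""
    with tempfile.TemporaryDirectory() as root:
        dirs = [os.path.join(root, "probe-user", d) for d in ("uploads", "locked")]
        for d in dirs:
            os.makedirs(d)
            with open(os.path.join(d, "sample.bin"), "wb") as fh:
                fh.write(b"\x00" * 16)
        os.chmod(dirs[1], 0o555)  # read-only directory: its owner cannot unlink entries
        try:
            return [(os.path.relpath(f["path"], root), f["dir_owner_can_unlink"])
                    for f in audit_sftp_tree(root)]
        finally:
            os.chmod(dirs[1], 0o755)  # restore so the temporary tree can be cleaned up


if __name__ == "__main__":
    for finding in audit_sftp_tree(sys.argv[1] if len(sys.argv) > 1 else "/sftp"):
        print(finding)
```

An empty result means no temporary files are left under the root; entries with `dir_owner_can_unlink` set to false, or a `dir_uid` that is not the SFTP account, are the ones to compare against the failing `unlink` call in the traceback.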