quarkslab / irma

IRMA is an asynchronous & customizable analysis system for suspicious files.
https://irma.quarkslab.com
Apache License 2.0

Brain.Irma not reachable after installation. #63

Closed AsimSattar96 closed 5 years ago

AsimSattar96 commented 5 years ago

Hello, I am trying to deploy IRMA to integrate it with Cuckoo Sandbox. After performing the installation as per the guide in the documentation, I run the command:

```
python2.7 irma-ansible.py environments/allinone_prod.yml playbooks/playbook.yml
```

and the following error is returned.

```
brain.irma : ok=0 changed=0 unreachable=1 failed=0
localhost : ok=3 changed=0 unreachable=0 failed=0
```

I have followed the standard documentation guide. Basically I need the URL of the IRMA installation in order to integrate it with Cuckoo. On searching, I found out that the default URL for the frontend is http://172.16.1.30, but I believe it belongs to the brain.irma box, which I do not have installed. Can you please tell me what I need to do in order to get a valid IRMA URL? Thanks

ch0k0bn commented 5 years ago

Hello,

The command line you are running is for installing a complete IRMA server with a given configuration.

In the configuration file used (here environments/allinone_prod.yml) you have an IP address that is the one used to deploy IRMA; it should be reachable through SSH for the user vagrant (default user). If you used Vagrant before, this is automatic; if not, and you are trying to install on a custom target, you have to adapt the username and SSH key to reach the target (option -u for the user and --ssh-key for the SSH key).

What is your installation target, a VM? A physical host?

AsimSattar96 commented 5 years ago

I used the automatic method guide of installation given here:

https://irma.readthedocs.io/en/v1.1.1/install/automated/index.html

My installation target is a VM.

ch0k0bn commented 5 years ago

Could you check the VM IP, verify that you can SSH into it and adjust environments/allinone_prod.yml accordingly?

AsimSattar96 commented 5 years ago

I am currently SSHing into the machine using the "vagrant ssh" command. It logs me in to 127.0.0.1. When I log into it and check the IP, it gives 10.0.2.15. I should mention I'm using VirtualBox, not KVM, as the virtual environment.

ch0k0bn commented 5 years ago

You could also try:

```
$ vagrant ssh-config
```

and get the IP address used by Vagrant to connect to the VM. Then you need to update environments/allinone_prod.yml and replace 172.16.1.30 with the correct IP.

AsimSattar96 commented 5 years ago

```
Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile /home/asim/.vagrant.d/insecure_private_key
  IdentitiesOnly yes
  LogLevel FATAL
```

These are the results I have received. So I changed the IP 172.16.1.30 to 127.0.0.1. Now the unreachable error is gone, but now it's giving me the following error.

```
fatal: [brain.irma]: FAILED! => {"changed": false, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}

brain.irma : ok=0 changed=0 unreachable=0 failed=1
localhost : ok=1 changed=0 unreachable=0 failed=0
```

ch0k0bn commented 5 years ago

Take care, I think you are SSH-ing to your localhost. Try using the other IP, 10.0.2.15.
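
The point made in this reply can be checked mechanically. The script below is an added example, not code from the IRMA project or from either participant: it parses the text that `vagrant ssh-config` prints, emits the values Ansible needs (Ansible's own inventory variable names `ansible_host`, `ansible_user`, `ansible_port`, `ansible_ssh_private_key_file`), and flags the case where `HostName` is a loopback address with a non-default `Port`, which means Vagrant reaches the VM through a forwarded port rather than a routable IP. Copying 127.0.0.1 into the environment file without that port makes the playbook SSH into the deploying host itself, which is where a "sudo: a password is required" failure against the wrong machine comes from. The sample ssh-config text is constructed, modelled on the output quoted earlier in the thread. A NAT-only address such as 10.0.2.15, which is reachable only from inside the VM, cannot be detected from ssh-config alone and still needs a real SSH test from the host.

```shell
#!/bin/sh
# Added example (not IRMA project code): derive Ansible SSH parameters from
# `vagrant ssh-config` output and warn when the target is a loopback port-forward.

# Constructed sample, modelled on the ssh-config output quoted in the thread.
SAMPLE_SSH_CONFIG='Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile /home/asim/.vagrant.d/insecure_private_key
  IdentitiesOnly yes
  LogLevel FATAL'

# ssh_config_get TEXT KEY -> value of the first KEY line in TEXT (empty if absent)
ssh_config_get() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# is_loopback IP -> exit 0 when IP is in 127.0.0.0/8
is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# ansible_ssh_args TEXT -> the host, user, port and key that the playbook run
# must use, printed one per line as Ansible inventory variables. The user and
# key are what irma-ansible.py's -u and --ssh-key options (named in the thread)
# are meant to carry; the port defaults to 22 when ssh-config omits it.
ansible_ssh_args() {
    host=$(ssh_config_get "$1" HostName)
    user=$(ssh_config_get "$1" User)
    port=$(ssh_config_get "$1" Port)
    key=$(ssh_config_get "$1" IdentityFile)
    printf 'ansible_host=%s\nansible_user=%s\nansible_port=%s\nansible_ssh_private_key_file=%s\n' \
        "$host" "$user" "${port:-22}" "$key"
}

# check_target TEXT -> prints OK and returns 0 when HostName is a directly
# reachable address; prints WARN and returns 1 when HostName is loopback and
# Port is not 22, i.e. the VM is only reachable through Vagrant's port-forward.
check_target() {
    host=$(ssh_config_get "$1" HostName)
    port=$(ssh_config_get "$1" Port)
    if is_loopback "$host" && [ "${port:-22}" != 22 ]; then
        echo "WARN: $host:$port is a Vagrant port-forward; put the VM's own IP in the environment file, or keep port $port"
        return 1
    fi
    echo "OK: $host:${port:-22} is a directly reachable target"
    return 0
}

# Usage: feed real output with  check_target "$(vagrant ssh-config)"
```

With the constructed sample, `check_target` returns 1 and prints the warning, because the VM is only reachable as 127.0.0.1:2222 from the host; with a host-only address and port 22 it returns 0.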

AsimSattar96 commented 5 years ago

Using the 10.0.2.15 IP gives me the same unreachable error. Can you please tell me what am I doing wrong here?

ch0k0bn commented 5 years ago

From your host, does ssh vagrant@10.0.2.15 not work?

If not, maybe you have to change the network interface mode in VirtualBox.

AsimSattar96 commented 5 years ago

Nope, it does not. I tried changing the interface type from NAT to Host-Only via the VirtualBox GUI, but every time I run "vagrant up" the interface settings go back to "NAT". So then I added config.vm.network "private_network", ip: "192.168.56.110" to the Vagrantfile, which added another interface to the machine, which was reachable by my host. So I changed the IP address in environments/allinone_prod.yml and ran the command.

Now the error returned by the command is:

```
TASK [franklinkim.ufw : Compatibility check] *** 2019-08-26T10:42:39.488893 (delta: 0.036461) elapsed: 0.243138 ****
fatal: [brain.irma]: FAILED! => {"changed": false, "msg": "This role only works on Debian systems"}
```

Please advise.

ch0k0bn commented 5 years ago

Your target VM is a Debian 9 system, right?

AsimSattar96 commented 5 years ago

Hello,

You were right in the previous comment. I was previously deploying it on a different system. So I created a Debian 9 box and followed the standard procedure. Everything worked fine, and I got the web interface at http://172.16.1.30. I submitted scans; it seemed to be functional. After some time, the web interface was down again. I tried running vagrant up and then checked the web interface again; still down. So then I ran the following command again:

```
python irma-ansible.py environments/allinone_dev.yml playbooks/playbook.yml
```

But now I am getting the following errors in the process.

```
TASK [quarkslab.avg : AVG | Check version] ***** 2019-08-27T10:47:54.708637 (delta: 0.007915) elapsed: 375.435982 **
fatal: [brain.irma]: FAILED! => {"changed": false, "cmd": "avgscan --version", "msg": "[Errno 2] No such file or directory", "rc": 2} ...ignoring

TASK [quarkslab.escan : eScan | Check version] ***** 2019-08-27T10:50:12.822859 (delta: 0.008905) elapsed: 513.550204 **
fatal: [brain.irma]: FAILED! => {"changed": false, "cmd": "escan --version", "msg": "[Errno 2] No such file or directory", "rc": 2}

TASK [quarkslab.fsecure : F-Secure | Check version] ** 2019-08-27T10:53:20.169757 (delta: 0.010813) elapsed: 700.897102 **
fatal: [brain.irma]: FAILED! => {"changed": false, "cmd": "fsav --version", "msg": "[Errno 2] No such file or directory", "rc": 2}

TASK [quarkslab.fsecure : F-Secure | Download Package] ***** 2019-08-27T10:53:55.781721 (delta: 1.088296) elapsed: 736.509066 **
fatal: [brain.irma]: FAILED! => {"changed": false, "dest": "/tmp/fsecure/fsls.tar.gz", "msg": "Request failed", "response": "HTTP Error 404: Not Found", "state": "absent", "statuscode": 404, "url": "https://download.f-secure.com/corpro/ls/current/fsls-11.10.68-rtm.tar.gz"}
```

The command stops running after the above error. Please advise.

ch0k0bn commented 5 years ago

The URL is outdated. Could you add this line to the ansible_vars part of your config file environments/allinone_dev.yml (adjust if not this one):

```
fsecure_url: "https://download.f-secure.com/corpro/ls/ls11.10/fsls-11.10.68-rtm.tar.gz"
```

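
Overrides like this one are easy to get wrong by hand (pasted outside the ansible_vars mapping, or added as a second copy of a key that already exists). The function below is an added example, not code from the IRMA project or from this thread: it sets a key under `ansible_vars:` in an environment file, replacing the existing line if the key is present and appending it to the section otherwise. The layout it assumes, a top-level `ansible_vars:` mapping with two-space-indented keys, is an assumption about the environment file; the sample file content is constructed and the old "current" URL in it mirrors the 404 reported above.

```shell
#!/bin/sh
# Added example (not IRMA project code): set KEY: VALUE under the ansible_vars
# section of an environment file, in place if present, appended otherwise.
# The file layout (top-level "ansible_vars:" mapping, keys indented by two
# spaces) is an assumption, not taken from the IRMA repository.

# Constructed sample environment file; the fsecure_url value is the outdated
# "current" URL that the thread reports as returning HTTP 404.
SAMPLE_ENV='hosts:
  - name: brain.irma
    ip: 172.16.1.30
ansible_vars:
  irma_environment: development
  fsecure_url: "https://download.f-secure.com/corpro/ls/current/fsls-11.10.68-rtm.tar.gz"
'

# set_ansible_var TEXT KEY VALUE -> TEXT with "  KEY: VALUE" under ansible_vars.
# An existing "  KEY:" line inside the section is replaced; if the section has
# no such line, the new line is emitted just before the section ends (or at
# end of file when ansible_vars is the last section).
set_ansible_var() {
    printf '%s' "$1" | awk -v key="$2" -v val="$3" '
        function emit_new() { printf "  %s: %s\n", key, val; done = 1 }
        /^ansible_vars:/            { in_section = 1; print; next }
        in_section && /^[^ #]/      { if (!done) emit_new(); in_section = 0 }
        in_section && $1 == key ":" { if (!done) emit_new(); next }
                                    { print }
        END                         { if (in_section && !done) emit_new() }
    '
}

# count_key TEXT KEY -> number of "  KEY:" lines in TEXT (0 when absent),
# useful to confirm the override did not produce a duplicate key.
count_key() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key ":" { n++ } END { print n + 0 }'
}

# Usage against a real file (assumed path):
#   set_ansible_var "$(cat environments/allinone_dev.yml)" fsecure_url \
#       '"https://download.f-secure.com/corpro/ls/ls11.10/fsls-11.10.68-rtm.tar.gz"' \
#       > environments/allinone_dev.yml.new
```

Because the playbook reads the environment file on every run, a duplicate `fsecure_url` line would leave it to YAML parsing order which value wins; `count_key` on the result should report 1 before the file is swapped into place.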
AsimSattar96 commented 5 years ago

I updated the URL in both environments/allinone_dev.yml and environments/allinone_prod.yml and ran the command python irma-ansible.py environments/allinone_prod.yml playbooks/playbook.yml. New errors popped up.

```
PLAY [AVG update] 2019-09-02T07:02:53.977940 (delta: 0.001744) elapsed: 568.262371 ===============================================================================

TASK [include_role] 2019-09-02T07:02:53.984007 (delta: 0.006054) elapsed: 568.268438

TASK [quarkslab.avg : AVG | Kill a possibly running update] 2019-09-02T07:02:54.380676 (delta: 0.396652) elapsed: 568.665107
fatal: [brain.irma]: FAILED! => {"changed": true, "cmd": "pkill -9 avgupd", "delta": "0:00:00.021418", "end": "2019-09-02 07:02:55.597151", "msg": "non-zero return code", "rc": 1, "start": "2019-09-02 07:02:55.575733", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []} ...ignoring

TASK [quarkslab.avg : AVG | Update database] 2019-09-02T07:02:55.537761 (delta: 1.157064) elapsed: 569.822192
FAILED - RETRYING: AVG | Update database (5 retries left).
FAILED - RETRYING: AVG | Update database (4 retries left).
FAILED - RETRYING: AVG | Update database (3 retries left).
FAILED - RETRYING: AVG | Update database (2 retries left).
FAILED - RETRYING: AVG | Update database (1 retries left).
fatal: [brain.irma]: FAILED! => {"attempts": 5, "changed": true, "cmd": "avgupdate", "delta": "0:00:00.010551", "end": "2019-09-02 07:05:32.569729", "failed_when_result": true, "msg": "non-zero return code", "rc": 1, "start": "2019-09-02 07:05:32.559178", "stderr": "", "stderr_lines": [], "stdout": "AVG command line update\nCopyright (c) 2013 AVG Technologies CZ\n\nRunning update.\nOperation failed. Checking component PID thread was not started.", "stdout_lines": ["AVG command line update", "Copyright (c) 2013 AVG Technologies CZ", "", "Running update.", "Operation failed. Checking component PID thread was not started."]}
```

Kindly let me know the solution to the above errors. Thanks

ch0k0bn commented 5 years ago

It seems to be AVG related, not IRMA. Could you retry updating it through Ansible (you could replace playbook.yml with updating.yml to just run the update)? If it still fails, try to SSH into the VM and run the command manually to check what happens (the command is "avgupdate").