quarkslab / irma

IRMA is an asynchronous & customizable analysis system for suspicious files.
https://irma.quarkslab.com
Apache License 2.0

IRMA in maintenance mode #75

Closed solveryn91 closed 3 years ago

solveryn91 commented 3 years ago

Hi, would like to ask for help again.

My installation was a success after referring to my post #74. I am able to see the web interface on 172.16.1.30 for the first time.

However, the next time I rebooted the machine and manually turned on ansible_brainirma in the VM, I got a message that says "Irma is currently in maintenance mode".

Help is greatly appreciated.

ch0k0bn commented 3 years ago

It usually means no probe is available (it may take several seconds for probes to show up). If it fails after a minute, check the status of the celery daemons:

$ vagrant ssh <vm_name if multiple vms>
$ sudo journalctl -fu irma.probe_app
# If no errors, look at the others
$ sudo journalctl -fu irma.frontend_app
$ sudo journalctl -fu irma.result_app

solveryn91 commented 3 years ago

Attached is the logfile; it does look suspicious.

log.txt

Before this happened I tested the installation twice resulting in the same problem. I made a snapshot of the working state before anything happens, will that help me in the investigation?

ch0k0bn commented 3 years ago

Could you run the same command with scan_app:

$ sudo journalctl -fu irma.scan_app

solveryn91 commented 3 years ago

Hereby attached with the second logfile. log2.txt

ch0k0bn commented 3 years ago

Could you try to restart scan_app?

$ sudo systemctl restart irma.scan_app

scan_app handles the function that registers probes, called by probe_app at start. I don't see any errors in your log, so based on the register failing in the probe_app logs, I assume that the register call is triggered but not processed, so restarting scan_app could solve it.

solveryn91 commented 3 years ago

Tested, but it is still producing the same output as both logs showed with: $ sudo journalctl -fu irma.probe_app and $ sudo journalctl -fu irma.scan_app

ch0k0bn commented 3 years ago

The probe's default config for the rabbitmq server is "brain.irma" (config in file /opt/irma/irma-probe/current/config/probe.ini). Could you try to reach brain.irma port 5672 (rabbitmq server) from inside the VM?

solveryn91 commented 3 years ago

Sorry, where should I start from here?

ch0k0bn commented 3 years ago

Try to SSH into the VM and test various commands like:

# test name resolution
$ ping brain.irma
# test rabbitmq port
$ sudo apt install telnet
$ telnet brain.irma 5672

solveryn91 commented 3 years ago

Hi there,

After some further testing I think I messed up some of the network interfaces in my VM. Truly sorry about that. The problem was resolved.

However, should I open a new issue, since I have a further problem to ask about? Or is it safe to ask here?

ch0k0bn commented 3 years ago

Good to hear. For your new problem, it is better to open a new issue.