spender-sandbox / cuckoo-modified

Modified edition of cuckoo

global name 'results_db' is not defined #101

Open jbertman opened 8 years ago

jbertman commented 8 years ago

Both the VT (antivirus) and suri* modules seem to only support MongoDB without checks. When using an ES backend, I get the above alert when trying to access the VT or surialert modules (default) on arbitrary reports.

All suri* modules (including shrike) as well as the antivirus modules do the following: Antivirus module (web/analysis/views.py) - line 622:

def antivirus(request,task_id):
    # Should be a check here - if enabledconf["mongodb"], there's also no support for ES at the moment
    rtmp = results_db.analysis.find_one({"info.id": int(task_id)},{"virustotal": 1,"info.category": 1},sort=[("_id", pymongo.DESCENDING)])
    if not rtmp:
        return render_to_response("error.html",
                                  {"error": "The specified analysis does not exist"},
                                  context_instance=RequestContext(request))
    if settings.MOLOCH_ENABLED:
        if settings.MOLOCH_BASE[-1] != "/":
            settings.MOLOCH_BASE = settings.MOLOCH_BASE + "/"
        if rtmp.has_key("virustotal"):
            rtmp["virustotal"]=gen_moloch_from_antivirus(rtmp["virustotal"])

    return render_to_response("analysis/antivirus.html",
                              {"analysis": rtmp},
                              context_instance=RequestContext(request))
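
One way to add the check the comment in the snippet asks for, as an added example that is not part of this thread or of cuckoo-modified: a helper that consults results_db only when enabledconf["mongodb"] is set and returns an explicit error otherwise, so an ES-only deployment does not hit the NameError. The config key "elasticsearchdb", the name fetch_antivirus_record and the in-memory Mongo stand-in are assumptions made here so it runs offline.

```python
# Added example, not code from cuckoo-modified: the backend check jbertman's
# comment asks for, factored into a helper the antivirus view could call.
# Assumes the enabledconf dict and results_db global named in the issue; the
# key "elasticsearchdb" and the in-memory Mongo stand-in are constructed here.

DESCENDING = -1  # value of pymongo.DESCENDING

class FakeAnalysisCollection:
    """Constructed stand-in for results_db.analysis (pymongo-style find_one)."""
    def __init__(self, docs):
        self.docs = docs

    def find_one(self, query, projection=None, sort=None):
        # Projection is ignored; only the lookup and the sort order matter here.
        hits = [d for d in self.docs if d["info"]["id"] == query["info.id"]]
        if sort and sort[0] == ("_id", DESCENDING):
            hits.sort(key=lambda d: d["_id"], reverse=True)
        return hits[0] if hits else None

class FakeResultsDB:
    def __init__(self, docs):
        self.analysis = FakeAnalysisCollection(docs)

def fetch_antivirus_record(task_id, enabledconf, results_db=None):
    """Return (record, error) without touching results_db unless Mongo is on.
    Only the MongoDB path exists, as in the issue's view, so an ES-only
    deployment gets an explicit error instead of a NameError."""
    try:
        tid = int(task_id)
    except (TypeError, ValueError):
        return None, "Invalid task id"
    if enabledconf.get("mongodb") and results_db is not None:
        rtmp = results_db.analysis.find_one(
            {"info.id": tid},
            {"virustotal": 1, "info.category": 1},
            sort=[("_id", DESCENDING)],
        )
        if not rtmp:
            return None, "The specified analysis does not exist"
        return rtmp, None
    if enabledconf.get("elasticsearchdb"):  # assumed config key name
        return None, "Antivirus view is not supported on the Elasticsearch backend"
    return None, "No supported results database is enabled"

# Constructed sample data: two reports for task 7; the newest _id wins the sort.
SAMPLE_DB = FakeResultsDB([
    {"_id": 1, "info": {"id": 7, "category": "file"}, "virustotal": {"positives": 3}},
    {"_id": 2, "info": {"id": 7, "category": "file"}, "virustotal": {"positives": 5}},
])
```
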

ghost commented 8 years ago

Same problem here. Also the API does not seem to work for me, @jbertman can you confirm that you're having this problem too?

seanthegeek commented 8 years ago

I've actually had to switch back to mongodb due to a vague parsing error that occurs with some samples when ES tries to create an index :\

jbertman commented 8 years ago

@GeoffreyVDB The API appears to be working for me without issue. Do you think it's related to this issue? @seanthegeek I'm thinking of switching back as well, seems that we're not quite there with ES.

KillerInstinct commented 8 years ago

I originally ported over the code for ES support from Drainware's implementation. However, I only had it set up for the time I was porting the code over.

I think that this error is due to some cleanup code, as well as merging from a repo which didn't use ES: https://github.com/spender-sandbox/cuckoo-modified/commit/b4224f91fb7ace6ddd6c1d73cd3fb14f1c7a775a

Not sure if there's any interest in someone finishing up porting it over, but I haven't used the ES stuff in a while and it would take me some time (busy with other things) to be able to set up another rig with an ES backend.

jpalanco commented 8 years ago

Our implementation was limited to the reporting module; it seems these errors are related to the webapp. @KillerInstinct has all the credit for the webapp support (we just tried to give him basic support).

As @KillerInstinct said, after merging some code that was only tested in mongo, it is possible to get issues related to ES mapping.

Personally I think ES is much more powerful than mongo; however, while the committers are stuck on mongo, it will be hard to maintain ES support.

The ES query changed a lot between 1.4 and 2.0, but I think it didn't affect the current implementation.