ashemery / cuckoovm Goto Github PK

The snort rules: /etc/snort/rules are circa 2015

websnort does not indicate how 'old' the snort rules are that a user is relying on for detection, I realize you do not develop this tool, etc. snort users, like myself, look at these first thing when using snort...others may not and rely on old rules, etc.

dav1d@tsurugi:~/Desktop$ ls /etc/snort/rules/ -alhr
total 1.6M
-rw-r--r-- 1 root root 1.5K Jun 30 2015 x11.rules
-rw-r--r-- 1 root root 36K Jun 30 2015 web-php.rules
-rw-r--r-- 1 root root 96K Jun 30 2015 web-misc.rules
-rw-r--r-- 1 root root 40K Jun 30 2015 web-iis.rules
-rw-r--r-- 1 root root 11K Jun 30 2015 web-frontpage.rules
-rw-r--r-- 1 root root 9.8K Jun 30 2015 web-coldfusion.rules
-rw-r--r-- 1 root root 11K Jun 30 2015 web-client.rules
-rw-r--r-- 1 root root 101K Jun 30 2015 web-cgi.rules
-rw-r--r-- 1 root root 11K Jun 30 2015 web-attacks.rules
-rw-r--r-- 1 root root 2.1K Jun 30 2015 virus.rules
-rw-r--r-- 1 root root 3.4K Jun 30 2015 tftp.rules
-rw-r--r-- 1 root root 5.0K Jun 30 2015 telnet.rules
-rw-r--r-- 1 root root 18K Jun 30 2015 sql.rules
-rw-r--r-- 1 root root 5.7K Jun 30 2015 snmp.rules
-rw-r--r-- 1 root root 24K Jun 30 2015 smtp.rules
-rw-r--r-- 1 root root 9.7K Jun 30 2015 shellcode.rules
-rw-r--r-- 1 root root 4.9K Jun 30 2015 scan.rules
-rw-r--r-- 1 root root 3.7K Jun 30 2015 rservices.rules
-rw-r--r-- 1 root root 52K Jun 30 2015 rpc.rules
-rw-r--r-- 1 root root 5.8K Jun 30 2015 porn.rules
-rw-r--r-- 1 root root 9.4K Jun 30 2015 pop3.rules
-rw-r--r-- 1 root root 2.1K Jun 30 2015 pop2.rules
-rw-r--r-- 1 root root 6.1K Jun 30 2015 policy.rules
-rw-r--r-- 1 root root 5.0K Jun 30 2015 p2p.rules
-rw-r--r-- 1 root root 2.2K Jun 30 2015 other-ids.rules
-rw-r--r-- 1 root root 174K Jun 30 2015 oracle.rules
-rw-r--r-- 1 root root 4.7K Jun 30 2015 nntp.rules
-rw-r--r-- 1 root root 278K Jun 30 2015 netbios.rules
-rw-r--r-- 1 root root 1.9K Jun 30 2015 mysql.rules
-rw-r--r-- 1 root root 3.7K Jun 30 2015 multimedia.rules
-rw-r--r-- 1 root root 19K Jun 30 2015 misc.rules
-rw-r--r-- 1 root root 199 Jun 30 2015 local.rules
-rw-r--r-- 1 root root 3.3K Jun 30 2015 info.rules
-rw-r--r-- 1 root root 14K Jun 30 2015 imap.rules
-rw-r--r-- 1 root root 5.3K Jun 30 2015 icmp.rules
-rw-r--r-- 1 root root 17K Jun 30 2015 icmp-info.rules
-rw-r--r-- 1 root root 22K Jun 30 2015 ftp.rules
-rw-r--r-- 1 root root 4.2K Jun 30 2015 finger.rules
-rw-r--r-- 1 root root 31K Jun 30 2015 exploit.rules
-rw-r--r-- 1 root root 1.4K Jun 30 2015 experimental.rules
-rw-r--r-- 1 root root 6.2K Jun 30 2015 dos.rules
-rw-r--r-- 1 root root 6.6K Jun 30 2015 dns.rules
-rw-r--r-- 1 root root 63K Jun 30 2015 deleted.rules
-rw-r--r-- 1 root root 7.5K Jun 30 2015 ddos.rules
-rw-r--r-- 1 root root 160K Jun 30 2015 community-web-php.rules
-rw-r--r-- 1 root root 68K Jun 30 2015 community-web-misc.rules
-rw-r--r-- 1 root root 1.5K Jun 30 2015 community-web-iis.rules
-rw-r--r-- 1 root root 254 Jun 30 2015 community-web-dos.rules
-rw-r--r-- 1 root root 4.5K Jun 30 2015 community-web-client.rules
-rw-r--r-- 1 root root 5.1K Jun 30 2015 community-web-cgi.rules
-rw-r--r-- 1 root root 2.4K Jun 30 2015 community-web-attacks.rules
-rw-r--r-- 1 root root 3.7K Jun 30 2015 community-virus.rules
-rw-r--r-- 1 root root 4.0K Jun 30 2015 community-sql-injection.rules
-rw-r--r-- 1 root root 2.7K Jun 30 2015 community-smtp.rules
-rw-r--r-- 1 root root 3.5K Jun 30 2015 community-sip.rules
-rw-r--r-- 1 root root 1.6K Jun 30 2015 community-policy.rules
-rw-r--r-- 1 root root 775 Jun 30 2015 community-oracle.rules
-rw-r--r-- 1 root root 621 Jun 30 2015 community-nntp.rules
-rw-r--r-- 1 root root 7.7K Jun 30 2015 community-misc.rules
-rw-r--r-- 1 root root 257 Jun 30 2015 community-mail-client.rules
-rw-r--r-- 1 root root 948 Jun 30 2015 community-inappropriate.rules
-rw-r--r-- 1 root root 2.8K Jun 30 2015 community-imap.rules
-rw-r--r-- 1 root root 689 Jun 30 2015 community-icmp.rules
-rw-r--r-- 1 root root 1.4K Jun 30 2015 community-game.rules
-rw-r--r-- 1 root root 249 Jun 30 2015 community-ftp.rules
-rw-r--r-- 1 root root 2.2K Jun 30 2015 community-exploit.rules
-rw-r--r-- 1 root root 2.0K Jun 30 2015 community-dos.rules
-rw-r--r-- 1 root root 1.2K Jun 30 2015 community-deleted.rules
-rw-r--r-- 1 root root 13K Jun 30 2015 community-bot.rules
-rw-r--r-- 1 root root 7.9K Jun 30 2015 chat.rules
-rw-r--r-- 1 root root 3.8K Jun 30 2015 bad-traffic.rules
-rw-r--r-- 1 root root 18K Jun 30 2015 backdoor.rules
-rw-r--r-- 1 root root 5.4K Jun 30 2015 attack-responses.rules
drwxr-xr-x 3 root root 4.0K May 1 08:28 ..
drwxr-xr-x 2 root root 4.0K May 15 2018 .

David

I didn't see a torrent link/tracker for Win7_Intel.tar (windows 7 vm), the only download link I found is a direct d/l from http://archive.org (d/l rate here 128-295 kb/sec).

Win7_Intel.tar is linked here for download: http://bit.ly/2w9Sih5

• referral url: https://github.com/ashemery/CuckooVM

I do see a torrent link here:

• https://archive.org/download/CuckooVM/CuckooVM_archive.torrent

Is the Win7_Intel.tar file inside AMD or Intel?

• A file hash (of both) would help. I used tor to d/l this on 22 Apr 2020 1341hrs.

Thank you, david

Good morning, I 've this problem:

2020-07-21 13:57:12,974 [cuckoo.core.scheduler] ERROR: Error starting Virtual Machine! VM: cuckoo1, error: VBoxManage failed starting the machine in headless mode. Are you sure your machine is still functioning correctly when trying to use it manually? Error: VBoxManage: error: The VM session was aborted
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component SessionMachine, interface ISession

then, probabily as a consequence this:
2020-07-21 13:57:13,579 [cuckoo.processing.debug] ERROR: Error processing task #7: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host......

Following check and screenshot of my controls:
3D/2D disabled on VBox , ping of IP 192.168.56.10 is ok reachable, changed virtualbox.conf mode from headless to gui generate error suggesting to use headless mode. Manual start of VM with vboxheadless -s win7 it's OK, Windows Firewall is disable.

Do you have some ideas? thanks regards

Getting an error message saying:

X86_CPUID_AMD_FEATURE_EDX_AXM_MX is not supported by the host but has already been exposed to the guest [ver=17 pass=final] (VERR_SSM_LOAD_CPUID_MISMATCH)

I (am) was unable to import the cuckoovm version 2 into my ESXi 6.7U3 server without the following error:

'Line 25: Unsupported hardware family 'vmx-16'.'

I have sha256 hashed the files on my host below, d/l via tor on 22 Apr 2020 1341h EST:

dav1d@tsurugi:/Downloads/CuckooVM$ ls -alhr
total 31G
-rw-r--r-- 1 dav1d dav1d 9.0G Apr 22 13:41 Win7_Intel.tar
-rw-r--r-- 1 dav1d dav1d 2.2K Apr 22 09:11 README.txt
drwxr-xr-x 2 dav1d dav1d 4.0K Apr 22 09:12 .____padding_file
-rw-r--r-- 1 dav1d dav1d 1016 Apr 22 09:11 CuckooVM_meta.xml
-rw-r--r-- 1 dav1d dav1d 16K Apr 22 09:11 CuckooVM_meta.sqlite
-rw-r--r-- 1 dav1d dav1d 7.6K Apr 22 09:11 CuckooSRV.ovf
-rw-r--r-- 1 dav1d dav1d 183 Apr 22 09:11 CuckooSRV.mf
-rw-r--r-- 1 dav1d dav1d 23G Apr 22 13:41 CuckooSRV-disk1.vmdk
drwxr-xr-x 5 dav1d dav1d 4.0K Apr 24 16:25 ..
drwxr-xr-x 3 dav1d dav1d 4.0K Apr 22 13:41 .
dav1d@tsurugi:/Downloads/CuckooVM$ sha256sum .
34e713c9599b081811672ec5b851d775ed73b9ffa1c72581382e9168ccf88a7b CuckooSRV-disk1.vmdk
549faec62860c6d0b4c7a79ea52eb6db903c736bcd4b9fdf746e9326f19d72f9 CuckooSRV.mf
a5648a5e8e4db6ca4c136fc26662dcbc930e18898cd89512aadd43d99394f6a0 CuckooSRV.ovf
bf6185295b5f1d8fa1461ceabe9d861d5893a7e3c34d87390aa7640230a2aa89 CuckooVM_meta.sqlite
18a08edb345430066ce5e77cb8192ce860e3e2e7ed771c5c400eb3dd040b161d CuckooVM_meta.xml
ba9e418a1f5deef04f964ef6ade11dbf27562ca941f46c53e2848fa9b0be6fe4 README.txt
fcbfb37f40d999096871a37f090e95173cd19bcdce70cdcbcc50a173680cade4 Win7_Intel.tar
dav1d@tsurugi:~/Downloads/CuckooVM$

Screenshots follow from ESXi 6.7U3. My ESXi server is otherwise fine.
CPU: 8 CPUs x AMD Ryzen 7 2700X Eight-Core Processor, 32GB RAM

Thanks,
David

Hi All,

It's looks like no ability to analyse word or Excel files just wondering if this is was not considered while creating win7 box as per cuckoo documentation there was a set of commands to include these tools any clarification would be appreciated, Also I noticed that's once I am analysing a url the explorer web browsing dosent open but a CMD console instead establish http connection from my understanding that this might affect some malwares behaviours because some will be waiting for a specific web agent to perform the next action.

Can you please advise if i have to create a new machines and choose the missing tools and applications like excel word , pdf etc ...
Or edit the current machine and recreate a new snapahot.
Or the tools and applications already there?

thank you :)

Hi,

I followed the instruction on your blog and it should be plug an play but found the error. see screenshot.. Do I need to add some configuration? Hope you can check this please. Appreciate the work.thank you!

[cuckoo.processing.debug] ERROR: Error processing task #2: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration

I launched the VM server and submit an analysis,
I did not change any network Configs, I can confirm that I can ping from the vm machine but not from the server

after using Win7_intel the crash been fixed but still can't communicate with the host :
ERROR: Error starting Virtual Machine! VM: cuckoo1, error: VBoxManage failed starting the machine in headless mode. Are you sure your machine is still functioning correctly when trying to use it manually? Error: VBoxManage: error: cpum#1: X86_CPUID_AMD_FEATURE_EDX_AXMMX is not supported by the host but has already exposed to the guest [ver=17 pass=final] (VERR_SSM_LOAD_CPUID_MISMATCH)
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ConsoleWrap, interface IConsole

Error processing task #31: it appears that the Virtual Machine hasn't been able to contact back to

Help please