Comments (9)
@Clevero: https://github.com/michaelweiser/PeekabooAV/tree/ruleset now contains code that allows message matching of rule cuckoo_analysis_failed to be configured. With this you can declare some other messages in your report success indicators and prevent the rule from failing your analyses. See ruleset.conf.sample for docs.
However, looking at your report I see message `end of analysis reached!` which according to the Cuckoo source means that the analysis not only ran beyond the timeout but refused to be shut down by the agent and ran into the critical timeout as well, at which point Cuckoo just shut down the VM. This IMO is a clear indicator of failure because the analysis did indeed not finish and had to be aborted. Therefore no conclusions about the malevolence of the sample can reliably be made based on this. So I'd recommend letting these continue to fail and handling failed scans in AMaViS as outlined above, or looking into why this analysis gets stuck so badly.
But, with the new config option it's up to you to decide. If you don't have any objections I'd merge the code to master and close this issue here. Okay?
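To make the distinction drawn in the comment above concrete, here is an added example (not PeekabooAV's own code, and not the implementation in the linked branch) of a rule that classifies a Cuckoo analysis from the messages in the report's `debug/cuckoo` section. The failure message is the one quoted in the thread; the default success indicator string, the `success`/`failure` keyword names and the sample reports are assumptions made for illustration.

```python
"""Decide whether a Cuckoo analysis actually finished, based on the messages in
the report's debug/cuckoo section.  Added example, not PeekabooAV's own code:
the success indicator string, the report layout and the keyword names are
assumptions made for illustration."""
import json
from typing import Iterable, List, Sequence

# Quoted in the thread: Cuckoo logs this when the critical timeout hit and the
# VM was simply shut down, i.e. the analysis was aborted, not finished.
DEFAULT_FAILURE_INDICATORS: List[str] = ["end of analysis reached!"]
# Assumed wording of the normal completion message; an operator would put the
# messages their own Cuckoo version emits here (the configurable part).
DEFAULT_SUCCESS_INDICATORS: List[str] = ["analysis completed successfully"]


def classify_messages(messages: Iterable[str],
                      success: Sequence[str] = DEFAULT_SUCCESS_INDICATORS,
                      failure: Sequence[str] = DEFAULT_FAILURE_INDICATORS) -> str:
    """Return 'failed', 'ok' or 'unknown' for a list of Cuckoo debug messages.

    Matching is case-insensitive substring matching.  A failure indicator wins
    over any success indicator: an aborted analysis says nothing reliable about
    the sample, however much other output there is.  'unknown' means neither
    kind of indicator was seen; a cautious rule treats that like 'failed'.
    """
    lowered = [m.lower() for m in messages]

    def seen(indicators: Sequence[str]) -> bool:
        return any(ind.lower() in msg for ind in indicators for msg in lowered)

    if seen(failure):
        return "failed"
    if seen(success):
        return "ok"
    return "unknown"


def classify_report(report_json: str, **indicators) -> str:
    """Pull debug/cuckoo out of a report.json document and classify it."""
    report = json.loads(report_json)
    messages = report.get("debug", {}).get("cuckoo", [])
    return classify_messages(messages, **indicators)


# Constructed sample reports (not real Cuckoo output), trimmed to the one
# section the rule looks at.
REPORT_TIMEOUT = json.dumps({"debug": {"cuckoo": [
    "Starting analyzer from: C:\\tmpabc",
    "Analysis timeout hit, terminating analysis.",
    "End of analysis reached!",
]}})
REPORT_OK = json.dumps({"debug": {"cuckoo": [
    "Starting analyzer from: C:\\tmpabc",
    "Analysis completed successfully.",
]}})
# A report whose completion message does not match the default success indicator.
REPORT_OTHER_WORDING = json.dumps({"debug": {"cuckoo": [
    "Starting analyzer from: C:\\tmpabc",
    "Analysis procedure completed.",
]}})

if __name__ == "__main__":
    print("timeout report:", classify_report(REPORT_TIMEOUT))
    print("normal report:", classify_report(REPORT_OK))
    print("other wording, default indicators:",
          classify_report(REPORT_OTHER_WORDING))
    # The operator declares the extra message a success indicator, as the new
    # config option allows; the aborted analysis still fails.
    custom = ["analysis completed successfully", "analysis procedure completed"]
    print("other wording, configured:",
          classify_report(REPORT_OTHER_WORDING, success=custom))
    print("timeout, configured:", classify_report(REPORT_TIMEOUT, success=custom))
```

The design choice worth noting is the precedence: a configured success indicator lets an operator accept a Cuckoo version with different wording, but it cannot rescue a report that also carries the critical-timeout message, so a stuck analysis is still handed to the mail layer as a failed scan rather than a verdict.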
👍
Will investigate. Thought that is normal behavior since a process is running that does not stop by itself (Word for example), so cuckoo does not know if any harmful routine is still coming and waits for the timeout of the machine. Overlooked that the cuckoo agent refused to shut down the VM within a certain amount of time. Thanks for the feedback
Currently rebuilding my instance inside a vApp on vSphere
Retested it with my last version installed, should be scVENUS/PeekabooAV-Installer@c0167da
Same behavior. Strange... Will see where my configuration is wrong and report back
Your cuckoo logs indeed look good. report.json section debug/cuckoo actually does contain the success indicator.
Can you provide the Peekaboo log for the analysis in question?
Sorry, gave you the wrong exported report. I've noticed that while searching for the peekaboo log of that analysis.
Correct report: 143.zip
Peekaboo log excerpt: f.peekaboo.log.txt
I created a fresh instance of peekaboo in a new 18.04 VM with the latest installer and the error persists.
VMs, Postfix and AmaVis (in a separate VM) stayed the same
Will need to modify my local PeekabooAV/peekaboo/toolbox/cuckoo.py until version 1.7
@Clevero: I've been working to make Peekaboo correctly report failed analyses as failed instead of as bad. If you like, you can check out https://github.com/michaelweiser/PeekabooAV/tree/ruleset to see if that solves your problem.
FWIW: All the changes referenced here are now merged to master.
Thanks for pointing out the problem with `end of analysis reached!`
:)
I could resolve it.
I switched my VMs from Windows 7 x86 to x64 (should have followed the recommendations from the cuckoo project for OS versions...)
It seems to me that the agent crashed at some point and did not receive the command to shut down.
While debugging I also found out that the new Agent version 0.9 has some issues with my installation.