KasperskyLab / TinyCheck

TinyCheck allows you to easily capture network communications from a smartphone or any device that can be associated with a Wi-Fi access point, in order to quickly analyze them. This can be used to check whether any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs). To make it work, you need a computer with a Debian-like operating system and two Wi-Fi interfaces. The best choice is to use a Raspberry Pi (2+), a Wi-Fi dongle and a small touch screen. This tiny configuration (for less than $50) allows you to tap any Wi-Fi device, anywhere.


Analyze Error

colder1989 opened this issue · comments

When I try to analyze the pcap, I get this error in a loop:

192.168.1.2 - - [26/Nov/2022 20:40:02] "GET /api/analysis/report/08378CB8 HTTP/1.1" 200 -
192.168.1.2 - - [26/Nov/2022 20:40:03] "GET /api/analysis/report/08378CB8 HTTP/1.1" 200 -
192.168.1.2 - - [26/Nov/2022 20:40:03] "GET /api/analysis/report/08378CB8 HTTP/1.1" 200 -
192.168.1.2 - - [26/Nov/2022 20:40:04] "GET /api/analysis/report/08378CB8 HTTP/1.1" 200 -
192.168.1.2 - - [26/Nov/2022 20:40:04] "GET /api/analysis/report/08378CB8 HTTP/1.1" 200 -
192.168.1.2 - - [26/Nov/2022 20:40:05] "GET /api/analysis/report/08378CB8 HTTP/1.1" 200 -
192.168.1.2 - - [26/Nov/2022 20:40:05] "GET /api/analysis/report/08378CB8 HTTP/1.1" 200 -
192.168.1.2 - - [26/Nov/2022 20:40:06] "GET /api/analysis/report/08378CB8 HTTP/1.1" 200 -
Process Process-2:
Traceback (most recent call last):
File "/usr/lib/python3.9/multiprocessing/process.py", line 315, in _bootstrap
self.run()
File "/usr/lib/python3.9/multiprocessing/process.py", line 108, in run
self._target(*self._args, **self._kwargs)
File "/usr/share/tinycheck/analysis/analysis.py", line 28, in zeekengine
zeek.start_zeek()
File "/usr/share/tinycheck/analysis/classes/zeekengine.py", line 456, in start_zeek
self.files_check(self.working_dir + "/assets/")
File "/usr/share/tinycheck/analysis/classes/zeekengine.py", line 272, in files_check
"ip_src": record["tx_hosts"],
KeyError: 'tx_hosts'
Traceback (most recent call last):
File "/usr/share/tinycheck/analysis/analysis.py", line 89, in <module>
analyze(sys.argv[2], True)
File "/usr/share/tinycheck/analysis/analysis.py", line 61, in analyze
for alert in (alerts["zeek"] + alerts["suricata"]):
File "<string>", line 2, in __getitem__
File "/usr/lib/python3.9/multiprocessing/managers.py", line 824, in _callmethod
raise convert_to_error(kind, result)
KeyError: 'zeek'
[2022-11-26 20:40:09,545] ERROR in app: Exception on /api/analysis/report/08378CB8 [GET]
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/flask/app.py", line 2447, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python3/dist-packages/flask/app.py", line 1952, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/python3/dist-packages/flask/app.py", line 1821, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python3/dist-packages/flask/_compat.py", line 39, in reraise
raise value
File "/usr/lib/python3/dist-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python3/dist-packages/flask/app.py", line 1936, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/share/tinycheck/server/frontend/app/blueprints/analysis.py", line 29, in api_report_analysis
return jsonify(Analysis(token).get_report())
File "/usr/share/tinycheck/server/frontend/app/classes/analysis.py", line 59, in get_report
alerts = json.load(f)
File "/usr/lib/python3.9/json/__init__.py", line 293, in load
return loads(fp.read(),
File "/usr/lib/python3.9/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
192.168.1.2 - - [26/Nov/2022 20:40:09] "GET /api/analysis/report/08378CB8 HTTP/1.1" 500 -
[2022-11-26 20:40:09,568] ERROR in app: Exception on /api/analysis/report/08378CB8 [GET]
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/flask/app.py", line 2447, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python3/dist-packages/flask/app.py", line 1952, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/python3/dist-packages/flask/app.py", line 1821, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python3/dist-packages/flask/_compat.py", line 39, in reraise
raise value
File "/usr/lib/python3/dist-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python3/dist-packages/flask/app.py", line 1936, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/share/tinycheck/server/frontend/app/blueprints/analysis.py", line 29, in api_report_analysis
return jsonify(Analysis(token).get_report())
File "/usr/share/tinycheck/server/frontend/app/classes/analysis.py", line 59, in get_report
alerts = json.load(f)
File "/usr/lib/python3.9/json/__init__.py", line 293, in load
return loads(fp.read(),
File "/usr/lib/python3.9/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

I think the problem might be Zeek.

Running into the same problem. It seems like the log file format of Zeek has changed. The offending Python code is trying to find tx_hosts in /tmp/<id>/assets/files.log, but that string isn't in there.

I changed lines 272 and 274 in /usr/share/tinycheck/analysis/classes/zeekengine.py like this:

          c = {"ip_dst": record["id.resp_h"],
               ...
               "port_dst": record["id.resp_p"],

Then I was able to run the analysis manually by calling sudo python3 /usr/share/tinycheck/analysis/analysis.py /tmp/<id>/ and found results in alerts.json.

I'll create a PR tomorrow.

EDIT: Fixed typo in code
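The two comments above describe the root cause: Zeek's files.log used to carry the sender and receiver as tx_hosts/rx_hosts sets, while the newer format carries a uid plus id.orig_h/id.orig_p/id.resp_h/id.resp_p, so a reader hard-coded to one schema raises KeyError on the other and the whole analysis falls over. The following is an added example (not TinyCheck's code and not the commenter's patch) of a schema-tolerant reader for files.log. It assumes the log was written as JSON lines (Zeek's LogAscii::use_json=T), that the newer schema is the Zeek 5.x one, and that is_orig tells which side of the connection sent the file; the sample records, the bad line and the IoC address are constructed for the example and use RFC 5737 documentation ranges.

```python
"""Tolerant parser for Zeek files.log across the two schemas seen in this thread.

Added example, not TinyCheck's code. Assumptions: files.log is written as
JSON lines (Zeek's LogAscii::use_json=T); the legacy schema carries
tx_hosts/rx_hosts/conn_uids (sets), the newer schema (assumed to be Zeek 5.x)
carries uid plus id.orig_h/id.orig_p/id.resp_h/id.resp_p. All sample records
and the IoC value below are constructed and use documentation addresses.
"""
import json
from typing import Dict, List, Optional

LEGACY, CURRENT, UNKNOWN = "legacy", "current", "unknown"

# Constructed sample log: one legacy record, one current record, one record
# with no host information at all, and one line that is not valid JSON.
SAMPLE_FILES_LOG = """\
{"ts":1669491601.1,"fuid":"FaBcDe1","tx_hosts":["203.0.113.10"],"rx_hosts":["192.168.100.2"],"conn_uids":["CxyZ1"],"source":"HTTP","is_orig":false,"mime_type":"application/octet-stream","seen_bytes":1024}
{"ts":1669491602.2,"fuid":"FaBcDe2","uid":"CxyZ2","id.orig_h":"192.168.100.2","id.orig_p":51234,"id.resp_h":"198.51.100.20","id.resp_p":443,"source":"SSL","is_orig":false,"mime_type":"application/x-x509-ca-cert","seen_bytes":2048}
{"ts":1669491603.3,"fuid":"FaBcDe3","source":"HTTP","mime_type":"text/html","seen_bytes":10}
this line is not JSON and must be skipped rather than abort the analysis
"""


def schema_of(record: Dict) -> str:
    """Classify a files.log record by the host fields it carries."""
    if "tx_hosts" in record or "rx_hosts" in record:
        return LEGACY
    if "id.orig_h" in record or "id.resp_h" in record:
        return CURRENT
    return UNKNOWN


def normalise(record: Dict) -> Optional[Dict]:
    """Map either schema to one shape keyed by who transmitted the file.

    tx_* is the host/port that sent the file, rx_* the one that received it.
    Returns None when the record carries no host information, so callers
    never hit the KeyError shown in the issue.
    """
    schema = schema_of(record)
    if schema == LEGACY:
        tx = record.get("tx_hosts") or []
        rx = record.get("rx_hosts") or []
        conn = record.get("conn_uids") or []
        tx_host = tx[0] if tx else None
        rx_host = rx[0] if rx else None
        conn_uid = conn[0] if conn else None
        tx_port = rx_port = None  # the legacy schema records no ports
    elif schema == CURRENT:
        # id.* describe the connection; is_orig says whether the originator sent the file.
        if record.get("is_orig", False):
            tx_host, tx_port = record.get("id.orig_h"), record.get("id.orig_p")
            rx_host, rx_port = record.get("id.resp_h"), record.get("id.resp_p")
        else:
            tx_host, tx_port = record.get("id.resp_h"), record.get("id.resp_p")
            rx_host, rx_port = record.get("id.orig_h"), record.get("id.orig_p")
        conn_uid = record.get("uid")
    else:
        return None
    return {
        "fuid": record.get("fuid"),
        "conn_uid": conn_uid,
        "schema": schema,
        "tx_host": tx_host, "tx_port": tx_port,
        "rx_host": rx_host, "rx_port": rx_port,
        "mime_type": record.get("mime_type"),
        "seen_bytes": record.get("seen_bytes", 0),
    }


def parse_files_log(text: str) -> List[Dict]:
    """Parse JSON-lines files.log text, skipping unparsable or host-less records."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines or ASCII-format header lines
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole analysis
        norm = normalise(record)
        if norm is not None:
            out.append(norm)
    return out


def match_iocs(records: List[Dict], ioc_hosts) -> List[Dict]:
    """Return the records whose file transmitter is in the IoC host set."""
    ioc_hosts = set(ioc_hosts)
    return [r for r in records if r["tx_host"] in ioc_hosts]


if __name__ == "__main__":
    recs = parse_files_log(SAMPLE_FILES_LOG)
    hits = match_iocs(recs, {"198.51.100.20"})  # constructed IoC, not a real indicator
    for r in recs:
        print(r["schema"], r["fuid"], r["tx_host"], "->", r["rx_host"])
    print("IoC hits:", [h["fuid"] for h in hits])
```

The design choice worth noting is that a record the parser cannot place is dropped and the rest of the log still yields alerts; in the traceback above, a single missing key killed the zeekengine process, which left alerts.json empty and turned into the "Expecting value" JSON error on the report endpoint. Normalising on the transmitting host rather than on the connection responder also keeps the IoC check meaningful when is_orig is true (an upload from the monitored device).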