WithSecureLabs / snake-scales

snake-scales - the default repository of snake scales

Cuckoo Configuration

fareedfauzi opened this issue · comments

Hi Alex.

May I know, if my cuckoo does not use HTTPS, what should I change for the "verify" part? I tried to change it to "False" in the conf, and as a result, my sample cannot be submitted by selecting Cuckoo as the interface scale. Vice versa, if I leave the default value "True" unchanged, the sample submits successfully.

image

So the cuckoo scale is just using requests under the hood; by default requests will set verify to True:
https://requests.readthedocs.io/en/master/api/#requests.request

In the scale we can see that it just does some lazy construction:

r = requests.post(CUCKOO_API + '/tasks/create/file', files={"file": (document['name'], f)}, verify=VERIFY)

So if CUCKOO_API is set to http://hostname:port it should work without touching verify.

Are you saying that the scale is not working at all and always erroring on submission?

Oh. Okay.

The submission is working, but it seems to fail when Cuckoo retrieves the sample (and analyzes it) from Snake. The Snake UI keeps showing "Loading..." and the Cuckoo log does not show any indicator of any sample coming in.

image

I thought that the "verify" in my configuration was the problem; that's why I'm asking. I need to figure out other reasons why my Cuckoo can't retrieve the sample.

I also think that the API of my Cuckoo is the actual problem (which may be a misconfiguration or something), but manually submitting a sample using the command from the Cuckoo docs submitted the sample to my Cuckoo successfully.

curl -H "Authorization: Bearer S4MPL3" http://localhost:8090/tasks/create/submit -F files=@sample.exe

Thanks in advance, Alex.

Ahh I think I understand the issue now, do you have authentication sitting on top of your Cuckoo instance?

image

Based on the above instruction in Cuckoo docs... I never set an API token in my cuckoo.conf, so in my case, the authorization of the API might be the default implementation.

Do I need to make some changes in /usr/local/lib/python3.8/dist-packages/snake_cuckoo/interface.py for this matter, Alex, based on the documentation of the request using Python?

image

Right okay, let's follow this one through to work out what the real issue is, because I am confused :)

So does the curl work without the authorization header?

  • If no, I will need to update the cuckoo scale to support auth headers (probably needs doing anyway)
  • If yes, then we have a different issue going on:
    • Can you show me the errors that snake is outputting on submission and viewing?

  • It looks like curl works without an authorization header:
$ curl http://192.168.8.124:8090/tasks/create/submit -F files=@TimeApp.exe
{
  "errors": [],
  "submit_id": 5,
  "task_ids": [
    3
  ]
}

image

  • Snake log and cuckoo.conf are as follows:
[I 210205 03:54:21 web:2105] 200 GET /store/143f41667d3b7ab0a22324a0ec6b42191e54db1fb20ffffa025b279c80b3e54b (127.0.0.1) 3.73ms
[I 210205 03:54:21 web:2105] 200 GET /file/143f41667d3b7ab0a22324a0ec6b42191e54db1fb20ffffa025b279c80b3e54b/hex (127.0.0.1) 11.42ms
[E 210205 03:54:21 web:1620] Uncaught exception POST /scale/cuckoo/interface (127.0.0.1)
    HTTPServerRequest(protocol='http', host='localhost:5000', method='POST', uri='/scale/cuckoo/interface', version='HTTP/1.1', remote_ip='127.0.0.1')
    Traceback (most recent call last):
      File "/usr/local/lib/python3.8/dist-packages/tornado-5.0.1-py3.8-linux-x86_64.egg/tornado/web.py", line 1543, in _execute
        result = yield result
      File "/usr/local/lib/python3.8/dist-packages/tornado-5.0.1-py3.8-linux-x86_64.egg/tornado/gen.py", line 1099, in run
        value = future.result()
      File "/usr/local/lib/python3.8/dist-packages/snake-1.0.2-py3.8.egg/snake/routes/scale.py", line 119, in post
        output = await loop.run_in_executor(None, command, data['args'], data['sha256_digest'])
      File "/usr/lib/python3.8/concurrent/futures/thread.py", line 57, in run
        result = self.fn(*self.args, **self.kwargs)
      File "/usr/local/lib/python3.8/dist-packages/snake-1.0.2-py3.8.egg/snake/scale.py", line 737, in wrapper
        output = func(args=args_, file=file_storage, opts=opts, self=self)
      File "/usr/local/lib/python3.8/dist-packages/snake_cuckoo/interface.py", line 28, in info
        except requests.exceptions.RequestException:
    TypeError: unsupported operand type(s) for +: 'int' and 'str'

Configuration

snake@snake:/var/log/snake$ cat /etc/snake/scales/cuckoo.conf
cuckoo_api: 8090
cuckoo_url: 192.168.8.124

verify: True

snake@snake:/var/log/snake$ cat /usr/local/lib/python3.8/dist-packages/snake_cuckoo/cuckoo.conf
cuckoo_api: 8090
cuckoo_url: 192.168.8.124

verify: True

Which part do I have wrong, Alex?

Right, from the logs I can see it's due to some un-robust parsing. So if you change your settings to the following you should be good to go:

cuckoo_api: 'http://192.168.8.124:8090'
cuckoo_url: 'http://192.168.8.124'
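An added example (not code from snake-scales or its author) that reproduces the TypeError from the log and shows a stricter way to load the cuckoo settings; the default host/scheme fallbacks and the optional token parameter are assumptions for the example:

```python
# Added example, not code from snake-scales: a stricter loader for the cuckoo
# scale's settings that shows why `cuckoo_api: 8090` blows up and how to
# normalise the value (and carry an optional API token) instead.
from urllib.parse import urlsplit, urlunsplit

# Constructed sample configs: the one from the thread that breaks, and the fix.
BROKEN_CONF = {"cuckoo_api": 8090, "cuckoo_url": "192.168.8.124", "verify": True}
FIXED_CONF = {"cuckoo_api": "http://192.168.8.124:8090",
              "cuckoo_url": "http://192.168.8.124", "verify": True}


def naive_submit_url(conf):
    """What the scale effectively does: concatenate without checking the type.
    With an int from the YAML loader this raises the TypeError seen in the log."""
    return conf["cuckoo_api"] + "/tasks/create/file"


def normalise_api_base(value, default_host="127.0.0.1", default_scheme="http"):
    """Return an explicit scheme://host:port base for any accepted input form.

    Accepts a full URL, a host[:port] string, or a bare port (YAML parses
    `cuckoo_api: 8090` as an int). default_host/default_scheme are assumptions
    for this example, not real scale settings.
    """
    if isinstance(value, bool):           # bool is an int subclass; reject first
        raise ValueError("cuckoo_api must be a URL, not a boolean")
    if isinstance(value, int):
        value = f"{default_host}:{value}"
    if not isinstance(value, str) or not value.strip():
        raise ValueError("cuckoo_api must be a non-empty string")
    if "://" not in value:
        value = f"{default_scheme}://{value}"
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported cuckoo_api value: {value!r}")
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def build_submit_request(conf, token=None):
    """Assemble URL, TLS verification flag and headers for /tasks/create/file.

    `verify` only matters for https; on a plain-http base requests ignores it,
    so leaving it True is harmless there. `token` is the optional Cuckoo API
    token (Authorization: Bearer ...) that the scale does not yet send.
    """
    base = normalise_api_base(conf["cuckoo_api"])
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return {"url": base + "/tasks/create/file",
            "verify": bool(conf.get("verify", True)), "headers": headers}
```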

Ok issue solved! Thanks a lot.