countercept / snake-scales

snake-scales - the default repository of snake scales

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Cuckoo Configuration

fareedfauzi opened this issue · comments

Hi Alex.

May I know, if my cuckoo does not use HTTPS, what should I change for the "verify" part? I tried to change to "False" in the conf, and as a result, my sample cannot be submitted by select Cuckoo as the interface's scale. Vice versa, if I'm remain unchanged the default value "True", the sample submit successfully.

image

So the cuckoo scale is just using requests under to hood, by default requests will set verify to True:
https://requests.readthedocs.io/en/master/api/#requests.request

In the scale we can see that is just does some lazy construction:

r = requests.post(CUCKOO_API + '/tasks/create/file', files={"file": (document['name'], f)}, verify=VERIFY)

So if CUCKOO_API is set to http://hostname:port it should work without touching verify.

Are you saying that the scale is not working at all and always erroring on submission?

Oh. Okay.

The submission is working, but it seems to fail for the Cuckoo retrieving the sample (and analyze) from Snake. The Snake UI keeps showing "Loading..." and the Cuckoo log does not show any indicator of any sample come in.

image

I thought that the "verify" in my configuration is the problem, that's why I'm asking. I need to figure out other ways, why my Cuckoo can't retrieve the sample.

I also think that the API of my Cuckoo is the actual problem (which maybe misconfiguration or something), but manually submit a sample using the command, based on the Cuckoo docs was successfully submitted the sample in my Cuckoo.

curl -H "Authorization: Bearer S4MPL3" http://localhost:8090/tasks/create/submit -F files=@sample.exe

Thanks, Alex in advance.

Ahh I think I understand the issue now, do you have authentication sitting on top of your Cuckoo instance?

image

Based on the above instruction in Cuckoo docs... I never set API an token in my cuckoo.conf, so in my case, the authorization of the API might be default implemented.

Do I need to make some changes in /usr/local/lib/python3.8/dist-packages/snake_cuckoo/interface.py Alex for this matter based on the documentation of the request using Python?

image

Right okay lets follow this one through to work out what the real issue is, because I am confused :)

So does the curl work without the authorization header?

  • If no, I will need to update the cuckoo scale to support auth headers (probably needs doing anyway)
  • If yes, then we have a different issue going on:
    • Can you show me the errors that snake is outputting on submission and viewing?
  • It looks like curl work without an authorization header
$ curl http://192.168.8.124:8090/tasks/create/submit -F files=@TimeApp.exe
{
  "errors": [],
  "submit_id": 5,
  "task_ids": [
    3
  ]
}

image

  • Snake log and cuckoo.conf as follow:
[I 210205 03:54:21 web:2105] 200 GET /store/143f41667d3b7ab0a22324a0ec6b42191e54db1fb20ffffa025b279c80b3e54b (127.0.0.1) 3.73ms
[I 210205 03:54:21 web:2105] 200 GET /file/143f41667d3b7ab0a22324a0ec6b42191e54db1fb20ffffa025b279c80b3e54b/hex (127.0.0.1) 11.42ms
[E 210205 03:54:21 web:1620] Uncaught exception POST /scale/cuckoo/interface (127.0.0.1)
    HTTPServerRequest(protocol='http', host='localhost:5000', method='POST', uri='/scale/cuckoo/interface', version='HTTP/1.1', remote_ip='127.0.0.1')
    Traceback (most recent call last):
      File "/usr/local/lib/python3.8/dist-packages/tornado-5.0.1-py3.8-linux-x86_64.egg/tornado/web.py", line 1543, in _execute
        result = yield result
      File "/usr/local/lib/python3.8/dist-packages/tornado-5.0.1-py3.8-linux-x86_64.egg/tornado/gen.py", line 1099, in run
        value = future.result()
      File "/usr/local/lib/python3.8/dist-packages/snake-1.0.2-py3.8.egg/snake/routes/scale.py", line 119, in post
        output = await loop.run_in_executor(None, command, data['args'], data['sha256_digest'])
      File "/usr/lib/python3.8/concurrent/futures/thread.py", line 57, in run
        result = self.fn(*self.args, **self.kwargs)
      File "/usr/local/lib/python3.8/dist-packages/snake-1.0.2-py3.8.egg/snake/scale.py", line 737, in wrapper
        output = func(args=args_, file=file_storage, opts=opts, self=self)
      File "/usr/local/lib/python3.8/dist-packages/snake_cuckoo/interface.py", line 28, in info
        except requests.exceptions.RequestException:
    TypeError: unsupported operand type(s) for +: 'int' and 'str'

Configuration

snake@snake:/var/log/snake$ cat /etc/snake/scales/cuckoo.conf
cuckoo_api: 8090
cuckoo_url: 192.168.8.124

verify: True

snake@snake:/var/log/snake$ cat /usr/local/lib/python3.8/dist-packages/snake_cuckoo/cuckoo.conf
cuckoo_api: 8090
cuckoo_url: 192.168.8.124

verify: True

Which part am I wrong Alex?

Right from the logs I can see its due to some un-robust parsing. So if you change your settings to the following you should be good to go:

cuckoo_api: 'http://192.168.8.124:8090'
cuckoo_url: 'http://192.168.8.124'

Ok issue solved! Thanks a lot.

ezoic increase your site revenue