Getting what appears to be a timeout with Cuckoo #56
Comments
|
Could someone share configuration settings in FAME to work with Cuckoo? I was getting timeout errors and I changed the tcp_keepalive settings which appeared to have helped (no longer getting connection reset problems) but now I get "could not get report before timeout" errors for the Cuckoo process. If I run the same URL analysis on Cuckoo instead of feeding it from FAME, it works just fine! |
|
The default configuration values work fine for a local instance of cuckoo. Could you provide us with the cuckoo logs related to this analysis ? (is there a cuckoo analysis created ? is it 'reported' before the timeout ?) |
|
The Cuckoo analysis completes. I can see it in the Cuckoo dashboard. Here is a copy of the relevent logs. Note that about an hour of processing occurs before the analysis is completed. This is Cuckoo 2.0.6. 2018-11-09 14:54:48,654 [cuckoo.core.scheduler] INFO: Task #1122: acquired machine win1 (label=win1) |
|
I may try forking a change to the module which would download the report and then parse it, locally. There seem to be two issues. In one case, Cuckoo seems to produce an occasional malformed JSON report for reasons that I am not clear about. But, in other cases, it appears that a connection is timing out during the processing of the report by extract_info() which causes the ijson parser to fail. If I download the report and then process it with extract_info(), it completes without errors. Unless someone has a better suggestion, this seems like a decent way to go. |
I have verified that Cuckoo was able to download and analyze the file so I'm looking for suggestions as to how to proceed. The parameters for the Cuckoo module are:
WAIT_TIMEOUT 5400
WAIT_STEP 30
ANALYSIS_TIME 300
2018-10-16 08:52: debug: Trying to run cuckoo
2018-10-16 09:05: error: cuckoo: Could not run on http://microsoftupdate.dynamicdns.org.uk/host/290.exe.
Traceback (most recent call last):
File "/home/cirt/fame/fame/core/module.py", line 492, in _try_each
return self.each_with_type(target, file_type)
File "/home/cirt/fame/fame/modules/community/processing/cuckoo/cuckoo.py", line 97, in each_with_type
self.process_report()
File "/home/cirt/fame/fame/modules/community/processing/cuckoo/cuckoo.py", line 159, in process_report
self.extract_info(response)
File "/home/cirt/fame/fame/modules/community/processing/cuckoo/cuckoo.py", line 166, in extract_info
for prefix, event, value in parser:
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/common.py", line 65, in parse
for event, value in basic_events:
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 185, in basic_parse
for value in parse_value(lexer):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 119, in parse_value
for event in parse_object(lexer):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 163, in parse_object
for event in parse_value(lexer, None, pos):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 119, in parse_value
for event in parse_object(lexer):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 163, in parse_object
for event in parse_value(lexer, None, pos):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 116, in parse_value
for event in parse_array(lexer):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 138, in parse_array
for event in parse_value(lexer, symbol, pos):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 119, in parse_value
for event in parse_object(lexer):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 163, in parse_object
for event in parse_value(lexer, None, pos):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 116, in parse_value
for event in parse_array(lexer):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 138, in parse_array
for event in parse_value(lexer, symbol, pos):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 119, in parse_value
for event in parse_object(lexer):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 163, in parse_object
for event in parse_value(lexer, None, pos):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 119, in parse_value
for event in parse_object(lexer):
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 170, in parse_object
pos, symbol = next(lexer)
File "/home/cirt/fame/env/local/lib/python2.7/site-packages/ijson/backends/python.py", line 65, in Lexer
data = f.read(buf_size)
File "/home/cirt/fame/env/lib/python2.7/codecs.py", line 488, in read
newdata = self.stream.read(size)
File "/usr/lib/python2.7/socket.py", line 384, in read
data = self._sock.recv(left)
error: [Errno 104] Connection reset by peer
The text was updated successfully, but these errors were encountered: