Problems That May Arise When Using Cuckoo Sandbox, and How to Solve Them


Problem 1:

You do not have the m2crypto library installed preventing certificate extraction. Please read the Cuckoo documentation on installing m2crypto (you need SWIG installed and then pip install m2crypto==0.24.0)!

Solution:

Install m2crypto with pip:

pip install m2crypto==0.24.0 # this command will most likely fail
pip install m2crypto # install the latest version directly

Problem 2:

It appears that you haven't loaded any Cuckoo Signatures. Signatures are highly recommended and improve & enrich the information extracted during an analysis. They also make up for the analysis score that you see in the Web Interface - so, pretty important!

Solution:

cuckoo community
## If your connection is slow, download master.tar.gz through a proxy first, then run the command below
## URL: https://github.com/cuckoosandbox/community/archive/master.tar.gz
# cuckoo community --file /home/master.tar.gz

Problem 3:

2020-12-20 20:19:31,634 [cuckoo.core.plugins] ERROR: Failed to run the processing module "Static" for task #28:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 246, in process
    data = current.run()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/static.py", line 1075, in run
    static.update(PortableExecutable(f.file_path).run())
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/static.py", line 317, in run
    results["signature"] = self._get_signature()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/static.py", line 279, in _get_signature
    "locality": subject.L,
  File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 321, in __getattr__
    return util.py3str(m2.x509_name_by_nid(self.x509_name, self.nid[attr]))
  File "/usr/lib/python2.7/dist-packages/M2Crypto/util.py", line 66, in py3str
    raise TypeError('No string argument provided')
TypeError: No string argument provided

This problem occurs because the installed m2crypto version is too new; the official documentation specifies m2crypto==0.24.0.

Solution:

Download the deb package and its dependency and install them:

sudo apt remove python-m2crypto # remove the m2crypto installed through apt
sudo pip uninstall m2crypto # remove the m2crypto installed through pip
## run both of the commands above
wget http://security.debian.org/debian-security/pool/updates/main/o/openssl1.0/libssl1.0.2_1.0.2u-1~deb9u3_amd64.deb # dependency required by m2crypto: libssl1.0.2_1.0.2u-1~deb9u3_amd64.deb
wget http://ftp.br.debian.org/debian/pool/main/m/m2crypto/python-m2crypto_0.24.0-1.1_amd64.deb # m2crypto version 0.24.0
# install the libssl1.0.2 dependency first, otherwise dpkg leaves python-m2crypto unconfigured
sudo dpkg -i libssl1.0.2_1.0.2u-1~deb9u3_amd64.deb
sudo dpkg -i python-m2crypto_0.24.0-1.1_amd64.deb
# to prevent it from being upgraded, pin the version at 0.24.0
sudo apt-mark hold python-m2crypto

Problem 4:

After the guest Windows 7 VM's network is set to host-only, it cannot reach the network, although the Windows 7 VM and the Ubuntu host can ping each other.

Solution:

Enable IP forwarding

Edit /etc/sysctl.conf:

sudo vim /etc/sysctl.conf

Find net.ipv4.ip_forward=1, uncomment it, save, and then run the following command to apply the setting:

sysctl -p /etc/sysctl.conf

The iptables forwarding rules also need to be configured (these take effect immediately but are lost on reboot):

sudo -i
iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# masquerades everything the host forwards; add -s 192.168.56.0/24 -o eth0 to limit it to the sandbox network
iptables -A POSTROUTING -t nat -j MASQUERADE

Once this is configured, the guest Windows 7 VM can reach the network normally, but the Ubuntu host loses network access. This is a DNS configuration problem: edit /etc/resolv.conf and change nameserver 127.0.0.53 to nameserver 114.114.114.114; after saving, the host can reach the network again.

To persist the iptables forwarding rules, use the iptables-persistent tool:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload
sudo systemctl enable netfilter-persistent.service
## Note
# the saved rule files are located at
#/etc/iptables/rules.v4
#/etc/iptables/rules.v6

To stop /etc/resolv.conf from being overwritten with 127.0.0.53:

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo apt install unbound
sudo rm -rf /etc/resolv.conf
sudo vim /etc/NetworkManager/NetworkManager.conf

Add the following line under the [main] section:

dns=unbound

Then reboot.

Problem 5:

2020-12-21 08:58:46,225 [cuckoo] ERROR: The maximum number of open files is low (4096). If you do not increase it, you may run into errors later on.
2020-12-21 08:58:46,225 [cuckoo] ERROR: See also: https://cuckoo.sh/docs/faq/index.html#ioerror-errno-24-too-many-open-files

Solution:

Increase the open-file limit

Check the current open-file limit:

ulimit -n

Edit /etc/systemd/user.conf and /etc/systemd/system.conf and set:

DefaultLimitNOFILE=65535

Edit /etc/security/limits.conf

Add the following two lines:

# replace mkasberg with the user account that runs cuckoo
mkasberg hard nofile 65535
mkasberg soft nofile 65535

Then reboot.

Problem 6:

2020-12-22 10:32:18,751 [cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.

Edit the cuckoo.conf configuration file and raise the maximum upload size from the default 128 MB (134217728 bytes) to 512 MB.
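A preflight check for the size limits, added here as example code (it is not from the original post or from Cuckoo itself). The warning quoted above names upload_max_size, which lives in the [resultserver] section of cuckoo.conf, so the check reads that key as well as analysis_size_limit, and it also flags a connection string that still selects the default sqlite database (the cause of the "database is locked" error in Problem 9). The config text is a constructed sample and the function names are this example's own; feed it the contents of a real cuckoo.conf to check an installation.

```python
import configparser

MB = 1024 * 1024
# Constructed sample of the relevant cuckoo.conf sections, mirroring the
# Cuckoo 2.x defaults (128 MB limits; an empty connection string means sqlite).
SAMPLE_CUCKOO_CONF = """
[resultserver]
upload_max_size = 134217728

[processing]
analysis_size_limit = 134217728

[database]
connection =
"""

# Both keys are byte counts; the resultserver one is what the warning
# "Uploaded file length larger than upload_max_size" refers to.
SIZE_KEYS = (("resultserver", "upload_max_size"),
             ("processing", "analysis_size_limit"))

def parse_cuckoo_conf(text):
    """Parse cuckoo.conf text (INI syntax with '#' comment lines)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def undersized_limits(conf, wanted_bytes):
    """Return 'section.key=value' for every size key below wanted_bytes."""
    findings = []
    for section, key in SIZE_KEYS:
        # A missing key means Cuckoo falls back to its 128 MB default.
        value = conf.getint(section, key, fallback=128 * MB)
        if value < wanted_bytes:
            findings.append("%s.%s=%d" % (section, key, value))
    return findings

def uses_sqlite(conf):
    """True when Cuckoo would still use its default sqlite database."""
    conn = conf.get("database", "connection", fallback="").strip()
    return conn == "" or conn.startswith("sqlite")

def preflight(text, wanted_bytes):
    """Findings for one cuckoo.conf text; an empty list means it is OK."""
    conf = parse_cuckoo_conf(text)
    report = ["%s is below %d bytes" % (f, wanted_bytes)
              for f in undersized_limits(conf, wanted_bytes)]
    if uses_sqlite(conf):
        report.append("database.connection is sqlite: bulk API submissions can hit 'database is locked'")
    return report
```

Run preflight(open(path).read(), 512 * MB) against your own cuckoo.conf; an empty list means both limits already accept 512 MB uploads and the database is no longer sqlite.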

[processing]
# Set the maximum size of analyses generated files to process. This is used
# to avoid the processing of big files which may take a lot of processing
# time. The value is expressed in bytes, by default 128 MB.
# raised from the default 134217728 (128 MB) to 512 MB
analysis_size_limit = 536870912

Problem 7:

2020-12-22 16:31:25,236 [cuckoo.core.plugins] ERROR: Unable to stop auxiliary module: Sniffer
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 164, in stop
    module.stop()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/auxiliary/sniffer.py", line 156, in stop
    (out, err, faq("permission-denied-for-tcpdump"))
CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'tcpdump: vboxnet0: That device is not up\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?

Solution:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Problem 8:

Starting VirtualBox in headless mode gives the following error:

2021-04-15 21:54:08,824 [cuckoo.core.scheduler] ERROR: Error starting Virtual Machine! VM: Windows7-SP1, error: VBoxManage failed starting the machine in headless mode. Are you sure your machine is still functioning correctly when trying to use it manually? Error: VBoxManage: error: The VM session was aborted
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component SessionMachine, interface ISession
2021-04-15 21:54:09,438 [cuckoo.core.scheduler] WARNING: Unable to stop machine Windows7-SP1: Trying to stop an already stopped VM: Windows7-SP1
2021-04-15 21:54:09,675 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2021-04-15 21:54:11,439 [cuckoo.processing.debug] ERROR: Error processing task #2: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration

Solution:

In Settings >> Display >> Screen, uncheck hardware acceleration.

Start the virtual machine again, run agent.pyw as administrator, and recreate the snapshot.

Problem 9:

The following error appears when submitting samples in bulk through the Cuckoo API:

2021-04-16 11:52:52,854 [cuckoo.core.database] ERROR: Database error counting machines: (sqlite3.OperationalError) database is locked [SQL: SELECT count(*) AS count_1 FROM (SELECT machines.rcparams AS machines_rcparams, machines.id AS machines_id, machines.name AS machines_name, machines.label AS machines_label, machines.ip AS machines_ip, machines.platform AS machines_platform, machines.options AS machines_options, machines.interface AS machines_interface, machines.snapshot AS machines_snapshot, machines.locked AS machines_locked, machines.locked_changed_on AS machines_locked_changed_on, machines.status AS machines_status, machines.status_changed_on AS machines_status_changed_on, machines.resultserver_ip AS machines_resultserver_ip, machines.resultserver_port AS machines_resultserver_port FROM machines WHERE machines.locked = 0) AS anon_1] (Background on this error at: http://sqlalche.me/e/e3q8)
OperationalError: (sqlite3.OperationalError) database is locked [SQL: SELECT count(*) AS count_1 FROM (SELECT machines.rcparams AS machines_rcparams, machines.id AS machines_id, machines.name AS machines_name, machines.label AS machines_label, machines.ip AS machines_ip, machines.platform AS machines_platform, machines.options AS machines_options, machines.interface AS machines_interface, machines.snapshot AS machines_snapshot, machines.locked AS machines_locked, machines.locked_changed_on AS machines_locked_changed_on, machines.status AS machines_status, machines.status_changed_on AS machines_status_changed_on, machines.resultserver_ip AS machines_resultserver_ip, machines.resultserver_port AS machines_resultserver_port FROM machines WHERE machines.locked = 0) AS anon_1] (Background on this error at: http://sqlalche.me/e/e3q8)

Solution: change the database from the default sqlite to postgresql

Install the PostgreSQL database:

sudo apt-get install postgresql libpq-dev -y
pip install psycopg2

Create the cuckoo database:

sudo -u postgres psql
CREATE DATABASE cuckoo;
CREATE USER cuckoo WITH ENCRYPTED PASSWORD 'password';
GRANT ALL PRIVILEGES ON DATABASE cuckoo TO cuckoo;
\q

This password is needed later in the cuckoo.conf configuration.

Note: the password must be enclosed in single quotes.

Edit /etc/postgresql/10/main/pg_hba.conf and add the following line:

# trust accepts connections from this address without a password; md5 would require the password created above
host all all 192.168.0.2/32 trust

192.168.0.2 is the IP address of the client (the physical host).

Configure the cuckoo.conf file:

[database]
# use postgresql instead of the default sqlite
connection = postgresql://cuckoo:password@localhost:5432/cuckoo

