Cloudscan not recognizing modules #42

Closed
ghost opened this issue May 15, 2016 · 8 comments

Comments

@ghost

ghost commented May 15, 2016

Platform: Operating on Ubuntu 14.04 EC2 instance
Overview: Attempting to run a networked instance of laikaboss and run files through a custom module
Problem: After starting a server "./laikad.py" and attempting to use cloudscan as a client (as described here: #18), the output from the cloudscan request contains no module data.

Details:
$ ./laika.py {file}
"scanModules": ["SCAN_YARA", "META_HASH", "SCAN_TEST"]
works correctly w/ added scanModules and meta data
$ ./laikad.py + $ ./cloudscan.py {file}
"scanModules": []

  • Using default cloudscan and laikad conf files.

Any help would be appreciated.

@sterlecki

Do you see anything in the laika error logs?

@ghost
Author

ghost commented May 15, 2016

Where are those logs located?

@sterlecki

I think by default they are coming out of syslog. I haven't looked in a while but maybe check /var/log/messages. I have a custom syslog config so I have them coming out in my own logs.


@ghost
Author

ghost commented May 15, 2016

May 15 20:51:46 ip-**---* laikad: ERROR 2121|si_dispatch|df170689-ecea-4509-ba76-159ba1c7eb57|||module not found: XER0X

The module's file name is scan_xer0x.py
Class definition: class SCAN_XER0X(SI_MODULE):
Dispatch Additions: rule type_is_js, rule type_is_html
-> scan_modules = "SCAN_XER0X"

@sterlecki

Is scan Xerox something you created? I don't see it in the default dispatch.yara file.


@ghost
Author

ghost commented May 15, 2016

Correct - I added scan_xer0x to dispatch.yara.
Is this not how it is intended to add a module to receive js/html files?

```yara
// ---------------------------- SCAN_XER0X Rules ---------------------------------
rule type_is_js
{
    meta:
        file_type = "js"
        scan_modules = "SCAN_XER0X"
    condition:
        true
}
rule type_is_html
{
    meta:
        file_type = "html"
        scan_modules = "SCAN_XER0X"
    condition:
        true
}
// -------------------------------------------------------------------------------
```

@ghost
Author

ghost commented May 17, 2016

I haven't been able to debug the issue yet - any initial thoughts?

@ghost
Author

ghost commented May 18, 2016

It was a problem with the build process not overwriting the build folder due to file privileges.

@ghost ghost closed this as completed May 18, 2016
This issue was closed.
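As an added example (not code from laikaboss or from anyone in this thread), here is a small Python check for the two failure modes the thread touches: a dispatch.yara rule naming a module that has no matching source file, and a built/installed copy of a module that is missing or stale because the build never overwrote it (the root cause reported above). It assumes the naming convention visible in the thread (class SCAN_XER0X lives in scan_xer0x.py), assumes several module names inside one scan_modules string are whitespace-separated, and uses constructed temporary directories in place of a real laikaboss checkout and build tree; the SCAN_MISSING module and all paths are invented for the demo.

```python
"""Diagnostic for laikaboss-style "module not found" dispatch errors.

Check 1: every module named in a dispatch.yara scan_modules meta field has a
         source file and a class matching it (SCAN_XER0X -> scan_xer0x.py).
Check 2: the copy of each module in the built/installed tree (the one the
         daemon actually imports) exists and is byte-identical to the source.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Matches   scan_modules = "SCAN_XER0X"   inside a rule's meta block.
META_RE = re.compile(r'scan_modules\s*=\s*"([^"]*)"')

# Constructed dispatch.yara fragment: the thread's two rules plus one rule
# naming a module that does not exist (SCAN_MISSING is invented for the demo).
DISPATCH_YARA = '''
rule type_is_js
{
    meta:
        file_type = "js"
        scan_modules = "SCAN_XER0X"
    condition:
        true
}
rule type_is_html
{
    meta:
        file_type = "html"
        scan_modules = "SCAN_XER0X SCAN_YARA"
    condition:
        true
}
rule type_is_demo
{
    meta:
        scan_modules = "SCAN_MISSING"
    condition:
        true
}
'''


def scan_modules_from_yara(text):
    """Return the set of module names found in scan_modules meta fields.
    Assumption: multiple names in one string are whitespace-separated."""
    names = set()
    for match in META_RE.finditer(text):
        names.update(match.group(1).split())
    return names


def module_filename(name):
    """Assumed convention from the thread: SCAN_XER0X -> scan_xer0x.py."""
    return name.lower() + ".py"


def check_source_tree(names, src_dir):
    """Map each module name to a problem string; an empty dict means all good."""
    problems = {}
    for name in sorted(names):
        path = Path(src_dir) / module_filename(name)
        if not path.is_file():
            problems[name] = "no file %s" % path.name
            continue
        # The class must be named exactly like the module referenced in the rule.
        if not re.search(r"^class\s+%s\b" % re.escape(name), path.read_text(), re.M):
            problems[name] = "file present but no class %s" % name
    return problems


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_installed_copy(names, src_dir, installed_dir):
    """Compare the copy the daemon imports with the source it was built from."""
    problems = {}
    for name in sorted(names):
        src = Path(src_dir) / module_filename(name)
        dst = Path(installed_dir) / module_filename(name)
        if not src.is_file():
            continue  # already reported by check_source_tree
        if not dst.is_file():
            problems[name] = "not in installed tree (build never copied it)"
        elif _sha256(src) != _sha256(dst):
            msg = "installed copy is stale (differs from source)"
            if not os.access(dst, os.W_OK):
                msg += "; not writable by this user, so a rebuild cannot overwrite it"
            problems[name] = msg
    return problems


def demo():
    """Constructed scenario: the source module is fine, but the installed copy
    is an older version that the build did not overwrite."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src" / "laikaboss" / "modules"
        inst = Path(tmp) / "build" / "lib" / "laikaboss" / "modules"
        src.mkdir(parents=True)
        inst.mkdir(parents=True)
        (src / "scan_xer0x.py").write_text("class SCAN_XER0X(SI_MODULE):\n    pass\n")
        (inst / "scan_xer0x.py").write_text("class SCAN_XER0X(SI_MODULE):\n    pass  # old\n")
        (src / "scan_yara.py").write_text("class SCAN_YARA(SI_MODULE):\n    pass\n")
        (inst / "scan_yara.py").write_text("class SCAN_YARA(SI_MODULE):\n    pass\n")
        names = scan_modules_from_yara(DISPATCH_YARA)
        return names, check_source_tree(names, src), check_installed_copy(names, src, inst)


if __name__ == "__main__":
    for label, result in zip(("modules", "source problems", "installed problems"), demo()):
        print("%s: %s" % (label, result))
```

To use it against a real deployment, point check_source_tree at the laikaboss/modules directory of the checkout and check_installed_copy at the matching directory under the build tree or site-packages that laikad imports from; a stale or missing entry there, with the source looking correct, is exactly the situation where laika.py works but the daemon reports module not found.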