Implement clean long-term analysis #708

Open
botherder opened this Issue Dec 22, 2015 · 3 comments

@botherder
Member

botherder commented Dec 22, 2015

Currently analyses have soft and hard timeouts and they are cleanly or abruptly terminated in case either of those timeouts are hit. However, in some contexts we might want to execute the analysis for an indeterminate amount of time.

In order to do so we need:

  • Set a flag in the existing Task table or create a new Commands table to allow the user to insert a stop instruction associated with a task ID
  • Have the Analyzer poll the ResultServer asking for pending commands (this can be used for other purposes too)
  • Have the GuestManager re-create a timeout after the stop command has been issued (perhaps 10 minutes after it), in case the Analyzer isn't able to terminate cleanly anymore.

@botherder botherder self-assigned this Dec 22, 2015

@botherder botherder added this to the 2.0 milestone Dec 22, 2015
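The three pieces listed above (a Commands table keyed by task ID, an Analyzer poll for pending commands, and a GuestManager grace timeout that only exists once a stop has been issued), as an added example. This is not Cuckoo code: the schema, the function names, the in-memory SQLite store standing in for the real database and the 600-second grace value are all assumptions; both sides run on a fake clock so the behaviour can be checked offline.

```python
"""Added example (not Cuckoo code): a sketch of the stop-command mechanism the
issue asks for. The schema, names and the 10-minute grace value are assumptions."""
import sqlite3

GRACE_SECONDS = 600  # "perhaps 10 minutes" after the stop command; assumed value


class CommandStore:
    """Stand-in for a Commands table keyed by task ID (hypothetical schema)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE commands ("
            " id INTEGER PRIMARY KEY, task_id INTEGER NOT NULL,"
            " command TEXT NOT NULL, issued_at REAL NOT NULL,"
            " acked INTEGER NOT NULL DEFAULT 0)"
        )

    def issue(self, task_id, command, now):
        """User side: queue a command (e.g. 'stop') for a running task."""
        cur = self.db.execute(
            "INSERT INTO commands (task_id, command, issued_at) VALUES (?, ?, ?)",
            (task_id, command, now),
        )
        self.db.commit()
        return cur.lastrowid

    def pending(self, task_id):
        """Commands the analyzer has not acknowledged yet, oldest first."""
        rows = self.db.execute(
            "SELECT id, command FROM commands WHERE task_id = ? AND acked = 0 ORDER BY id",
            (task_id,),
        ).fetchall()
        return [{"id": r[0], "command": r[1]} for r in rows]

    def ack(self, command_id):
        self.db.execute("UPDATE commands SET acked = 1 WHERE id = ?", (command_id,))
        self.db.commit()

    def stop_issued_at(self, task_id):
        """Time of the first 'stop' for this task, or None if none was issued."""
        return self.db.execute(
            "SELECT MIN(issued_at) FROM commands WHERE task_id = ? AND command = 'stop'",
            (task_id,),
        ).fetchone()[0]


def analyzer_poll(store, task_id):
    """Guest side: one poll of the command queue the ResultServer would expose.
    Returns True if a stop was received. Every fetched command is acked so it
    is not redelivered on the next poll."""
    stop = False
    for cmd in store.pending(task_id):
        if cmd["command"] == "stop":
            stop = True
        store.ack(cmd["id"])
    return stop


def guest_manager_should_kill(store, task_id, now, analyzer_finished, grace=GRACE_SECONDS):
    """Host side: no hard timeout while the analysis runs indefinitely; once a
    stop has been issued a grace deadline exists, and the VM is killed if the
    analyzer has not finished cleanly by then."""
    if analyzer_finished:
        return False
    issued = store.stop_issued_at(task_id)
    if issued is None:
        return False
    return now >= issued + grace


def simulate(stop_at, analyzer_responsive, poll_interval=5, grace=GRACE_SECONDS, horizon=2000):
    """Drive both sides on a fake clock (seconds). Returns (outcome, time):
    'clean' when the analyzer honours the stop, 'killed' when the GuestManager
    grace deadline fires, 'running' if no stop arrives before the horizon."""
    store, task_id, finished = CommandStore(), 1, False
    for now in range(0, horizon, poll_interval):
        if stop_at is not None and now == stop_at:
            store.issue(task_id, "stop", now)
        if guest_manager_should_kill(store, task_id, now, finished, grace):
            return "killed", now
        if analyzer_responsive and analyzer_poll(store, task_id):
            finished = True
            return "clean", now
    return "running", horizon


if __name__ == "__main__":
    print(simulate(stop_at=100, analyzer_responsive=True))    # ('clean', 100)
    print(simulate(stop_at=100, analyzer_responsive=False))   # ('killed', 700)
    print(simulate(stop_at=None, analyzer_responsive=False))  # ('running', 2000)
```

The important property is in `guest_manager_should_kill`: with no stop on record there is no deadline at all, which is what makes the analysis indeterminate, and the deadline that appears after a stop is measured from the command's `issued_at`, not from when the guest happens to acknowledge it, so an analyzer that has stopped polling still gets killed.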

@KillerInstinct


Contributor

KillerInstinct commented Dec 22, 2015

Also it should be noted that longer analysis times mean more API logs, and thus you may run into the MongoDB document size limit more often with this type of analysis. (I use cuckoo to run 30-minute analyses on some samples, and have run into this frequently.)

@botherder


Member

botherder commented Dec 22, 2015

That's for sure, but perhaps in this case we can have a dedicated DLL that only monitors very basic APIs (create file, create process, write registry key) and nothing else.

@jbremer


Member

jbremer commented Dec 22, 2015

As this has already been implemented in a slightly different form, some takeaway features may be obtained from https://github.com/jbremer/longcuckoo.
For a limited set of behavioral results we could create a monitoring mode in the new monitor which, as @botherder mentioned, would only look at very basic functionality (instead of all 300+ functions).
An additional feature request from my side for longer term analysis is RDP/VNC integration of the analysis VM into the Cuckoo web interface.
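The reduced monitoring mode that @botherder and @jbremer describe, together with the document-size problem @KillerInstinct raises, as an added example that is not part of the thread or of Cuckoo. The log layout, the three API names in `BASIC_APIS` and the constructed 30-minute-style log are assumptions; the 16 MiB figure is MongoDB's per-document limit, and JSON size is used as a proxy for the BSON size the limit is actually measured against.

```python
"""Added example (not Cuckoo code): a 'basic' monitoring filter applied to
behaviour log entries, checked against MongoDB's 16 MiB document limit.
The API names in BASIC_APIS and the log layout are assumptions."""
import json

MONGO_DOC_LIMIT = 16 * 1024 * 1024  # hard per-document cap enforced by MongoDB

# Assumed basic set: file creation, process creation, registry writes.
BASIC_APIS = {"NtCreateFile", "CreateProcessInternalW", "RegSetValueExW"}


def filter_basic(calls):
    """Keep only the calls a reduced monitor would record."""
    return [c for c in calls if c["api"] in BASIC_APIS]


def encoded_size(calls):
    """Serialised size in bytes; JSON stands in for BSON here."""
    return len(json.dumps(calls, separators=(",", ":")).encode("utf-8"))


def fits_in_document(calls):
    """True if the call list would fit in one MongoDB document."""
    return encoded_size(calls) <= MONGO_DOC_LIMIT


def constructed_log(n_noise, n_basic, buffer_len=1000):
    """Constructed sample: a long run dominated by chatty calls (NtReadFile with
    a buffer dump) plus a handful of the basic ones a reduced monitor keeps."""
    noise = [{"api": "NtReadFile", "category": "filesystem",
              "arguments": {"Buffer": "A" * buffer_len}} for _ in range(n_noise)]
    basic = [{"api": "NtCreateFile", "category": "filesystem",
              "arguments": {"FileName": "C:\\Users\\victim\\payload.exe"}}
             for _ in range(n_basic)]
    return noise + basic


if __name__ == "__main__":
    log = constructed_log(20000, 50)
    kept = filter_basic(log)
    print(len(log), encoded_size(log), fits_in_document(log))     # full log does not fit
    print(len(kept), encoded_size(kept), fits_in_document(kept))  # basic subset does
```

The filter is deliberately applied to the call stream rather than to the report afterwards: the point of a reduced monitor is that the chatty calls are never produced on the guest, so the ResultServer and the database never see them.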
