Nothing in the database #31

Open
k41zen opened this issue Mar 8, 2019 · 15 comments

@k41zen

commented Mar 8, 2019

I'm getting the same issues as per #27. Nothing is showing up in the database but stdout says it already exists in viper.

[Screenshot 2019-03-08 at 12:09:16]

I'm running the viper web interface and ph0neutria as the same user "spider". I've created a user in the webgui and named it spider, generated an API key and used that in the settings.conf file. The web interface is running on 0.0.0.0:8080 and I have also added that to the settings.conf file.

There's a .viper/ under /home/spider, and an admin.db and viper.db file too, although viper.db has an old date.

When I log in as either spider or admin user nothing is listed. Not sure where it's getting written.

Can anyone help?

@k41zen

Author

commented Mar 8, 2019

Have simplified matters and done some further testing. I renamed the .viper directory under /home/spider to start again.

Left viper-web running as spider user as per the docs. Modified viper to listen on 0.0.0.0. Logged in as admin user using temp password, changed password and grabbed API key.

Added API key to settings.conf for ph0neutria. Left viper (addurl) pointing to 127.0.0.1:8080.

Created a test file in /tmp/file1.txt with some random content in it. Ran the test curl command from the Viper docs (changed example API key for the admin API key). Refreshed the web page (logged in as admin) and the sample is there. Naturally the viper-web screen began showing that analysis of the sample. So that tells me viper is listening, the API key is correct and submitting samples works as shown below:

[Screenshot 2019-03-08 at 13:15:30]

Now re-ran ph0neutria and nothing is getting added. Nothing is showing in the output as getting added or already exists.

[Screenshot 2019-03-08 at 13:28:30]

@k41zen

Author

commented Mar 8, 2019

I've noticed this error in viper-web:

2019-03-08 15:20:18 - viper-web - DEBUG - views.py:106 - running decorator: get_project_open_db - called by: <viper.web.viperapi.views.MalwareViewSet object at 0x7f446874ff60>
File: [<TemporaryUploadedFile: NS7d8oilMNQKTEfpJvcwTNpvIoaRPGCP ()>] (<class 'list'>)
File Name: Q/file_13065.jpg (<class 'str'>)
2019-03-08 15:20:18 - django.request - WARNING - log.py:228 - Bad Request: /api/v3/project/default/malware/upload/
2019-03-08 15:20:18 - django.server - WARNING - basehttp.py:154 - "POST /api/v3/project/default/malware/upload/ HTTP/1.1" 400 41

@k41zen

Author

commented Mar 9, 2019

Can anyone help me please?

@srcr

Contributor

commented Mar 11, 2019

I have the same issue here. Also getting "Bad Request" when posting the sample to Viper.

@phage-nz

Owner

commented Mar 12, 2019

I'm tied up with OSCP and other work at the moment. When I get a chance I can look into this but cannot put a timeframe on that. Any help that other users can offer would be appreciated.

To better troubleshoot this I'd look at replacing these lines: https://github.com/phage-nz/ph0neutria/blob/master/core/viper_utils.py#L43-L47

... with:

            else:
                LOGGING.error('Problem submitting file {0} to Viper. Status code: {1}. Text: {2}'.format(file_name, response.status_code, response.text))

That'll dump out the full response in the case that the request is successful but the returned status code isn't 200. Could be there has been a change to Viper that has broken the code used to submit to it.

@k41zen

Author

commented Mar 12, 2019

Thanks for this. Much appreciated.

Good luck with OSCP. It was BackTrack 3 when I did it many moons ago and you only had to present good notes at the time.

I've found that the issue is due to tag_list only accepting lowercase and no spaces and the contents do contain both. The content doesn't look like tags as I'd expect them to be:

file name =: image/reso.zip
url =: <core.class_utils.MalwareUrl object at 0x7f3176a48ef0>
class =: malware.generic
sample data =: {'tag_list': '12-03-2019, graphiccontent.tk, AS55293 A2 Hosting, Inc., US, AS55293 A2 Hosting, Inc., malware.generic'}

Ok so commenting out the checks for the tag_list format in "/opt/viper/viper/web/viperapi/serializers.py" works for me. Just added back in all my API keys (took them out to speed up the attempts to write to Viper) and running more tests.

Thinking of next forcing the lowercase change in viper_utils.py rather than changing the API requirements. Will let you know.

@srcr

Contributor

commented Mar 12, 2019

I think I kinda have it fixed on the ph0neutria side. In viper_utils.py I have updated the tags_make function.
See pull request #32.

@phage-nz

Owner

commented Mar 13, 2019

Thank you @srcr. That's the exact fix I had in mind.

@k41zen - replace your viper_utils.py with the one in the master branch and see if this addresses your issue.

@k41zen

Author

commented Mar 14, 2019

Confirmed fixed, gents. Uncommented the checks on the Viper side and all is good. Thanks so much.

@srcr

Contributor

commented Mar 16, 2019

Welcome. One thing though: I noticed that resolving the AS number sometimes results in a string with a comma, like "AS14061 DigitalOcean, LLC", which now results in 2 tags, "as14061_digitalocean" and "_llc", instead of "as14061_digitalocean_llc". This still needs to be fixed.
So I'm looking at this, but any hints or tips are welcome.
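Added example (not ph0neutria's tags_make and not the code in #32 or #33) illustrating the failure mode above and one way to avoid it: normalise each source field into one tag before anything is joined, so that a comma inside an AS description such as "AS14061 DigitalOcean, LLC" stays inside that tag instead of becoming a tag boundary. The field list, the allowed-character policy and the comma-joined output format are assumptions modelled on the sample data quoted earlier in this thread.

```python
import re

# Constructed sample fields, modelled on the tag_list values quoted earlier in
# this thread; the field set and ordering are an assumption, not ph0neutria's.
SAMPLE_FIELDS = [
    "12-03-2019",                 # date first seen
    "graphiccontent.tk",          # source domain
    "AS55293 A2 Hosting, Inc.",   # AS description, contains a comma and spaces
    "US",                         # country code
    "malware.generic",            # classification
]

# Characters a tag may keep after normalisation. Assumed policy: lowercase
# alphanumerics plus '_', '.', '-'. The Viper-side rule reported in this thread
# is only "lowercase and no spaces", so this is stricter than required.
_DISALLOWED = re.compile(r"[^a-z0-9_.\-]")


def normalize_tag(value: str) -> str:
    """Turn one source field into one tag: lowercase, runs of whitespace and
    commas become a single underscore, any other disallowed character is dropped."""
    tag = value.strip().lower()
    tag = re.sub(r"[\s,]+", "_", tag)
    tag = _DISALLOWED.sub("", tag)
    tag = re.sub(r"_+", "_", tag)
    return tag.strip("_.-")


def is_valid_tag(tag: str) -> bool:
    """The constraint the thread hit in Viper's serializer: lowercase, no spaces."""
    return bool(tag) and tag == tag.lower() and not any(ch.isspace() for ch in tag)


def tags_from_fields(fields):
    """One tag per field, deduplicated. The field boundary defines the tag, so a
    comma inside 'DigitalOcean, LLC' never splits it."""
    tags = []
    for field in fields:
        tag = normalize_tag(field)
        if tag and tag not in tags:
            tags.append(tag)
    return tags


def tags_from_joined_string(joined: str):
    """The fragile alternative: tags rebuilt by splitting an already comma-joined
    string. Any comma inside a value turns into a tag boundary."""
    return [t for t in (normalize_tag(part) for part in joined.split(",")) if t]


def build_tag_list(fields) -> str:
    """Join normalised tags into the comma-separated form seen in the thread's
    sample data (assumed to be what the upload endpoint expects)."""
    return ",".join(tags_from_fields(fields))


if __name__ == "__main__":
    print(tags_from_fields(SAMPLE_FIELDS))
    print(tags_from_joined_string("AS14061 DigitalOcean, LLC"))
    print(build_tag_list(SAMPLE_FIELDS))
```

Run stand-alone, the first line prints one tag per field, including "as55293_a2_hosting_inc" as a single tag, while the second shows the split that the comment above describes: "as14061_digitalocean" plus a stray "llc" (the thread's "_llc", minus the leading underscore this normaliser strips). The design point is simply to normalise before joining and never to re-split a joined string.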

@srcr

Contributor

commented Mar 16, 2019

@k41zen can you check my new code in #33? If you approve, perhaps @phage-nz can add it.

@k41zen

Author

commented Mar 17, 2019

@k41zen

Author

commented Mar 19, 2019

Finally got to test this out this afternoon and can confirm fixed. See screenshot below:

[Screenshot 2019-03-19 at 16:15:00]

@phage-nz

Owner

commented Apr 20, 2019

Apologies for the delay. Have merged that PR. Thanks @srcr

@srcr

Contributor

commented Apr 25, 2019

I understand the situation; I still need to do my CEH exam :| . But I'm happy that I've been able to help and improve Ph0neutria.
