The AzSniffer module initialization failed, causing the initialization to return
JohnSmith054 opened this issue · 4 comments
About accounts on capesandbox.com
- Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username.
This is open source and you are getting free support so be friendly!
Prerequisites
Please answer the following questions for yourself before submitting an issue.
- I am running the latest version
- I did read the README!
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
- I'm reporting the issue to the correct repository (for multi-repository projects)
- I have read and checked all configs (with all optional parts)
Expected Behavior
Please describe the behavior you are expecting. If your samples (x64) are stuck in pending, ensure that you set tags=x64 in the hypervisor conf for x64 VMs.
Current Behavior
The AzSniffer module initialization failed with an error, causing the sniffer to not load properly, and as a result, the pcap file was not generated.
Failure Information (for bugs)
```
2024-07-31 20:05:18,651 [lib.cuckoo.core.plugins] ERROR: Failed to load the auxiliary module "<class 'modules.auxiliary.AzSniffer.AzSniffer'>": secret should be a Microsoft Entra application's client secret
Traceback (most recent call last):
  File "/opt/CAPEv2/lib/cuckoo/core/plugins.py", line 125, in start
    current = module()
  File "/opt/CAPEv2/modules/auxiliary/AzSniffer.py", line 48, in __init__
    self.credentials = self._get_credentials()
  File "/opt/CAPEv2/modules/auxiliary/AzSniffer.py", line 58, in _get_credentials
    return ClientSecretCredential(tenant_id=self.tenant_id, client_id=self.client_id, client_secret=self.client_secret)
  File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/azure/identity/_credentials/client_secret.py", line 47, in __init__
    raise ValueError("secret should be a Microsoft Entra application's client secret")
ValueError: secret should be a Microsoft Entra application's client secret
```
Steps to Reproduce
Please provide detailed steps for reproducing the issue.
- Using the default az.conf can trigger the bug.
```ini
#Sniffer configurations
#New sniffer logic implementing Azure Watchers packet capture with either local or blob storage file locations
#the configurations for AzSniffer module will be used to create the dump.pcap file needed for network analysis when using Azure VMSS for Guest VMs
resource_group =
#Storage account where the .cap file will be placed by the Azure Packet Capture, soon the local file path logic will be implemented too
storage_account =
vmss_name =
#location of the network watcher (region name)
location =
tenant_id =
client_secret =
connection_string =
```
Context
Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).
Question | Answer |
---|---|
Git commit | cfbea5e |
OS version | Ubuntu 22.04.1 |
Failure Logs
As shown in the picture, the module created authorization during initialization, but I haven't installed Azure. The initialization failure caused the start function to return, and this affected the subsequent module loading.
The current temporary solution is to directly delete AzSniffer.
If anyone else makes it here: this seems to also break other sniffing tasks (like TCPDump).
Renaming the module file $PATH/modules/auxiliary/AzSniffer.py resolved the issue for me.
```
mv /path/to/install/modules/auxiliary/AzSniffer.py /path/to/install/modules/auxiliary/AzSniffer.py.old
```
Thanks, it worked for me
I have a PR up for this. #2292
@Ravoltek @benweber2 @JohnSmith054 Can you guys try out the changes? You can just copy/paste in the few lines that I added.
@doomedraven This should be closable now.
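
A minimal model of the failure reported in this thread, added here as an example (it is not CAPEv2's code and not the change from the PR mentioned above): one auxiliary module that authenticates in its constructor stops every later module from loading, and a loader that isolates each module keeps packet capture running. `FakeClientSecretCredential` is a stand-in that reproduces only the empty-secret check shown in the traceback; `AzSnifferLike`, `TcpdumpLike`, `start_fail_fast` and `start_isolated` are hypothetical names.

```python
import logging

log = logging.getLogger("aux_loader")

class FakeClientSecretCredential:
    """Stand-in for azure.identity.ClientSecretCredential: empty-secret check only."""
    def __init__(self, tenant_id, client_id, client_secret):
        if not client_secret:
            raise ValueError("secret should be a Microsoft Entra application's client secret")

class AzSnifferLike:
    """Hypothetical module that builds credentials in its constructor, as in the traceback."""
    def __init__(self, conf):
        self.credentials = FakeClientSecretCredential(
            conf.get("tenant_id"), conf.get("client_id"), conf.get("client_secret"))

class TcpdumpLike:
    """Hypothetical second auxiliary module that needs no cloud credentials."""
    def __init__(self, conf):
        self.running = True

def start_fail_fast(modules, conf):
    """Behaviour described in the issue: the first failing module ends loading."""
    started = []
    for module in modules:
        try:
            started.append(module(conf))
        except Exception as exc:
            log.error('Failed to load the auxiliary module "%s": %s', module, exc)
            return started  # everything after the failing module is never started
    return started

def start_isolated(modules, conf):
    """Hardened variant: a failing module is logged and skipped, the rest still load."""
    started = []
    for module in modules:
        try:
            started.append(module(conf))
        except Exception as exc:
            log.error('Failed to load the auxiliary module "%s": %s', module, exc)
    return started

# Constructed sample: the blank credential values of a default az.conf
DEFAULT_AZ_CONF = {"tenant_id": "", "client_id": "", "client_secret": ""}
MODULES = [AzSnifferLike, TcpdumpLike]

if __name__ == "__main__":
    print([type(m).__name__ for m in start_fail_fast(MODULES, DEFAULT_AZ_CONF)])
    print([type(m).__name__ for m in start_isolated(MODULES, DEFAULT_AZ_CONF)])
```

With the blank configuration, the fail-fast loader starts nothing, so no capture module runs for the analysis; the isolated loader still starts the capture module.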