chopshop
Exception in thread ChopUi
Uploading webshell_chopper_decode.py.txt…
I am trying to get chopshop to decode chopper webshell traffic on an Ubuntu 14.04 LTS SIFT VM and have hit a snag with the webshell_chopper_decoder.py module. I haven't been able to locate any other resources online to assist with this issue. Any help is appreciated.
python chopshop -f ~/pcaps/test.pcap 'http | http_extractor | webshell_chopper_decode' > chopper.txt
Exception in thread ChopUi:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
    self.run()
  File "/usr/local/libexec/chopshop/shop/ChopUi.py", line 218, in run
    self.stdclass.handle_ctrl(message)
  File "/usr/local/libexec/chopshop/shop/ChopUiStd.py", line 191, in handle_ctrl
    raise ChopLibException("Error Shown Above")
ChopLibException: 'Error Shown Above'
I have confirmed the required modules are fine.
make dependency-check
Checking dependencies...
Checking python...
Python OK: Python 2.7.6
Checking pynids...
pynids OK
Checking pymongo...
pymongo OK
Checking htpy...
htpy OK
Checking dnslib...
dnslib OK
Checking yaraprocessor...
yaraprocessor OK
Checking pylibemu...
pylibemu OK
Checking M2Crypto...
M2Crypto OK
Not sure if it's related or not, but the http_extractor module, assuming you're using the one from the base and not a custom one, doesn't output anything for downstream modules so there shouldn't be anything to the right of it, although it can be used in a tee.
Also, although output redirection works, I'd recommend using the -F flag to output to files. If you want it all to go to a single file, this should work: -F "foo.txt" or you can separate it by component by doing -F "/somedirectory/%N.txt"
Take a look at your chopper.txt file. The exception output that you saw says "Error Shown Above", and it means above the exception output, which more than likely got logged to chopper.txt.
Thanks for your quick reply. I re-ran without output redirection and found that the script can't find webshell_chopper_decode, but the module is located in /home/user/Scripts/chopshop/modules with the rest of the modules.
Traceback (most recent call last):
  File "/usr/local/libexec/chopshop/shop/ChopLib.py", line 491, in __loadModules_
    (file, pathname, description) = imp.find_module(name, path)
ImportError: No module named webshell_chopper_decode
Ah, yeah, that's because your installation is system-wide and your modules are not. You'll need to inform chopshop where your custom modules are by using either the -B or -M flags, or, further, you can create a config file so chopshop can pick up that information without manually passing flags. Take a look at the chopshop documentation in the 'User Defined Directories' section for more details about the -B, -E, and -M flags and for creating config files.
https://chopshop.readthedocs.io/en/latest/chopshop/chopshop_usage.html#user-defined-directories
https://chopshop.readthedocs.io/en/latest/chopshop/chopshop_usage.html#configuration-files
That makes complete sense. I will get that done today and report back. Thank you again for your help.
Using the -M flag resolved the issue.
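A pre-flight check for the failure in this thread, added here as an example and not part of chopshop or of any post above: it lists which modules named in a pipeline string are missing from a given module directory, so the ImportError can be spotted before a run. It assumes stages are separated by `|`, that the first word of a stage is the module name, and that each module is a `<name>.py` file; the function names and the temporary directory layout are constructed for the demonstration.

```python
import os
import tempfile


def pipeline_modules(pipeline):
    """Return module names from a pipeline such as 'http | a | b'.

    Assumption: '|' separates stages and the first token of a stage is the
    module name; anything after it is treated as module arguments.
    """
    names = []
    for stage in pipeline.split("|"):
        tokens = stage.split()
        if tokens and tokens[0] not in names:
            names.append(tokens[0])
    return names


def locate_modules(pipeline, module_dirs):
    """Map each module name to the first directory holding <name>.py, else None."""
    found = {}
    for name in pipeline_modules(pipeline):
        found[name] = None
        for directory in module_dirs:
            candidate = os.path.join(os.path.expanduser(directory), name + ".py")
            if os.path.isfile(candidate):
                found[name] = directory
                break
    return found


def demo():
    """Constructed layout: a system-wide module dir without the custom decoder,
    and a user module dir that holds it with the rest of the modules."""
    pipeline = "http | http_extractor | webshell_chopper_decode"
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "system_modules")
        user_dir = os.path.join(root, "user_modules")
        layout = {system_dir: ["http", "http_extractor"],
                  user_dir: ["http", "http_extractor", "webshell_chopper_decode"]}
        for directory, names in layout.items():
            os.makedirs(directory)
            for name in names:
                open(os.path.join(directory, name + ".py"), "w").close()
        before = locate_modules(pipeline, [system_dir])  # default lookup
        after = locate_modules(pipeline, [user_dir])     # directory given explicitly
    return before, after


if __name__ == "__main__":
    for label, result in zip(("system dir", "user dir"), demo()):
        missing = [name for name, where in result.items() if where is None]
        print(label, "missing:", missing or "none")
```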