cuckoo-modified
'BSON message larger than MAX_MESSAGE_LENGTH' For Non-Content File
Hello people, I can't analyze any of the BSON logs. I changed the code a little and tried to see the error, and here it is:
File: netlog.py, line 78
I don't know why the blen variable is really more than MAX_MESSAGE_LENGTH without any content but just 'BSON'
    def read_next_message(self):
        data = self.handler.read(4)          # data: b'BSON'
        blen = struct.unpack("I", data)[0]   # blen: 1313821506
        if blen > MAX_MESSAGE_LENGTH:
            log.critical("BSON message larger than MAX_MESSAGE_LENGTH, "
                         "stopping handler.")
            return False
debug output:
BSON message larger than MAX_MESSAGE_LENGTH, stopping handler.
BSON message larger than MAX_MESSAGE_LENGTH, stopping handler.
BsonParser decoding problem bad eoo on data[:50] b'\n\xe4\x00\x00\x00\x10I\x00\x00\x00\x00\x00\x02name\x00\x0c\x00\x00\x00__process__\x00\x02type\x00\x05\x00\x00\x00info\x00\x02'
no hash no happens :P
I don't really understand. All process logs have the 'BSON' string in their first 4 chars. After the logs are filled, cuckoo logs the same errors. Just the 'BSON' length can't be 1313821506 bits
It can be an encode or decode error, something that is conflicting with the index length.
Can you share a sample? It looks like it reports with a wrong package header
Before the example, extra info would be good.
- I am in debug mode on cuckoomon.
- Is cuckoo decoding .log files into .bson inside the pipe or just analysis process .log files? (I cannot see any .bson file after I debugged cuckoomon, only the .log extension exists.) I am trying to debug from behaviour.py to get BsonParser to work.
- Before fully sending the example, the full results look like this.
I also found this similar issue: https://github.com/cuckoosandbox/cuckoo/issues/520
You need to check how logging works: it starts netlogger and sends BSON data, and you answered your question in the second part.
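The numbers quoted in this thread can be reproduced offline. The following is an added example, not part of the thread and not cuckoo's code: it shows that the four ASCII bytes `BSON`, unpacked as a little-endian length, give exactly 1313821506, and that a reader starting one byte off the real document boundary fails framing. The `MAX_MESSAGE_LENGTH` value, the `BSON\n` tag layout (inferred from the `data[:50]` dump above), the `skip` parameter and all function names are assumptions.

```python
import struct

MAX_MESSAGE_LENGTH = 20 * 1024 * 1024  # assumed cap, not taken from the page

def classify_prefix(prefix):
    """Explain the 4 bytes that read_next_message() unpacks as a length."""
    if len(prefix) < 4:
        return ("truncated", None)
    blen = struct.unpack("<I", prefix[:4])[0]
    if blen <= MAX_MESSAGE_LENGTH:
        return ("length", blen)
    # Four printable ASCII bytes unpack to at least 0x20202020, far above the cap.
    if all(0x20 <= b < 0x7F for b in prefix[:4]):
        return ("ascii-tag", blen)
    return ("oversized", blen)

def split_documents(buf, skip=0):
    """Split back-to-back BSON documents, starting `skip` bytes into buf."""
    docs, pos = [], skip
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated length at offset %d" % pos)
        blen = struct.unpack_from("<I", buf, pos)[0]
        # BSON: the int32 length counts itself and the trailing 0x00 (EOO).
        if blen < 5 or blen > MAX_MESSAGE_LENGTH or pos + blen > len(buf):
            raise ValueError("bad length %d at offset %d" % (blen, pos))
        if buf[pos + blen - 1] != 0:
            raise ValueError("bad EOO at offset %d" % (pos + blen - 1))
        docs.append(buf[pos:pos + blen])
        pos += blen
    return docs

def make_doc(elements):
    """Wrap raw BSON elements in a document (length prefix + EOO)."""
    return struct.pack("<I", len(elements) + 5) + elements + b"\x00"

# Constructed sample: "BSON\n" tag, then two documents holding an int32 "I".
SAMPLE = (b"BSON\n"
          + make_doc(b"\x10I\x00" + struct.pack("<i", 0))
          + make_doc(b"\x10I\x00" + struct.pack("<i", 1)))

if __name__ == "__main__":
    print(classify_prefix(SAMPLE[:4]))
    print(len(split_documents(SAMPLE, skip=5)))
    for skip in (0, 4):  # offset 0 hits the tag, offset 4 hits the newline
        try:
            split_documents(SAMPLE, skip=skip)
        except ValueError as exc:
            print("skip=%d: %s" % (skip, exc))
```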