Malware / ANNE -FAQ
From CSRRT-LU
A first step is to look at anne.log and anne_web.log; these files normally record the detailed behaviour and the cause of errors. A general approach is to run the tests and observe the behaviour.
On which platforms does anne run?
Anne is designed for *nix platforms but has so far been tested on a Gentoo r3 Linux.
Installer fails
When you get the following error:
    gerard@haegar ~/anne/anne-backend $ ./install.sh
    Check installer integrity ... [ok]
    Check distribution integrity ... t/test.txt not found, abort
You have an outdated installer. Go into the install directory, grep for the name of the file that was not found, and remove that line from the appropriate file inside your install directory.
    cd install
    grep "test.txt" *
    vim belist
How to run tests?
Go to the directory ./t and start the script ./allTests.sh
I get no result at all from anne server
You have to be sure that your UML is running correctly. The anne daemon cleans your UML, copies your binary into your UML via SSH, starts the simulation and collects the results.
Web interface cannot access the anne server / daemon
In case you often get the following error message:
It is not possible to process your job. It might be that the anlysis core is not available or busy.
It might be that the anne server and the anne daemon are not running. When you start ./startAnne.sh and ./startAnneProc.sh, your console should be blocked. Once anne runs properly, you can start the scripts followed by the character & so that they run in the background.
There is no sandbox output
Every item in the sandbox section is set to " information not avaialable ". In that case, when you check anne.log you will see that the anne daemon could not communicate with your UML (cannot clean UML, binary deployment failed). The user that runs the anne server and daemon must have SSH keys installed inside your UML, so that no password is asked for when accessing your UML. A simple test is described below:
    su anne    # user under which the anne server and daemon run
    ssh -p 10022 -l wein 192.168.5.2 ls /
If you are not asked for a password, everything is fine. A next step is to enter your UML via SSH, run a simulation manually and observe the results.
    gerard@haegar ~ $ ssh -p 10022 -l wein 192.168.5.2
    Last login: Fri Jul 28 18:48:42 2006
    Welcome to haegar's UML ...
    wein@hgrum ~ $ cd /home/wein
    wein@hgrum ~ $ ls
    TestTools.sh        demo.exe  sandbox        tools.sh
    cleanExe.sh         exe       simulation.rc  wine_unmodified
    createCleanWine.sh  reports   startSim.sh    winesim.log
    wein@hgrum ~ $ ./cleanExe.sh
    wein@hgrum ~ $ cp demo.exe ./exe/
    wein@hgrum ~ $ ./startSim.sh
    wein@hgrum ~ $ ls ./reports/
    demo.diff  demo.wine  demo_wine_dir.tar.bz2  winesim.log
    wein@hgrum ~ $
First the simulation environment is cleaned, then demo.exe is copied into the exe directory, and then the simulation is started. At the end, the raw results are in the reports directory. The behaviour of the simulation is logged in the file winesim.log. You can modify the file simulation.rc to configure the simulation scripts.
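The passwordless SSH test above can be scripted so that it fails instead of waiting at a password prompt, and so that a missing key is told apart from a UML that is not running. This is an added example, not part of ANNE; host, port and user are the values shown on this page, while the script name check_uml.sh, the SSH override variable and the result labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of ANNE): preflight check for key-based SSH into the UML.
# Host, port and user are the values from this page; override them via environment.
UML_HOST="${UML_HOST:-192.168.5.2}"
UML_PORT="${UML_PORT:-10022}"
UML_USER="${UML_USER:-wein}"
SSH="${SSH:-ssh}"   # assumption: overridable so the check can be exercised without a UML

# Prints one of: ok | need-key | unreachable | remote-error
check_uml_ssh() {
    rc=0
    # BatchMode=yes: ssh never prompts, so a missing key fails instead of hanging.
    out=$("$SSH" -o BatchMode=yes -o ConnectTimeout=5 \
          -p "$UML_PORT" -l "$UML_USER" "$UML_HOST" ls / 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 255 ]; then
        # 255 is ssh's own failure code, as opposed to the remote command's status.
        case "$out" in
            *"Permission denied"*) echo need-key ;;
            *) echo unreachable ;;
        esac
    else
        echo remote-error
    fi
}

# Run only when asked, as the user that runs the anne server and daemon, e.g.:
#   su anne -c './check_uml.sh --run'      (check_uml.sh is a hypothetical file name)
if [ "${1:-}" = "--run" ]; then
    result=$(check_uml_ssh)
    case "$result" in
        ok)           echo "UML reachable without a password" ;;
        need-key)     echo "no usable SSH key: add this user's public key inside the UML" ;;
        unreachable)  echo "UML not running or SSH port not reachable" ;;
        remote-error) echo "login works but 'ls /' failed inside the UML" ;;
    esac
    [ "$result" = ok ]
fi
```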
Web Interface displays some warnings
In case the anne web interface displays the following warning:
Warning: fopen(/tmp/anne/var/log/anneweb.log): failed to open stream: No such file or directory in /var/www/localhost/htdocs/anneweb/admin/index.php on line 71
The web server cannot write to the local log file. You can change the ownership of that file to the web server's user or simply change the file permissions.

