
AzSniffer module not working properly when sniffing multiple VMSS instances  #2229

@leoiancu21


About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I did read the README!
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read and checked all configs (with all optional parts)

Expected Behavior

The AzSniffer module should correctly create packet captures for multiple machines in a VM Scale Set (VMSS) environment.

Current Behavior

  1. When multiple machines are present inside a VMSS, the analysis module generates an incorrect folder structure:
    ...network-watcher-logs/Packet_Capture_{task_id}/{machine_name}_Packet_Capture_{task_id}
    This structure is not correctly aligned with the code.

  2. The AzSniffer module fails to create packet captures for individual VMs within the VMSS, resulting in an "UnsupportedTargetResourceId" error.

Failure Information (for bugs)

Steps to Reproduce

  1. Set up a VMSS environment in Azure for CAPESandbox
  2. Attempt to run an analysis that involves packet capture using the AzSniffer module
  3. Observe the error in the logs and the incorrect folder structure

Context

| Question | Answer |
|---|---|
| Git commit | (User needs to provide this information) |
| OS version | (User needs to provide this information) |

Additional context:

  • Environment: Azure VM Scale Set (VMSS)
  • Module: AzSniffer

Network Watchers are based on:

  • VM
  • VirtualNetwork
  • Subnet
  • VMScaleSet

The current implementation seems to be targeting individual VMs within the VMSS, which is not supported.

Failure Logs

2024-07-13 17:41:45,263 [msal.authority] INFO: Initializing with Entra authority: https://login.microsoftonline.com/[TENANT_ID]
2024-07-13 17:41:46,101 [modules.auxiliary.AzSniffer] ERROR: Azure error occurred while creating packet capture: (UnsupportedTargetResourceId) Target resource identifier /subscriptions/[SUBSCRIPTION_ID]/resourceGroups/[RESOURCE_GROUP]/providers/Microsoft.Compute/virtualMachineScaleSets/[VMSS_NAME]/virtualMachines/10/networkInterfaces/[NIC_NAME] is not an allowed target resource. The supported resource types for the target resource are VM, VirtualNetwork, Subnet, VMScaleSet.
Code: UnsupportedTargetResourceId
Message: Target resource identifier /subscriptions/[SUBSCRIPTION_ID]/resourceGroups/[RESOURCE_GROUP]/providers/Microsoft.Compute/virtualMachineScaleSets/[VMSS_NAME]/virtualMachines/10/networkInterfaces/[NIC_NAME] is not an allowed target resource. The supported resource types for the target resource are VM, VirtualNetwork, Subnet, VMScaleSet.
2024-07-13 17:41:46,101 [lib.cuckoo.core.plugins] WARNING: Unable to start auxiliary module AzSniffer: (UnsupportedTargetResourceId) Target resource identifier /subscriptions/[SUBSCRIPTION_ID]/resourceGroups/[RESOURCE_GROUP]/providers/Microsoft.Compute/virtualMachineScaleSets/[VMSS_NAME]/virtualMachines/10/networkInterfaces/[NIC_NAME] is not an allowed target resource. The supported resource types for the target resource are VM, VirtualNetwork, Subnet, VMScaleSet.
Code: UnsupportedTargetResourceId
Message: Target resource identifier /subscriptions/[SUBSCRIPTION_ID]/resourceGroups/[RESOURCE_GROUP]/providers/Microsoft.Compute/virtualMachineScaleSets/[VMSS_NAME]/virtualMachines/10/networkInterfaces/[NIC_NAME] is not an allowed target resource. The supported resource types for the target resource are VM, VirtualNetwork, Subnet, VMScaleSet.

I'm opening this issue to track the fix and then publish it in the public repo too. I'm already working on this by myself, so no help is expected; still, if anyone has suggestions or ideas, I will be more than happy to hear them.
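
A pre-flight check for the failure in the logs above, as an added example that is not part of the original issue or of CAPE's AzSniffer code: it parses an ARM resource ID, tests it against the four target types the error message lists, and for an ID nested under a scale set returns the parent VMSS ID and instance ID. The function names are hypothetical, the sample ID is built from the redacted log line, and what a fix should do with the parent VMSS ID is left open.

```python
import re

# ARM resource types for the targets the error message on this page allows
# (VM, VirtualNetwork, Subnet, VMScaleSet); keys are lowercased for comparison.
SUPPORTED = {
    "microsoft.compute/virtualmachines": "VM",
    "microsoft.network/virtualnetworks": "VirtualNetwork",
    "microsoft.network/virtualnetworks/subnets": "Subnet",
    "microsoft.compute/virtualmachinescalesets": "VMScaleSet",
}
# Constructed sample: the rejected target from the failure log, placeholders kept.
REJECTED_ID = ("/subscriptions/[SUBSCRIPTION_ID]/resourceGroups/[RESOURCE_GROUP]"
               "/providers/Microsoft.Compute/virtualMachineScaleSets/[VMSS_NAME]"
               "/virtualMachines/10/networkInterfaces/[NIC_NAME]")

_ARM = re.compile(r"^(/subscriptions/[^/]+/resourceGroups/[^/]+)/providers/([^/]+)/(.+)$", re.I)

def parse_arm_id(resource_id):
    """Split an ARM ID into (scope prefix, provider, [(type, name), ...])."""
    m = _ARM.match(resource_id.strip())
    if not m:
        raise ValueError("not a provider-scoped ARM resource ID")
    parts = m.group(3).strip("/").split("/")
    if len(parts) % 2:
        raise ValueError("type/name segments are not paired")
    return m.group(1), m.group(2), list(zip(parts[0::2], parts[1::2]))

def classify_target(resource_id):
    """Return the supported target kind, or None if the ID is not in the allowed set."""
    _, provider, pairs = parse_arm_id(resource_id)
    full_type = provider + "/" + "/".join(t for t, _ in pairs)
    return SUPPORTED.get(full_type.lower())

def vmss_fallback(resource_id):
    """For an ID nested under a scale set, return (vmss_id, instance_id or None)."""
    prefix, provider, pairs = parse_arm_id(resource_id)
    if provider.lower() != "microsoft.compute" or pairs[0][0].lower() != "virtualmachinescalesets":
        return None
    vmss_id = f"{prefix}/providers/{provider}/{pairs[0][0]}/{pairs[0][1]}"
    nested_vm = len(pairs) > 1 and pairs[1][0].lower() == "virtualmachines"
    instance = pairs[1][1] if nested_vm else None
    return vmss_id, instance

if __name__ == "__main__":
    print("rejected target kind:", classify_target(REJECTED_ID))
    print("parent VMSS and instance:", vmss_fallback(REJECTED_ID))
```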
