'BSON message larger than MAX_MESSAGE_LENGTH' For Non-Content File

[sust4in]

Hello people, i cant analyze any of bson logs. i changed the code little and tried to see error. and there is;

File:

netlog.py line - 78

I dont know why blen variable is really more than max_message_lenght without any content but just 'BSON'

    def read_next_message(self):
        data = self.handler.read(4) --------------- data : b'BSON'
        blen = struct.unpack("I", data)[0] ----------- blen: 1313821506
        if blen > MAX_MESSAGE_LENGTH:
            log.critical("BSON message larger than MAX_MESSAGE_LENGTH, "
                         "stopping handler.")
            return False

debug output:

BSON message larger than MAX_MESSAGE_LENGTH, stopping handler.
BSON message larger than MAX_MESSAGE_LENGTH, stopping handler.

BsonParser decoding problem bad eoo on data[:50] b'\n\xe4\x00\x00\x00\x10I\x00\x00\x00\x00\x00\x02name\x00\x0c\x00\x00\x00__process__\x00\x02type\x00\x05\x00\x00\x00info\x00\x02'

[doomedraven]

no hash no happens :P

[sust4in]

I dont really understand. all process logs has 'BSON' string on their first 4 chars.
after the logs fullfilled, cuckoo logs same errors. Just 'BSON' lenght cant be 1313821506 bits

it can be encode or decode error, something that conflicting with index lenght.

[doomedraven]

can you share sample? it looks like it report with wring package header

[sust4in]

before the example,
extra info would be good.

• i am in debug mode on cuckoomon,
  

• is cuckoo decoding .log files into .bson inside the pipe or just analysis process .log files? (i cannot see any .bson file after i debugged cuckoomon, just .log extension exist.)
  i am trying to debug from behaviour.py for getting BsonParser into work.

• before the fully sending example. the full results looks like this.
  

i also found this similar cuckoosandbox/cuckoo#520

[doomedraven]

you need to check how logging working, it start netlogger and send bson data, and you answered your question in second part