This is due to a bug in the dispatcher/API.  The routing table forwards a copy of the data to every type of nugget that is registered to receive data of that type.  The rzbNugget software receives the data and passes it to all nuggets interested in the data type.  The following is what happens on my system:

Dispatcher routing table follows (3 different types of nuggets interested in PDF_FILE all from the same rzbNugget at 127.0.0.1:10003):
Defense Routing Table
=====================
Data Type: Alert Output Data (9bfc666d-c3d8-55cc-a2a5-4d66d5a50c59)
App Type: Output Nugget (a3d0d1f9-c049-474e-bf01-2128ea00a751)
Nugget ID: 5
Name: ringstinger2
Socket: 127.0.0.1:10003
Nugget Mem Loc: 0x8cec40
Data Type: Adobe Flash (7ab45fff-7c73-412c-8b86-c07619c8fc7d)
App Type: SF - TEST Detector v.2 (90ad2ed4-69ba-11df-8425-33609fdc1302)
Nugget ID: 5
Name: ringstinger2
Socket: 127.0.0.1:10003
Nugget Mem Loc: 0x8cec40
Nugget ID: 5
Name: ringstinger2
Socket: 127.0.0.1:10003
Nugget Mem Loc: 0x8cec40
Data Type: PDF Document (005d5464-7a44-4907-af57-4db08a61e13c)
App Type: Unknown (31d751b9-a79a-01eb-1b69-8c681bde593d)
Nugget ID: 5
Name: ringstinger2
Socket: 127.0.0.1:10003
Nugget Mem Loc: 0x8cec40
App Type: SF - TEST Detector v.2 (90ad2ed4-69ba-11df-8425-33609fdc1302)
Nugget ID: 5
Name: ringstinger2
Socket: 127.0.0.1:10003
Nugget Mem Loc: 0x8cec40
App Type: Unknown (e05c5801-0000-0000-3c99-984cb87f0000)
Nugget ID: 5
Name: ringstinger2
Socket: 127.0.0.1:10003
Nugget Mem Loc: 0x8cec40
Data Type: Suspected Shellcode (4e72c8ec-ff88-4371-a0f0-dfe2b4c733dc)
App Type: Unknown (36ebbbd8-409a-495d-a049-d72ddfebc06e)
Nugget ID: 5
Name: ringstinger2
Socket: 127.0.0.1:10003
Nugget Mem Loc: 0x8cec40
Data Type: SMTP Mail Capture (d147f215-128e-4746-a1e2-b6c978bb1869)
App Type: SF - TEST Detector v.2 (90ad2ed4-69ba-11df-8425-33609fdc1302)
Nugget ID: 5
Name: ringstinger2
Socket: 127.0.0.1:10003
Nugget Mem Loc: 0x8cec40
Data Type: PE Executable (ba9beb5f-0653-4b04-9552-3bfb634ca7fc)
App Type: Unknown (e05c5801-0000-0000-3c99-984cb87f0000)
Nugget ID: 5
Name: ringstinger2
Socket: 127.0.0.1:10003
Nugget Mem Loc: 0x8cec40

The rzbNugget output when I use the collector nugget to send a 2 byte file (0x61 0x0A) is as follows:

Searching for 60b725f10c9c85c70d97880dfe8191b3: Searching for 60b725f10c9c85c70d97880dfe8191b3: Searching for 60b725f10c9c85c70d97880dfe8191b3: Not found
pdf_nugget received 2 bytes of data
sh: /usr/src/nrt/detection/pdf-dissector/dissector.py: not found
Event id: 1
Size: 2
File:

a

Not found
pdf_nugget received 2 bytes of data
Not found
pdf_nugget received 2 bytes of data
sh: /usr/src/nrt/detection/pdf-dissector/dissector.py: not found
Event id: 1
Size: 2
File:

a

sh: /usr/src/nrt/detection/pdf-dissector/dissector.py: not found
Event id: 1
Size: 2
File:

a

The dispatcher sends the data to be inspected by the pdf_dissector nugget and rzbNugget calls the pdf_dissector, simple, and virustotal nuggets.
The dispatcher sends the data to be inspected by the simple nugget and rzbNugget calls the pdf_dissector, simple, and virustotal nuggets.
The dispatcher sends the data to be inspected by the virustotal nugget and rzbNugget calls the pdf_dissector, simple, and virustotal nuggets.

Thus, the file is inspected by all 3 nuggets, 3 times.  This bug will be addressed in the next release.

Ron
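
[Added example, not part of Ron's message and not Razorback code: a small model of the fan-out described above, where the dispatcher sends one copy per registered app type and the nugget host runs every local handler on each copy. The route data is constructed from the dump (app types abbreviated to the first 8 hex digits of their GUIDs), and the targeted mode is a hypothetical correction, since the post does not say how the fix will be made.]

```python
from collections import Counter, defaultdict

# Constructed model of the routing table in the post: data type -> registrations
# as (app type, socket). App types are the first 8 hex digits of the GUIDs shown
# in the dump; every registration points at the same rzbNugget socket.
SOCK = "127.0.0.1:10003"
ROUTES = {
    "PDF Document": [("31d751b9", SOCK), ("90ad2ed4", SOCK), ("e05c5801", SOCK)],
    "PE Executable": [("e05c5801", SOCK)],
}

def deliver(routes, data_type, targeted):
    """Return (copy_sent_for, handler_run) pairs for one submitted block.

    targeted=False models the behaviour described in the post: the dispatcher
    sends one copy per registered app type, and the nugget host runs every
    local handler for that data type on each copy.
    targeted=True is a hypothetical correction (not taken from the post): each
    copy names its app type and the host runs only that handler.
    """
    hosted = defaultdict(list)              # socket -> app types it hosts
    for app, sock in routes[data_type]:
        hosted[sock].append(app)
    calls = []
    for app, sock in routes[data_type]:     # dispatcher: one copy per app type
        handlers = [app] if targeted else hosted[sock]
        calls.extend((app, h) for h in handlers)
    return calls

def runs_per_handler(calls):
    """Count how many times each handler inspected the same block."""
    return Counter(handler for _, handler in calls)

if __name__ == "__main__":
    for dtype in ROUTES:
        for targeted in (False, True):
            calls = deliver(ROUTES, dtype, targeted)
            print(dtype, "targeted" if targeted else "as described",
                  len(calls), dict(runs_per_handler(calls)))
```

With three app types registered for the same data type on one socket, the model gives nine handler runs for a single submitted block, while a data type with one registration is inspected once.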


On Mon, Oct 25, 2010 at 5:14 PM, Jonathan Blount <jjbnq2@mst.edu> wrote:
I was misinterpreting how nuggets connect to the dispatcher and the rzbNugget Server; also, I was confused about the location of the nugget directory.
I built an Ubuntu 10.10 VM, and after dropping virustotal.so.1 in the correct place (/usr/local/lib/razorback/) and restarting rzbNugget, everything works now.  Thanks for the help, Christopher and Ron.

Another issue I have is when I use the collector nugget to send files to the dispatcher, and the file type is PDF_FILE, the output is now printed twice in the rzbNugget window.
I assume this is because two nuggets have registered with the dispatcher to take PDF type data, but I haven't figured out why it's printing output from the nuggets (virustotal, simple, and output_nugget) twice.
When I rerun collector using PE_FILE it only prints once.
Any thoughts?


On Mon, Oct 25, 2010 at 1:18 PM, Christopher McBee <christopher.mcbee@sourcefire.com> wrote:
I tested with http://oss.metaparadigm.com/json-c/json-c-0.9.tar.gz
which is the version shipping with 10.10 currently and it works
without issue.  That should fix the library dependency issue. As for
the segfault, is this on 64-bit or 32-bit Ubuntu 9.10?

2010/10/24 Jonathan Blount <jjbnq2@mst.edu>:
> I'm trying to run Christopher McBee's virustotal nugget from the SVN. I'm
> using a fresh install of Ubuntu 9.10 and got razorback running.
> The problem is with the json library required for virustotal, libjson0-dev
> is in lucid but not karmic, I tried libjson-glib-dev, but couldn't get it to
> work.
> So I found and built json-c from here: http://oss.metaparadigm.com/json-c/
> .  I added my API key to the source and ran make, but when I run it, it seg
> faults.
>
> After a lot of searching, this thread
> http://stackoverflow.com/questions/1691014/qt-application-crashing-immediately-without-debugging-info-how-do-i-track-down
> leads me to believe there's a static initializers problem in the library.
> So I'm back to trying to find a json library, what one should I use in
> Ubuntu 9.10?  Or should I start over in 10.4/10.10?
>
> Thanks,
> Jon
>
> _______________________________________________
> Nuggetfarm-devel mailing list
> Nuggetfarm-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nuggetfarm-devel
>
>