strace streaming terminates unexpectedly, leading to an incomplete behavior tree generation #2740
Description
About accounts on capesandbox.com
- Issues isn't the way to ask for account activation. Ping capesandbox in Twitter with your username
This is open source and you are getting free support so be friendly!
Prerequisites
Please answer the following questions for yourself before submitting an issue.
- I am running the latest version
- I did read the README!
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
- I'm reporting the issue to the correct repository (for multi-repository projects)
- I have read and checked all configs (with all optional parts)
- Asked and no solution about my issue with deepwiki
Expected Behavior
Please describe the behavior you are expecting. If your samples(x64) stuck in pending ensure that you set tags=x64 in hypervisor conf for x64 vms
strace streaming should work without disconnecting abruptly. My log file in guest is more than 20MB but I am able to get only less than 7MB of data.
Current Behavior
What is the current behavior?
The strace logs are not fully streamed from the guest to the host resulting in limited behavior Analysis
Failure Information (for bugs)
Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.
Steps to Reproduce
Please provide detailed steps for reproducing the issue.
- Set up Linux Guest
- Enable strace
- Try any elf or preferably this one from malware bazaar
- Let the analysis complete
Context
Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).
| Question | Answer |
|---|---|
| Git commit | Type $ git log | head -n1 to find out |
| OS version | Ubuntu 16.04, Windows 10, macOS 10.12.3 |
Git commit: b7ede03
OS Version: Linux Ubuntu-2404-noble-amd64-base 6.14.0-34-generic #34~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Sep 23 15:35:20 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Failure Logs
2025-11-04 16:27:33,658 [modules.auxiliary.tracee] INFO: Try to stream
2025-11-04 16:27:33,660 [modules.auxiliary.tracee] INFO: <lib.common.results.NetlogFile object at 0x76010c9da1d0>
2025-11-04 16:27:33,661 [modules.auxiliary.tracee] INFO: Streamstart
2025-11-04 16:27:33,661 [root] DEBUG: Started auxiliary module "Docker"
2025-11-04 16:27:33,667 [lib.core.packages] INFO: sh -c
2025-11-04 16:27:33,667 [lib.core.packages] INFO: sudo strace -o /dev/stderr -s 800 -ttf sh -c /tmp/bd0141e88a0d56b508bc52db
2025-11-04 16:27:33,669 [lib.core.packages] INFO: Process started with strace
2025-11-04 16:27:33,670 [root] INFO: Added new process to list with pid: 3509
2025-11-04 16:27:33,671 [lib.api.process] CRITICAL: Could not get process status for pid 3509
2025-11-04 16:27:33,671 [root] INFO: Process with pid 3509 has terminated
2025-11-04 16:27:33,672 [root] INFO: Process list is empty, terminating analysis
2025-11-04 16:27:33,927 [root] INFO: New child process detected: 3512
2025-11-04 16:27:34,673 [root] INFO: Stopping auxiliary modules
2025-11-04 16:27:34,674 [lib.core.packages] INFO: Strace streaming connection has been closed <-----------
2025-11-04 16:27:34,674 [root] INFO: Stopping auxiliary module: FileCollector
Please include any relevant log snippets or files here.
I have added few other logs while printing but it did not change the functionality.
strace.log
My research:
I tried reading following files and also tried to set retry=True but with no luck
Thank you for your time in advance.