RubyGems - dorothy2 - Versions diffs - 0.0.1 - Mend

dorothy2 0.0.1

Files changed (33) hide show

data/.gitignore +21 -0
data/Gemfile +4 -0
data/LICENSE +644 -0
data/README.md +231 -0
data/Rakefile +1 -0
data/bin/dorothy_start +176 -0
data/bin/dorothy_stop +28 -0
data/bin/dparser_start +66 -0
data/bin/dparser_stop +23 -0
data/dorothy2.gemspec +30 -0
data/etc/ddl/dorothive.ddl +1803 -0
data/etc/dorothy copy.yml.example +39 -0
data/etc/sandboxes.yml.example +20 -0
data/etc/sources.yml.example +32 -0
data/lib/doroParser.rb +518 -0
data/lib/dorothy2/BFM.rb +156 -0
data/lib/dorothy2/MAM.rb +239 -0
data/lib/dorothy2/Settings.rb +35 -0
data/lib/dorothy2/deep_symbolize.rb +67 -0
data/lib/dorothy2/do-init.rb +296 -0
data/lib/dorothy2/do-logger.rb +43 -0
data/lib/dorothy2/do-parsers.rb +468 -0
data/lib/dorothy2/do-utils.rb +223 -0
data/lib/dorothy2/environment.rb +29 -0
data/lib/dorothy2/version.rb +3 -0
data/lib/dorothy2/vtotal.rb +84 -0
data/lib/dorothy2.rb +470 -0
data/share/img/Dorothy-Basic.pdf +0 -0
data/share/img/Setup-Advanced.pdf +0 -0
data/share/img/The_big_picture.pdf +0 -0
data/test/tc_dorothy_full.rb +95 -0
data/var/log/parser.log +0 -0
metadata +260 -0

data/lib/dorothy2/BFM.rb ADDED Viewed

@@ -0,0 +1,156 @@
+# Copyright (C) 2010-2013 marco riccardi.
+# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# See the file 'LICENSE' for copying permission.
+###########################
+###BINARY FETCHER MODULE###
+###					          	###
+###########################
+module Dorothy
+  class DorothyFetcher
+    attr_reader :bins
+    def initialize(source)  #source struct: Hash, {:dir => "#{HOME}/bins/honeypot", :typeid=> 0 ..}
+      ndownloaded = 0
+      @bins = []
+      #case source.honeypot1[:type]
+      case source["type"]
+        when "ssh" then
+          LOGGER.info "BFM", " Fetching trojan from > Honeypot"
+          #file = "/opt/dionaea/var/dionaea/binaries/"
+          #puts "Start to download malware"
+          files = []
+          begin
+            Net::SSH.start(source["ip"], source["user"], :password => source["pass"], :port => source["port"]) do |ssh|
+              ssh.scp.download!(source["remotedir"],source["localdir"], :recursive => true) do |ch, name, sent, total|
+                unless files.include? "#{source["localdir"]}/" + File.basename(name)
+                  ndownloaded += 1
+                  files.push "#{source["localdir"]}/" + File.basename(name)
+                  #			puts ""
+                end
+                #		print "#{File.basename(name)}: #{sent}/#{total}\r"
+                #		$stdout.flush
+              end
+              LOGGER.info "BFM", "#{ndownloaded} files downloaded"
+            end
+          rescue => e
+            LOGGER.error "BFM", "An error occurred while downloading malwares from honeypot sensor: " + $!
+            LOGGER.error "BFM", "Error: #{$!}, #{e.inspect}, #{e.backtrace}"
+          end
+          #DIRTY WORKAROUND for scp-ing only files without directory
+          FileUtils.mv(Dir.glob(source["localdir"] + "/binaries/*"), source["localdir"])
+          Dir.rmdir(source["localdir"] + "/binaries")
+          begin
+            unless DoroSettings.env[:testmode]
+              Net::SSH.start(source["ip"], source["user"], :password => source["pass"], :port => source["port"]) do |ssh|
+                ssh.exec "mv #{source["remotedir"]}/* #{source["remotedir"]}/../analyzed "
+              end
+            end
+          rescue
+            LOGGER.error "BFM", "An error occurred while erasing parsed malwares in the honeypot sensor: " + $!
+          end
+          files.each do |f|
+            next unless load_malw(f, source[skey][:typeid])
+          end
+        when "system" then
+          LOGGER.info "BFM", "Fetching trojan from > filesystem: " + source["localdir"]
+          empty = true
+          Dir.foreach(source["localdir"]) do |file|
+            bin = source["localdir"] + "/" + file
+            next if File.directory?(bin) || !load_malw(bin,source["typeid"])
+            empty = false
+          end
+          LOGGER.warn "BFM", "There are no files to analyze in the selected source" if empty
+        else
+          LOGGER.fatal "BFM", "Source #{skey} is not yet configured"
+      end
+    end
+    private
+    def load_malw(f, typeid, sourceinfo = nil)
+      filename = File.basename f
+      bin = Loadmalw.new(f)
+      if bin.size == 0  || bin.sha.empty?
+        LOGGER.warn "BFM", "Warning - Empty file #{filename}, deleting and skipping.."
+        FileUtils.rm bin.binpath
+        return false
+      end
+      samplevalues = [bin.sha, bin.size, bin.dbtype, bin.dir_bin, filename, bin.md5, bin.type ]
+      sighvalues = [bin.sha, typeid, bin.ctime, "null"]
+      begin
+        updatedb(samplevalues, sighvalues)
+      rescue => e
+        LOGGER.error "DB", $!
+        LOGGER.debug "DB", e.inspect
+        return false
+      end
+      #FileUtils.rm(bin.binpath)
+      @bins.push bin
+    end
+    def updatedb(samplevalues, sighvalues, airisvalues=nil)
+      db = Insertdb.new
+      db.begin_t
+      unless db.select("samples", "hash", samplevalues[0]).one?  #is bin.sha already present in my db?
+        raise "A DB error occurred" unless db.insert("samples", samplevalues)             #no it isn't, insert it
+      else                                                          #yes it is, don't insert in sample table
+        date = db.select("sightings", "sample", samplevalues[0]).first["date"]
+        LOGGER.warn "BFM", " The binary #{samplevalues[0]} has been already added on #{date}"
+      end
+      raise "A DB error occurred" unless db.insert("sightings", sighvalues)
+      # explanation: I don't want to insert/analyze the same malware but I do want to
+      # insert the sighting value anyway ("the malware X has been downloaded 1 time but
+      # has been spoted 32 times")
+      db.commit
+      db.close
+      true
+    end
+  end
+end

data/lib/dorothy2/MAM.rb ADDED Viewed

@@ -0,0 +1,239 @@
+# Copyright (C) 2010-2013 marco riccardi.
+# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# See the file 'LICENSE' for copying permission.
+module Dorothy
+  class Doro_VSM
+    #Creates a new instance for communicating with ESX through the vSpere5's API
+    class ESX
+      def initialize(server,user,pass,vmname,guestuser,guestpass)
+        begin
+          vim = RbVmomi::VIM.connect(:host => server , :user => user, :password=> pass, :insecure => true)
+        rescue Timeout::Error
+          raise "Fail to connect to the ESXi server #{server} - TimeOut (Are you sure that is the right address?)"
+        end
+        @server = server
+        dc = vim.serviceInstance.find_datacenter
+        @vm = dc.find_vm(vmname)
+        raise "Virtual Machine #{vmname} not present within ESX!!" if @vm.nil?
+        om = vim.serviceContent.guestOperationsManager
+        am = om.authManager
+        @pm = om.processManager
+        @fm = om.fileManager
+        #AUTHENTICATION
+        guestauth = {:interactiveSession => false, :username => guestuser, :password => guestpass}
+        @auth=RbVmomi::VIM::NamePasswordAuthentication(guestauth)
+        abort if am.ValidateCredentialsInGuest(:vm => @vm, :auth => @auth) != nil
+      end
+      def revert_vm
+        @vm.RevertToCurrentSnapshot_Task
+      end
+      def copy_file(filename,file)
+        filepath = "C:\\#{filename}" #put md5 hash
+        begin
+          url = @fm.InitiateFileTransferToGuest(:vm => @vm, :auth=> @auth, :guestFilePath=> filepath, :fileSize => file.size, :fileAttributes => '', :overwrite => true).sub('*:443', @server)
+          RestClient.put(url, file)
+        rescue RbVmomi::Fault
+          LOGGER.error "VSM", "Fail to copy the file #{file} to #{@vm}: #{$!}"
+          abort
+        end
+      end
+      def exec_file(filename, arguments="")
+        filepath = "C:\\#{filename}"
+        if File.extname(filename) == ".dll"
+          cmd = { :programPath => "C:\\windows\\system32\\rundll32.exe", :arguments => filepath}
+          LOGGER.info "VSM", ".:: Executing dll #{filename}"
+        else
+          cmd = { :programPath => filepath, :arguments => arguments }
+        end
+        pid = @pm.StartProgramInGuest(:vm => @vm , :auth => @auth, :spec => cmd )
+        pid.to_i
+      end
+      def check_internet
+         exec_file("windows\\system32\\ping.exe", "-n 1 www.google.com")  #make www.google.com customizable, move to doroconf
+      end
+      def get_status(pid)
+        p = @pm.ListProcessesInGuest(:vm => @vm , :auth => @auth, :pids => Array(pid) ).inspect
+        status = (p =~ /exitCode=>([0-9])/ ? $1.to_i : nil )
+        return status
+      end
+      def screenshot
+        a = @vm.CreateScreenshot_Task.wait_for_completion.split(" ")
+        ds = @vm.datastore.find { |ds| ds.name  == a[0].delete("[]")}
+        screenpath = "/vmfs/volumes/" + a[0].delete("[]") + "/" + a[1]
+        return screenpath
+      end
+    end
+    #TODO. Example of how a new VSM´s structure should look like
+    class VirtualBox
+      def initialize
+      end
+      def revert_vm
+      end
+      def copy_file
+      end
+      def exec_file
+      end
+      def check_internet
+      end
+      def get_status
+      end
+      def screenshot
+      end
+    end
+  end
+  class Loadmalw
+    attr_reader :pcaprid
+    attr_reader :type
+    attr_reader :dbtype
+    attr_accessor :sha
+    attr_reader :md5
+    attr_reader :binpath
+    attr_reader :filename
+    attr_reader :ctime
+    attr_reader :size
+    attr_reader :pcapsize
+    attr_reader :extension
+    attr_accessor :sourceinfo   #used for storing info about where the binary come from (if needed)
+    #	attr_accessor :dir_home
+    attr_accessor :dir_pcap
+    attr_accessor :dir_bin
+    attr_accessor :dir_screens
+    attr_accessor :dir_downloads
+    def initialize(file)
+      fm = FileMagic.new
+      sha = Digest::SHA2.new
+      md5 = Digest::MD5.new
+      @binpath = file
+      @filename = File.basename file
+      @extension = File.extname file
+      @dbtype = "null"  #TODO: remove type column in sample table
+      File.open(file, 'rb') do |fh1|
+        while buffer1 = fh1.read(1024)
+          @sha = sha << buffer1
+          @md5 = md5 << buffer1
+        end
+      end
+      @sha = @sha.to_s
+      @md5 = @md5.to_s
+      @sourceinfo = nil
+      timetmp = File.ctime(file)
+      @ctime= timetmp.strftime("%m/%d/%y %H:%M:%S")
+      @type = fm.file(file)
+      if @extension.empty?    #no extension, trying to put the right one..
+        case @type
+          when /^PE32/ then
+            @extension = (@type =~ /DLL/ ? ".dll" : ".exe")
+          when /^MS-DOS/ then
+            @extension = ".bat"
+          when /^HTML/ then
+            @extension = ".html"
+          else
+            @extension = nil
+        end
+      end
+      @size = File.size(file)
+      #  @dir_pcap = "#{ANALYSIS_DIR}/#{@md5}/pcap/"
+      #  @dir_bin = "#{ANALYSIS_DIR}/#{@md5}/bin/"
+      #  @dir_screens = "#{ANALYSIS_DIR}/#{@md5}/screens/"
+      #  @dir_downloads = "#{ANALYSIS_DIR}/#{@md5}/downloads/"
+    end
+    def self.calc_pcaprid(file, size)
+      #t = file.split('/')
+      #dumpname = t[t.length - 1]
+      @pcaprid = Digest::MD5.new
+      @pcaprid << "#{file}:#{size}"
+      @pcaprid =@pcaprid.dup.to_s
+    end
+  end
+  class Doro_NAM
+    #Create a dotothy user in the NSM machine, and add this line to the sudoers :
+    #   dorothy  ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill
+    #
+    def initialize(namdata)
+      @server = namdata[:host]
+      @user= namdata[:user]
+      @pass= namdata[:pass]
+      @port = namdata[:port]
+    end
+    def start_sniffer(vmaddress, interface, name, pcaphome)
+      Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |@ssh|
+        # @ssh.exec "nohup sudo tcpdump -i eth0 -s 1514 -w ~/pcaps/#{name}.pcap host #{vmaddress} > blah.log 2>&1 & "
+        @ssh.exec "nohup sudo tcpdump -i #{interface} -s 1514 -w #{pcaphome}/#{name}.pcap host #{vmaddress} > log.tmp 2>&1 & "
+        t = @ssh.exec!"ps aux |grep #{vmaddress}|grep -v grep|grep -v bash"
+        pid = t.split(" ")[1]
+        return pid.to_i
+      end
+    end
+    def stop_sniffer(pid)
+      Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |ssh|
+        ssh.exec "sudo kill -2 #{pid}"
+        #LOGGER.info "[NAM]".yellow + "Tcpdump instance #{pid} stopped"
+      end
+    end
+  end
+end

data/lib/dorothy2/Settings.rb ADDED Viewed

@@ -0,0 +1,35 @@
+#Thx to morhekil :
+#http://speakmy.name/2011/05/29/simple-configuration-for-ruby-apps/
+module Dorothy
+  module DoroSettings
+    extend self
+    @_settings = {}
+    attr_reader :_settings
+    def load!(filename, options = {})
+      newsets = YAML::load_file(filename).deep_symbolize
+      newsets = newsets[options[:env].to_sym] if \
+                                               options[:env] && \
+                                               newsets[options[:env].to_sym]
+      deep_merge!(@_settings, newsets)
+    end
+    # Deep merging of hashes
+    # deep_merge by Stefan Rusterholz, see http://www.ruby-forum.com/topic/142809
+    def deep_merge!(target, data)
+      merger = proc{|key, v1, v2|
+        Hash === v1 && Hash === v2 ? v1.merge(v2, &merger) : v2 }
+      target.merge! data, &merger
+    end
+    def method_missing(name, *args, &block)
+      @_settings[name.to_sym] ||
+          fail(NoMethodError, "unknown configuration root #{name}", caller)
+    end
+  end
+end

data/lib/dorothy2/deep_symbolize.rb ADDED Viewed

@@ -0,0 +1,67 @@
+# Symbolizes all of hash's keys and subkeys.
+# Also allows for custom pre-processing of keys (e.g. downcasing, etc)
+# if the block is given:
+#
+# somehash.deep_symbolize { |key| key.downcase }
+#
+# Usage: either include it into global Hash class to make it available to
+# to all hashes, or extend only your own hash objects with this
+# module.
+# E.g.:
+# 1) class Hash; include DeepSymbolizable; end
+# 2) myhash.extend DeepSymbolizable
+module DeepSymbolizable
+  class Hash
+    include DeepSymbolizable
+  end
+  def deep_symbolize(&block)
+    method = self.class.to_s.downcase.to_sym
+    syms = DeepSymbolizable::Symbolizers
+    syms.respond_to?(method) ? syms.send(method, self, &block) : self
+  end
+  module Symbolizers
+    extend self
+    # the primary method - symbolizes keys of the given hash,
+    # preprocessing them with a block if one was given, and recursively
+    # going into all nested enumerables
+    def hash(hash, &block)
+      hash.inject({}) do |result, (key, value)|
+        # Recursively deep-symbolize subhashes
+        value = _recurse_(value, &block)
+        # Pre-process the key with a block if it was given
+        key = yield key if block_given?
+        # Symbolize the key string if it responds to to_sym
+        sym_key = key.to_sym rescue key
+        # write it back into the result and return the updated hash
+        result[sym_key] = value
+        result
+      end
+    end
+    # walking over arrays and symbolizing all nested elements
+    def array(ary, &block)
+      ary.map { |v| _recurse_(v, &block) }
+    end
+    # handling recursion - any Enumerable elements (except String)
+    # is being extended with the module, and then symbolized
+    def _recurse_(value, &block)
+      if value.is_a?(Enumerable) && !value.is_a?(String)
+        # support for a use case without extended core Hash
+        value.extend DeepSymbolizable unless value.class.include?(DeepSymbolizable)
+        value = value.deep_symbolize(&block)
+      end
+      value
+    end
+  end
+end
+class Hash; include DeepSymbolizable; end