RubyGems - dorothy2 - Versions diffs - 0.0.1 - Mend

dorothy2 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

data/.gitignore +21 -0
data/Gemfile +4 -0
data/LICENSE +644 -0
data/README.md +231 -0
data/Rakefile +1 -0
data/bin/dorothy_start +176 -0
data/bin/dorothy_stop +28 -0
data/bin/dparser_start +66 -0
data/bin/dparser_stop +23 -0
data/dorothy2.gemspec +30 -0
data/etc/ddl/dorothive.ddl +1803 -0
data/etc/dorothy copy.yml.example +39 -0
data/etc/sandboxes.yml.example +20 -0
data/etc/sources.yml.example +32 -0
data/lib/doroParser.rb +518 -0
data/lib/dorothy2/BFM.rb +156 -0
data/lib/dorothy2/MAM.rb +239 -0
data/lib/dorothy2/Settings.rb +35 -0
data/lib/dorothy2/deep_symbolize.rb +67 -0
data/lib/dorothy2/do-init.rb +296 -0
data/lib/dorothy2/do-logger.rb +43 -0
data/lib/dorothy2/do-parsers.rb +468 -0
data/lib/dorothy2/do-utils.rb +223 -0
data/lib/dorothy2/environment.rb +29 -0
data/lib/dorothy2/version.rb +3 -0
data/lib/dorothy2/vtotal.rb +84 -0
data/lib/dorothy2.rb +470 -0
data/share/img/Dorothy-Basic.pdf +0 -0
data/share/img/Setup-Advanced.pdf +0 -0
data/share/img/The_big_picture.pdf +0 -0
data/test/tc_dorothy_full.rb +95 -0
data/var/log/parser.log +0 -0
metadata +260 -0

data/lib/dorothy2/BFM.rb ADDED Viewed

@@ -0,0 +1,156 @@
+# Copyright (C) 2010-2013 marco riccardi.
+# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# See the file 'LICENSE' for copying permission.
+###########################
+###BINARY FETCHER MODULE###
+###					          	###
+###########################
+module Dorothy
+  class DorothyFetcher
+    attr_reader :bins
+    def initialize(source)  #source struct: Hash, {:dir => "#{HOME}/bins/honeypot", :typeid=> 0 ..}
+      ndownloaded = 0
+      @bins = []
+      #case source.honeypot1[:type]
+      case source["type"]
+        when "ssh" then
+          LOGGER.info "BFM", " Fetching trojan from > Honeypot"
+          #file = "/opt/dionaea/var/dionaea/binaries/"
+          #puts "Start to download malware"
+          files = []
+          begin
+            Net::SSH.start(source["ip"], source["user"], :password => source["pass"], :port => source["port"]) do |ssh|
+              ssh.scp.download!(source["remotedir"],source["localdir"], :recursive => true) do |ch, name, sent, total|
+                unless files.include? "#{source["localdir"]}/" + File.basename(name)
+                  ndownloaded += 1
+                  files.push "#{source["localdir"]}/" + File.basename(name)
+                  #			puts ""
+                end
+                #		print "#{File.basename(name)}: #{sent}/#{total}\r"
+                #		$stdout.flush
+              end
+              LOGGER.info "BFM", "#{ndownloaded} files downloaded"
+            end
+          rescue => e
+            LOGGER.error "BFM", "An error occurred while downloading malwares from honeypot sensor: " + $!
+            LOGGER.error "BFM", "Error: #{$!}, #{e.inspect}, #{e.backtrace}"
+          end
+          #DIRTY WORKAROUND for scp-ing only files without directory
+          FileUtils.mv(Dir.glob(source["localdir"] + "/binaries/*"), source["localdir"])
+          Dir.rmdir(source["localdir"] + "/binaries")
+          begin
+            unless DoroSettings.env[:testmode]
+              Net::SSH.start(source["ip"], source["user"], :password => source["pass"], :port => source["port"]) do |ssh|
+                ssh.exec "mv #{source["remotedir"]}/* #{source["remotedir"]}/../analyzed "
+              end
+            end
+          rescue
+            LOGGER.error "BFM", "An error occurred while erasing parsed malwares in the honeypot sensor: " + $!
+          end
+          files.each do |f|
+            next unless load_malw(f, source[skey][:typeid])
+          end
+        when "system" then
+          LOGGER.info "BFM", "Fetching trojan from > filesystem: " + source["localdir"]
+          empty = true
+          Dir.foreach(source["localdir"]) do |file|
+            bin = source["localdir"] + "/" + file
+            next if File.directory?(bin) || !load_malw(bin,source["typeid"])
+            empty = false
+          end
+          LOGGER.warn "BFM", "There are no files to analyze in the selected source" if empty
+        else
+          LOGGER.fatal "BFM", "Source #{skey} is not yet configured"
+      end
+    end
+    private
+    def load_malw(f, typeid, sourceinfo = nil)
+      filename = File.basename f
+      bin = Loadmalw.new(f)
+      if bin.size == 0  || bin.sha.empty?
+        LOGGER.warn "BFM", "Warning - Empty file #{filename}, deleting and skipping.."
+        FileUtils.rm bin.binpath
+        return false
+      end
+      samplevalues = [bin.sha, bin.size, bin.dbtype, bin.dir_bin, filename, bin.md5, bin.type ]
+      sighvalues = [bin.sha, typeid, bin.ctime, "null"]
+      begin
+        updatedb(samplevalues, sighvalues)
+      rescue => e
+        LOGGER.error "DB", $!
+        LOGGER.debug "DB", e.inspect
+        return false
+      end
+      #FileUtils.rm(bin.binpath)
+      @bins.push bin
+    end
+    def updatedb(samplevalues, sighvalues, airisvalues=nil)
+      db = Insertdb.new
+      db.begin_t
+      unless db.select("samples", "hash", samplevalues[0]).one?  #is bin.sha already present in my db?
+        raise "A DB error occurred" unless db.insert("samples", samplevalues)             #no it isn't, insert it
+      else                                                          #yes it is, don't insert in sample table
+        date = db.select("sightings", "sample", samplevalues[0]).first["date"]
+        LOGGER.warn "BFM", " The binary #{samplevalues[0]} has been already added on #{date}"
+      end
+      raise "A DB error occurred" unless db.insert("sightings", sighvalues)
+      # explanation: I don't want to insert/analyze the same malware but I do want to
+      # insert the sighting value anyway ("the malware X has been downloaded 1 time but
+      # has been spoted 32 times")
+      db.commit
+      db.close
+      true
+    end
+  end
+end

data/lib/dorothy2/MAM.rb ADDED Viewed

@@ -0,0 +1,239 @@
+# Copyright (C) 2010-2013 marco riccardi.
+# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# See the file 'LICENSE' for copying permission.
+module Dorothy
+  class Doro_VSM
+    #Creates a new instance for communicating with ESX through the vSpere5's API
+    class ESX
+      def initialize(server,user,pass,vmname,guestuser,guestpass)
+        begin
+          vim = RbVmomi::VIM.connect(:host => server , :user => user, :password=> pass, :insecure => true)
+        rescue Timeout::Error
+          raise "Fail to connect to the ESXi server #{server} - TimeOut (Are you sure that is the right address?)"
+        end
+        @server = server
+        dc = vim.serviceInstance.find_datacenter
+        @vm = dc.find_vm(vmname)
+        raise "Virtual Machine #{vmname} not present within ESX!!" if @vm.nil?
+        om = vim.serviceContent.guestOperationsManager
+        am = om.authManager
+        @pm = om.processManager
+        @fm = om.fileManager
+        #AUTHENTICATION
+        guestauth = {:interactiveSession => false, :username => guestuser, :password => guestpass}
+        @auth=RbVmomi::VIM::NamePasswordAuthentication(guestauth)
+        abort if am.ValidateCredentialsInGuest(:vm => @vm, :auth => @auth) != nil
+      end
+      def revert_vm
+        @vm.RevertToCurrentSnapshot_Task
+      end
+      def copy_file(filename,file)
+        filepath = "C:\\#{filename}" #put md5 hash
+        begin
+          url = @fm.InitiateFileTransferToGuest(:vm => @vm, :auth=> @auth, :guestFilePath=> filepath, :fileSize => file.size, :fileAttributes => '', :overwrite => true).sub('*:443', @server)
+          RestClient.put(url, file)
+        rescue RbVmomi::Fault
+          LOGGER.error "VSM", "Fail to copy the file #{file} to #{@vm}: #{$!}"
+          abort
+        end
+      end
+      def exec_file(filename, arguments="")
+        filepath = "C:\\#{filename}"
+        if File.extname(filename) == ".dll"
+          cmd = { :programPath => "C:\\windows\\system32\\rundll32.exe", :arguments => filepath}
+          LOGGER.info "VSM", ".:: Executing dll #{filename}"
+        else
+          cmd = { :programPath => filepath, :arguments => arguments }
+        end
+        pid = @pm.StartProgramInGuest(:vm => @vm , :auth => @auth, :spec => cmd )
+        pid.to_i
+      end
+      def check_internet
+         exec_file("windows\\system32\\ping.exe", "-n 1 www.google.com")  #make www.google.com customizable, move to doroconf
+      end
+      def get_status(pid)
+        p = @pm.ListProcessesInGuest(:vm => @vm , :auth => @auth, :pids => Array(pid) ).inspect
+        status = (p =~ /exitCode=>([0-9])/ ? $1.to_i : nil )
+        return status
+      end
+      def screenshot
+        a = @vm.CreateScreenshot_Task.wait_for_completion.split(" ")
+        ds = @vm.datastore.find { |ds| ds.name  == a[0].delete("[]")}
+        screenpath = "/vmfs/volumes/" + a[0].delete("[]") + "/" + a[1]
+        return screenpath
+      end
+    end
+    #TODO. Example of how a new VSM´s structure should look like
+    class VirtualBox
+      def initialize
+      end
+      def revert_vm
+      end
+      def copy_file
+      end
+      def exec_file
+      end
+      def check_internet
+      end
+      def get_status
+      end
+      def screenshot
+      end
+    end
+  end
+  class Loadmalw
+    attr_reader :pcaprid
+    attr_reader :type
+    attr_reader :dbtype
+    attr_accessor :sha
+    attr_reader :md5
+    attr_reader :binpath
+    attr_reader :filename
+    attr_reader :ctime
+    attr_reader :size
+    attr_reader :pcapsize
+    attr_reader :extension
+    attr_accessor :sourceinfo   #used for storing info about where the binary come from (if needed)
+    #	attr_accessor :dir_home
+    attr_accessor :dir_pcap
+    attr_accessor :dir_bin
+    attr_accessor :dir_screens
+    attr_accessor :dir_downloads
+    def initialize(file)
+      fm = FileMagic.new
+      sha = Digest::SHA2.new
+      md5 = Digest::MD5.new
+      @binpath = file
+      @filename = File.basename file
+      @extension = File.extname file
+      @dbtype = "null"  #TODO: remove type column in sample table
+      File.open(file, 'rb') do |fh1|
+        while buffer1 = fh1.read(1024)
+          @sha = sha << buffer1
+          @md5 = md5 << buffer1
+        end
+      end
+      @sha = @sha.to_s
+      @md5 = @md5.to_s
+      @sourceinfo = nil
+      timetmp = File.ctime(file)
+      @ctime= timetmp.strftime("%m/%d/%y %H:%M:%S")
+      @type = fm.file(file)
+      if @extension.empty?    #no extension, trying to put the right one..
+        case @type
+          when /^PE32/ then
+            @extension = (@type =~ /DLL/ ? ".dll" : ".exe")
+          when /^MS-DOS/ then
+            @extension = ".bat"
+          when /^HTML/ then
+            @extension = ".html"
+          else
+            @extension = nil
+        end
+      end
+      @size = File.size(file)
+      #  @dir_pcap = "#{ANALYSIS_DIR}/#{@md5}/pcap/"
+      #  @dir_bin = "#{ANALYSIS_DIR}/#{@md5}/bin/"
+      #  @dir_screens = "#{ANALYSIS_DIR}/#{@md5}/screens/"
+      #  @dir_downloads = "#{ANALYSIS_DIR}/#{@md5}/downloads/"
+    end
+    def self.calc_pcaprid(file, size)
+      #t = file.split('/')
+      #dumpname = t[t.length - 1]
+      @pcaprid = Digest::MD5.new
+      @pcaprid << "#{file}:#{size}"
+      @pcaprid =@pcaprid.dup.to_s
+    end
+  end
+  class Doro_NAM
+    #Create a dotothy user in the NSM machine, and add this line to the sudoers :
+    #   dorothy  ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill
+    #
+    def initialize(namdata)
+      @server = namdata[:host]
+      @user= namdata[:user]
+      @pass= namdata[:pass]
+      @port = namdata[:port]
+    end
+    def start_sniffer(vmaddress, interface, name, pcaphome)
+      Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |@ssh|
+        # @ssh.exec "nohup sudo tcpdump -i eth0 -s 1514 -w ~/pcaps/#{name}.pcap host #{vmaddress} > blah.log 2>&1 & "
+        @ssh.exec "nohup sudo tcpdump -i #{interface} -s 1514 -w #{pcaphome}/#{name}.pcap host #{vmaddress} > log.tmp 2>&1 & "
+        t = @ssh.exec!"ps aux |grep #{vmaddress}|grep -v grep|grep -v bash"
+        pid = t.split(" ")[1]
+        return pid.to_i
+      end
+    end
+    def stop_sniffer(pid)
+      Net::SSH.start(@server, @user, :password => @pass, :port =>@port) do |ssh|
+        ssh.exec "sudo kill -2 #{pid}"
+        #LOGGER.info "[NAM]".yellow + "Tcpdump instance #{pid} stopped"
+      end
+    end
+  end
+end

data/lib/dorothy2/Settings.rb ADDED Viewed

@@ -0,0 +1,35 @@
+#Thx to morhekil :
+#http://speakmy.name/2011/05/29/simple-configuration-for-ruby-apps/
+module Dorothy
+  module DoroSettings
+    extend self
+    @_settings = {}
+    attr_reader :_settings
+    def load!(filename, options = {})
+      newsets = YAML::load_file(filename).deep_symbolize
+      newsets = newsets[options[:env].to_sym] if \
+                                               options[:env] && \
+                                               newsets[options[:env].to_sym]
+      deep_merge!(@_settings, newsets)
+    end
+    # Deep merging of hashes
+    # deep_merge by Stefan Rusterholz, see http://www.ruby-forum.com/topic/142809
+    def deep_merge!(target, data)
+      merger = proc{|key, v1, v2|
+        Hash === v1 && Hash === v2 ? v1.merge(v2, &merger) : v2 }
+      target.merge! data, &merger
+    end
+    def method_missing(name, *args, &block)
+      @_settings[name.to_sym] ||
+          fail(NoMethodError, "unknown configuration root #{name}", caller)
+    end
+  end
+end

data/lib/dorothy2/deep_symbolize.rb ADDED Viewed

@@ -0,0 +1,67 @@
+# Symbolizes all of hash's keys and subkeys.
+# Also allows for custom pre-processing of keys (e.g. downcasing, etc)
+# if the block is given:
+#
+# somehash.deep_symbolize { |key| key.downcase }
+#
+# Usage: either include it into global Hash class to make it available to
+# to all hashes, or extend only your own hash objects with this
+# module.
+# E.g.:
+# 1) class Hash; include DeepSymbolizable; end
+# 2) myhash.extend DeepSymbolizable
+module DeepSymbolizable
+  class Hash
+    include DeepSymbolizable
+  end
+  def deep_symbolize(&block)
+    method = self.class.to_s.downcase.to_sym
+    syms = DeepSymbolizable::Symbolizers
+    syms.respond_to?(method) ? syms.send(method, self, &block) : self
+  end
+  module Symbolizers
+    extend self
+    # the primary method - symbolizes keys of the given hash,
+    # preprocessing them with a block if one was given, and recursively
+    # going into all nested enumerables
+    def hash(hash, &block)
+      hash.inject({}) do |result, (key, value)|
+        # Recursively deep-symbolize subhashes
+        value = _recurse_(value, &block)
+        # Pre-process the key with a block if it was given
+        key = yield key if block_given?
+        # Symbolize the key string if it responds to to_sym
+        sym_key = key.to_sym rescue key
+        # write it back into the result and return the updated hash
+        result[sym_key] = value
+        result
+      end
+    end
+    # walking over arrays and symbolizing all nested elements
+    def array(ary, &block)
+      ary.map { |v| _recurse_(v, &block) }
+    end
+    # handling recursion - any Enumerable elements (except String)
+    # is being extended with the module, and then symbolized
+    def _recurse_(value, &block)
+      if value.is_a?(Enumerable) && !value.is_a?(String)
+        # support for a use case without extended core Hash
+        value.extend DeepSymbolizable unless value.class.include?(DeepSymbolizable)
+        value = value.deep_symbolize(&block)
+      end
+      value
+    end
+  end
+end
+class Hash; include DeepSymbolizable; end