dorothy2 0.0.1

data/lib/dorothy2/vtotal.rb

@@ -0,0 +1,84 @@
+# Copyright (C) 2010-2013 marco riccardi.
+# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# See the file 'LICENSE' for copying permission.
+
+module Dorothy
+
+class Vtotal < VirusTotal::VirusTotal
+	attr_writer :api_key
+	attr_reader :rate
+	attr_reader :filehash
+	attr_reader :scanid
+	attr_reader :family
+	attr_reader :permalink
+	attr_reader :updated
+	attr_reader :version
+	attr_reader :vendor 
+	attr_reader :detected 
+	
+	
+	def initialize()
+		@api_key = VTAPIKEY
+	end
+	
+	
+	def analyze_file(file)
+		f = File.open(file, 'r')
+		begin
+			results = RestClient.post 'https://www.virustotal.com/vtapi/v2/file/scan' , { :key => @api_key, :file => f}
+			parsed = JSON.parse(results)
+			LOGGER.info "VTOTAL]", " Ok, received with scan id " + parsed["scan_id"] if parsed["response_code"]
+			#puts "[VTOTAL] ".yellow + parsed["verbose_msg"]
+			@scanid = parsed["scan_id"] 
+			rescue
+			LOGGER.error "VTOTAL", "An error accurred while quering Virustotal"
+			LOGGER.debug "DEBUG", "#{$!}"
+		end
+		return @scanid 
+	end
+	
+	
+	def get_report(id)
+		begin
+			report = RestClient.post 'https://www.virustotal.com/vtapi/v2/file/report' , { :resource => id.to_s, :key => @api_key }
+			rescue
+			LOGGER.error "VTOTAL", "An error accurred while quering Virustotal"
+			LOGGER.debug "DEBUG", "#{$!}"
+		end
+		
+		if !report.empty?
+			
+			parsed = JSON.parse(report)
+			
+			if (parsed["response_code"] == 1 )
+				if (parsed["scans"]["McAfee"]["detected"] == true ) 
+					@rate = parsed["positives"].to_s + "/" + parsed["total"].to_s
+					@family = parsed["scans"]["McAfee"]["result"]
+					@permalink = (parsed["permalink"] != "-" ? parsed["permalink"] : "null")
+					@vendor = "McAfee" #TODO Move to config file!
+					@updated = (parsed["scans"]["McAfee"]["update"] != "-" ? parsed["scans"]["McAfee"]["update"] : "null")
+					@version = (parsed["scans"]["McAfee"]["version"] != "-" ? parsed["scans"]["McAfee"]["version"] : "null")
+					@detected = true
+					else #not detected by McAfee
+					@rate = parsed["positives"].to_s + "/" + parsed["total"].to_s
+					@family = "Unknown"
+					@permalink = "null"
+					@vendor = "McAfee" #TODO Move to config file!
+					@updated = "null" 
+					@version = "null"
+					@detected = false
+				end
+				else
+				LOGGER.error "VTOTAL", parsed["verbose_msg"]
+				return false
+			end
+			else
+			LOGGER.error "VTOTAL", "No data received "
+			return false			
+		end
+		return parsed
+	end
+	
+end
+
+end

data/lib/dorothy2.rb

@@ -0,0 +1,470 @@
+# Copyright (C) 2010-2013 marco riccardi.
+# This file is part of Dorothy - http://www.honeynet.it/dorothy
+# See the file 'LICENSE' for copying permission.
+
+##for irb debug:
+##from $home, irb and :
+##load 'lib/dorothy2.rb'; include Dorothy; LOGGER = DoroLogger.new(STDOUT, "weekly"); DoroSettings.load!('etc/dorothy.yml')
+#$LOAD_PATH.unshift '/opt/local/lib/ruby/gems/1.8/gems/ruby-filemagic-0.4.2/lib'
+
+require 'net/ssh'
+require 'net/scp'
+require 'trollop'
+require 'fileutils'
+require 'rest_client'
+require 'mime/types'
+require 'colored'
+require 'logger'
+require 'pg'
+require 'filemagic'
+require 'rbvmomi'
+require 'timeout'
+require 'virustotal'
+require 'ftools' #deprecated at ruby 1.9 !!!
+require 'filemagic'
+require 'md5'
+
+require File.dirname(__FILE__) + '/dorothy2/do-init'
+require File.dirname(__FILE__) + '/dorothy2/Settings'
+require File.dirname(__FILE__) + '/dorothy2/deep_symbolize'
+
+require File.dirname(__FILE__) + '/dorothy2/environment'
+
+require File.dirname(__FILE__) + '/dorothy2/vtotal'
+require File.dirname(__FILE__) + '/dorothy2/MAM'
+require File.dirname(__FILE__) + '/dorothy2/BFM'
+require File.dirname(__FILE__) + '/dorothy2/do-utils'
+require File.dirname(__FILE__) + '/dorothy2/do-logger'
+
+module Dorothy
+
+  def get_time
+    time = Time.new
+    time.utc.strftime("%Y-%m-%d %H:%M:%S")
+  end
+
+
+  def start_analysis(bins)
+    bins.each do |bin|
+      next unless check_support(bin)
+      scan(bin) unless DoroSettings.env[:testmode]   #avoid to stress VT if we are just testing
+      @analysis_threads << Thread.new(bin.filename){
+        db = Insertdb.new
+        sleep 30 while !(guestvm = db.find_vm)  #guestvm struct: array ["sandbox id", "sandbox name", "ipaddress", "user", "password"]
+        analyze(bin, guestvm)
+        db.free_vm(guestvm[0])
+        db.close
+      }
+    end
+  end
+
+
+  def check_support(bin)
+    if bin.extension == ".exe" || bin.extension == ".bat"
+      true
+    else
+      LOGGER.warn("SANDBOX", "File #{bin.filename} actually not supported, skipping\n" + "	Filtype: #{bin.type}") # if VERBOSE
+      dir_not_supported = File.dirname(bin.binpath) + "/not_supported"
+      Dir.mkdir(dir_not_supported) unless Utils.exists?(dir_not_supported)
+      FileUtils.cp(bin.binpath,dir_not_supported) #mv?
+      FileUtils.rm(bin.binpath) ## mv?
+      return false
+    end
+  end
+
+###ANALYZE THE SOURCE
+  def analyze(bin, guestvm)
+
+    #RESERVING AN ANALYSIS ID
+    db = Insertdb.new
+    anal_id = db.get_anal_id
+
+
+
+    #source.each do |sname, sinfo|
+
+    #Dir.chdir(sinfo[:dir])
+
+    #set home vars
+    sample_home = DoroSettings.env[:analysis_dir] + "/#{anal_id}"
+    bin.dir_bin = "#{sample_home}/bin/"
+    bin.dir_pcap = "#{sample_home}/pcap/"
+    bin.dir_screens = "#{sample_home}/screens/"
+    bin.dir_downloads = "#{sample_home}/downloads/"
+
+
+    LOGGER.info "SANDBOX", "VM#{guestvm[0]} ".yellow + "[" + "#{anal_id}".red + "]" + " Analyzing binary #{bin.filename}"
+
+    begin
+      #crate dir structure in analisys home
+      unless File.directory?(sample_home)
+        LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Creating DIRS"
+        Dir.mkdir sample_home
+        Dir.mkdir bin.dir_bin
+        Dir.mkdir bin.dir_pcap
+        Dir.mkdir bin.dir_screens
+        Dir.mkdir bin.dir_downloads
+
+        if VERBOSE
+          LOGGER.debug "VSM", sample_home
+          LOGGER.debug "VSM",bin.dir_bin
+          LOGGER.debug "VSM",bin.dir_pcap
+          LOGGER.debug "VSM",bin.dir_screens
+        end
+
+      else
+        LOGGER.warn "SANDBOX","Malware #{bin.md5} sample_home already present, WTF!? Skipping.."
+        #print "\n"
+        return false
+      end
+
+
+
+      FileUtils.cp(bin.binpath,bin.dir_bin)  # mv?
+
+
+      #Creating a new VSM object for managing the SandBox VM
+      LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Connecting to ESX Server #{DoroSettings.esx[:host]}"
+
+      vsm = Doro_VSM::ESX.new(DoroSettings.esx[:host],DoroSettings.esx[:user],DoroSettings.esx[:pass],guestvm[1], guestvm[3], guestvm[4])
+
+      #Copy File to VM
+      r = 0
+
+      begin
+        vsm.check_internet
+      rescue
+        if r <= 2
+          r = r+1
+          LOGGER.warn "SANDBOX","VM#{guestvm[0]}".yellow + " GUESTOS Connection problem to Internet, retry n. #{r}/3"
+          sleep 20
+          retry
+        end
+        LOGGER.error "SANDBOX", "VM#{guestvm[0]}".yellow + " Guest system is not able to connect to internet"
+        r = 0
+        retry
+      end
+
+
+
+      LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Copying #{bin.md5} to VM"
+
+      filecontent = File.open(bin.binpath, "rb") { |byte| byte.read } #load filebinary
+      vsm.copy_file("#{bin.md5}#{bin.extension}",filecontent)
+
+      #Start Sniffer
+      dumpname = bin.md5
+      pid = @nam.start_sniffer(guestvm[2],DoroSettings.nam[:interface], dumpname, DoroSettings.nam[:pcaphome]) #dumpname = vmfile.pcap
+      LOGGER.info "NAM","VM#{guestvm[0]} ".yellow + "Start sniffing module"
+      LOGGER.debug "NAM","VM#{guestvm[0]} ".yellow + "Tcpdump instance #{pid} started" if VERBOSE
+
+      sleep 5
+
+      begin
+        #Execute File into VM
+        LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Executing #{bin.md5} File into VM"
+
+        guestpid = vsm.exec_file("#{bin.md5}#{bin.extension}")
+
+        LOGGER.debug "VSM","VM#{guestvm[0]} ".yellow + "Program executed with PID #{guestpid}" if VERBOSE
+
+
+        LOGGER.info "VSM","VM#{guestvm[0]}".yellow + " Sleeping #{DoroSettings.sandbox[:sleeptime]} seconds".yellow
+
+        #wait n seconds
+
+        (1..DoroSettings.sandbox[:sleeptime]).each do |i|
+          @screenshot1 = vsm.screenshot if i == DoroSettings.sandbox[:screen1time]
+          @screenshot2 = vsm.screenshot if i == DoroSettings.sandbox[:screen2time]
+          #t = "."*i
+          #print "VM#{guestvm[0]}Sleeping #{SLEEPTIME} seconds".yellow  + " #{t}\r"
+          #print "VM#{guestvm[0]}Sleeping #{SLEEPTIME} seconds".yellow + " #{t}" + " [Done]\n".green if i == SLEEPTIME
+          sleep 1
+          $stdout.flush
+        end
+
+
+
+        #Stopt Sniffer
+        LOGGER.info "NAM", "VM#{guestvm[0]} ".yellow + "Stopping sniffing module " + pid.to_s
+        @nam.stop_sniffer(pid)
+
+        #Stop/Revert VM
+        LOGGER.info "VSM","VM#{guestvm[0]} ".yellow + "Reverting VM"
+        vsm.revert_vm
+
+        sleep 5
+
+      rescue => e
+
+        LOGGER.error "SANDBOX", "VM#{guestvm[0]} - An error occourred while executing the file into the vm:\n  #{$!}"
+
+        LOGGER.debug "SANDBOX" , "#{$!}\n #{e.inspect} \n #{e.backtrace}" if VERBOSE
+
+        LOGGER.warn "SANDBOX", "VM#{guestvm[0]} ".red + "[RECOVER] Stopping sniffing module ".yellow + pid.to_s
+        @nam.stop_sniffer(pid)
+
+        LOGGER.warn "SANDBOX", "VM#{guestvm[0]} ".red + "[RECOVER] Reverting VM".yellow
+        vsm.revert_vm
+        sleep 5
+
+        LOGGER.warn "SANDBOX", "VM#{guestvm[0]} ".red + "[RECOVER] Recovering finished, skipping to next binaries".yellow
+        FileUtils.rm_r(sample_home)
+        return false
+
+      end
+
+
+      #Downloading PCAP
+      LOGGER.info "NAM", "VM#{guestvm[0]} ".yellow + "Downloading #{dumpname}.pcap to #{bin.dir_pcap}"
+      #t = DoroSettings.nam[:pcaphome] + "/" + dumpname + ".pcap"
+      Ssh.download(DoroSettings.nam[:host], DoroSettings.nam[:user],DoroSettings.nam[:pass], DoroSettings.nam[:pcaphome] + "/" + dumpname + ".pcap", bin.dir_pcap)
+
+      #Downloading Screenshots from esx
+      LOGGER.info "NAM", "VM#{guestvm[0]} ".yellow + "Downloading Screenshots"
+      Ssh.download(DoroSettings.esx[:host],DoroSettings.esx[:user], DoroSettings.esx[:pass], @screenshot1, bin.dir_screens)
+      Ssh.download(DoroSettings.esx[:host],DoroSettings.esx[:user], DoroSettings.esx[:pass], @screenshot2, bin.dir_screens)
+
+      #Put them to 644
+      File.chmod(0644, bin.dir_screens + File.basename(@screenshot1), bin.dir_screens + File.basename(@screenshot2) )
+
+      #####################
+      #UPDATE DOROTHIBE DB#
+      #####################
+
+      pcapfile =  bin.dir_pcap + dumpname + ".pcap"
+      dump = Loadmalw.new(pcapfile)
+
+      pcaprpath = bin.md5 + "/pcap/" + dump.filename
+      pcaprid = Loadmalw.calc_pcaprid(pcaprpath, dump.size)
+
+      LOGGER.debug "NAM", "VM#{guestvm[0]} ".yellow + "Pcaprid: " + pcaprid if VERBOSE
+
+      empty_pcap = false
+
+      if dump.size <= 30
+        LOGGER.warn "NAM", "VM#{guestvm[0]} WARNING - EMPTY PCAP FILE!!!! ::.."
+        #FileUtils.rm_r(sample_home)
+        empty_pcap = true
+      end
+
+      dumpvalues = [dump.sha, dump.size, pcaprid, pcapfile, 'false']
+      dump.sha = "EMPTYPCAP" if empty_pcap
+      analysis_values = [anal_id, bin.sha, guestvm[0], dump.sha, get_time]
+
+      if pcaprid.nil? || bin.dir_pcap.nil? || bin.sha.nil? || bin.md5.nil?
+        LOGGER.error "SANDBOX", "VM#{guestvm[0]} Can't retrieve the required information"
+        FileUtils.rm_r(sample_home)
+        return false
+      end
+
+
+      LOGGER.debug "DB", "VM#{guestvm[0]} Database insert phase" if VERBOSE
+
+      db = Insertdb.new
+      db.begin_t  #needed for rollbacks
+
+      unless empty_pcap
+        unless db.insert("traffic_dumps", dumpvalues)
+          LOGGER.fatal "DB", "VM#{guestvm[0]} Error while inserting data into table traffic_dumps. Skipping binary #{bin.md5}"
+          FileUtils.rm_r(sample_home)
+          return false
+        end
+      end
+
+
+
+      unless db.insert("analyses", analysis_values)
+        LOGGER.fatal "DB", "VM#{guestvm[0]} Error while inserting data into table analyses. Skipping binary #{bin.md5}"
+        FileUtils.rm_r(sample_home)
+        return false
+      end
+
+      #TODO ADD RT CODE
+
+      db.commit
+      db.close
+
+      LOGGER.info "VSM", "VM#{guestvm[0]} ".yellow + "Removing file from /bins directory"
+      FileUtils.rm(bin.binpath)
+      LOGGER.info "VSM", "VM#{guestvm[0]} ".yellow + "Process compleated successfully"
+
+    rescue => e
+
+      LOGGER.error "SANDBOX", "VM#{guestvm[0]} An error occurred while analyzing #{bin.filename}, skipping\n"
+      LOGGER.debug "Dorothy" , "#{$!}\n #{e.inspect} \n #{e.backtrace}" if VERBOSE
+
+      FileUtils.rm_r(sample_home)
+      db.rollback unless db.nil?  #rollback in case there is a transaction on going
+      return false
+    end
+
+
+
+
+
+  end
+
+########################
+## VTOTAL SCAN		####
+########################
+  private
+  def scan(bin)
+    #puts "TOTAL", "Forking for VTOTAL"
+    @vtotal_threads << Thread.new(bin.sha) {
+      LOGGER.info "VTOTAL", "Scanning file #{bin.md5}".yellow
+
+      vt = Vtotal.new
+      id = vt.analyze_file(bin.binpath)
+
+      LOGGER.debug "VTOTAL", "Sleeping"
+
+      sleep 15
+
+      until vt.get_report(id)
+        LOGGER.info "VTOTAL", "Waiting a while and keep retring..."
+        sleep 30
+      end
+
+      LOGGER.info("VTOTAL", "#{bin.md5} Detection Rate: #{vt.rate}")
+      LOGGER.info("VTOTAL", "#{bin.md5} Family by McAfee: #{vt.family}")
+
+      LOGGER.info "VTOTAL", "Updating DB"
+      vtvalues = [bin.sha, vt.family, vt.vendor, vt.version, vt.rate, vt.updated, vt.detected]
+      db = Insertdb.new
+      db.begin
+      begin
+        db.insert("malwares", vtvalues)
+        db.close
+      rescue
+        db.rollback
+        LOGGER.error "VTOTAL", "Error while inserting values in malware table"
+      end
+
+      #TODO upload evidence to RT
+    }
+
+  end
+
+
+
+#########################
+##			MAIN	        	#
+#########################
+
+  def self.start(source=nil, daemon=nil)
+
+    @db = Insertdb.new
+    daemon ||= false
+
+    puts "[Dorothy]".yellow +  " Process Started"
+
+
+    LOGGER.info "Dorothy", "Started".yellow
+
+    if daemon
+      check_pid_file DoroSettings.env[:pidfile]
+      puts "[Dorothy]".yellow + " Going in backround with pid #{Process.pid}"
+      puts "[Dorothy]".yellow + " Logging on #{DoroSettings.env[:logfile]}"
+      Process.daemon
+      create_pid_file DoroSettings.env[:pidfile]
+      LOGGER.info "Dorothy", "Going in backround with pid #{Process.pid}"
+    end
+
+    #Creating a new NAM object for managing the sniffer
+    @nam = Doro_NAM.new(DoroSettings.nam)
+
+    @vtotal_threads = []
+    @vtotal_threads = []
+    @analysis_threads = []
+
+    infinite = true
+
+    #be sure that all the vm are available by forcing their release
+    @db.vm_init
+
+    if source # a source has been specified
+      while infinite  #infinite loop
+        dfm = DorothyFetcher.new(source)
+        start_analysis(dfm.bins)
+        infinite = daemon #exit if wasn't set
+        wait_end
+        LOGGER.info "Dorothy", "SLEEPING" if daemon
+        sleep DoroSettings.env[:dtimeout] if daemon # Sleeping a while if -d wasn't set, then quit.
+      end
+    else  # no sources specified, analyze all of them
+      while infinite  #infinite loop
+        sources = YAML.load_file(DoroSettings.env[:home] + '/etc/sources.yml')
+        sources.keys.each do |sname|
+          dfm = DorothyFetcher.new(sources[sname])
+          start_analysis(dfm.bins)
+        end
+        infinite = daemon #exit if wasn't set
+        wait_end
+        LOGGER.info "Dorothy", "SLEEPING" if daemon
+        sleep DoroSettings.env[:dtimeout] if daemon # Sleeping a while if -d wasn't set, then quit.
+      end
+    end
+
+    @db.close
+
+  end
+
+  def wait_end
+
+    unless @vtotal_threads.empty?
+      @vtotal_threads.each { |aThread|  aThread.join}
+      LOGGER.info "VTOTAL","Process compleated successfully"
+    end
+
+    @analysis_threads.each { |aThread|  aThread.join }
+    LOGGER.info "Dorothy", "Process finished"
+
+  end
+
+  def check_pid_file file
+    if File.exist? file
+      # If we get Errno::ESRCH then process does not exist and
+      # we can safely cleanup the pid file.
+      pid = File.read(file).to_i
+      begin
+        Process.kill(0, pid)
+      rescue Errno::ESRCH
+        stale_pid = true
+      end
+
+      unless stale_pid
+        puts "[Dorothy]".yellow + " Dorothy is already running (pid=#{pid})"
+        exit(1)
+      end
+    end
+  end
+
+  def create_pid_file file
+    File.open(file, "w") { |f| f.puts Process.pid }
+
+    # Remove pid file during shutdown
+    at_exit do
+      Logger.info "Dorothy", "Shutting down." rescue nil
+      if File.exist? file
+        File.unlink file
+      end
+    end
+  end
+
+## Sends SIGTERM to process in pidfile. Server should trap this
+# and shutdown cleanly.
+  def self.stop
+    LOGGER.info "Dorothy", "Shutting down."
+    pid_file = DoroSettings.env[:pidfile]
+    if pid_file and File.exist? pid_file
+      pid = Integer(File.read(pid_file))
+      Process.kill(-15, -pid)
+      puts "[Dorothy]".yellow + " Process #{pid} terminated"
+      LOGGER.info "Dorothy", "Process #{pid} terminated"
+    else
+      puts "[Dorothy]".yellow +  " Can't find PID file, is Dorothy really running?"
+    end
+  end
+
+end

data/test/tc_dorothy_full.rb

@@ -0,0 +1,95 @@
+require 'rubygems'
+require "test/unit"
+require 'dorothy2'          #comment for testing/developmnet
+
+#load '../lib/dorothy2.rb'
+
+include Dorothy
+
+LOGGER = DoroLogger.new(STDOUT, "weekly")
+
+CONF = "#{File.expand_path("~")}/.dorothy.yml"
+
+#LOAD ENV
+if Util.exists?(CONF)
+  DoroSettings.load!(CONF)
+else
+  DoroConfig.create
+  exit(0)
+end
+
+class DoroTest < Test::Unit::TestCase
+
+  # Called before every test method runs. Can be used
+  # to set up fixture information.
+  def setup
+    DoroSettings.load!(CONF)
+     @db = Insertdb.new
+     guestvm = @db.find_vm
+     assert_nothing_raised { @vsm = Doro_VSM::ESX.new(DoroSettings.esx[:host],DoroSettings.esx[:user],DoroSettings.esx[:pass],guestvm[1], guestvm[3], guestvm[4]) }
+     @nam = Doro_NAM.new(DoroSettings.nam)
+  end
+
+  # Called after every test method runs. Can be used to tear
+  # down fixture information.
+
+  def teardown
+    @db.vm_init
+    @db.close
+  end
+
+  # Fake test
+  def test_db_A_connection
+    assert_kind_of(Dorothy::Insertdb, @db, "Problem, can't connect to DB")
+  end
+
+  def test_db_B_insert
+    randstring = (0...8).map{(65+rand(26)).chr}.join
+    values = [randstring, 16, "pe", "", "test.exe", "testtest", "test"]
+    assert_kind_of(PG::Result, @db.insert("samples", values), "Problem, can't insert data into the DB")
+  end
+
+#  def test_vsm
+#    guestvm = @db.find_vm
+#    assert_nothing_raised { @vsm = Doro_VSM::ESX.new(DoroSettings.esx[:host],DoroSettings.esx[:user],DoroSettings.esx[:pass],guestvm[1], guestvm[3], guestvm[4]) }
+#  end
+
+  def test_vsm_A_execute
+    assert_nothing_raised {@vsm.exec_file("windows\\system32\\calc.exe")}
+    assert_kind_of(Fixnum, @vsm.exec_file("windows\\system32\\calc.exe"))
+  end
+
+  def test_vsm_B_chk_internet
+    assert_nothing_raised {@vsm.check_internet}
+  end
+
+  def test_vsm_C_screenshot
+    assert_nothing_raised {@vsm.screenshot}
+  end
+
+  def test_vsm_D_copy_screenshot
+    screen = @vsm.screenshot
+    assert_nothing_raised {Ssh.download(DoroSettings.esx[:host],DoroSettings.esx[:user], DoroSettings.esx[:pass], screen, Dir.pwd)}
+  end
+
+  def test_vsm_E_revertvm
+    assert_nothing_raised {@vsm.revert_vm}
+  end
+
+  #NAM
+
+  def test_nam_A_start_stop
+    puts "NAM".yellow + " Starting sniffer on NAM"
+    assert_nothing_raised { @nampid = @nam.start_sniffer("localhost",DoroSettings.nam[:interface], "testpcap", DoroSettings.nam[:pcaphome])}
+    assert_kind_of(Fixnum, @nampid)
+    sleep 3
+    puts "NAM".yellow + " Stopping sniffer on NAM"
+    assert_nothing_raised {@nam.stop_sniffer(@nampid)}
+  end
+
+  def test_nam_C_copydump
+    assert_nothing_raised {Ssh.download(DoroSettings.nam[:host], DoroSettings.nam[:user],DoroSettings.nam[:pass], DoroSettings.nam[:pcaphome] + "/" + "testpcap.pcap", Dir.pwd)}
+  end
+
+
+end