dorothy2 1.2.0 → 2.0.0

data/bin/dorothy_start

@@ -1,225 +0,0 @@
-#!/usr/bin/env ruby
-
-# Copyright (C) 2010-2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/
-# See the file 'LICENSE' for copying permission.
-
-require 'rubygems'
-require 'trollop'
-require 'dorothy2'          #comment for testing/developmnet
-
-#load '../lib/dorothy2.rb'  #uncomment for testing/developmnet
-
-include Dorothy
-
-
-opts = Trollop.options do
-  banner <<-EOS
-
-   ####################################################
-   ##                                                ##
-   ##  The Dorothy Malware Analysis Framework 2.0    ##
-   ##                                                ##
-   ####################################################
-
-        marco.riccardi@honeynet.it
-	www.honeynet.it/dorothy
-
-
-	Usage:
-  dorothy_start [options]
-	where [options] are:
-  EOS
-
-  opt :Version, "Print the current version."
-  opt :verbose, "Enable verbose mode"
-  opt :infoflow, "Print the analysis flow"
-  opt :baseline, "Create a new process baseline"
-  opt :source, "Choose a source (from the ones defined in etc/sources.yml)", :type => :string
-  opt :daemon, "Stay in the backround, by constantly pooling datasources"
-  opt :manual, "Start everything, copy the file, and wait for me."
-  opt :SandboxUpdate, "Update Dorothive with the new Sandbox file"
-  opt :DorothiveInit, "(RE)Install the Dorothy Database (Dorothive)", :type => :string
-
-end
-
-if opts[:infoflow]
-  puts "
-	The Dorothy Malware Analysis Framework 2.0
-	---------------Execution Flow-------------
-	#0) Fetch new malwares
-	#1) Start VM
-	#2) Copy File to VM
-	#3) Start Sniffer
-	#4) Execute file into VM
-	#5) Make screenshot
-	#6) Wait X minutes (configure X in the conf file)
-  #7) Save the running processes
-	#8) Stop Sniffer
-	#9) Download Screenshot and trafficdump
-	#10) Compare the aquired process list with the one taken during the baseline run. Find the new spawned processes.
-  #11) Try to retreive malware info from VirusTotal
-	#12) Insert data into Dorothy-DB
-	------------------------------------------
-"
-
-  exit(0)
-end
-
-if opts[:Version]
-  puts "Dorothy ".yellow + Dorothy::VERSION
-  exit(0)
-end
-
-puts "
-
-   ####################################################
-   ##                                                ##
-   ##  The Dorothy Malware Analysis Framework 2.0    ##
-   ##                                                ##
-   ####################################################
-
-"
-
-#VARS
-HOME = File.expand_path("..",File.dirname(__FILE__))
-VERBOSE = (opts[:verbose] ? true : false)
-daemon = (opts[:daemon] ? true : false)
-MANUAL =  (opts[:manual] ? true : false)
-
-if MANUAL && daemon
-  "[Dorothy]".yellow + " Manual and Deamon modes can't be executed together"
-  exit(1)
-end
-
-
-#DEFAULT CONF FILES
-#conf = HOME + '/etc/dorothy.yml'
-
-conf = "#{File.expand_path("~")}/.dorothy.yml"
-
-
-#LOAD ENV
-if Util.exists?(conf)
-  DoroSettings.load!(conf)
-  else
-  DoroConfig.create
-  exit(0)
-  end
-
-
-#LOAD EXTENSION MGT FILE
-EXTENSIONS=YAML.load_file("#{DoroSettings.env[:home]}/etc/extensions.yml")
-
-
-
-#Logging
-logout = (daemon ? DoroSettings.env[:logfile] : STDOUT)
-LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
-LOGGER.sev_threshold = DoroSettings.env[:loglevel]
-
-
-if opts[:baseline]
-  puts "[" + "+".red + "] " +  "[DOROTHY]".yellow + "Creating a new process baseline."
-  Dorothy.run_baseline
-  puts "[" + "+".red + "] " +  "[WARNING]".red + "Baseline run finished."
-  exit(0)
-end
-
-
-
-home = DoroSettings.env[:home]
-#check homefolder
-unless Util.exists?(home)
-  DoroConfig.init_home(home)
-end
-
-sfile = home + '/etc/sources.yml'
-sboxfile = home + '/etc/sandboxes.yml'
-baseline_procs = home + '/etc/baseline_processes.yml'
-
-if opts[:DorothiveInit]
-  Util.init_db(opts[:DorothiveInit])
-  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " Database loaded, now you can restart Dorothy!"
-  exit(0)
-end
-
-#INIT DB Connector
-begin
-  db = Insertdb.new
-rescue => e
-  if e.inspect =~ /exist/
-    puts "[" + "+".red + "] " +  "WARNING".yellow + " The database doesn't exist yet. Press Enter to load the ddl into the DB"
-    gets
-    Util.init_db(DoroSettings.dorothive[:ddl])
-    exit(0)
-  else
-    puts "[" + "+".red + "] " +  "ERROR".red + " Can't connect to the database"
-    puts e
-    exit(0)
-  end
-end
-
-
-if opts[:SandboxUpdate]
-  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " Loading #{sboxfile} into Dorothive"
-  DoroConfig.init_sandbox(sboxfile)
-  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " Done."
-  exit(0)
-end
-
-if Util.exists?(sfile)
-  sources = YAML.load_file(sfile)
-  #check if all the source directories exist
-  sources.keys.each do |s|
-    unless Util.exists?("#{sources[s]["localdir"]}")
-      LOGGER.warn "INIT", "Warning, the source's localdir #{s} doesn't exist yet, I'm going to create it"
-      Dir.mkdir("#{sources[s]["localdir"]}")
-    end
-  end
-else
-  puts "[" + "+".red + "] " +  "[WARNING]".red + " A source file doesn't exist, please crate one into #{home}/etc. See the example file in #{HOME}/etc/sources.yml.example"
-  exit(0)
-end
-
-unless Util.exists?(sboxfile)
-  puts "[" + "+".red + "] " +  "[WARNING]".red + " There is no sandbox configured yet. Please do it now."
-  DoroConfig.create_sandbox(sboxfile)
-  DoroConfig.init_sandbox(sboxfile)
-end
-
-unless Util.exists?(baseline_procs)
-  puts "[" + "+".red + "] " +  "[WARNING]".red + " There is no process-baseline file yet, Dorothy is going to create one."
-  Dorothy.run_baseline
-  puts "[" + "+".red + "] " +  "[WARNING]".red + " Baseline run finished."
-  exit(0)
-end
-
-BASELINE_PROCS = YAML.load_file(baseline_procs)
-
-#Check DB sandbox data
-if db.table_empty?("sandboxes")
-  puts "[" + "+".red + "] " +  "[WARNING]".red + " No sandbox found in Dorothive, the DB will be filled with " + sboxfile
-  DoroConfig.init_sandbox(sboxfile)
-end
-
-if opts[:source] && !sources.key?(opts[:source])
-  puts "[" + "+".red + "] " +  "[WARNING]".red + " The selected source is not yet configured.\nThe available sources are: "
-  puts "[" + "+".red + "] " +  sources.keys
-  exit(0)
-end
-
-db.close
-
-begin
-  Dorothy.start sources[opts[:source]], daemon
-rescue SignalException
-   Dorothy.stop_running_analyses
-rescue => e
-  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " An error occurred: \n".red + e.inspect
-  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " For more information check the logfile \n" + e.inspect if daemon
-  LOGGER.error "Dorothy", "An error occurred: \n" + e.inspect
-  LOGGER.debug "Dorothy", "#{e.inspect} --BACKTRACE:  #{e.backtrace}"
-  LOGGER.info "Dorothy", "Dorothy has been stopped"
-end
-

data/bin/dorothy_stop

@@ -1,28 +0,0 @@
-#!/usr/bin/env ruby
-
-# Copyright (C) 2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
-# See the file 'LICENSE' for copying permission.
-
-
-
-require 'rubygems'
-require 'trollop'
-require 'dorothy2'
-
-#load '../lib/dorothy2.rb'
-
-include Dorothy
-
-conf = "#{File.expand_path("~")}/.dorothy.yml"
-DoroSettings.load!(conf)
-
-#Logging
-
-LOGGER = DoroLogger.new(DoroSettings.env[:logfile], DoroSettings.env[:logage])
-LOGGER.sev_threshold = DoroSettings.env[:loglevel]
-
-
-Dorothy.stop
-
-

data/bin/dparser_start

@@ -1,94 +0,0 @@
-#!/usr/bin/env ruby
-
-# Copyright (C) 2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/
-# See the file 'LICENSE' for copying permission.
-
-require 'rubygems'
-require 'trollop'
-require 'dorothy2'
-require 'doroParser'
-
-#load '../lib/dorothy2.rb'
-#load '../lib/doroParser.rb'
-
-include Dorothy
-include DoroParser
-
-
-
-opts = Trollop.options do
-  banner <<-EOS
-
-   ####################################################
-   ##                                                ##
-   ##  The Dorothy Malware Analysis Framework 2.0    ##
-   ##                                                ##
-   ####################################################
-
-        marco.riccardi@honeynet.it
-	www.honeynet.it/dorothy
-
-
-	Usage:
-  dparser_start [options]
-	where [options] are:
-  EOS
-
-  opt :verbose, "Enable verbose mode"
-  opt :nonetbios, "Hide Netbios communication"
-  opt :daemon, "Stay in the backroud, by constantly pooling datasources"
-
-end
-
-def get_time
-  time = Time.new
-  return time.utc.strftime("%Y-%m-%d %H:%M:%S")
-end
-
-
-NONETBIOS = opts[:nonetbios] ? true : false
-VERBOSE = opts[:verbose] ? true : false
-daemon = opts[:daemon] ? true : false
-
-
-
-conf = "#{File.expand_path("~")}/.dorothy.yml"
-DoroSettings.load!(conf)
-
-#Logging
-logout = (daemon ? DoroSettings.env[:logfile_parser] : STDOUT)
-LOGGER_PARSER = DoroLogger.new(logout, DoroSettings.env[:logage])
-LOGGER_PARSER.sev_threshold = DoroSettings.env[:loglevel]
-
-LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
-LOGGER.sev_threshold = DoroSettings.env[:loglevel]
-
-if DoroSettings.pcapr[:local]=="true"
-  if system "sh -c 'type startpcapr > /dev/null 2>&1'"
-    pcapr_conf = "#{File.expand_path("~")}/.pcapr_local/config"
-    unless Util.exists?(pcapr_conf)
-      puts "[WARNING]".red + " Pcapr conf not found at #{File.expand_path("~")}/.pcapr_local/config "
-      puts "[WARNING]".red + " Although you have configured Dorothy in order to look for a *local* Pcapr instance,it seems that it is not configured yet,so please run \"startpcapr\" and configure it."
-      exit(1)
-    end
-  else
-    puts "[WARNING]".red + " Although you have configured Dorothy in order to look for a *local* Pcapr instance, it seems *NOT INSTALLED* in your system.\n\t Please install it by typing \"sudo gem install pcapr-local\. Then set Pcapr to scan #{DoroSettings.env[:analysis_dir]}"
-    exit(1)
-  end
-end
-
-
-begin
-  DoroParser.start(daemon)
-rescue => e
-  puts "[PARSER]".yellow + " An error occurred: ".red + e.inspect
-  if daemon
-    puts "[PARSER]".yellow + " For more information check the logfile" + e.inspect
-    puts "[PARSER]".yellow + "Dorothy-Parser has been stopped"
-  end
-  LOGGER_PARSER.error "Parser", "An error occurred: " + e.inspect
-  LOGGER_PARSER.debug "Parser", "#{e.inspect} --BACKTRACE: #{e.backtrace}"
-  LOGGER_PARSER.info "Parser", "Dorothy-Parser has been stopped"
-end
-

data/bin/dparser_stop

@@ -1,31 +0,0 @@
-#!/usr/bin/env ruby
-
-# Copyright (C) 2013 marco riccardi.
-# This file is part of Dorothy - http://www.honeynet.it/dorothy
-# See the file 'LICENSE' for copying permission.
-
-
-require 'rubygems'
-require 'trollop'
-require 'dorothy2'
-require 'doroParser'
-
-#load '../lib/doroParser.rb'
-#load '../lib/dorothy2.rb'
-
-
-
-include Dorothy
-include DoroParser
-
-conf = "#{File.expand_path("~")}/.dorothy.yml"
-DoroSettings.load!(conf)
-
-
-#Logging
-LOGGER_PARSER = DoroLogger.new(STDOUT, 'weekly')
-
-LOGGER = DoroLogger.new(STDOUT, 'weekly')
-
-DoroParser.stop
-

data/etc/dorothy copy.yml.example

@@ -1,39 +0,0 @@
---- 
-dorothive: 
-  dbuser: postgres
-  dbpass: password
-  dbhost: localhost
-  dbname: dorothive
-  ddl: /Users/akira/Codes/dorothy-gem-try/dorothy2/etc/ddl/dorothive.ddl
-env: 
-  geoip: /Users/akira/Codes/dorothy-gem-try/dorothy2/etc/geo/GeoLiteCity.dat
-  geoasn: /Users/akira/Codes/dorothy-gem-try/dorothy2/etc/geo/GeoIPASNum.dat
-  loglevel: 0
-  testmode: true
-  dtimeout: 3600
-  logfile_parser: /Users/akira/Codes/dorothy-gem-try/dorothy2/var/log/parser.log
-  analysis_dir: /Users/akira/Codes/dorothy-gem-try/dorothy2/opt/analyzed
-  pidfile_parser: /Users/akira/Codes/dorothy-gem-try/dorothy2/var/doroParser.pid
-  pidfile: /Users/akira/Codes/dorothy-gem-try/dorothy2/var/dorothy.pid
-  logage: weekly
-  logfile: /Users/akira/Codes/dorothy-gem-try/dorothy2/var/log/dorothy.log
-  home: /Users/akira/Codes/dorothy-gem-try/dorothy2
-esx: 
-  user: "root"
-  pass: "Dorothy!?!"
-  host: "192.168.187.128"
-sandbox: 
-  screen1time: 1
-  sleeptime: 60
-  screen2time: 15
-nam: 
-  namuser: dorothy
-  pcaphome: ~/pcaps
-  nampass: ""
-  interface: eth0
-  namserver: ""
-virustotal: 
-  vtapikey: "c37baad50a42d7df3f91e957255a2c6a9deabe339c2ff44d4a637fff912def48"
-
-
-

data/etc/extensions.yml

@@ -1,41 +0,0 @@
-#############################################
-### DOROTHY EXTENSION MANAGER               #
-#############################################
-### Choose how do you want to open the the
-### binaries into the Sandbox VM.
-### You can add as much extensions as you
-### want.
-#############################################
----
-exe:
-  prog_name: Windows CMD.exe
-  prog_path: C:\windows\system32\cmd.exe
-  prog_args: /C
-
-
-bat:
-  prog_name: Windows CMD.exe
-  prog_path: C:\windows\system32\cmd.exe
-  prog_args: /C
-
-
-dll:
-  prog_name: Windows Rundll32.exe
-  prog_path: C:\windows\system32\rundll32.exe
-  prog_args:
-
-html:          # c:\Program Files\Internet Explorer\iexplore.exe" -new
-  prog_name: Microsoft Explorer IEXPLORE.EXE
-  prog_path: C:\windows\system32\cmd.exe
-  prog_args: /C start "C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"
-
-#doc:
-#  prog_name: Microsoft Word 2003
-#  prog_path:
-#  prog_args:
-
-#pdf:
-#  prog_name: Acrobat Reader Version 1.0
-#  prog_path:
-#  prog_args:
-