dorothy2 1.2.0 → 2.0.0

data/lib/dorothy2/version.rb

@@ -1,3 +1,3 @@
 module Dorothy
-  VERSION = "1.2.0"
+  VERSION = "2.0.0"
 end

data/lib/dorothy2/vtotal.rb

@@ -4,25 +4,32 @@
 
 module Dorothy
 
-class Vtotal < VirusTotal::VirusTotal
-	attr_writer :api_key
-	attr_reader :rate
-	attr_reader :filehash
-	attr_reader :scanid
-	attr_reader :family
-	attr_reader :permalink
-	attr_reader :updated
-	attr_reader :version
-	attr_reader :vendor 
-	attr_reader :detected 
-	
-	
-	def initialize()
-		@api_key = VTAPIKEY
-	end
-	
-	
-	def analyze_file(file)
+module Vtotal
+  extend self
+
+  def check_hash(hash)
+    @api_key = DoroSettings.virustotal[:vtapikey]
+
+    scans = Uirusu::VTFile.query_report(@api_key, hash)
+    if (scans["response_code"] == 1 )
+
+      positive = ( scans["positives"] > 0 ? true : false  )
+      @rate = scans["positives"].to_s + "/" + scans["total"].to_s
+      @permalink = (scans["permalink"] != "-" ? scans["permalink"] : "null")
+      @result_date = scans["scan_date"]
+      @results = scans["scans"]
+
+
+      return {:rate => @rate, :link => @permalink, :date => @result_date, :results => @results, :positive => positive}
+
+    else
+      LOGGER.error "VTOTAL", scans["verbose_msg"]
+      return false
+    end
+  end
+
+
+	def analyse_file(file)
 		f = File.open(file, 'r')
 		begin
 			results = RestClient.post 'https://www.virustotal.com/vtapi/v2/file/scan' , { :key => @api_key, :file => f}
@@ -35,7 +42,10 @@ class Vtotal < VirusTotal::VirusTotal
 			LOGGER.debug "DEBUG", "#{$!}"
 		end
 		return @scanid 
-	end
+  end
+
+
+
 	
 	
 	def get_report(id)

data/lib/mu/xtractr.rb

@@ -12,18 +12,18 @@
 # * http://www.mudynamics.com
 # * http://labs.mudynamics.com
 
-require 'mu/xtractr/about'
-require 'mu/xtractr/content'
-require 'mu/xtractr/field'
-require 'mu/xtractr/flow'
-require 'mu/xtractr/flows'
+require File.dirname(__FILE__) + '/xtractr/about'
+require File.dirname(__FILE__) + '/xtractr/content'
+require File.dirname(__FILE__) + '/xtractr/field'
+require File.dirname(__FILE__) + '/xtractr/flow'
+require File.dirname(__FILE__) + '/xtractr/flows'
 require File.dirname(__FILE__) + '/xtractr/host'   #overrides the gem one with the local (fixed for 1.9.3)
-require 'mu/xtractr/packet'
-require 'mu/xtractr/packets'
-require 'mu/xtractr/service'
-require 'mu/xtractr/stream'
-require 'mu/xtractr/term'
-require 'mu/xtractr/views'
+require File.dirname(__FILE__) + '/xtractr/packet'
+require File.dirname(__FILE__) + '/xtractr/packets'
+require File.dirname(__FILE__) + '/xtractr/service'
+require File.dirname(__FILE__) + '/xtractr/stream'
+require File.dirname(__FILE__) + '/xtractr/term'
+require File.dirname(__FILE__) + '/xtractr/views'
 
 module Mu # :nodoc:
 # = http://www.pcapr.net/static/image/favicon.png Mu::Xtractr

data/lib/mu/xtractr/stream.rb

@@ -129,4 +129,4 @@ end
 end # Xtractr
 end # Mu
 
-require 'mu/xtractr/stream/http'
+require File.dirname(__FILE__) + '/stream/http'

data/lib/www/public/reset.css

@@ -0,0 +1,153 @@
+/*
+	HTML5 ✰ Boilerplate
+
+	style.css contains a reset, font normalization and some base styles.
+
+	credit is left where credit is due.
+	much inspiration was taken from these projects:
+		yui.yahooapis.com/2.8.1/build/base/base.css
+		camendesign.com/design/
+		praegnanz.de/weblog/htmlcssjs-kickstart
+*/
+
+/*
+	html5doctor.com Reset Stylesheet (Eric Meyer's Reset Reloaded + HTML5 baseline)
+	v1.6.1 2010-09-17 | Authors: Eric Meyer & Richard Clark
+	html5doctor.com/html-5-reset-stylesheet/
+*/
+
+html, body, div, span, object, iframe,
+h1, h2, h3, h4, h5, h6, p, blockquote, pre,
+abbr, address, cite, code, del, dfn, em, img, ins, kbd, q, samp,
+small, strong, sub, sup, var, b, i, dl, dt, dd, ol, ul, li,
+fieldset, form, label, legend,
+table, caption, tbody, tfoot, thead, tr, th, td,
+article, aside, canvas, details, figcaption, figure,
+footer, header, hgroup, menu, nav, section, summary,
+time, mark, audio, video {
+    margin:0;
+    padding:0;
+    border:0;
+    font-size:100%;
+    font: inherit;
+    vertical-align:baseline;
+}
+
+article, aside, details, figcaption, figure,
+footer, header, hgroup, menu, nav, section {
+    display:block;
+}
+
+blockquote, q { quotes:none; }
+
+blockquote:before, blockquote:after,
+q:before, q:after { content:''; content:none; }
+
+ins { background-color:#ff9; color:#000; text-decoration:none; }
+
+mark { background-color:#ff9; color:#000; font-style:italic; font-weight:bold; }
+
+del { text-decoration: line-through; }
+
+abbr[title], dfn[title] { border-bottom:1px dotted; cursor:help; }
+
+table { border-collapse:collapse; border-spacing:0; }
+
+hr { display:block; height:1px; border:0; border-top:1px solid #ccc; margin:1em 0; padding:0; }
+
+input, select { vertical-align:middle; }
+
+/* END RESET CSS */
+
+/* font normalization inspired by  from the YUI Library's fonts.css: developer.yahoo.com/yui/ */
+body { font:13px/1.231 sans-serif; *font-size:small; } /* hack retained to preserve specificity */
+select, input, textarea, button { font:99% sans-serif; }
+
+/* normalize monospace sizing
+ * en.wikipedia.org/wiki/MediaWiki_talk:Common.css/Archive_11#Teletype_style_fix_for_Chrome */
+pre, code, kbd, samp { font-family: monospace, sans-serif; }
+
+/*
+ * minimal base styles
+ */
+
+body, select, input, textarea {
+    /* #444 looks better than black: twitter.com/H_FJ/statuses/11800719859 */
+    color: #444;
+    /* set your base font here, to apply evenly */
+    /* font-family: Georgia, serif;  */
+}
+
+/* headers (h1,h2,etc) have no default font-size or margin. define those yourself. */
+h1,h2,h3,h4,h5,h6 { font-weight: bold; }
+
+/* always force a scrollbar in non-IE: */
+html { overflow-y: scroll; }
+
+/* accessible focus treatment: people.opera.com/patrickl/experiments/keyboard/test */
+a:hover, a:active { outline: none; }
+
+a, a:active, a:visited { color: #607890; }
+a:hover { color: #036; }
+
+ul, ol { margin-left: 2em; }
+ol { list-style-type: decimal; }
+
+/* remove margins for navigation lists */
+nav ul, nav li { margin: 0; list-style:none; list-style-image: none; }
+
+small { font-size: 85%; }
+strong, th { font-weight: bold; }
+
+td { vertical-align: top; }
+
+/* set sub, sup without affecting line-height: gist.github.com/413930 */
+sub, sup { font-size: 75%; line-height: 0; position: relative; }
+sup { top: -0.5em; }
+sub { bottom: -0.25em; }
+
+pre {
+    /* www.pathf.com/blogs/2008/05/formatting-quoted-code-in-blog-posts-css21-white-space-pre-wrap/ */
+    white-space: pre; white-space: pre-wrap; white-space: pre-line; word-wrap: break-word;
+    padding: 15px;
+}
+
+textarea { overflow: auto; } /* www.sitepoint.com/blogs/2010/08/20/ie-remove-textarea-scrollbars/ */
+
+.ie6 legend, .ie7 legend { margin-left: -7px; } /* thnx ivannikolic! */
+
+/* align checkboxes, radios, text inputs with their label by: Thierry Koblentz tjkdesign.com/ez-css/css/base.css  */
+input[type="radio"] { vertical-align: text-bottom; }
+input[type="checkbox"] { vertical-align: bottom; }
+.ie7 input[type="checkbox"] { vertical-align: baseline; }
+.ie6 input { vertical-align: text-bottom; }
+
+/* hand cursor on clickable input elements */
+label, input[type="button"], input[type="submit"], input[type="image"], button { cursor: pointer; }
+
+/* webkit browsers add a 2px margin outside the chrome of form elements */
+button, input, select, textarea { margin: 0; }
+
+/* colors for form validity */
+input:valid, textarea:valid   {  }
+input:invalid, textarea:invalid {
+    border-radius: 1px; -moz-box-shadow: 0px 0px 5px red; -webkit-box-shadow: 0px 0px 5px red; box-shadow: 0px 0px 5px red;
+}
+.no-boxshadow input:invalid, .no-boxshadow textarea:invalid { background-color: #f0dddd; }
+
+/* These selection declarations have to be separate.
+	 No text-shadow: twitter.com/miketaylr/status/12228805301
+	 Also: hot pink. */
+::-moz-selection{ background: #FF5E99; color:#fff; text-shadow: none; }
+::selection { background:#FF5E99; color:#fff; text-shadow: none; }
+
+/*  j.mp/webkit-tap-highlight-color */
+a:link { -webkit-tap-highlight-color: #FF5E99; }
+
+/* make buttons play nice in IE:
+	 www.viget.com/inspire/styling-the-button-element-in-internet-explorer/ */
+button {  width: auto; overflow: visible; }
+
+/* bicubic resizing for non-native sized IMG:
+	 code.flickr.com/blog/2008/11/12/on-ui-quality-the-little-things-client-side-image-resizing/ */
+.ie7 img { -ms-interpolation-mode: bicubic; }

data/lib/www/public/style.css

@@ -0,0 +1,65 @@
+section {
+    width: 800px;
+    margin: 20px auto;
+}
+h1 {
+    color: #3d3e43;
+    font-size:250%;
+}
+table {
+    width: 100%;
+}
+th {
+    text-align: center;
+}
+tr {
+    border-bottom: 1px solid #ddd;
+}
+
+tr:nth-child(odd) {
+    background-color: #dedede;
+}
+tr:hover {
+    background: #fffb8b;
+}
+td {
+    padding: 10px 5px;
+    text-align: center;
+}
+
+
+input {
+    background: #fefefe;
+    box-shadow: inset 0 0 6px #aaa;
+    padding: 6px;
+    border: none;
+    width: 90%;
+    margin: 4px;
+}
+input:focus {
+    outline: none;
+    box-shadow: inset 0 0 6px rgb(17, 148, 211);
+    -webkit-transition: 0.2s all;
+    background: rgba(17, 148, 211, 0.05);
+}
+input[type=submit] {
+    background-color: #1194d3;
+    background-image: -webkit-gradient(linear, left top, left bottom, from(rgb(17, 148, 211)), to(rgb(59, 95, 142)));
+    background-image: -webkit-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+    background-image: -moz-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+    background-image: -o-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+    background-image: -ms-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+    background-image: linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+    filter: progid:DXImageTransform.Microsoft.gradient(GradientType=0,StartColorStr='#1194d3', EndColorStr='#3b5f8e');
+    padding: 6px 9px;
+    border-radius: 3px;
+    color: #fff;
+    text-shadow: 1px 1px 1px #0a3d52;
+    border: none;
+    width: 30%;
+}
+input[type=submit]:hover {
+    background: #0a3d52;
+}
+.floatleft { float: left; }
+.floatright { float: right; }

data/lib/www/views/analyses.erb

@@ -0,0 +1,28 @@
+<h1>Analyses</h1>
+
+<table border="1" align="center">
+  <tr>
+    <th>ID</th>
+    <th>Date</th>
+    <th>Filename</th>
+    <th>SHA256</th>
+    <th>Source</th>
+    <th>Sandbox</th>
+    <th>Source_email</th>
+  </tr>
+    <% @analyses.each do |anal| %>
+      <tr>
+        <td><a href="/resume/<%= anal.id %>"><%= anal.id %></a></td>
+        <td><%= anal.date %></td>
+        <td><%= @samples.where(:sha256 => anal.sample).first.filename %></td>
+        <td><%= anal.sample %></td>
+        <td><%= @queue.where(:id => anal.queue_id).first.source %></td>
+        <td><%= anal.sandbox %></td>
+        <td>
+          <%  mailid = @sightings.where(:id => @queue.where( :id => anal.queue_id).first.sighting).first.src_email%>
+          <a href="javascript:window.open('/email/view/<%= mailid %>','Email resume','width=600,height=400')"><%= mailid %></a>
+        </td>
+      </tr>
+    <% end %>
+</table>
+

data/lib/www/views/email.erb

@@ -0,0 +1,63 @@
+<h1>Email Resume</h1>
+
+<table border="1" align="center">
+
+  <tr>
+    <td>Date:</td>
+    <td><%= @email.date %></td>
+  </tr>
+
+  <tr>
+    <td>From:</td>
+    <td><%= @email.from %></td>
+  </tr>
+
+  <tr>
+    <td>To:</td>
+    <td>
+    <% @receivers.where(:mail_field => 'to').each do |r| %>
+    <%= r.address %>
+    <% end %>
+    </td>
+  </tr>
+
+
+  <tr>
+    <td>Cc:</td>
+    <td>
+    <% @receivers.where(:mail_field => 'cc').each do |r| %>
+        <%= r.address %>
+    <% end %>
+    </td>
+  </tr>
+
+  <tr>
+    <td>Subject:</td>
+    <td><%= @email.subject %></td>
+  </tr>
+
+  <tr>
+    <td>Body SHA2:</td>
+    <td><%= @email.body_sha256 %></td>
+  </tr>
+
+  <tr>
+    <td>Message ID:</td>
+    <td><%= @email.message_id %></td>
+  </tr>
+
+  <tr>
+    <td>Raw email</td>
+    <td>[<a href="/email/download/<%= @email.id %>">Download</a>]</td>
+  </tr>
+
+  <% unless @email.forwarded_by.nil? %>
+  <tr>
+    <td>This email was included in</td>
+    <td><a href="javascript:window.open('/email/view/<%= @email.forwarded_by %>','Email resume','width=600,height=400')"><%= @email.forwarded_by %></a></td>
+  </tr>
+  <% end %>
+</table>
+
+
+

data/lib/www/views/flows.erb

@@ -0,0 +1,30 @@
+<h1>Network Traffic Analysis</h1>
+
+<table border="1">
+  <tr>
+    <th>ID</th>
+    <th>Time</th>
+    <th>Duration</th>
+    <th>Src Addr.</th>
+    <th>Src Port</th>
+    <th>Dst Addr</th>
+    <th>Dst Port</th>
+    <th>Service</th>
+    <th>Title</th>
+    <th>PCAP</th>
+  </tr>
+  <% @flows.each do |flow| %>
+      <tr>
+        <td><%= flow.relative_id %></td>
+        <td><%= flow.time %></td>
+        <td><%= flow.duration %></td>
+        <td><%= flow.source %></td>
+        <td><%= flow.srcport %></td>
+        <td><%= flow.dest %></td>
+        <td><%= flow.dstport %></td>
+        <td><%= flow.service %></td>
+        <td><%= flow.title %></td>
+        <td><a href="http://<%=DoroSettings.pcapr[:host]%>:<%=DoroSettings.pcapr[:port]%>/pcaps/1/pcap/<%=@net_dumps.first.pcapr_id%>/api/flow/<%=flow.relative_id%>/pcap">P</a></td>
+      </tr>
+  <% end %>
+</table>