dorothy2 1.2.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. checksums.yaml +8 -8
  2. data/CHANGELOG +39 -14
  3. data/README.md +80 -62
  4. data/UPDATE +6 -14
  5. data/bin/dorothy2 +472 -0
  6. data/dorothy2.gemspec +22 -16
  7. data/etc/ddl/dorothive.ddl +619 -373
  8. data/etc/sources.yml.example +27 -2
  9. data/lib/doroGUI.rb +232 -0
  10. data/lib/doroParser.rb +34 -78
  11. data/lib/dorothy2.rb +288 -248
  12. data/lib/dorothy2/BFM.rb +114 -61
  13. data/lib/dorothy2/DEM.rb +3 -1
  14. data/lib/dorothy2/NAM.rb +2 -2
  15. data/lib/dorothy2/Settings.rb +2 -1
  16. data/lib/dorothy2/VSM.rb +2 -1
  17. data/lib/dorothy2/deep_symbolize.rb +2 -7
  18. data/lib/dorothy2/do-init.rb +286 -19
  19. data/lib/dorothy2/do-logger.rb +1 -1
  20. data/lib/dorothy2/do-utils.rb +382 -33
  21. data/lib/dorothy2/version.rb +1 -1
  22. data/lib/dorothy2/vtotal.rb +30 -20
  23. data/lib/mu/xtractr.rb +11 -11
  24. data/lib/mu/xtractr/stream.rb +1 -1
  25. data/lib/www/public/reset.css +153 -0
  26. data/lib/www/public/style.css +65 -0
  27. data/lib/www/views/analyses.erb +28 -0
  28. data/lib/www/views/email.erb +63 -0
  29. data/lib/www/views/flows.erb +30 -0
  30. data/lib/www/views/layout.erb +27 -0
  31. data/lib/www/views/profile.erb +49 -0
  32. data/lib/www/views/queue.erb +28 -0
  33. data/lib/www/views/resume.erb +135 -0
  34. data/lib/www/views/resume.erb~ +88 -0
  35. data/lib/www/views/samples.erb +20 -0
  36. data/lib/www/views/upload.erb +154 -0
  37. data/share/img/The_big_picture.pdf +0 -0
  38. data/test/tc_dorothy_full.rb +3 -0
  39. metadata +169 -70
  40. data/TODO +0 -27
  41. data/bin/dorothy_start +0 -225
  42. data/bin/dorothy_stop +0 -28
  43. data/bin/dparser_start +0 -94
  44. data/bin/dparser_stop +0 -31
  45. data/etc/dorothy copy.yml.example +0 -39
  46. data/etc/extensions.yml +0 -41
  47. data/share/update-dorothive.sql +0 -19
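--- a/data/lib/dorothy2/version.rb
+++ b/data/lib/dorothy2/version.rb
@@ -1,3 +1,3 @@
 module Dorothy
-VERSION = "1.2.0"
+VERSION = "2.0.0"
 end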
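--- a/data/lib/dorothy2/vtotal.rb
+++ b/data/lib/dorothy2/vtotal.rb
@@ -4,25 +4,32 @@
 
 module Dorothy
 
-class Vtotal < VirusTotal::VirusTotal
-attr_writer :api_key
-attr_reader :rate
-attr_reader :filehash
-attr_reader :scanid
-attr_reader :family
-attr_reader :permalink
-attr_reader :updated
-attr_reader :version
-attr_reader :vendor
-attr_reader :detected
-
-
-def initialize()
-@api_key = VTAPIKEY
-end
-
-
-def analyze_file(file)
+module Vtotal
+extend self
+
+def check_hash(hash)
+@api_key = DoroSettings.virustotal[:vtapikey]
+
+scans = Uirusu::VTFile.query_report(@api_key, hash)
+if (scans["response_code"] == 1 )
+
+positive = ( scans["positives"] > 0 ? true : false )
+@rate = scans["positives"].to_s + "/" + scans["total"].to_s
+@permalink = (scans["permalink"] != "-" ? scans["permalink"] : "null")
+@result_date = scans["scan_date"]
+@results = scans["scans"]
+
+
+return {:rate => @rate, :link => @permalink, :date => @result_date, :results => @results, :positive => positive}
+
+else
+LOGGER.error "VTOTAL", scans["verbose_msg"]
+return false
+end
+end
+
+
+def analyse_file(file)
 f = File.open(file, 'r')
 begin
 results = RestClient.post 'https://www.virustotal.com/vtapi/v2/file/scan' , { :key => @api_key, :file => f}
@@ -35,7 +42,10 @@ class Vtotal < VirusTotal::VirusTotal
 LOGGER.debug "DEBUG", "#{$!}"
 end
 return @scanid
-end
+end
+
+
+
 
 
 def get_report(id)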
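Review bot: `analyse_file` still posts `:key => @api_key` (the last context line of the first hunk), but with the class and its `initialize` gone, `@api_key` is now assigned only inside `check_hash`, so calling `analyse_file` on the module before `check_hash` sends a nil key to VirusTotal. Read the setting in `analyse_file` too, e.g. `@api_key = DoroSettings.virustotal[:vtapikey]` as its first line, or better move it into a small `api_key` helper both methods call; `get_report`, whose body lies outside the second hunk, may need the same. With `extend self` the `@rate`, `@permalink`, `@results` ivars now live on the module object and are shared by every caller — a comment stating that `check_hash` is not safe to call concurrently would help the next reader. The `"null"` string sentinel on `@permalink` is easily mistaken for a real link; `nil` is the idiomatic absence marker and the returned hash can carry it as is.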
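--- a/data/lib/mu/xtractr.rb
+++ b/data/lib/mu/xtractr.rb
@@ -12,18 +12,18 @@
 # * http://www.mudynamics.com
 # * http://labs.mudynamics.com
 
-require 'mu/xtractr/about'
-require 'mu/xtractr/content'
-require 'mu/xtractr/field'
-require 'mu/xtractr/flow'
-require 'mu/xtractr/flows'
+require File.dirname(__FILE__) + '/xtractr/about'
+require File.dirname(__FILE__) + '/xtractr/content'
+require File.dirname(__FILE__) + '/xtractr/field'
+require File.dirname(__FILE__) + '/xtractr/flow'
+require File.dirname(__FILE__) + '/xtractr/flows'
 require File.dirname(__FILE__) + '/xtractr/host' #overrides the gem one with the local (fixed for 1.9.3)
-require 'mu/xtractr/packet'
-require 'mu/xtractr/packets'
-require 'mu/xtractr/service'
-require 'mu/xtractr/stream'
-require 'mu/xtractr/term'
-require 'mu/xtractr/views'
+require File.dirname(__FILE__) + '/xtractr/packet'
+require File.dirname(__FILE__) + '/xtractr/packets'
+require File.dirname(__FILE__) + '/xtractr/service'
+require File.dirname(__FILE__) + '/xtractr/stream'
+require File.dirname(__FILE__) + '/xtractr/term'
+require File.dirname(__FILE__) + '/xtractr/views'
 
 module Mu # :nodoc:
 # = http://www.pcapr.net/static/image/favicon.png Mu::Xtractr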
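Review bot: The eleven new `require File.dirname(__FILE__) + '/xtractr/…'` lines use the pre-1.9 idiom; since the existing `host` line already says the local copy is fixed for 1.9.3, `require_relative 'xtractr/about'` (and likewise for the others, and for `require_relative 'stream/http'` in the stream.rb hunk) is shorter and resolves against this file's absolute path rather than a string concatenation. Replacing the `mu` gem's files with vendored copies also means these files stop receiving upstream fixes, so a short header comment naming the gem version they were copied from and the 1.9.3 change that motivated the fork would help whoever has to re-sync them later. The `#overrides the gem one` comment on the `host` line is now misleading, because every sibling is local too.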
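--- a/data/lib/mu/xtractr/stream.rb
+++ b/data/lib/mu/xtractr/stream.rb
@@ -129,4 +129,4 @@ end
 end # Xtractr
 end # Mu
 
-require 'mu/xtractr/stream/http'
+require File.dirname(__FILE__) + '/stream/http'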
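--- /dev/null
+++ b/data/lib/www/public/reset.css
@@ -0,0 +1,153 @@
+/*
+HTML5 ✰ Boilerplate
+
+style.css contains a reset, font normalization and some base styles.
+
+credit is left where credit is due.
+much inspiration was taken from these projects:
+yui.yahooapis.com/2.8.1/build/base/base.css
+camendesign.com/design/
+praegnanz.de/weblog/htmlcssjs-kickstart
+*/
+
+/*
+html5doctor.com Reset Stylesheet (Eric Meyer's Reset Reloaded + HTML5 baseline)
+v1.6.1 2010-09-17 | Authors: Eric Meyer & Richard Clark
+html5doctor.com/html-5-reset-stylesheet/
+*/
+
+html, body, div, span, object, iframe,
+h1, h2, h3, h4, h5, h6, p, blockquote, pre,
+abbr, address, cite, code, del, dfn, em, img, ins, kbd, q, samp,
+small, strong, sub, sup, var, b, i, dl, dt, dd, ol, ul, li,
+fieldset, form, label, legend,
+table, caption, tbody, tfoot, thead, tr, th, td,
+article, aside, canvas, details, figcaption, figure,
+footer, header, hgroup, menu, nav, section, summary,
+time, mark, audio, video {
+margin:0;
+padding:0;
+border:0;
+font-size:100%;
+font: inherit;
+vertical-align:baseline;
+}
+
+article, aside, details, figcaption, figure,
+footer, header, hgroup, menu, nav, section {
+display:block;
+}
+
+blockquote, q { quotes:none; }
+
+blockquote:before, blockquote:after,
+q:before, q:after { content:''; content:none; }
+
+ins { background-color:#ff9; color:#000; text-decoration:none; }
+
+mark { background-color:#ff9; color:#000; font-style:italic; font-weight:bold; }
+
+del { text-decoration: line-through; }
+
+abbr[title], dfn[title] { border-bottom:1px dotted; cursor:help; }
+
+table { border-collapse:collapse; border-spacing:0; }
+
+hr { display:block; height:1px; border:0; border-top:1px solid #ccc; margin:1em 0; padding:0; }
+
+input, select { vertical-align:middle; }
+
+/* END RESET CSS */
+
+/* font normalization inspired by from the YUI Library's fonts.css: developer.yahoo.com/yui/ */
+body { font:13px/1.231 sans-serif; *font-size:small; } /* hack retained to preserve specificity */
+select, input, textarea, button { font:99% sans-serif; }
+
+/* normalize monospace sizing
+* en.wikipedia.org/wiki/MediaWiki_talk:Common.css/Archive_11#Teletype_style_fix_for_Chrome */
+pre, code, kbd, samp { font-family: monospace, sans-serif; }
+
+/*
+* minimal base styles
+*/
+
+body, select, input, textarea {
+/* #444 looks better than black: twitter.com/H_FJ/statuses/11800719859 */
+color: #444;
+/* set your base font here, to apply evenly */
+/* font-family: Georgia, serif; */
+}
+
+/* headers (h1,h2,etc) have no default font-size or margin. define those yourself. */
+h1,h2,h3,h4,h5,h6 { font-weight: bold; }
+
+/* always force a scrollbar in non-IE: */
+html { overflow-y: scroll; }
+
+/* accessible focus treatment: people.opera.com/patrickl/experiments/keyboard/test */
+a:hover, a:active { outline: none; }
+
+a, a:active, a:visited { color: #607890; }
+a:hover { color: #036; }
+
+ul, ol { margin-left: 2em; }
+ol { list-style-type: decimal; }
+
+/* remove margins for navigation lists */
+nav ul, nav li { margin: 0; list-style:none; list-style-image: none; }
+
+small { font-size: 85%; }
+strong, th { font-weight: bold; }
+
+td { vertical-align: top; }
+
+/* set sub, sup without affecting line-height: gist.github.com/413930 */
+sub, sup { font-size: 75%; line-height: 0; position: relative; }
+sup { top: -0.5em; }
+sub { bottom: -0.25em; }
+
+pre {
+/* www.pathf.com/blogs/2008/05/formatting-quoted-code-in-blog-posts-css21-white-space-pre-wrap/ */
+white-space: pre; white-space: pre-wrap; white-space: pre-line; word-wrap: break-word;
+padding: 15px;
+}
+
+textarea { overflow: auto; } /* www.sitepoint.com/blogs/2010/08/20/ie-remove-textarea-scrollbars/ */
+
+.ie6 legend, .ie7 legend { margin-left: -7px; } /* thnx ivannikolic! */
+
+/* align checkboxes, radios, text inputs with their label by: Thierry Koblentz tjkdesign.com/ez-css/css/base.css */
+input[type="radio"] { vertical-align: text-bottom; }
+input[type="checkbox"] { vertical-align: bottom; }
+.ie7 input[type="checkbox"] { vertical-align: baseline; }
+.ie6 input { vertical-align: text-bottom; }
+
+/* hand cursor on clickable input elements */
+label, input[type="button"], input[type="submit"], input[type="image"], button { cursor: pointer; }
+
+/* webkit browsers add a 2px margin outside the chrome of form elements */
+button, input, select, textarea { margin: 0; }
+
+/* colors for form validity */
+input:valid, textarea:valid { }
+input:invalid, textarea:invalid {
+border-radius: 1px; -moz-box-shadow: 0px 0px 5px red; -webkit-box-shadow: 0px 0px 5px red; box-shadow: 0px 0px 5px red;
+}
+.no-boxshadow input:invalid, .no-boxshadow textarea:invalid { background-color: #f0dddd; }
+
+/* These selection declarations have to be separate.
+No text-shadow: twitter.com/miketaylr/status/12228805301
+Also: hot pink. */
+::-moz-selection{ background: #FF5E99; color:#fff; text-shadow: none; }
+::selection { background:#FF5E99; color:#fff; text-shadow: none; }
+
+/* j.mp/webkit-tap-highlight-color */
+a:link { -webkit-tap-highlight-color: #FF5E99; }
+
+/* make buttons play nice in IE:
+www.viget.com/inspire/styling-the-button-element-in-internet-explorer/ */
+button { width: auto; overflow: visible; }
+
+/* bicubic resizing for non-native sized IMG:
+code.flickr.com/blog/2008/11/12/on-ui-quality-the-little-things-client-side-image-resizing/ */
+.ie7 img { -ms-interpolation-mode: bicubic; }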
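--- /dev/null
+++ b/data/lib/www/public/style.css
@@ -0,0 +1,65 @@
+section {
+width: 800px;
+margin: 20px auto;
+}
+h1 {
+color: #3d3e43;
+font-size:250%;
+}
+table {
+width: 100%;
+}
+th {
+text-align: center;
+}
+tr {
+border-bottom: 1px solid #ddd;
+}
+
+tr:nth-child(odd) {
+background-color: #dedede;
+}
+tr:hover {
+background: #fffb8b;
+}
+td {
+padding: 10px 5px;
+text-align: center;
+}
+
+
+input {
+background: #fefefe;
+box-shadow: inset 0 0 6px #aaa;
+padding: 6px;
+border: none;
+width: 90%;
+margin: 4px;
+}
+input:focus {
+outline: none;
+box-shadow: inset 0 0 6px rgb(17, 148, 211);
+-webkit-transition: 0.2s all;
+background: rgba(17, 148, 211, 0.05);
+}
+input[type=submit] {
+background-color: #1194d3;
+background-image: -webkit-gradient(linear, left top, left bottom, from(rgb(17, 148, 211)), to(rgb(59, 95, 142)));
+background-image: -webkit-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+background-image: -moz-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+background-image: -o-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+background-image: -ms-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+background-image: linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
+filter: progid:DXImageTransform.Microsoft.gradient(GradientType=0,StartColorStr='#1194d3', EndColorStr='#3b5f8e');
+padding: 6px 9px;
+border-radius: 3px;
+color: #fff;
+text-shadow: 1px 1px 1px #0a3d52;
+border: none;
+width: 30%;
+}
+input[type=submit]:hover {
+background: #0a3d52;
+}
+.floatleft { float: left; }
+.floatright { float: right; }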
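Review bot: The unprefixed `linear-gradient(top, …)` in the `input[type=submit]` rule uses the legacy direction keyword; the standard syntax takes `to bottom`, so browsers that honour the unprefixed form will discard the declaration and fall back to the flat `background-color`. Change it to `background-image: linear-gradient(to bottom, rgb(17, 148, 211), rgb(59, 95, 142));` and keep it last so it wins where supported. The `-webkit-transition: 0.2s all;` in `input:focus` likewise has no unprefixed `transition` counterpart.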
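--- /dev/null
+++ b/data/lib/www/views/analyses.erb
@@ -0,0 +1,28 @@
+<h1>Analyses</h1>
+
+<table border="1" align="center">
+<tr>
+<th>ID</th>
+<th>Date</th>
+<th>Filename</th>
+<th>SHA256</th>
+<th>Source</th>
+<th>Sandbox</th>
+<th>Source_email</th>
+</tr>
+<% @analyses.each do |anal| %>
+<tr>
+<td><a href="/resume/<%= anal.id %>"><%= anal.id %></a></td>
+<td><%= anal.date %></td>
+<td><%= @samples.where(:sha256 => anal.sample).first.filename %></td>
+<td><%= anal.sample %></td>
+<td><%= @queue.where(:id => anal.queue_id).first.source %></td>
+<td><%= anal.sandbox %></td>
+<td>
+<% mailid = @sightings.where(:id => @queue.where( :id => anal.queue_id).first.sighting).first.src_email%>
+<a href="javascript:window.open('/email/view/<%= mailid %>','Email resume','width=600,height=400')"><%= mailid %></a>
+</td>
+</tr>
+<% end %>
+</table>
+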
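Review bot: `<%= @samples.where(:sha256 => anal.sample).first.filename %>` writes the sample's filename into the HTML unescaped, and the same applies to `@email.from`, `@email.subject`, `r.address` and `@email.message_id` in the email.erb section and `flow.title` in flows.erb; those values come from the submitted sample, its mail headers and captured traffic, so unless the app configures ERB to escape output (not visible in this diff) the analyst console renders whatever markup the submitter put there — a stored XSS in the one place defenders look at malicious input. Wrap each with `Rack::Utils.escape_html(...)`, e.g. `<td><%= Rack::Utils.escape_html(@samples.where(:sha256 => anal.sample).first.filename) %></td>`, or turn on escaping once in the app and use `<%== %>` only where raw output is intended. The `javascript:window.open('/email/view/<%= mailid %>', …)` href places a value inside a JS string literal, where HTML escaping alone does not help; if `src_email` is not guaranteed to be a numeric id, a plain `<a href="/email/view/<%= mailid %>" target="_blank">` avoids the inline script entirely. Each row also issues four lookups (`@samples.where`, `@queue.where` twice, `@sightings.where`); loading them keyed by id before the loop would avoid the per-row queries.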
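--- /dev/null
+++ b/data/lib/www/views/email.erb
@@ -0,0 +1,63 @@
+<h1>Email Resume</h1>
+
+<table border="1" align="center">
+
+<tr>
+<td>Date:</td>
+<td><%= @email.date %></td>
+</tr>
+
+<tr>
+<td>From:</td>
+<td><%= @email.from %></td>
+</tr>
+
+<tr>
+<td>To:</td>
+<td>
+<% @receivers.where(:mail_field => 'to').each do |r| %>
+<%= r.address %>
+<% end %>
+</td>
+</tr>
+
+
+<tr>
+<td>Cc:</td>
+<td>
+<% @receivers.where(:mail_field => 'cc').each do |r| %>
+<%= r.address %>
+<% end %>
+</td>
+</tr>
+
+<tr>
+<td>Subject:</td>
+<td><%= @email.subject %></td>
+</tr>
+
+<tr>
+<td>Body SHA2:</td>
+<td><%= @email.body_sha256 %></td>
+</tr>
+
+<tr>
+<td>Message ID:</td>
+<td><%= @email.message_id %></td>
+</tr>
+
+<tr>
+<td>Raw email</td>
+<td>[<a href="/email/download/<%= @email.id %>">Download</a>]</td>
+</tr>
+
+<% unless @email.forwarded_by.nil? %>
+<tr>
+<td>This email was included in</td>
+<td><a href="javascript:window.open('/email/view/<%= @email.forwarded_by %>','Email resume','width=600,height=400')"><%= @email.forwarded_by %></a></td>
+</tr>
+<% end %>
+</table>
+
+
+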
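Review bot: `<% unless @email.forwarded_by.nil? %>` is an explicit nil comparison; `<% if @email.forwarded_by %>` reads the same and is the idiomatic form. The label `Body SHA2:` sits next to `@email.body_sha256`, so `Body SHA256:` would match both the column and the `SHA256` header used in analyses.erb. The two `@receivers.where(...)` calls each run a query inside the view; fetching the receivers once in the route and splitting them by `mail_field` there keeps the template free of data access.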
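--- /dev/null
+++ b/data/lib/www/views/flows.erb
@@ -0,0 +1,30 @@
+<h1>Network Traffic Analysis</h1>
+
+<table border="1">
+<tr>
+<th>ID</th>
+<th>Time</th>
+<th>Duration</th>
+<th>Src Addr.</th>
+<th>Src Port</th>
+<th>Dst Addr</th>
+<th>Dst Port</th>
+<th>Service</th>
+<th>Title</th>
+<th>PCAP</th>
+</tr>
+<% @flows.each do |flow| %>
+<tr>
+<td><%= flow.relative_id %></td>
+<td><%= flow.time %></td>
+<td><%= flow.duration %></td>
+<td><%= flow.source %></td>
+<td><%= flow.srcport %></td>
+<td><%= flow.dest %></td>
+<td><%= flow.dstport %></td>
+<td><%= flow.service %></td>
+<td><%= flow.title %></td>
+<td><a href="http://<%=DoroSettings.pcapr[:host]%>:<%=DoroSettings.pcapr[:port]%>/pcaps/1/pcap/<%=@net_dumps.first.pcapr_id%>/api/flow/<%=flow.relative_id%>/pcap">P</a></td>
+</tr>
+<% end %>
+</table>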
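Review bot: The PCAP link reads `@net_dumps.first.pcapr_id` inside the loop, so an analysis whose `@net_dumps` is empty raises `NoMethodError` on nil while rendering instead of showing the table without links. Hoist the lookup once before the loop, `<% dump = @net_dumps.first %>`, and emit the anchor only `<% if dump %>`, which also avoids repeating the `DoroSettings.pcapr` reads per row (safe navigation is not available on the 1.9.3 the xtractr comment mentions). The link hard-codes the `http://` scheme in front of `DoroSettings.pcapr[:host]`; if the pcapr service can sit behind TLS, the scheme belongs in the setting as well.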