dorothy2 1.2.0 → 2.0.0
- checksums.yaml +8 -8
- data/CHANGELOG +39 -14
- data/README.md +80 -62
- data/UPDATE +6 -14
- data/bin/dorothy2 +472 -0
- data/dorothy2.gemspec +22 -16
- data/etc/ddl/dorothive.ddl +619 -373
- data/etc/sources.yml.example +27 -2
- data/lib/doroGUI.rb +232 -0
- data/lib/doroParser.rb +34 -78
- data/lib/dorothy2.rb +288 -248
- data/lib/dorothy2/BFM.rb +114 -61
- data/lib/dorothy2/DEM.rb +3 -1
- data/lib/dorothy2/NAM.rb +2 -2
- data/lib/dorothy2/Settings.rb +2 -1
- data/lib/dorothy2/VSM.rb +2 -1
- data/lib/dorothy2/deep_symbolize.rb +2 -7
- data/lib/dorothy2/do-init.rb +286 -19
- data/lib/dorothy2/do-logger.rb +1 -1
- data/lib/dorothy2/do-utils.rb +382 -33
- data/lib/dorothy2/version.rb +1 -1
- data/lib/dorothy2/vtotal.rb +30 -20
- data/lib/mu/xtractr.rb +11 -11
- data/lib/mu/xtractr/stream.rb +1 -1
- data/lib/www/public/reset.css +153 -0
- data/lib/www/public/style.css +65 -0
- data/lib/www/views/analyses.erb +28 -0
- data/lib/www/views/email.erb +63 -0
- data/lib/www/views/flows.erb +30 -0
- data/lib/www/views/layout.erb +27 -0
- data/lib/www/views/profile.erb +49 -0
- data/lib/www/views/queue.erb +28 -0
- data/lib/www/views/resume.erb +135 -0
- data/lib/www/views/resume.erb~ +88 -0
- data/lib/www/views/samples.erb +20 -0
- data/lib/www/views/upload.erb +154 -0
- data/share/img/The_big_picture.pdf +0 -0
- data/test/tc_dorothy_full.rb +3 -0
- metadata +169 -70
- data/TODO +0 -27
- data/bin/dorothy_start +0 -225
- data/bin/dorothy_stop +0 -28
- data/bin/dparser_start +0 -94
- data/bin/dparser_stop +0 -31
- data/etc/dorothy copy.yml.example +0 -39
- data/etc/extensions.yml +0 -41
- data/share/update-dorothive.sql +0 -19
data/lib/dorothy2/version.rb
CHANGED
data/lib/dorothy2/vtotal.rb
CHANGED
@@ -4,25 +4,32 @@
|
|
4
4
|
|
5
5
|
module Dorothy
|
6
6
|
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
7
|
+
module Vtotal
|
8
|
+
extend self
|
9
|
+
|
10
|
+
def check_hash(hash)
|
11
|
+
@api_key = DoroSettings.virustotal[:vtapikey]
|
12
|
+
|
13
|
+
scans = Uirusu::VTFile.query_report(@api_key, hash)
|
14
|
+
if (scans["response_code"] == 1 )
|
15
|
+
|
16
|
+
positive = ( scans["positives"] > 0 ? true : false )
|
17
|
+
@rate = scans["positives"].to_s + "/" + scans["total"].to_s
|
18
|
+
@permalink = (scans["permalink"] != "-" ? scans["permalink"] : "null")
|
19
|
+
@result_date = scans["scan_date"]
|
20
|
+
@results = scans["scans"]
|
21
|
+
|
22
|
+
|
23
|
+
return {:rate => @rate, :link => @permalink, :date => @result_date, :results => @results, :positive => positive}
|
24
|
+
|
25
|
+
else
|
26
|
+
LOGGER.error "VTOTAL", scans["verbose_msg"]
|
27
|
+
return false
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
|
32
|
+
def analyse_file(file)
|
26
33
|
f = File.open(file, 'r')
|
27
34
|
begin
|
28
35
|
results = RestClient.post 'https://www.virustotal.com/vtapi/v2/file/scan' , { :key => @api_key, :file => f}
|
@@ -35,7 +42,10 @@ class Vtotal < VirusTotal::VirusTotal
|
|
35
42
|
LOGGER.debug "DEBUG", "#{$!}"
|
36
43
|
end
|
37
44
|
return @scanid
|
38
|
-
|
45
|
+
end
|
46
|
+
|
47
|
+
|
48
|
+
|
39
49
|
|
40
50
|
|
41
51
|
def get_report(id)
|
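Review bot: `analyse_file` (line 26 onward, continuing into the second hunk) still posts `:key => @api_key`, but after the rewrite that variable is only assigned inside `check_hash` (line 11), so calling `analyse_file` before any `check_hash` submits a nil key unless the key is set somewhere outside these hunks. Read it through one memoized reader, `def api_key; @api_key ||= DoroSettings.virustotal[:vtapikey]; end`, and use `api_key` from both methods. `f = File.open(file, 'r')` on line 33 is never closed on the rescue path; `File.open(file, 'rb') { |f| RestClient.post ... }` releases the handle either way. Since the module now uses `extend self`, the `@rate`/`@permalink`/`@results` assignments on lines 17-20 live on the shared module object and concurrent callers overwrite each other; the method already returns them in the hash, so they can be plain locals. `get_report` starts at the edge of the second hunk and is not reviewed here.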
data/lib/mu/xtractr.rb
CHANGED
@@ -12,18 +12,18 @@
|
|
12
12
|
# * http://www.mudynamics.com
|
13
13
|
# * http://labs.mudynamics.com
|
14
14
|
|
15
|
-
require '
|
16
|
-
require '
|
17
|
-
require '
|
18
|
-
require '
|
19
|
-
require '
|
15
|
+
require File.dirname(__FILE__) + '/xtractr/about'
|
16
|
+
require File.dirname(__FILE__) + '/xtractr/content'
|
17
|
+
require File.dirname(__FILE__) + '/xtractr/field'
|
18
|
+
require File.dirname(__FILE__) + '/xtractr/flow'
|
19
|
+
require File.dirname(__FILE__) + '/xtractr/flows'
|
20
20
|
require File.dirname(__FILE__) + '/xtractr/host' #overrides the gem one with the local (fixed for 1.9.3)
|
21
|
-
require '
|
22
|
-
require '
|
23
|
-
require '
|
24
|
-
require '
|
25
|
-
require '
|
26
|
-
require '
|
21
|
+
require File.dirname(__FILE__) + '/xtractr/packet'
|
22
|
+
require File.dirname(__FILE__) + '/xtractr/packets'
|
23
|
+
require File.dirname(__FILE__) + '/xtractr/service'
|
24
|
+
require File.dirname(__FILE__) + '/xtractr/stream'
|
25
|
+
require File.dirname(__FILE__) + '/xtractr/term'
|
26
|
+
require File.dirname(__FILE__) + '/xtractr/views'
|
27
27
|
|
28
28
|
module Mu # :nodoc:
|
29
29
|
# = http://www.pcapr.net/static/image/favicon.png Mu::Xtractr
|
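Review bot: The new requires on lines 15-26 build each path as `File.dirname(__FILE__) + '/xtractr/...'`; `require_relative 'xtractr/about'` (Ruby 1.9.2+, and the comment on line 20 says this tree targets 1.9.3) expresses the same intent without string concatenation and always resolves from this file's absolute location. Because `$LOADED_FEATURES` is keyed by the path string, the concatenated form can load a file twice when `__FILE__` is relative in one entry point and absolute in another. The removed lines (shown truncated as `require '`) presumably loaded the same files from the mu-xtractr gem, so this change effectively vendors the gem's source into dorothy2; a header comment such as `# vendored from mu-xtractr (fixed for 1.9.3); the gem copy is not loaded, so gem updates do not reach these files` would make that supply-chain choice explicit to the next maintainer.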
data/lib/mu/xtractr/stream.rb
CHANGED
@@ -0,0 +1,153 @@
|
|
1
|
+
/*
|
2
|
+
HTML5 ✰ Boilerplate
|
3
|
+
|
4
|
+
style.css contains a reset, font normalization and some base styles.
|
5
|
+
|
6
|
+
credit is left where credit is due.
|
7
|
+
much inspiration was taken from these projects:
|
8
|
+
yui.yahooapis.com/2.8.1/build/base/base.css
|
9
|
+
camendesign.com/design/
|
10
|
+
praegnanz.de/weblog/htmlcssjs-kickstart
|
11
|
+
*/
|
12
|
+
|
13
|
+
/*
|
14
|
+
html5doctor.com Reset Stylesheet (Eric Meyer's Reset Reloaded + HTML5 baseline)
|
15
|
+
v1.6.1 2010-09-17 | Authors: Eric Meyer & Richard Clark
|
16
|
+
html5doctor.com/html-5-reset-stylesheet/
|
17
|
+
*/
|
18
|
+
|
19
|
+
html, body, div, span, object, iframe,
|
20
|
+
h1, h2, h3, h4, h5, h6, p, blockquote, pre,
|
21
|
+
abbr, address, cite, code, del, dfn, em, img, ins, kbd, q, samp,
|
22
|
+
small, strong, sub, sup, var, b, i, dl, dt, dd, ol, ul, li,
|
23
|
+
fieldset, form, label, legend,
|
24
|
+
table, caption, tbody, tfoot, thead, tr, th, td,
|
25
|
+
article, aside, canvas, details, figcaption, figure,
|
26
|
+
footer, header, hgroup, menu, nav, section, summary,
|
27
|
+
time, mark, audio, video {
|
28
|
+
margin:0;
|
29
|
+
padding:0;
|
30
|
+
border:0;
|
31
|
+
font-size:100%;
|
32
|
+
font: inherit;
|
33
|
+
vertical-align:baseline;
|
34
|
+
}
|
35
|
+
|
36
|
+
article, aside, details, figcaption, figure,
|
37
|
+
footer, header, hgroup, menu, nav, section {
|
38
|
+
display:block;
|
39
|
+
}
|
40
|
+
|
41
|
+
blockquote, q { quotes:none; }
|
42
|
+
|
43
|
+
blockquote:before, blockquote:after,
|
44
|
+
q:before, q:after { content:''; content:none; }
|
45
|
+
|
46
|
+
ins { background-color:#ff9; color:#000; text-decoration:none; }
|
47
|
+
|
48
|
+
mark { background-color:#ff9; color:#000; font-style:italic; font-weight:bold; }
|
49
|
+
|
50
|
+
del { text-decoration: line-through; }
|
51
|
+
|
52
|
+
abbr[title], dfn[title] { border-bottom:1px dotted; cursor:help; }
|
53
|
+
|
54
|
+
table { border-collapse:collapse; border-spacing:0; }
|
55
|
+
|
56
|
+
hr { display:block; height:1px; border:0; border-top:1px solid #ccc; margin:1em 0; padding:0; }
|
57
|
+
|
58
|
+
input, select { vertical-align:middle; }
|
59
|
+
|
60
|
+
/* END RESET CSS */
|
61
|
+
|
62
|
+
/* font normalization inspired by from the YUI Library's fonts.css: developer.yahoo.com/yui/ */
|
63
|
+
body { font:13px/1.231 sans-serif; *font-size:small; } /* hack retained to preserve specificity */
|
64
|
+
select, input, textarea, button { font:99% sans-serif; }
|
65
|
+
|
66
|
+
/* normalize monospace sizing
|
67
|
+
* en.wikipedia.org/wiki/MediaWiki_talk:Common.css/Archive_11#Teletype_style_fix_for_Chrome */
|
68
|
+
pre, code, kbd, samp { font-family: monospace, sans-serif; }
|
69
|
+
|
70
|
+
/*
|
71
|
+
* minimal base styles
|
72
|
+
*/
|
73
|
+
|
74
|
+
body, select, input, textarea {
|
75
|
+
/* #444 looks better than black: twitter.com/H_FJ/statuses/11800719859 */
|
76
|
+
color: #444;
|
77
|
+
/* set your base font here, to apply evenly */
|
78
|
+
/* font-family: Georgia, serif; */
|
79
|
+
}
|
80
|
+
|
81
|
+
/* headers (h1,h2,etc) have no default font-size or margin. define those yourself. */
|
82
|
+
h1,h2,h3,h4,h5,h6 { font-weight: bold; }
|
83
|
+
|
84
|
+
/* always force a scrollbar in non-IE: */
|
85
|
+
html { overflow-y: scroll; }
|
86
|
+
|
87
|
+
/* accessible focus treatment: people.opera.com/patrickl/experiments/keyboard/test */
|
88
|
+
a:hover, a:active { outline: none; }
|
89
|
+
|
90
|
+
a, a:active, a:visited { color: #607890; }
|
91
|
+
a:hover { color: #036; }
|
92
|
+
|
93
|
+
ul, ol { margin-left: 2em; }
|
94
|
+
ol { list-style-type: decimal; }
|
95
|
+
|
96
|
+
/* remove margins for navigation lists */
|
97
|
+
nav ul, nav li { margin: 0; list-style:none; list-style-image: none; }
|
98
|
+
|
99
|
+
small { font-size: 85%; }
|
100
|
+
strong, th { font-weight: bold; }
|
101
|
+
|
102
|
+
td { vertical-align: top; }
|
103
|
+
|
104
|
+
/* set sub, sup without affecting line-height: gist.github.com/413930 */
|
105
|
+
sub, sup { font-size: 75%; line-height: 0; position: relative; }
|
106
|
+
sup { top: -0.5em; }
|
107
|
+
sub { bottom: -0.25em; }
|
108
|
+
|
109
|
+
pre {
|
110
|
+
/* www.pathf.com/blogs/2008/05/formatting-quoted-code-in-blog-posts-css21-white-space-pre-wrap/ */
|
111
|
+
white-space: pre; white-space: pre-wrap; white-space: pre-line; word-wrap: break-word;
|
112
|
+
padding: 15px;
|
113
|
+
}
|
114
|
+
|
115
|
+
textarea { overflow: auto; } /* www.sitepoint.com/blogs/2010/08/20/ie-remove-textarea-scrollbars/ */
|
116
|
+
|
117
|
+
.ie6 legend, .ie7 legend { margin-left: -7px; } /* thnx ivannikolic! */
|
118
|
+
|
119
|
+
/* align checkboxes, radios, text inputs with their label by: Thierry Koblentz tjkdesign.com/ez-css/css/base.css */
|
120
|
+
input[type="radio"] { vertical-align: text-bottom; }
|
121
|
+
input[type="checkbox"] { vertical-align: bottom; }
|
122
|
+
.ie7 input[type="checkbox"] { vertical-align: baseline; }
|
123
|
+
.ie6 input { vertical-align: text-bottom; }
|
124
|
+
|
125
|
+
/* hand cursor on clickable input elements */
|
126
|
+
label, input[type="button"], input[type="submit"], input[type="image"], button { cursor: pointer; }
|
127
|
+
|
128
|
+
/* webkit browsers add a 2px margin outside the chrome of form elements */
|
129
|
+
button, input, select, textarea { margin: 0; }
|
130
|
+
|
131
|
+
/* colors for form validity */
|
132
|
+
input:valid, textarea:valid { }
|
133
|
+
input:invalid, textarea:invalid {
|
134
|
+
border-radius: 1px; -moz-box-shadow: 0px 0px 5px red; -webkit-box-shadow: 0px 0px 5px red; box-shadow: 0px 0px 5px red;
|
135
|
+
}
|
136
|
+
.no-boxshadow input:invalid, .no-boxshadow textarea:invalid { background-color: #f0dddd; }
|
137
|
+
|
138
|
+
/* These selection declarations have to be separate.
|
139
|
+
No text-shadow: twitter.com/miketaylr/status/12228805301
|
140
|
+
Also: hot pink. */
|
141
|
+
::-moz-selection{ background: #FF5E99; color:#fff; text-shadow: none; }
|
142
|
+
::selection { background:#FF5E99; color:#fff; text-shadow: none; }
|
143
|
+
|
144
|
+
/* j.mp/webkit-tap-highlight-color */
|
145
|
+
a:link { -webkit-tap-highlight-color: #FF5E99; }
|
146
|
+
|
147
|
+
/* make buttons play nice in IE:
|
148
|
+
www.viget.com/inspire/styling-the-button-element-in-internet-explorer/ */
|
149
|
+
button { width: auto; overflow: visible; }
|
150
|
+
|
151
|
+
/* bicubic resizing for non-native sized IMG:
|
152
|
+
code.flickr.com/blog/2008/11/12/on-ui-quality-the-little-things-client-side-image-resizing/ */
|
153
|
+
.ie7 img { -ms-interpolation-mode: bicubic; }
|
@@ -0,0 +1,65 @@
|
|
1
|
+
section {
|
2
|
+
width: 800px;
|
3
|
+
margin: 20px auto;
|
4
|
+
}
|
5
|
+
h1 {
|
6
|
+
color: #3d3e43;
|
7
|
+
font-size:250%;
|
8
|
+
}
|
9
|
+
table {
|
10
|
+
width: 100%;
|
11
|
+
}
|
12
|
+
th {
|
13
|
+
text-align: center;
|
14
|
+
}
|
15
|
+
tr {
|
16
|
+
border-bottom: 1px solid #ddd;
|
17
|
+
}
|
18
|
+
|
19
|
+
tr:nth-child(odd) {
|
20
|
+
background-color: #dedede;
|
21
|
+
}
|
22
|
+
tr:hover {
|
23
|
+
background: #fffb8b;
|
24
|
+
}
|
25
|
+
td {
|
26
|
+
padding: 10px 5px;
|
27
|
+
text-align: center;
|
28
|
+
}
|
29
|
+
|
30
|
+
|
31
|
+
input {
|
32
|
+
background: #fefefe;
|
33
|
+
box-shadow: inset 0 0 6px #aaa;
|
34
|
+
padding: 6px;
|
35
|
+
border: none;
|
36
|
+
width: 90%;
|
37
|
+
margin: 4px;
|
38
|
+
}
|
39
|
+
input:focus {
|
40
|
+
outline: none;
|
41
|
+
box-shadow: inset 0 0 6px rgb(17, 148, 211);
|
42
|
+
-webkit-transition: 0.2s all;
|
43
|
+
background: rgba(17, 148, 211, 0.05);
|
44
|
+
}
|
45
|
+
input[type=submit] {
|
46
|
+
background-color: #1194d3;
|
47
|
+
background-image: -webkit-gradient(linear, left top, left bottom, from(rgb(17, 148, 211)), to(rgb(59, 95, 142)));
|
48
|
+
background-image: -webkit-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
49
|
+
background-image: -moz-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
50
|
+
background-image: -o-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
51
|
+
background-image: -ms-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
52
|
+
background-image: linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
53
|
+
filter: progid:DXImageTransform.Microsoft.gradient(GradientType=0,StartColorStr='#1194d3', EndColorStr='#3b5f8e');
|
54
|
+
padding: 6px 9px;
|
55
|
+
border-radius: 3px;
|
56
|
+
color: #fff;
|
57
|
+
text-shadow: 1px 1px 1px #0a3d52;
|
58
|
+
border: none;
|
59
|
+
width: 30%;
|
60
|
+
}
|
61
|
+
input[type=submit]:hover {
|
62
|
+
background: #0a3d52;
|
63
|
+
}
|
64
|
+
.floatleft { float: left; }
|
65
|
+
.floatright { float: right; }
|
@@ -0,0 +1,28 @@
|
|
1
|
+
<h1>Analyses</h1>
|
2
|
+
|
3
|
+
<table border="1" align="center">
|
4
|
+
<tr>
|
5
|
+
<th>ID</th>
|
6
|
+
<th>Date</th>
|
7
|
+
<th>Filename</th>
|
8
|
+
<th>SHA256</th>
|
9
|
+
<th>Source</th>
|
10
|
+
<th>Sandbox</th>
|
11
|
+
<th>Source_email</th>
|
12
|
+
</tr>
|
13
|
+
<% @analyses.each do |anal| %>
|
14
|
+
<tr>
|
15
|
+
<td><a href="/resume/<%= anal.id %>"><%= anal.id %></a></td>
|
16
|
+
<td><%= anal.date %></td>
|
17
|
+
<td><%= @samples.where(:sha256 => anal.sample).first.filename %></td>
|
18
|
+
<td><%= anal.sample %></td>
|
19
|
+
<td><%= @queue.where(:id => anal.queue_id).first.source %></td>
|
20
|
+
<td><%= anal.sandbox %></td>
|
21
|
+
<td>
|
22
|
+
<% mailid = @sightings.where(:id => @queue.where( :id => anal.queue_id).first.sighting).first.src_email%>
|
23
|
+
<a href="javascript:window.open('/email/view/<%= mailid %>','Email resume','width=600,height=400')"><%= mailid %></a>
|
24
|
+
</td>
|
25
|
+
</tr>
|
26
|
+
<% end %>
|
27
|
+
</table>
|
28
|
+
|
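Review bot: Every `<%= %>` in this view (lines 15-23) emits its value raw, and the filename from `@samples` and the `src_email` from `@sightings` originate in submitted samples and incoming mail, i.e. attacker-controlled data, so a crafted filename or sender address becomes stored XSS in the analyst's browser, assuming the template engine does not escape by default (Sinatra's ERB does not). Escape each interpolation, e.g. `<td><%= Rack::Utils.escape_html(@samples.where(:sha256 => anal.sample).first.filename) %></td>`, and do the same for `mailid`, which on line 23 is additionally spliced into a `javascript:` URL where escaping alone is not enough if the value can be anything but an integer id. The three `.where(...).first` lookups per row also issue three queries per analysis from inside the template; resolving them in the route with a join keeps the view to presentation only.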
@@ -0,0 +1,63 @@
|
|
1
|
+
<h1>Email Resume</h1>
|
2
|
+
|
3
|
+
<table border="1" align="center">
|
4
|
+
|
5
|
+
<tr>
|
6
|
+
<td>Date:</td>
|
7
|
+
<td><%= @email.date %></td>
|
8
|
+
</tr>
|
9
|
+
|
10
|
+
<tr>
|
11
|
+
<td>From:</td>
|
12
|
+
<td><%= @email.from %></td>
|
13
|
+
</tr>
|
14
|
+
|
15
|
+
<tr>
|
16
|
+
<td>To:</td>
|
17
|
+
<td>
|
18
|
+
<% @receivers.where(:mail_field => 'to').each do |r| %>
|
19
|
+
<%= r.address %>
|
20
|
+
<% end %>
|
21
|
+
</td>
|
22
|
+
</tr>
|
23
|
+
|
24
|
+
|
25
|
+
<tr>
|
26
|
+
<td>Cc:</td>
|
27
|
+
<td>
|
28
|
+
<% @receivers.where(:mail_field => 'cc').each do |r| %>
|
29
|
+
<%= r.address %>
|
30
|
+
<% end %>
|
31
|
+
</td>
|
32
|
+
</tr>
|
33
|
+
|
34
|
+
<tr>
|
35
|
+
<td>Subject:</td>
|
36
|
+
<td><%= @email.subject %></td>
|
37
|
+
</tr>
|
38
|
+
|
39
|
+
<tr>
|
40
|
+
<td>Body SHA2:</td>
|
41
|
+
<td><%= @email.body_sha256 %></td>
|
42
|
+
</tr>
|
43
|
+
|
44
|
+
<tr>
|
45
|
+
<td>Message ID:</td>
|
46
|
+
<td><%= @email.message_id %></td>
|
47
|
+
</tr>
|
48
|
+
|
49
|
+
<tr>
|
50
|
+
<td>Raw email</td>
|
51
|
+
<td>[<a href="/email/download/<%= @email.id %>">Download</a>]</td>
|
52
|
+
</tr>
|
53
|
+
|
54
|
+
<% unless @email.forwarded_by.nil? %>
|
55
|
+
<tr>
|
56
|
+
<td>This email was included in</td>
|
57
|
+
<td><a href="javascript:window.open('/email/view/<%= @email.forwarded_by %>','Email resume','width=600,height=400')"><%= @email.forwarded_by %></a></td>
|
58
|
+
</tr>
|
59
|
+
<% end %>
|
60
|
+
</table>
|
61
|
+
|
62
|
+
|
63
|
+
|
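Review bot: `@email.from`, `@email.subject` and each `r.address` (lines 12, 19, 29, 36) are rendered unescaped, and these fields come verbatim from mail delivered to the collection mailbox, the least trusted input this GUI handles, so a `<script>` in a Subject header executes for whoever opens the resume, assuming the engine does not auto-escape (Sinatra ERB does not). Wrap each with an HTML-escaping helper, e.g. `<td><%= Rack::Utils.escape_html(@email.subject) %></td>`. `@email.forwarded_by` on line 57 is interpolated into a `javascript:` href; if it is not guaranteed to be an integer id, a plain `<a href="/email/view/<%= @email.forwarded_by.to_i %>" target="_blank">` is safer than a script URL. The raw-email download link on line 51 hands the original message to the browser, so the `/email/download` route (outside this hunk) should send `Content-Disposition: attachment` and a non-HTML content type so the message is never rendered inline.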
@@ -0,0 +1,30 @@
|
|
1
|
+
<h1>Network Traffic Analysis</h1>
|
2
|
+
|
3
|
+
<table border="1">
|
4
|
+
<tr>
|
5
|
+
<th>ID</th>
|
6
|
+
<th>Time</th>
|
7
|
+
<th>Duration</th>
|
8
|
+
<th>Src Addr.</th>
|
9
|
+
<th>Src Port</th>
|
10
|
+
<th>Dst Addr</th>
|
11
|
+
<th>Dst Port</th>
|
12
|
+
<th>Service</th>
|
13
|
+
<th>Title</th>
|
14
|
+
<th>PCAP</th>
|
15
|
+
</tr>
|
16
|
+
<% @flows.each do |flow| %>
|
17
|
+
<tr>
|
18
|
+
<td><%= flow.relative_id %></td>
|
19
|
+
<td><%= flow.time %></td>
|
20
|
+
<td><%= flow.duration %></td>
|
21
|
+
<td><%= flow.source %></td>
|
22
|
+
<td><%= flow.srcport %></td>
|
23
|
+
<td><%= flow.dest %></td>
|
24
|
+
<td><%= flow.dstport %></td>
|
25
|
+
<td><%= flow.service %></td>
|
26
|
+
<td><%= flow.title %></td>
|
27
|
+
<td><a href="http://<%=DoroSettings.pcapr[:host]%>:<%=DoroSettings.pcapr[:port]%>/pcaps/1/pcap/<%=@net_dumps.first.pcapr_id%>/api/flow/<%=flow.relative_id%>/pcap">P</a></td>
|
28
|
+
</tr>
|
29
|
+
<% end %>
|
30
|
+
</table>
|
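Review bot: `flow.title` and `flow.service` (lines 25-26) are presumably derived from the captured malware traffic and are rendered without escaping, so whoever controls the remote end of a flow can inject markup into the analyst's page; escape them, e.g. `<td><%= Rack::Utils.escape_html(flow.title) %></td>`, assuming the engine does not auto-escape (Sinatra ERB does not). The PCAP link on line 27 is hard-coded to `http://` toward `DoroSettings.pcapr[:host]`, so flow downloads travel in clear text; either make the scheme configurable (`<%= DoroSettings.pcapr[:scheme] || 'http' %>://...`) or document that pcapr must sit on a trusted network. `@net_dumps.first.pcapr_id` is also evaluated per row and raises NoMethodError when no dump exists for the analysis; guard the link with `<% if (dump = @net_dumps.first) %>` and use `dump.pcapr_id`.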