dorothy2 1.2.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +8 -8
- data/CHANGELOG +39 -14
- data/README.md +80 -62
- data/UPDATE +6 -14
- data/bin/dorothy2 +472 -0
- data/dorothy2.gemspec +22 -16
- data/etc/ddl/dorothive.ddl +619 -373
- data/etc/sources.yml.example +27 -2
- data/lib/doroGUI.rb +232 -0
- data/lib/doroParser.rb +34 -78
- data/lib/dorothy2.rb +288 -248
- data/lib/dorothy2/BFM.rb +114 -61
- data/lib/dorothy2/DEM.rb +3 -1
- data/lib/dorothy2/NAM.rb +2 -2
- data/lib/dorothy2/Settings.rb +2 -1
- data/lib/dorothy2/VSM.rb +2 -1
- data/lib/dorothy2/deep_symbolize.rb +2 -7
- data/lib/dorothy2/do-init.rb +286 -19
- data/lib/dorothy2/do-logger.rb +1 -1
- data/lib/dorothy2/do-utils.rb +382 -33
- data/lib/dorothy2/version.rb +1 -1
- data/lib/dorothy2/vtotal.rb +30 -20
- data/lib/mu/xtractr.rb +11 -11
- data/lib/mu/xtractr/stream.rb +1 -1
- data/lib/www/public/reset.css +153 -0
- data/lib/www/public/style.css +65 -0
- data/lib/www/views/analyses.erb +28 -0
- data/lib/www/views/email.erb +63 -0
- data/lib/www/views/flows.erb +30 -0
- data/lib/www/views/layout.erb +27 -0
- data/lib/www/views/profile.erb +49 -0
- data/lib/www/views/queue.erb +28 -0
- data/lib/www/views/resume.erb +135 -0
- data/lib/www/views/resume.erb~ +88 -0
- data/lib/www/views/samples.erb +20 -0
- data/lib/www/views/upload.erb +154 -0
- data/share/img/The_big_picture.pdf +0 -0
- data/test/tc_dorothy_full.rb +3 -0
- metadata +169 -70
- data/TODO +0 -27
- data/bin/dorothy_start +0 -225
- data/bin/dorothy_stop +0 -28
- data/bin/dparser_start +0 -94
- data/bin/dparser_stop +0 -31
- data/etc/dorothy copy.yml.example +0 -39
- data/etc/extensions.yml +0 -41
- data/share/update-dorothive.sql +0 -19
data/lib/dorothy2/version.rb
CHANGED
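--- a/data/lib/dorothy2/vtotal.rb
+++ b/data/lib/dorothy2/vtotal.rb
@@ -4,25 +4,32 @@
 
 module Dorothy
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+module Vtotal
+extend self
+
+def check_hash(hash)
+@api_key = DoroSettings.virustotal[:vtapikey]
+
+scans = Uirusu::VTFile.query_report(@api_key, hash)
+if (scans["response_code"] == 1 )
+
+positive = ( scans["positives"] > 0 ? true : false )
+@rate = scans["positives"].to_s + "/" + scans["total"].to_s
+@permalink = (scans["permalink"] != "-" ? scans["permalink"] : "null")
+@result_date = scans["scan_date"]
+@results = scans["scans"]
+
+
+return {:rate => @rate, :link => @permalink, :date => @result_date, :results => @results, :positive => positive}
+
+else
+LOGGER.error "VTOTAL", scans["verbose_msg"]
+return false
+end
+end
+
+
+def analyse_file(file)
 f = File.open(file, 'r')
 begin
 results = RestClient.post 'https://www.virustotal.com/vtapi/v2/file/scan' , { :key => @api_key, :file => f}
@@ -35,7 +42,10 @@ class Vtotal < VirusTotal::VirusTotal
 LOGGER.debug "DEBUG", "#{$!}"
 end
 return @scanid
-
+end
+
+
+
 
 
 def get_report(id)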
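Review bot: `analyse_file` reads `@api_key` but only `check_hash` assigns it (new line 11), so a submission made before any hash lookup posts to VirusTotal with `:key => nil`; add `@api_key ||= DoroSettings.virustotal[:vtapikey]` as the first line of `analyse_file`, or set it once at module load. The handle from `f = File.open(file, 'r')` is opened before the `begin` and nothing in the visible lines closes it; the `begin`/`rescue`/`end` closed in the second hunk should gain `ensure f.close`, or the open should become the block form `File.open(file, 'r') do |f| ... end`. `check_hash` returns a Hash on success and `false` on failure, and the success branch also stores the same values in module-level ivars (`@rate`, `@permalink`, `@result_date`, `@results`) that, because of `extend self`, are shared by every caller, so returning the hash alone and dropping the ivars would be cleaner. A comment on `analyse_file` should state that it uploads the sample itself to the VirusTotal `/file/scan` endpoint, which makes the file available to that service rather than just querying a hash, since an operator handling sensitive samples needs to know that before enabling it. The body of `analyse_file` starts in the first hunk and its `begin` block is closed in the second, so the rest of the request handling is outside this view.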
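--- a/data/lib/mu/xtractr.rb
+++ b/data/lib/mu/xtractr.rb
@@ -12,18 +12,18 @@
 # * http://www.mudynamics.com
 # * http://labs.mudynamics.com
 
-require '
-require '
-require '
-require '
-require '
+require File.dirname(__FILE__) + '/xtractr/about'
+require File.dirname(__FILE__) + '/xtractr/content'
+require File.dirname(__FILE__) + '/xtractr/field'
+require File.dirname(__FILE__) + '/xtractr/flow'
+require File.dirname(__FILE__) + '/xtractr/flows'
 require File.dirname(__FILE__) + '/xtractr/host' #overrides the gem one with the local (fixed for 1.9.3)
-require '
-require '
-require '
-require '
-require '
-require '
+require File.dirname(__FILE__) + '/xtractr/packet'
+require File.dirname(__FILE__) + '/xtractr/packets'
+require File.dirname(__FILE__) + '/xtractr/service'
+require File.dirname(__FILE__) + '/xtractr/stream'
+require File.dirname(__FILE__) + '/xtractr/term'
+require File.dirname(__FILE__) + '/xtractr/views'
 
 module Mu # :nodoc:
 # = http://www.pcapr.net/static/image/favicon.png Mu::Xtractr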
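Review bot: The eleven new `require File.dirname(__FILE__) + '/xtractr/...'` lines should be `require_relative 'xtractr/about'` and so on; `__FILE__` is whatever path the file was loaded under, so when it is relative the concatenated string is looked up through `$LOAD_PATH` rather than next to this file, which is exactly the case `require_relative` was added to handle. The trailing comment on the `host` line, `#overrides the gem one with the local (fixed for 1.9.3)`, now describes the whole block rather than one entry, so it is better moved above the first `require` as `# Local copies override the mu-xtractr gem's files (fixed for 1.9.3)`. Since every module is now loaded from the vendored copy instead of the gem, that comment should also record which upstream version was copied, otherwise later upstream fixes are silently missed; the vendored files themselves are not in this chunk, so whether they differ from the gem cannot be checked here.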
data/lib/mu/xtractr/stream.rb
CHANGED
@@ -0,0 +1,153 @@
|
|
1
|
+
/*
|
2
|
+
HTML5 ✰ Boilerplate
|
3
|
+
|
4
|
+
style.css contains a reset, font normalization and some base styles.
|
5
|
+
|
6
|
+
credit is left where credit is due.
|
7
|
+
much inspiration was taken from these projects:
|
8
|
+
yui.yahooapis.com/2.8.1/build/base/base.css
|
9
|
+
camendesign.com/design/
|
10
|
+
praegnanz.de/weblog/htmlcssjs-kickstart
|
11
|
+
*/
|
12
|
+
|
13
|
+
/*
|
14
|
+
html5doctor.com Reset Stylesheet (Eric Meyer's Reset Reloaded + HTML5 baseline)
|
15
|
+
v1.6.1 2010-09-17 | Authors: Eric Meyer & Richard Clark
|
16
|
+
html5doctor.com/html-5-reset-stylesheet/
|
17
|
+
*/
|
18
|
+
|
19
|
+
html, body, div, span, object, iframe,
|
20
|
+
h1, h2, h3, h4, h5, h6, p, blockquote, pre,
|
21
|
+
abbr, address, cite, code, del, dfn, em, img, ins, kbd, q, samp,
|
22
|
+
small, strong, sub, sup, var, b, i, dl, dt, dd, ol, ul, li,
|
23
|
+
fieldset, form, label, legend,
|
24
|
+
table, caption, tbody, tfoot, thead, tr, th, td,
|
25
|
+
article, aside, canvas, details, figcaption, figure,
|
26
|
+
footer, header, hgroup, menu, nav, section, summary,
|
27
|
+
time, mark, audio, video {
|
28
|
+
margin:0;
|
29
|
+
padding:0;
|
30
|
+
border:0;
|
31
|
+
font-size:100%;
|
32
|
+
font: inherit;
|
33
|
+
vertical-align:baseline;
|
34
|
+
}
|
35
|
+
|
36
|
+
article, aside, details, figcaption, figure,
|
37
|
+
footer, header, hgroup, menu, nav, section {
|
38
|
+
display:block;
|
39
|
+
}
|
40
|
+
|
41
|
+
blockquote, q { quotes:none; }
|
42
|
+
|
43
|
+
blockquote:before, blockquote:after,
|
44
|
+
q:before, q:after { content:''; content:none; }
|
45
|
+
|
46
|
+
ins { background-color:#ff9; color:#000; text-decoration:none; }
|
47
|
+
|
48
|
+
mark { background-color:#ff9; color:#000; font-style:italic; font-weight:bold; }
|
49
|
+
|
50
|
+
del { text-decoration: line-through; }
|
51
|
+
|
52
|
+
abbr[title], dfn[title] { border-bottom:1px dotted; cursor:help; }
|
53
|
+
|
54
|
+
table { border-collapse:collapse; border-spacing:0; }
|
55
|
+
|
56
|
+
hr { display:block; height:1px; border:0; border-top:1px solid #ccc; margin:1em 0; padding:0; }
|
57
|
+
|
58
|
+
input, select { vertical-align:middle; }
|
59
|
+
|
60
|
+
/* END RESET CSS */
|
61
|
+
|
62
|
+
/* font normalization inspired by from the YUI Library's fonts.css: developer.yahoo.com/yui/ */
|
63
|
+
body { font:13px/1.231 sans-serif; *font-size:small; } /* hack retained to preserve specificity */
|
64
|
+
select, input, textarea, button { font:99% sans-serif; }
|
65
|
+
|
66
|
+
/* normalize monospace sizing
|
67
|
+
* en.wikipedia.org/wiki/MediaWiki_talk:Common.css/Archive_11#Teletype_style_fix_for_Chrome */
|
68
|
+
pre, code, kbd, samp { font-family: monospace, sans-serif; }
|
69
|
+
|
70
|
+
/*
|
71
|
+
* minimal base styles
|
72
|
+
*/
|
73
|
+
|
74
|
+
body, select, input, textarea {
|
75
|
+
/* #444 looks better than black: twitter.com/H_FJ/statuses/11800719859 */
|
76
|
+
color: #444;
|
77
|
+
/* set your base font here, to apply evenly */
|
78
|
+
/* font-family: Georgia, serif; */
|
79
|
+
}
|
80
|
+
|
81
|
+
/* headers (h1,h2,etc) have no default font-size or margin. define those yourself. */
|
82
|
+
h1,h2,h3,h4,h5,h6 { font-weight: bold; }
|
83
|
+
|
84
|
+
/* always force a scrollbar in non-IE: */
|
85
|
+
html { overflow-y: scroll; }
|
86
|
+
|
87
|
+
/* accessible focus treatment: people.opera.com/patrickl/experiments/keyboard/test */
|
88
|
+
a:hover, a:active { outline: none; }
|
89
|
+
|
90
|
+
a, a:active, a:visited { color: #607890; }
|
91
|
+
a:hover { color: #036; }
|
92
|
+
|
93
|
+
ul, ol { margin-left: 2em; }
|
94
|
+
ol { list-style-type: decimal; }
|
95
|
+
|
96
|
+
/* remove margins for navigation lists */
|
97
|
+
nav ul, nav li { margin: 0; list-style:none; list-style-image: none; }
|
98
|
+
|
99
|
+
small { font-size: 85%; }
|
100
|
+
strong, th { font-weight: bold; }
|
101
|
+
|
102
|
+
td { vertical-align: top; }
|
103
|
+
|
104
|
+
/* set sub, sup without affecting line-height: gist.github.com/413930 */
|
105
|
+
sub, sup { font-size: 75%; line-height: 0; position: relative; }
|
106
|
+
sup { top: -0.5em; }
|
107
|
+
sub { bottom: -0.25em; }
|
108
|
+
|
109
|
+
pre {
|
110
|
+
/* www.pathf.com/blogs/2008/05/formatting-quoted-code-in-blog-posts-css21-white-space-pre-wrap/ */
|
111
|
+
white-space: pre; white-space: pre-wrap; white-space: pre-line; word-wrap: break-word;
|
112
|
+
padding: 15px;
|
113
|
+
}
|
114
|
+
|
115
|
+
textarea { overflow: auto; } /* www.sitepoint.com/blogs/2010/08/20/ie-remove-textarea-scrollbars/ */
|
116
|
+
|
117
|
+
.ie6 legend, .ie7 legend { margin-left: -7px; } /* thnx ivannikolic! */
|
118
|
+
|
119
|
+
/* align checkboxes, radios, text inputs with their label by: Thierry Koblentz tjkdesign.com/ez-css/css/base.css */
|
120
|
+
input[type="radio"] { vertical-align: text-bottom; }
|
121
|
+
input[type="checkbox"] { vertical-align: bottom; }
|
122
|
+
.ie7 input[type="checkbox"] { vertical-align: baseline; }
|
123
|
+
.ie6 input { vertical-align: text-bottom; }
|
124
|
+
|
125
|
+
/* hand cursor on clickable input elements */
|
126
|
+
label, input[type="button"], input[type="submit"], input[type="image"], button { cursor: pointer; }
|
127
|
+
|
128
|
+
/* webkit browsers add a 2px margin outside the chrome of form elements */
|
129
|
+
button, input, select, textarea { margin: 0; }
|
130
|
+
|
131
|
+
/* colors for form validity */
|
132
|
+
input:valid, textarea:valid { }
|
133
|
+
input:invalid, textarea:invalid {
|
134
|
+
border-radius: 1px; -moz-box-shadow: 0px 0px 5px red; -webkit-box-shadow: 0px 0px 5px red; box-shadow: 0px 0px 5px red;
|
135
|
+
}
|
136
|
+
.no-boxshadow input:invalid, .no-boxshadow textarea:invalid { background-color: #f0dddd; }
|
137
|
+
|
138
|
+
/* These selection declarations have to be separate.
|
139
|
+
No text-shadow: twitter.com/miketaylr/status/12228805301
|
140
|
+
Also: hot pink. */
|
141
|
+
::-moz-selection{ background: #FF5E99; color:#fff; text-shadow: none; }
|
142
|
+
::selection { background:#FF5E99; color:#fff; text-shadow: none; }
|
143
|
+
|
144
|
+
/* j.mp/webkit-tap-highlight-color */
|
145
|
+
a:link { -webkit-tap-highlight-color: #FF5E99; }
|
146
|
+
|
147
|
+
/* make buttons play nice in IE:
|
148
|
+
www.viget.com/inspire/styling-the-button-element-in-internet-explorer/ */
|
149
|
+
button { width: auto; overflow: visible; }
|
150
|
+
|
151
|
+
/* bicubic resizing for non-native sized IMG:
|
152
|
+
code.flickr.com/blog/2008/11/12/on-ui-quality-the-little-things-client-side-image-resizing/ */
|
153
|
+
.ie7 img { -ms-interpolation-mode: bicubic; }
|
@@ -0,0 +1,65 @@
|
|
1
|
+
section {
|
2
|
+
width: 800px;
|
3
|
+
margin: 20px auto;
|
4
|
+
}
|
5
|
+
h1 {
|
6
|
+
color: #3d3e43;
|
7
|
+
font-size:250%;
|
8
|
+
}
|
9
|
+
table {
|
10
|
+
width: 100%;
|
11
|
+
}
|
12
|
+
th {
|
13
|
+
text-align: center;
|
14
|
+
}
|
15
|
+
tr {
|
16
|
+
border-bottom: 1px solid #ddd;
|
17
|
+
}
|
18
|
+
|
19
|
+
tr:nth-child(odd) {
|
20
|
+
background-color: #dedede;
|
21
|
+
}
|
22
|
+
tr:hover {
|
23
|
+
background: #fffb8b;
|
24
|
+
}
|
25
|
+
td {
|
26
|
+
padding: 10px 5px;
|
27
|
+
text-align: center;
|
28
|
+
}
|
29
|
+
|
30
|
+
|
31
|
+
input {
|
32
|
+
background: #fefefe;
|
33
|
+
box-shadow: inset 0 0 6px #aaa;
|
34
|
+
padding: 6px;
|
35
|
+
border: none;
|
36
|
+
width: 90%;
|
37
|
+
margin: 4px;
|
38
|
+
}
|
39
|
+
input:focus {
|
40
|
+
outline: none;
|
41
|
+
box-shadow: inset 0 0 6px rgb(17, 148, 211);
|
42
|
+
-webkit-transition: 0.2s all;
|
43
|
+
background: rgba(17, 148, 211, 0.05);
|
44
|
+
}
|
45
|
+
input[type=submit] {
|
46
|
+
background-color: #1194d3;
|
47
|
+
background-image: -webkit-gradient(linear, left top, left bottom, from(rgb(17, 148, 211)), to(rgb(59, 95, 142)));
|
48
|
+
background-image: -webkit-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
49
|
+
background-image: -moz-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
50
|
+
background-image: -o-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
51
|
+
background-image: -ms-linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
52
|
+
background-image: linear-gradient(top, rgb(17, 148, 211), rgb(59, 95, 142));
|
53
|
+
filter: progid:DXImageTransform.Microsoft.gradient(GradientType=0,StartColorStr='#1194d3', EndColorStr='#3b5f8e');
|
54
|
+
padding: 6px 9px;
|
55
|
+
border-radius: 3px;
|
56
|
+
color: #fff;
|
57
|
+
text-shadow: 1px 1px 1px #0a3d52;
|
58
|
+
border: none;
|
59
|
+
width: 30%;
|
60
|
+
}
|
61
|
+
input[type=submit]:hover {
|
62
|
+
background: #0a3d52;
|
63
|
+
}
|
64
|
+
.floatleft { float: left; }
|
65
|
+
.floatright { float: right; }
|
@@ -0,0 +1,28 @@
|
|
1
|
+
<h1>Analyses</h1>
|
2
|
+
|
3
|
+
<table border="1" align="center">
|
4
|
+
<tr>
|
5
|
+
<th>ID</th>
|
6
|
+
<th>Date</th>
|
7
|
+
<th>Filename</th>
|
8
|
+
<th>SHA256</th>
|
9
|
+
<th>Source</th>
|
10
|
+
<th>Sandbox</th>
|
11
|
+
<th>Source_email</th>
|
12
|
+
</tr>
|
13
|
+
<% @analyses.each do |anal| %>
|
14
|
+
<tr>
|
15
|
+
<td><a href="/resume/<%= anal.id %>"><%= anal.id %></a></td>
|
16
|
+
<td><%= anal.date %></td>
|
17
|
+
<td><%= @samples.where(:sha256 => anal.sample).first.filename %></td>
|
18
|
+
<td><%= anal.sample %></td>
|
19
|
+
<td><%= @queue.where(:id => anal.queue_id).first.source %></td>
|
20
|
+
<td><%= anal.sandbox %></td>
|
21
|
+
<td>
|
22
|
+
<% mailid = @sightings.where(:id => @queue.where( :id => anal.queue_id).first.sighting).first.src_email%>
|
23
|
+
<a href="javascript:window.open('/email/view/<%= mailid %>','Email resume','width=600,height=400')"><%= mailid %></a>
|
24
|
+
</td>
|
25
|
+
</tr>
|
26
|
+
<% end %>
|
27
|
+
</table>
|
28
|
+
|
@@ -0,0 +1,63 @@
|
|
1
|
+
<h1>Email Resume</h1>
|
2
|
+
|
3
|
+
<table border="1" align="center">
|
4
|
+
|
5
|
+
<tr>
|
6
|
+
<td>Date:</td>
|
7
|
+
<td><%= @email.date %></td>
|
8
|
+
</tr>
|
9
|
+
|
10
|
+
<tr>
|
11
|
+
<td>From:</td>
|
12
|
+
<td><%= @email.from %></td>
|
13
|
+
</tr>
|
14
|
+
|
15
|
+
<tr>
|
16
|
+
<td>To:</td>
|
17
|
+
<td>
|
18
|
+
<% @receivers.where(:mail_field => 'to').each do |r| %>
|
19
|
+
<%= r.address %>
|
20
|
+
<% end %>
|
21
|
+
</td>
|
22
|
+
</tr>
|
23
|
+
|
24
|
+
|
25
|
+
<tr>
|
26
|
+
<td>Cc:</td>
|
27
|
+
<td>
|
28
|
+
<% @receivers.where(:mail_field => 'cc').each do |r| %>
|
29
|
+
<%= r.address %>
|
30
|
+
<% end %>
|
31
|
+
</td>
|
32
|
+
</tr>
|
33
|
+
|
34
|
+
<tr>
|
35
|
+
<td>Subject:</td>
|
36
|
+
<td><%= @email.subject %></td>
|
37
|
+
</tr>
|
38
|
+
|
39
|
+
<tr>
|
40
|
+
<td>Body SHA2:</td>
|
41
|
+
<td><%= @email.body_sha256 %></td>
|
42
|
+
</tr>
|
43
|
+
|
44
|
+
<tr>
|
45
|
+
<td>Message ID:</td>
|
46
|
+
<td><%= @email.message_id %></td>
|
47
|
+
</tr>
|
48
|
+
|
49
|
+
<tr>
|
50
|
+
<td>Raw email</td>
|
51
|
+
<td>[<a href="/email/download/<%= @email.id %>">Download</a>]</td>
|
52
|
+
</tr>
|
53
|
+
|
54
|
+
<% unless @email.forwarded_by.nil? %>
|
55
|
+
<tr>
|
56
|
+
<td>This email was included in</td>
|
57
|
+
<td><a href="javascript:window.open('/email/view/<%= @email.forwarded_by %>','Email resume','width=600,height=400')"><%= @email.forwarded_by %></a></td>
|
58
|
+
</tr>
|
59
|
+
<% end %>
|
60
|
+
</table>
|
61
|
+
|
62
|
+
|
63
|
+
|
@@ -0,0 +1,30 @@
|
|
1
|
+
<h1>Network Traffic Analysis</h1>
|
2
|
+
|
3
|
+
<table border="1">
|
4
|
+
<tr>
|
5
|
+
<th>ID</th>
|
6
|
+
<th>Time</th>
|
7
|
+
<th>Duration</th>
|
8
|
+
<th>Src Addr.</th>
|
9
|
+
<th>Src Port</th>
|
10
|
+
<th>Dst Addr</th>
|
11
|
+
<th>Dst Port</th>
|
12
|
+
<th>Service</th>
|
13
|
+
<th>Title</th>
|
14
|
+
<th>PCAP</th>
|
15
|
+
</tr>
|
16
|
+
<% @flows.each do |flow| %>
|
17
|
+
<tr>
|
18
|
+
<td><%= flow.relative_id %></td>
|
19
|
+
<td><%= flow.time %></td>
|
20
|
+
<td><%= flow.duration %></td>
|
21
|
+
<td><%= flow.source %></td>
|
22
|
+
<td><%= flow.srcport %></td>
|
23
|
+
<td><%= flow.dest %></td>
|
24
|
+
<td><%= flow.dstport %></td>
|
25
|
+
<td><%= flow.service %></td>
|
26
|
+
<td><%= flow.title %></td>
|
27
|
+
<td><a href="http://<%=DoroSettings.pcapr[:host]%>:<%=DoroSettings.pcapr[:port]%>/pcaps/1/pcap/<%=@net_dumps.first.pcapr_id%>/api/flow/<%=flow.relative_id%>/pcap">P</a></td>
|
28
|
+
</tr>
|
29
|
+
<% end %>
|
30
|
+
</table>
|
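Review bot: The values interpolated with `<%= %>` in the 28-line ERB hunk (which, by the file list at the top, appears to be data/lib/www/views/analyses.erb) are rendered unescaped, and several of them come from the analysed material rather than from the operator: the sample `filename`, the sighting's `src_email`, and in the following hunks `@email.from`, `@email.subject` and `flow.title`. Stock ERB does not escape output, so a crafted filename, mail header or HTTP title would be injected into the analyst's page, and `mailid` is additionally placed inside a JavaScript string in `href="javascript:window.open('/email/view/<%= mailid %>', ...)"`, where HTML escaping alone is not sufficient. Escape every interpolation, e.g. `<td><%= ERB::Util.html_escape(@samples.where(:sha256 => anal.sample).first.filename) %></td>` (a one-line `h` helper wrapping `ERB::Util.html_escape` keeps the views readable), and replace the `javascript:` href with a plain `<a href="/email/view/<%= ERB::Util.url_encode(mailid) %>" target="_blank">` so the identifier never lands inside script text. Whether the rendering layer already escapes cannot be confirmed from this chunk (`data/lib/doroGUI.rb` is listed but not shown). The section header on this page reads data/lib/mu/xtractr/stream.rb, but its five hunks are the new CSS and ERB view files listed at the top.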