dorothy2 1.1.0 → 1.2.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    YzVhOTZjZDZjMjNiMThjNGJhZWM5ZGFhZmMyNTViZjk3NTVhNzAyMA==
+  data.tar.gz: !binary |-
+    NWI4ODIzZGU1NTJhZDA5ZDIxYTJjNjE2Mzk4ZmI5MmFlOGNiMGRmOQ==
+SHA512:
+  metadata.gz: !binary |-
+    NWM0OTBlMDFjNmUwMTg4NjYzYWY3Zjc5NTdiOWRkYTUyOWM0YzY2Yjg0YzY3
+    MDg2YTFiOWZhZTU5YzEwODIzNzIxNzRmODcwMjBlODhhMTg3ZTk5YTJkYzYx
+    NGRmMGY5NjRhNzExYjJkMDg4ZWIyMWQyOWU2MzE2MDcyY2YxOWY=
+  data.tar.gz: !binary |-
+    ZGFmNWJiMDg2NmEwYTFjNzFjMWU0MGMxM2E5NGVlOTdjMWY1ZDJlZjBlYWVm
+    NWQxZmI4M2MzOWM0MzgyYzczNDNmNTgwY2I0ZTM2MGE5MTlhODg5NjA2ODcy
+    ZDgwZjA1NWNiOTc5NmY5NGVlZWIyYjQyNjMwZjEwM2JiMTVlM2U=

data/CHANGELOG

@@ -0,0 +1,14 @@
+Dorothy 1.2.0
+
+dorothy.yml
+     added sandbox’s network (needed by DEM)
+     added GeoIP.ISP 
+
+fix dparser
+     iconv deprecated
+     added GeoIP.ISP
+     removed lot of unused classes in DEM
+ 
+dorothive
+    samples.hash -> sample.sha256
+    traffic_dumps.hash -> traffic_dumps.sha256

data/README.md

@@ -50,7 +50,7 @@ very [modular](http://www.honeynet.it/wp-content/uploads/The_big_picture.pdf),an
 Dorothy needs the following software (not expressly in the same host) in order to be executed:
 
 * VMWare ESX >= 5.0  (tip: if you download ESXi, you can evaluate ESX for 30 days)
-* Ruby 1.8.7
+* Ruby 1.9.3
 * Postgres >= 9.0
 * At least one Windows virtual machine
 * One unix-like machine dedicated to the Network Analysis Engine(NAM) (tcpdump/ssh needed)
@@ -89,7 +89,7 @@ It is recommended to follow this step2step process:
  * Configure a static IP
  * After configuring everything on the Guest OS, create a snapshot of the sandbox VM from vSphere console. Dorothy will use it when reverting the VM after a binary execution.
 
-3. From vSphere, create a unix VM dedicated to the NAM
+4. From vSphere, create a unix VM dedicated to the NAM
 
 
 * Install tcpdump and sudo
@@ -113,7 +113,7 @@ It is recommended to follow this step2step process:
 
 * If you want to install pcapr on this machine (if you want to use dorohy from a MacOSX machine, you have to do it) install also these packages  (refer to this blog [post](https://github.com/pcapr-local/pcapr-local) for a detailed howto). However, if you are installing Dorothy into a Linux machine, I recommended you to install pcapr on the same machine where the Dorothy gem was installed.
 
-        #apt-get install ruby1.8 rubygems  tshark zip couchdb
+        #apt-get install ruby1.9.3 rubygems  tshark zip couchdb
 
 * Start the couchdb server
 
@@ -139,11 +139,15 @@ It is recommended to follow this step2step process:
 
         http//{ip-used-by-NAM}:8000
 
-4 From vSphere, configure the NIC on the virtual machine that will be used for the network sniffing purpose (NAM).
+5 From vSphere, configure the NIC on the virtual machine that will be used for the network sniffing purpose (NAM).
        >The vSwitch where the vNIC resides must allow the promisc mode, to enable it from vSphere:
 
        >Configuration->Networking->Proprieties on the vistualSwitch used for the analysis->Double click on the virtual network used for the analysis->Securiry->Tick "Promiscuous Mode", then select "Accept" from the list menu.
 
+>WARNING:
+If you are virtualizing ESX from a Linux host machine, remember to give the right privileges to the network interface used by VM Player / Workstation in order [to allow](http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=287) promiscuous mode:
+
+       > chmod a+rw /dev/vmnet0
 
 #### * Sample Setups
 1. Basic setup
@@ -175,7 +179,7 @@ or
 
 3. Install the following packages
 
-        $sudo apt-get install ruby1.8 rubygems postgresql-server-dev-9.1 libxml2-dev  libxslt1-dev libmagic-dev
+        $sudo apt-get install ruby1.9.3 rubygems postgresql-server-dev-9.1 libxml2-dev  libxslt1-dev libmagic-dev
 
 >For OSX users: all the above software are available through mac ports. A tip for libmagic: use brew instead:
 >
@@ -277,7 +281,7 @@ Below there are some tips about how understand the root-cause of your crash.
 
  >Example
 
-    $cd /opt/local/lib/ruby/gems/1.8/gems/dorothy2-0.0.1/test/
+    $cd /opt/local/lib/ruby/gems/1.9.3/gems/dorothy2-0.0.1/test/
     $ruby tc_dorothy_full.rb
 
 2. Set the verbose flag (-v) while executing dorothy

data/TODO

@@ -16,7 +16,7 @@
 	-ListFileInGuest -> Create Files/Folder Baseline.
 
 -MANAGE SIG-INT WHILE MULTITHREAD 
--INTERACTIVE CONSOLE 10%
+-INTERACTIVE CONSOLE 90%
 -ADD VNC CLIENT SPAWN IN MANUAL MODE
 
 -REVIEW DOROTHIVE (binary fullpath?)

data/UPDATE

@@ -1,21 +1,19 @@
 #######################################
-#Updating from Dorothy 1.0.x to >= 1.0.9##
+#Updating from Dorothy 1.0.x to >= 1.2.0##
 #######################################
 
-Dorothy 1.0.9 introduces several features that improve the overall framework.
+Dorothy 1.2.0 introduces several features that improve the overall framework.
 Below, the recommended steps needed to update your Dorothy environment.
 
 a) Remove the Dorothy configuration file
     rm ~/.dorothy.yml
    And recreate it by restarting Dorothy. You will see that the init script will ask you more question than before.
 
-b) Since a new configuration file has been added in your Dorothy's etc/ folder (extension.yml), go and edit it
-   accordingly to your environment.
+b) The last version of Dorothy modified the dorothive schema in order to let dorothive compatible with Sinatra and Rails.
+The columns modified are the following:
+    samples.hash -> sample.sha256
+    traffic_dumps.hash -> traffic_dumps.sha256
+You can modify them manually if you have already a previous Dorothy version up and running, or drop the database and recreate it (-D) using the updated .ddl .
 
-c) From Dorothy home, execute the following SQL script in order to update the database schema. It will add the new table sys_procs.
-
-sudo -u postgres psql dorothive -f share/update_dorothive.sql
-
-That's all! You are ready to go!
 
 

data/bin/dorothy_start

@@ -216,9 +216,9 @@ begin
 rescue SignalException
    Dorothy.stop_running_analyses
 rescue => e
-  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " An error occurred: ".red + $!
-  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " For more information check the logfile" + $! if daemon
-  LOGGER.error "Dorothy", "An error occurred: " + $!
+  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " An error occurred: \n".red + e.inspect
+  puts "[" + "+".red + "] " +  "[Dorothy]".yellow + " For more information check the logfile \n" + e.inspect if daemon
+  LOGGER.error "Dorothy", "An error occurred: \n" + e.inspect
   LOGGER.debug "Dorothy", "#{e.inspect} --BACKTRACE:  #{e.backtrace}"
   LOGGER.info "Dorothy", "Dorothy has been stopped"
 end

data/bin/dparser_start

@@ -9,6 +9,7 @@ require 'trollop'
 require 'dorothy2'
 require 'doroParser'
 
+#load '../lib/dorothy2.rb'
 #load '../lib/doroParser.rb'
 
 include Dorothy
@@ -63,28 +64,30 @@ LOGGER_PARSER.sev_threshold = DoroSettings.env[:loglevel]
 LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
 LOGGER.sev_threshold = DoroSettings.env[:loglevel]
 
-if system "sh -c 'type startpcapr > /dev/null 2>&1'"
-  pcapr_conf = "#{File.expand_path("~")}/.pcapr_local/config"
-  unless Util.exists?(pcapr_conf)
-    puts "[WARNING]".red + " Pcapr conf not found at #{File.expand_path("~")}/.pcapr_local/config "
-    puts "[WARNING]".red + " Although you have configured Dorothy in order to look for a *local* Pcapr instance,it seems that it is not configured yet,so please run \"startpcapr\" and configure it."
+if DoroSettings.pcapr[:local]=="true"
+  if system "sh -c 'type startpcapr > /dev/null 2>&1'"
+    pcapr_conf = "#{File.expand_path("~")}/.pcapr_local/config"
+    unless Util.exists?(pcapr_conf)
+      puts "[WARNING]".red + " Pcapr conf not found at #{File.expand_path("~")}/.pcapr_local/config "
+      puts "[WARNING]".red + " Although you have configured Dorothy in order to look for a *local* Pcapr instance,it seems that it is not configured yet,so please run \"startpcapr\" and configure it."
+      exit(1)
+    end
+  else
+    puts "[WARNING]".red + " Although you have configured Dorothy in order to look for a *local* Pcapr instance, it seems *NOT INSTALLED* in your system.\n\t Please install it by typing \"sudo gem install pcapr-local\. Then set Pcapr to scan #{DoroSettings.env[:analysis_dir]}"
     exit(1)
   end
-else
-  puts "[WARNING]".red + "Although you have configured Dorothy in order to look for a *local* Pcapr instance, it seems *NOT INSTALLED* in your system.\n\t Please install it by typing \"sudo gem install pcapr-local\. Then set Pcapr to scan #{DoroSettings.env[:analysis_dir]}"
-  exit(1)
 end
 
 
 begin
   DoroParser.start(daemon)
 rescue => e
-  puts "[PARSER]".yellow + " An error occurred: ".red + $!
+  puts "[PARSER]".yellow + " An error occurred: ".red + e.inspect
   if daemon
-    puts "[PARSER]".yellow + " For more information check the logfile" + $!
+    puts "[PARSER]".yellow + " For more information check the logfile" + e.inspect
     puts "[PARSER]".yellow + "Dorothy-Parser has been stopped"
   end
-  LOGGER_PARSER.error "Parser", "An error occurred: " + $!
+  LOGGER_PARSER.error "Parser", "An error occurred: " + e.inspect
   LOGGER_PARSER.debug "Parser", "#{e.inspect} --BACKTRACE: #{e.backtrace}"
   LOGGER_PARSER.info "Parser", "Dorothy-Parser has been stopped"
 end

data/bin/dparser_stop

@@ -11,6 +11,9 @@ require 'dorothy2'
 require 'doroParser'
 
 #load '../lib/doroParser.rb'
+#load '../lib/dorothy2.rb'
+
+
 
 include Dorothy
 include DoroParser

data/dorothy2.gemspec

@@ -16,6 +16,7 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.extra_rdoc_files = ["README.md"]
   gem.require_paths = ["lib"]
+  gem.required_ruby_version = '>= 1.9.3'
   gem.add_dependency(%q<net-scp>, [">= 1.0.4"])
   gem.add_dependency(%q<net-ssh>, [">= 2.2.1"])
   gem.add_dependency(%q<trollop>, [">= 1.16.2"])
@@ -31,6 +32,6 @@ Gem::Specification.new do |gem|
   gem.add_dependency(%q<net-dns>, [">= 0.8.0"])
   gem.add_dependency(%q<geoip>, [">= 1.2.1"])
   gem.add_dependency(%q<tmail>, [">= 1.2.7.1"])
-  gem.post_install_message = 'If you are upgrating from a previous version, read the UPDATE file!'
+  gem.post_install_message = '\n WARING: If you are upgrating from a previous version, read the UPDATE file!\n'
 end
 

data/etc/ddl/dorothive.ddl

@@ -223,7 +223,7 @@ SELECT pg_catalog.setval('analyses_id_seq', 1, true);
 --
 
 CREATE TABLE samples (
-    hash character(64) NOT NULL,
+    sha256 character(64) NOT NULL,
     size integer NOT NULL,
     path character(256),
     filename character(256),
@@ -246,7 +246,7 @@ COMMENT ON TABLE samples IS 'Acquired samples';
 -- Name: COLUMN samples.hash; Type: COMMENT; Schema: dorothy; Owner: postgres
 --
 
-COMMENT ON COLUMN samples.hash IS 'SHA256 checksum hash';
+COMMENT ON COLUMN samples.sha256 IS 'SHA256 checksum hash';
 
 
 --
@@ -267,7 +267,7 @@ COMMENT ON CONSTRAINT size_notneg ON samples IS 'Sample size must not be negativ
 --
 
 CREATE TABLE traffic_dumps (
-    hash character(64) NOT NULL,
+    sha256 character(64) NOT NULL,
     size integer NOT NULL,
     pcapr_id character(32),
     "binary" character varying,
@@ -281,7 +281,7 @@ ALTER TABLE dorothy.traffic_dumps OWNER TO postgres;
 -- Name: COLUMN traffic_dumps.hash; Type: COMMENT; Schema: dorothy; Owner: postgres
 --
 
-COMMENT ON COLUMN traffic_dumps.hash IS 'SHA256 checksum hash';
+COMMENT ON COLUMN traffic_dumps.sha256 IS 'SHA256 checksum hash';
 
 
 --
@@ -289,7 +289,7 @@ COMMENT ON COLUMN traffic_dumps.hash IS 'SHA256 checksum hash';
 --
 
 CREATE VIEW analysis_resume_view AS
-    SELECT analyses.id, samples.filename, samples.md5, samples.long_type, analyses.date, traffic_dumps.parsed FROM traffic_dumps, samples, analyses WHERE ((analyses.sample = samples.hash) AND (analyses.traffic_dump = traffic_dumps.hash)) ORDER BY analyses.id DESC;
+    SELECT analyses.id, samples.filename, samples.md5, samples.long_type, analyses.date, traffic_dumps.parsed FROM traffic_dumps, samples, analyses WHERE ((analyses.sample = samples.sha256) AND (analyses.traffic_dump = traffic_dumps.sha256)) ORDER BY analyses.id DESC;
 
 
 ALTER TABLE dorothy.analysis_resume_view OWNER TO postgres;
@@ -545,7 +545,7 @@ ALTER TABLE dorothy.roles OWNER TO postgres;
 --
 
 CREATE VIEW ccprofile_view3 AS
-    SELECT DISTINCT host_ips.id AS hostid, host_ips.ip, flows.dstport, traffic_dumps.hash, irc_data.id, roles.type, dns_data.name, irc_data.data FROM roles, host_roles, host_ips, dns_data, flows, irc_data, traffic_dumps WHERE (((((((((roles.id = host_roles.role) AND (host_roles.host_ip = host_ips.ip)) AND (dns_data.id = host_ips.dns_name)) AND (flows.dest = host_ips.ip)) AND (flows.traffic_dump = traffic_dumps.hash)) AND (irc_data.flow = flows.id)) AND (irc_data.incoming = false)) AND (host_ips.is_online = true)) AND ((roles.type)::text = 'cc-irc'::text)) ORDER BY irc_data.id, host_ips.id, host_ips.ip, flows.dstport, traffic_dumps.hash, roles.type, dns_data.name, irc_data.data;
+    SELECT DISTINCT host_ips.id AS hostid, host_ips.ip, flows.dstport, traffic_dumps.sha256, irc_data.id, roles.type, dns_data.name, irc_data.data FROM roles, host_roles, host_ips, dns_data, flows, irc_data, traffic_dumps WHERE (((((((((roles.id = host_roles.role) AND (host_roles.host_ip = host_ips.ip)) AND (dns_data.id = host_ips.dns_name)) AND (flows.dest = host_ips.ip)) AND (flows.traffic_dump = traffic_dumps.sha256)) AND (irc_data.flow = flows.id)) AND (irc_data.incoming = false)) AND (host_ips.is_online = true)) AND ((roles.type)::text = 'cc-irc'::text)) ORDER BY irc_data.id, host_ips.id, host_ips.ip, flows.dstport, traffic_dumps.sha256, roles.type, dns_data.name, irc_data.data;
 
 
 ALTER TABLE dorothy.ccprofile_view3 OWNER TO postgres;
@@ -1079,21 +1079,16 @@ SELECT pg_catalog.setval('whois_id_seq', 1, false);
 -- Name: sys_procs; Type: TABLE; Schema: dorothy; Owner: postgres; Tablespace:
 --
 
-CREATE TABLE dorothy.sys_procs
-(
-  analysis_id integer NOT NULL,
-  pid integer NOT NULL,
-  name character varying,
-  owner character varying,
-  "cmdLine" character varying,
-  "startTime" timestamp without time zone,
-  "endTime" timestamp without time zone,
-  "exitCode" integer,
-  CONSTRAINT "procs-pk" PRIMARY KEY (analysis_id , pid ),
-  CONSTRAINT "anal_id-fk" FOREIGN KEY (analysis_id)
-      REFERENCES dorothy.analyses (id) MATCH SIMPLE
-      ON UPDATE NO ACTION ON DELETE NO ACTION
-)
+CREATE TABLE sys_procs (
+    analysis_id integer NOT NULL,
+    pid integer NOT NULL,
+    name character varying,
+    owner character varying,
+    "cmdLine" character varying,
+    "startTime" timestamp without time zone,
+    "endTime" timestamp without time zone,
+    "exitCode" integer
+);
 
 
 ALTER TABLE dorothy.sys_procs OWNER TO postgres;
@@ -1320,7 +1315,7 @@ COPY roles (id, type, comment) FROM stdin;
 -- Data for Name: samples; Type: TABLE DATA; Schema: dorothy; Owner: postgres
 --
 
-COPY samples (hash, size, path, filename, md5, long_type) FROM stdin;
+COPY samples (sha256, size, path, filename, md5, long_type) FROM stdin;
 \.
 
 
@@ -1355,7 +1350,7 @@ COPY sightings (sample, sensor, date, traffic_dump) FROM stdin;
 -- Data for Name: traffic_dumps; Type: TABLE DATA; Schema: dorothy; Owner: postgres
 --
 
-COPY traffic_dumps (hash, size, pcapr_id, "binary", parsed) FROM stdin;
+COPY traffic_dumps (sha256, size, pcapr_id, "binary", parsed) FROM stdin;
 EMPTYPCAP	0	ffff	ffff	true
 \.
 
@@ -1420,7 +1415,7 @@ ALTER TABLE ONLY geoinfo
 --
 
 ALTER TABLE ONLY samples
-    ADD CONSTRAINT hash PRIMARY KEY (hash);
+    ADD CONSTRAINT sha256 PRIMARY KEY (sha256);
 
 
 --
@@ -1486,6 +1481,12 @@ ALTER TABLE ONLY host_ips
 ALTER TABLE ONLY irc_data
     ADD CONSTRAINT pk_irc PRIMARY KEY (id);
 
+--
+-- Name: procs-pk; Type: CONSTRAINT; Schema: dorothy; Owner: postgres; Tablespace:
+--
+
+ALTER TABLE ONLY sys_procs
+    ADD CONSTRAINT "procs-pk" PRIMARY KEY (analysis_id, pid);
 
 --
 -- Name: reports_pkey; Type: CONSTRAINT; Schema: dorothy; Owner: postgres; Tablespace: 
@@ -1523,7 +1524,7 @@ ALTER TABLE ONLY sensors
 --
 
 ALTER TABLE ONLY traffic_dumps
-    ADD CONSTRAINT traffic_dumps_pkey PRIMARY KEY (hash);
+    ADD CONSTRAINT traffic_dumps_pkey PRIMARY KEY (sha256);
 
 
 --
@@ -1639,6 +1640,12 @@ CREATE INDEX fki_shash ON reports USING btree (sample);
 
 CREATE INDEX fki_tdumps ON analyses USING btree (traffic_dump);
 
+--
+-- Name: anal_id-fk; Type: FK CONSTRAINT; Schema: dorothy; Owner: postgres
+--
+
+ALTER TABLE ONLY sys_procs
+    ADD CONSTRAINT "anal_id-fk" FOREIGN KEY (analysis_id) REFERENCES analyses(id);
 
 --
 -- Name: dest_ip; Type: FK CONSTRAINT; Schema: dorothy; Owner: postgres
@@ -1661,7 +1668,7 @@ ALTER TABLE ONLY host_ips
 --
 
 ALTER TABLE ONLY flows
-    ADD CONSTRAINT dumps FOREIGN KEY (traffic_dump) REFERENCES traffic_dumps(hash);
+    ADD CONSTRAINT dumps FOREIGN KEY (traffic_dump) REFERENCES traffic_dumps(sha256);
 
 
 --
@@ -1669,7 +1676,7 @@ ALTER TABLE ONLY flows
 --
 
 ALTER TABLE ONLY malwares
-    ADD CONSTRAINT fk_bin FOREIGN KEY (bin) REFERENCES samples(hash);
+    ADD CONSTRAINT fk_bin FOREIGN KEY (bin) REFERENCES samples(sha256);
 
 
 --
@@ -1741,7 +1748,7 @@ ALTER TABLE ONLY host_roles
 --
 
 ALTER TABLE ONLY analyses
-    ADD CONSTRAINT samples FOREIGN KEY (sample) REFERENCES samples(hash);
+    ADD CONSTRAINT samples FOREIGN KEY (sample) REFERENCES samples(sha256);
 
 
 --
@@ -1749,7 +1756,7 @@ ALTER TABLE ONLY analyses
 --
 
 ALTER TABLE ONLY sightings
-    ADD CONSTRAINT samples FOREIGN KEY (sample) REFERENCES samples(hash);
+    ADD CONSTRAINT samples FOREIGN KEY (sample) REFERENCES samples(sha256);
 
 
 --
@@ -1765,7 +1772,7 @@ ALTER TABLE ONLY sightings
 --
 
 ALTER TABLE ONLY reports
-    ADD CONSTRAINT shash FOREIGN KEY (sample) REFERENCES samples(hash);
+    ADD CONSTRAINT shash FOREIGN KEY (sample) REFERENCES samples(sha256);
 
 
 --
@@ -1773,7 +1780,7 @@ ALTER TABLE ONLY reports
 --
 
 ALTER TABLE ONLY analyses
-    ADD CONSTRAINT tdumps FOREIGN KEY (traffic_dump) REFERENCES traffic_dumps(hash);
+    ADD CONSTRAINT tdumps FOREIGN KEY (traffic_dump) REFERENCES traffic_dumps(sha256);
 
 
 --
@@ -1797,4 +1804,3 @@ GRANT ALL ON SCHEMA dorothy TO PUBLIC;
 --
 -- PostgreSQL database dump complete
 --
-

data/etc/extensions.yml

@@ -12,6 +12,13 @@ exe:
   prog_path: C:\windows\system32\cmd.exe
   prog_args: /C
 
+
+bat:
+  prog_name: Windows CMD.exe
+  prog_path: C:\windows\system32\cmd.exe
+  prog_args: /C
+
+
 dll:
   prog_name: Windows Rundll32.exe
   prog_path: C:\windows\system32\rundll32.exe

data/lib/doroParser.rb

@@ -2,10 +2,8 @@
 # This file is part of Dorothy - http://www.honeynet.it/
 # See the file 'LICENSE' for copying permission.
 
-#!/usr/local/bin/ruby
 
 #load 'lib/doroParser.rb'; include Dorothy; include DoroParser; LOGGER = DoroLogger.new(STDOUT, "weekly")
-
 #Install mu/xtractr from svn checkout http://pcapr.googlecode.com/svn/trunk/ pcapr-read-only
 
 
@@ -15,26 +13,21 @@
 ## Data Definition Module ##
 ############################
 
-
-require 'rubygems'
-require 'md5'
+require 'digest'
 require 'rbvmomi'
 require 'rest_client'
 require 'net/dns'
 require 'net/dns/packet'
 require 'ipaddr'
 require 'colored'
-require 'ftools'
-require 'filemagic'                                    #require 'pcaplet'
+require 'filemagic'
 require 'geoip'
 require 'pg'
-require 'iconv'
 require 'tmail'
 require 'ipaddr'
 require 'net/http'
 require 'json'
 
-require File.dirname(__FILE__) + '/dorothy2/environment'
 require File.dirname(__FILE__) + '/mu/xtractr'
 require File.dirname(__FILE__) + '/dorothy2/DEM'
 require File.dirname(__FILE__) + '/dorothy2/do-utils'
@@ -72,13 +65,13 @@ module DoroParser
     pcaps.each do |dump|
       #RETRIVE MALWARE FILE INFO
 
-      !dump['sample'].nil? && !dump['hash'].nil? && !dump['pcapr_id'].nil? or next
+      !dump['sample'].nil? && !dump['sha256'].nil? && !dump['pcapr_id'].nil? or next
 
       LOGGER_PARSER.info "PARSER", "Analyzing file: ".yellow + dump['sample']
       LOGGER_PARSER.info "PARSER", "Analyzing pcaprid: ".yellow + dump['pcapr_id'].gsub(/\s+/, "")
 
 
-      LOGGER_PARSER.debug "PARSER", "Analyzing dump: ".yellow + dump['hash'].gsub(/\s+/, "") if VERBOSE
+      LOGGER_PARSER.debug "PARSER", "Analyzing dump: ".yellow + dump['sha256'].gsub(/\s+/, "") if VERBOSE
 
       downloadir = "#{DoroSettings.env[:analysis_dir]}/#{dump['anal_id']}/downloads"
 
@@ -90,7 +83,7 @@ module DoroParser
 
       rescue => e
         LOGGER_PARSER.fatal "PARSER", "Can't connect to the PCAPR server."
-        LOGGER_PARSER.debug "PARSER", "#{$!}"
+        LOGGER_PARSER.debug "PARSER", "#{e.inspect}"
         LOGGER_PARSER.debug "PARSER", e.backtrace if VERBOSE
         return false
       end
@@ -184,7 +177,7 @@ module DoroParser
 
           #case TCP xtractr.flows('flow.service:SMTP').first.proto = 6
 
-          flowvals = [flow.src.address, flow.dst.address, flow.sport, flow.dport, flow.bytes, dump['hash'], flow.packets, "default", flow.proto, flow.service.name, title, "null", flow.duration, flow.time, flow.id ]
+          flowvals = [flow.src.address, flow.dst.address, flow.sport, flow.dport, flow.bytes, dump['sha256'], flow.packets, "default", flow.proto, flow.service.name, title, "null", flow.duration, flow.time, flow.id ]
 
           if	!@insertdb.insert("flows",flowvals)
             LOGGER_PARSER.info "PARSER", "Skipping flow #{flow.id}: #{flow.src.address} > #{flow.dst.address}"
@@ -390,7 +383,7 @@ module DoroParser
                     rescue => e
 
                       LOGGER_PARSER.error "DB", "Something went wrong while adding a DNS entry into the DB (packet malformed?) - The packet will be skipped"
-                      LOGGER_PARSER.debug "DB", "#{$!}" if VERBOSE
+                      LOGGER_PARSER.debug "DB", "#{e.inspect}" if VERBOSE
                       LOGGER_PARSER.debug "DB", e  if VERBOSE
                     end
 
@@ -420,7 +413,7 @@ module DoroParser
       #DEBUG
       #puts "save?" 
       #gets
-      @insertdb.set_analyzed(dump['hash'])
+      @insertdb.set_analyzed(dump['sha256'])
       @insertdb.commit
     end
   end