
Ready for the public release

dorothive fix
init_db fix (now it is possible to specify a ddl file)
other minor fixes
m4rco- committed Jun 6, 2013
1 parent 245119c commit 0a0364a7fb2b98b730d9c765e58abe79bb068bd8
Showing with 73 additions and 60 deletions.
  1. +18 −1 README.md
  2. +21 −0 TODO
  3. +9 −8 bin/dorothy_start
  4. +15 −3 bin/dparser_start
  5. +1 −30 etc/ddl/dorothive.ddl
  6. +5 −13 lib/dorothy2/BFM.rb
  7. +4 −5 lib/dorothy2/do-utils.rb
@@ -55,6 +55,11 @@ Dorothy needs the following software (not expressly in the same host) in order t
* [pcapr-local](https://github.com/mudynamics/pcapr-local ) (only used by doroParser)
* MaxMind libraries (only used by doroParser)
+Regarding the Operating System
+
+* Dorothy has been designed to run on any *nix system. So far it was successfully tested on OSX and Linux.
+* The virtual machines used as sandboxes are meant to be Windows based (successfully tested on XP)
+* Only pcapr-local strictly requires Linux, if you want to use a Mac for executing this gem (like I do), install it into the NAM (as this guide suggests)
## Installation
@@ -116,7 +121,7 @@ It is recommended to follow this step2step process:
#gem install pcapr-local
-* Start pcapr-local by using the dorothy's account and configure it. When prompted, insert the folder path used to store the network dumps
+* Start pcapr-local by using the dorothy's system account and configure it. When prompted, insert the folder path used to store the network dumps
$startpcapr
....
@@ -268,6 +273,18 @@ Below there are some tips about how understand the root-cause of your crash.
------------------------------------------
+## Acknowledgements
+
+Thanks to all the people who have contributed in making the Dorothy2 project up&running:
+
+* Marco C. (research)
+* Davide C. (Dorothive)
+* Andrea V. (WGUI)
+* Domenico C. - Patrizia P. (Dorothive/JDrone)
+* [All](https://www.honeynet.it/research) the graduating students from [UniMI](http://cdlonline.di.unimi.it/) who have contributed.
+* Sabrina P. (our students "headhunter" :)
+* Jorge C. and Nelson M. (betatesting/first release feedbacks)
+
## Contributing
1. Fork it
21 TODO
@@ -0,0 +1,21 @@
+##############
+#DOROTHY-TODO#
+##############
+
+-PORT TO Ruby 2.0
+-WGUI
+
+-BINARY STATIC ANALYSIS
+-ANALYZE SYSTEM CHANGES
+-SYSTEM ANALYSIS -VMWARE API: QueryChangedDiskAreas
+-LIST PROCESSES-> pm.ListProcessesInGuest(:vm => vm, :auth => auth).inspect
+
+-CODE- CATCH CTRL-C AND EXIT GRACEFULLY
+-INTERACTIVE CONSOLE FOR NETWORK ANALYSIS
+
+-REVIEW DOROTHIVE (binary fullpath?)
+
+-ADD EMAIL AS SOURCETYPE (use ruby mail gem for retreiving the emails, and parse them)
+
+-REPORT PLUGIN
+ -REPORT - MAEC
@@ -6,9 +6,9 @@
require 'rubygems'
require 'trollop'
-#require 'dorothy2' #comment for testing/developmnet
+require 'dorothy2' #comment for testing/developmnet
-load '../lib/dorothy2.rb' #uncomment for testing/developmnet
+#load '../lib/dorothy2.rb' #uncomment for testing/developmnet
include Dorothy
@@ -37,7 +37,7 @@ opts = Trollop.options do
opt :source, "Choose a source (from the ones defined in etc/sources.yml)", :type => :string
opt :daemon, "Stay in the backround, by constantly pooling datasources"
opt :SandboxUpdate, "Update Dorothive with the new Sandbox file"
- opt :DorothiveInit, "(RE)Install the Dorothy Database (Dorothive)"
+ opt :DorothiveInit, "(RE)Install the Dorothy Database (Dorothive)", :type => :string
end
@@ -103,6 +103,12 @@ end
sfile = home + '/etc/sources.yml'
sboxfile = home + '/etc/sandboxes.yml'
+if opts[:DorothiveInit]
+ Util.init_db(opts[:DorothiveInit])
+ puts "[Dorothy]".yellow + " Database loaded, now you can restart Dorothy!"
+ exit(0)
+end
+
#INIT DB Connector
begin
db = Insertdb.new
@@ -120,11 +126,6 @@ rescue => e
end
-if opts[:DorothiveInit]
- Util.init_db
- exit(0)
-end
-
if opts[:SandboxUpdate]
puts "[Dorothy]".yellow + " Loading #{sboxfile} into Dorothive"
DoroConfig.init_sandbox(sboxfile)
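Review bot: The new block at the `if opts[:DorothiveInit]` hunk prints "Database loaded, now you can restart Dorothy!" and exits with status 0 no matter what `Util.init_db` did: in the do-utils hunk of this same commit init_db rescues a failed `psql` run and only logs it, and it silently returns when the operator answers anything but "yes", so a failed or aborted initialisation still reports success to the shell. I would have init_db return true only on the successful path and make the exit code follow it, e.g. `ok = Util.init_db(opts[:DorothiveInit])` and `exit(ok ? 0 : 1)`, and drop the duplicated "restart Dorothy" line since init_db already logs it. Separately, adding `:type => :string` to the `:DorothiveInit` option appears to make a path argument mandatory, so the `DoroSettings.dorothive[:ddl]` default that init_db's new signature offers is no longer reachable from the command line; if that is intended, the option help text should say a DDL path is required.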
@@ -7,9 +7,9 @@
require 'rubygems'
require 'trollop'
require 'dorothy2'
-#require 'doroParser'
+require 'doroParser'
-load '../lib/doroParser.rb'
+#load '../lib/doroParser.rb'
include Dorothy
include DoroParser
@@ -63,11 +63,23 @@ LOGGER_PARSER.sev_threshold = DoroSettings.env[:loglevel]
LOGGER = DoroLogger.new(logout, DoroSettings.env[:logage])
LOGGER.sev_threshold = DoroSettings.env[:loglevel]
+begin
+
+rescue
+ exit(1)
+
+end
+
+
+
begin
DoroParser.start(daemon)
rescue => e
puts "[PARSER]".yellow + " An error occurred: ".red + $!
- puts "[PARSER]".yellow + " For more information check the logfile" + $! if daemon
+ if daemon
+ puts "[PARSER]".yellow + " For more information check the logfile" + $!
+ puts "[PARSER]".yellow + "Dorothy-Parser has been stopped"
+ end
LOGGER_PARSER.error "Parser", "An error occurred: " + $!
LOGGER_PARSER.debug "Parser", "#{e.inspect} --BACKTRACE: #{e.backtrace}"
LOGGER_PARSER.info "Parser", "Dorothy-Parser has been stopped"
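Review bot: The added `begin`/`rescue`/`exit(1)`/`end` block at the top of the second hunk has an empty body, so nothing inside it can raise and the `exit(1)` is unreachable; it should be removed or filled with the code it was meant to guard. In the new `if daemon` branch, `"... check the logfile" + $!` appends an Exception object to a String, and `String#+` requires a String, so the rescue handler itself raises a TypeError and masks the original parser error; the surrounding context lines use the same pattern, so this looks pre-existing but the new lines repeat it. I would write `puts "[PARSER]".yellow + " For more information check the logfile: #{e.message}"` and `puts "[PARSER]".yellow + " Dorothy-Parser has been stopped"`, the latter also restoring the leading space the other messages carry. The script's remaining lines after the info log are outside the hunk.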
@@ -128,26 +128,6 @@ CREATE TYPE layer7_protocols AS ENUM (
ALTER TYPE dorothy.layer7_protocols OWNER TO postgres;
---
--- Name: sample_type; Type: TYPE; Schema: dorothy; Owner: postgres
---
-
-CREATE TYPE sample_type AS ENUM (
- 'mz',
- 'pe',
- 'elf'
-);
-
-
-ALTER TYPE dorothy.sample_type OWNER TO postgres;
-
---
--- Name: TYPE sample_type; Type: COMMENT; Schema: dorothy; Owner: postgres
---
-
-COMMENT ON TYPE sample_type IS 'Sample file type';
-
-
--
-- Name: sanbox_type; Type: TYPE; Schema: dorothy; Owner: postgres
--
@@ -245,7 +225,6 @@ SELECT pg_catalog.setval('analyses_id_seq', 1, true);
CREATE TABLE samples (
hash character(64) NOT NULL,
size integer NOT NULL,
- type sample_type,
path character(256),
filename character(256),
md5 character(64),
@@ -276,14 +255,6 @@ COMMENT ON COLUMN samples.hash IS 'SHA256 checksum hash';
COMMENT ON COLUMN samples.size IS 'Sample size';
-
---
--- Name: COLUMN samples.type; Type: COMMENT; Schema: dorothy; Owner: postgres
---
-
-COMMENT ON COLUMN samples.type IS 'Sample type';
-
-
--
-- Name: CONSTRAINT size_notneg ON samples; Type: COMMENT; Schema: dorothy; Owner: postgres
--
@@ -1323,7 +1294,7 @@ COPY roles (id, type, comment) FROM stdin;
-- Data for Name: samples; Type: TABLE DATA; Schema: dorothy; Owner: postgres
--
-COPY samples (hash, size, type, path, filename, md5, long_type) FROM stdin;
+COPY samples (hash, size, path, filename, md5, long_type) FROM stdin;
\.
@@ -7,15 +7,15 @@
###BINARY FETCHER MODULE###
### ###
###########################
-
+#The BFM module is in charge of retreiving the binary from the sources configured in the sources.yml file.
+#It receive the source hash, and return the downloaded binaries objects.
module Dorothy
-
class DorothyFetcher
attr_reader :bins
-
- def initialize(source) #source struct: Hash, {:dir => "#{HOME}/bins/honeypot", :typeid=> 0 ..}
+ #Source struct: Hash, {:dir => "#{HOME}/bins/honeypot", :typeid=> 0 ..}
+ def initialize(source)
ndownloaded = 0
@bins = []
@@ -26,7 +26,6 @@ def initialize(source) #source struct: Hash, {:dir => "#{HOME}/bins/honeypot",
when "ssh" then
LOGGER.info "BFM", " Fetching trojan from > Honeypot"
#file = "/opt/dionaea/var/dionaea/binaries/"
-
#puts "Start to download malware"
files = []
@@ -37,34 +36,29 @@ def initialize(source) #source struct: Hash, {:dir => "#{HOME}/bins/honeypot",
unless files.include? "#{source["localdir"]}/" + File.basename(name)
ndownloaded += 1
files.push "#{source["localdir"]}/" + File.basename(name)
- # puts ""
end
# print "#{File.basename(name)}: #{sent}/#{total}\r"
# $stdout.flush
end
LOGGER.info "BFM", "#{ndownloaded} files downloaded"
end
-
rescue => e
LOGGER.error "BFM", "An error occurred while downloading malwares from honeypot sensor: " + $!
LOGGER.error "BFM", "Error: #{$!}, #{e.inspect}, #{e.backtrace}"
end
#DIRTY WORKAROUND for scp-ing only files without directory
-
FileUtils.mv(Dir.glob(source["localdir"] + "/binaries/*"), source["localdir"])
Dir.rmdir(source["localdir"] + "/binaries")
begin
-
unless DoroSettings.env[:testmode]
Net::SSH.start(source["ip"], source["user"], :password => source["pass"], :port => source["port"]) do |ssh|
ssh.exec "mv #{source["remotedir"]}/* #{source["remotedir"]}/../analyzed "
end
end
-
rescue
LOGGER.error "BFM", "An error occurred while erasing parsed malwares in the honeypot sensor: " + $!
end
@@ -87,8 +81,6 @@ def initialize(source) #source struct: Hash, {:dir => "#{HOME}/bins/honeypot",
end
end
-
-
private
def load_malw(f, typeid, sourceinfo = nil)
@@ -100,7 +92,7 @@ def load_malw(f, typeid, sourceinfo = nil)
return false
end
- samplevalues = [bin.sha, bin.size, bin.dbtype, bin.dir_bin, filename, bin.md5, bin.type ]
+ samplevalues = [bin.sha, bin.size, bin.dir_bin, filename, bin.md5, bin.type ]
sighvalues = [bin.sha, typeid, bin.ctime, "null"]
begin
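Review bot: The rewritten `samplevalues` array in the last hunk is a positional list that must line up with the `samples` columns as redefined in this commit's DDL hunk (hash, size, path, filename, md5, long_type), and the insert that consumes it lives outside the diff, so a reader cannot verify the alignment locally; a one-line comment above it such as `# positional: must match samples(hash, size, path, filename, md5, long_type)` would make the coupling explicit. The new module header comment also reads awkwardly; I would use `#The BFM module is in charge of retrieving the binaries from the sources configured in the sources.yml file.` and `#It receives the source hash and returns the downloaded binary objects.`. load_malw continues past the end of the hunk.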
@@ -16,16 +16,16 @@ def exists?(file)
File.exist?(file)
end
- def init_db(force=false)
- LOGGER.warn "DB", "The database is going to be initialized, all the data present will be lost. Continue?(write yes)"
+ def init_db(ddl=DoroSettings.dorothive[:ddl], force=false)
+ LOGGER.warn "DB", "The database is going to be initialized with the file #{ddl}. If the Dorothive is already present, " + "all the its data will be lost".red + ". Continue?(write yes)"
answ = "yes"
answ = gets.chop unless force
if answ == "yes"
begin
#ugly, I know, but couldn't find a better and easier way..
- raise 'An error occurred' unless system "psql -h #{DoroSettings.dorothive[:dbhost]} -U #{DoroSettings.dorothive[:dbuser]} -f #{DoroSettings.dorothive[:ddl]}"
- LOGGER.info "DB", "Database correctly initialized."
+ raise 'An error occurred' unless system "psql -h #{DoroSettings.dorothive[:dbhost]} -U #{DoroSettings.dorothive[:dbuser]} -f #{ddl} 1> /dev/null"
+ LOGGER.info "DB", "Database correctly initialized. Now you can restart Dorothy!"
rescue => e
LOGGER.error "DB", $!
LOGGER.debug "DB", e.inspect
@@ -248,7 +248,6 @@ def initialize(file)
@binpath = file
@filename = File.basename file
@extension = File.extname file
- @dbtype = "null" #TODO: remove type column in sample table
File.open(file, 'rb') do |fh1|
while buffer1 = fh1.read(1024)
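Review bot: In the first hunk, `init_db` now interpolates a caller-supplied `ddl` path into a single shell string passed to `system`, whereas before the path came only from the settings file; a path containing spaces or shell metacharacters now either breaks the command or is interpreted by the shell, and the failure is only logged. Passing the arguments as an argv list avoids the shell entirely while keeping the stdout redirect: `raise 'An error occurred' unless system("psql", "-h", DoroSettings.dorothive[:dbhost], "-U", DoroSettings.dorothive[:dbuser], "-f", ddl, :out => "/dev/null")`, and checking the file first with the `exists?` helper defined just above, `raise "DDL file not found: #{ddl}" unless exists?(ddl)`, gives a clearer message than psql's. The method has no return value on its success path either, so callers cannot distinguish success from the rescued failure; returning `true` after the info log would let bin/dorothy_start set its exit code. The rescue clause and the method's `end` fall outside the hunk.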
