Permalink
Browse files

Last fixes before uploading on git

  • Loading branch information...
m4rco- committed May 30, 2013
1 parent b4bc763 commit a680b70d2e6d998c3fc6678e23880e80998914fa
View
@@ -3,11 +3,39 @@
A malware/botnet analysis framework written in Ruby.
+##Introduction
+
+Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed.
+However, static binary analysis and system behavior analysis will be shortly introduced in the next version.
+
+Dorothy2 is a continuation of my degree's final project (Dorothy: inside the Storm [1] ) that I presented on Feb 2009.
+The main framework's structure remained almost the same, and it has been fully detailed in my degree's final project or in this short paper [2]. More information about the whole project can be found on the Italian Honeyproject website [3].
+
+
+The framework is manly composed by four big elements that can be even executed separately:
+
+* The Dorothy analysis engine (this gem)
+* The Network analysis module (included in this module, but still not working perfectly at the time of this writing)
+* The Webgui (Coded in Rails by Andrea Valerio, and not yet included in this gem)
+* The Java Dorothy Drone (Mainly coded by Patrizia Martemucci and Domenico Chiarito, but not part of this gem and not publicly available.)
+
+The first three modules are (or will be soon) publicly released under GPL 2/3 license as tribute to the the Honeynet Project Alliance[4].
+All the information generated by the framework - i.e. binary info, timestamps, dissected network analysis - are stored into a postgres DB (Dorothive) in order to be used for further analysis.
+A no-SQL database (CouchDB) is also used to mass strore all the traffic dumps thanks to the pcapr/xtractr[5] technology.
+
+I started to code this project in late 2009 while learning Ruby at the same time. Since then, I´ve been changing/improving it as long as my Ruby coding skills were improving. Because of that, you may find some parts of code not-really-tidy :)
+
+[1] https://www.honeynet.it/wp-content/uploads/Dorothy/The_Dorothy_Project.pdf
+[2] http://www.honeynet.it/wp-content/uploads/Dorothy/EC2ND-Dorothy.pdf
+[3] http://www.honeynet.it
+[4] http://www.honeynet.org
+[5] https://code.google.com/p/pcapr/wiki/Xtractr
+
##Requirements
>WARNING:
-The current version of Dorothy, is based on VMWare ESX5. ESXi is not supported due to its limitations in using the
-VMWare API.
+The current version of Dorothy only utilizes VMWare ESX5 as its Virtual Sandbox Module (VSM). Thus, the free version of ESXi is not supported due to its limitations in using the
+vSphere 5 API.
However, the overall framework could be easily customized in order to use another virtualization engine. Dorothy2 is
very modular,and any customization or modification is very welcome.
@@ -24,7 +52,7 @@ Dorothy needs the following software (not expressly in the same host) in order t
## Installation
-It is raccommended to follow this step2step process:
+It is recommended to follow this step2step process:
1. Set your ESX environment
* Sample setup
@@ -42,21 +70,17 @@ It is raccommended to follow this step2step process:
2. Configure two separate virtual networks, one dedicated exclusively to the SandBoxes (See Sample Setups)
3. Configure the Windows VMs used for sandboxing
- * Create a test_ping.bat file into C:\ folder, with the following content:
-
- ping -n 1 google.com
->This file will be used for checking if the VM has internet access. You can substitute "google.com" with whatever host you like. Just a suggestion: use hostnames instead of IP addresses. The aim of this test doesn't care if the DNS is not resolving, or the IP addresses is unreachable. It cares only if *everything* works.
* Disable Windows firewall (preferred)
* VMWare Tools must be installed in the Windows guest system.
* Configure a static IP
- * After configuring everythingon the Guest OS, create a snapshot of the sandbox VM from vSphere console. Dorothy will use it when reverting the VM after a binary execution.
+ * After configuring everything on the Guest OS, create a snapshot of the sandbox VM from vSphere console. Dorothy will use it when reverting the VM after a binary execution.
-3. Configure the unix VM used by the NAM
- * Configure two NICs on the virtual machine, one of the two will be used for the network sniffing purpose. Assign one NIC to the sandbox dedicated virtual network, and the other NIC the the other one.
+3. Configure the unix VM dedicated to the NAM
+ * Configure the NIC on the virtual machine that will be used for the network sniffing purpose (NAM).
>The vSwitch where the vNIC resides must allow the promisc mode, to enable it from vSphere:
- >Configuration->Networking->Proprieties on the vistualSwitch used for the analysis->Double click on the virtual network userd for the analysis->Securiry->Tick "Promiscuous Mode", then select "Accept" from the list menu.
+ >Configuration->Networking->Proprieties on the vistualSwitch used for the analysis->Double click on the virtual network used for the analysis->Securiry->Tick "Promiscuous Mode", then select "Accept" from the list menu.
* Install tcpdump and sudo
@@ -71,8 +95,6 @@ It is raccommended to follow this step2step process:
add the following line:
dorothy ALL = NOPASSWD: /usr/sbin/tcpdump, /bin/kill
- * Configure the NIC connected to the sandbox's network in promisc mode
-
#### * Sample Setups
1. Basic setup
> In the following example, the Dorothy gem is installed in the same host where Dorothive (the DB) resides.
@@ -82,11 +104,11 @@ It is raccommended to follow this step2step process:
2. Advanced setup
> This setup is recommended if Dorothy is going to be installed in a Corporate environment.
-> By levaraging a private VPN, all the sandbox traffics exits from the Corporate network with an external IP addresses.
+> By leveraging a private VPN, all the sandbox traffics exits from the Corporate network with an external IP addresses.
>![dorothy.basicsetup](http://www.honeynet.it/wp-content/uploads/2011/04/Setup-Advanced.pdf)
-### 2. Install the required sofware
+### 2. Install the required software
1. Install postgres
@@ -152,16 +174,35 @@ The first time you execute Dorothy, it will ask you to fill those information in
--verbose, -v: Enable verbose mode
--infoflow, -i: Print the analysis flow
--source, -s <s>: Choose a source (from the ones defined in etc/sources.yml)
- --daemon, -d: Stay in the backround, by constantly pooling datasources
+ --daemon, -d: Stay in the background, by constantly pooling datasources
--SandboxUpdate, -S: Update Dorothive with the new Sandbox file
--DorothiveInit, -D: (RE)Install the Dorothy Database (Dorothive)
--help, -h: Show this message
>Example
- ./dorothy_start -v -s malwarefolder
- ./dorothy_stop
+ $dorothy_start -v -s malwarefolder
+ $dorothy_stop
+
+###6. Debugging problems
+
+I recognize that setting up Dorothy is not the easiest task of the world.
+By considering that the whole framework consists in the union of several 3rd pats, it is very likely that one of them will fail during the process.
+Below there are some tips about how understand the root-cause of your crash.
+
+1. Execute the Dorothy UnitTest (tc_dorothy_full.rb) that resides in its gem home directory
+
+ >Example
+
+ $cd /opt/local/lib/ruby/gems/1.8/gems/dorothy2-0.0.1/test/
+ $ruby tc_dorothy_full.rb
+
+2. Set the verbose flag (-v) while executing dorothy
+
+> $dorothy_start -v -s malwarefolder
+
+3. Drop an email to info at honeynet.it with the output of your errors :)
------------------------------------------
@@ -172,3 +213,19 @@ The first time you execute Dorothy, it will ask you to fill those information in
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create new Pull Request
+
+Every contribution is more than welcome!
+For any help, please don't hesitate in contacting us at :
+info at honeynet.it
+
+## License
+
+Dorothy is copyrighted by Marco Riccardi and is licensed under the
+following GNU General Public License version 3.
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
View
@@ -1,6 +1,6 @@
#!/usr/bin/env ruby
-# Copyright (C) 2013 marco riccardi.
+# Copyright (C) 2010-2013 marco riccardi.
# This file is part of Dorothy - http://www.honeynet.it/dorothy
# See the file 'LICENSE' for copying permission.
View
@@ -1,4 +1,4 @@
-# Copyright (C) 2013 marco riccardi.
+# Copyright (C) 2010-2013 marco riccardi.
# This file is part of Dorothy - http://www.honeynet.it/dorothy
# See the file 'LICENSE' for copying permission.
Oops, something went wrong.

0 comments on commit a680b70

Please sign in to comment.