Class: DoroParser::Doroxtractr

Inherits:

Mu::Xtractr

• Object
• Mu::Xtractr
• DoroParser::Doroxtractr

Defined in:

lib/dorothy2/do-parsers.rb

Overview

PcaprLocal::Xtractr.new

Instance Method Summary

• #findconfget ⇒ Object

  Find the HTTP GET request made by the host (Zeus uses it to send stolen data to its dropzone) Is the first get request made to the C&C [!?].

• #findzeusdata(re, type, cc = '192.168.10.3') ⇒ Object

  Find the HTTP requests made by the host (Zeus uses it to send stolen data to its dropzone) The biggest post refers to the STATS one (by default is sent every 20 min) the smallest post refers to the LOG one (by default is sent every minute) the biggest GET refers to the Configuration file downloaded by the Zeus C&C.

• #flowcontent(id) ⇒ Object

  Retrieve the content of a specified flow-ID.

• #flowgrep(id, re) ⇒ Object
• #flowinfo(id) ⇒ Object
• #flowsummary(verbose = 0) ⇒ Object
• #streamdata(id) ⇒ Object
• #summaryhttp(fast = 0, v = 0) ⇒ Object
• #summaryhttpmethod(re, fast = 0) ⇒ Object
• #summaryport(port) ⇒ Object

Instance Method Details

#findconfget ⇒ Object

Find the HTTP GET request made by the host (Zeus uses it to send stolen data to its dropzone) Is the first get request made to the C&C [!?]

# File 'lib/dorothy2/do-parsers.rb', line 393

def findconfget
	self.flows("flow.service:HTTP flow.dst: #{cc}")
end

#findzeusdata(re, type, cc = '192.168.10.3') ⇒ Object

Find the HTTP requests made by the host (Zeus uses it to send stolen data to its dropzone) The biggest post refers to the STATS one (by default is sent every 20 min) the smallest post refers to the LOG one (by default is sent every minute) the biggest GET refers to the Configuration file downloaded by the Zeus C&C

# File 'lib/dorothy2/do-parsers.rb', line 374

def findzeusdata(re, type, cc='192.168.10.3')
	flowids = {}
	self.flows("flow.service:HTTP flow.dst: #{cc}").each do |flow|
		method = self.flows("flow.id:#{flow.id}").values('http.request.method')[0].value
		flowids[flow.id] = flow.stream.flow.contents.first.body.length if method =~ /#{Regexp.escape(re)}/
	end
	if type == "ping"
		return flowids.sort {|a,b| a[1]<=>b[1]}.first
		elsif type == "stat" || type == "conf"
		return flowids.sort {|a,b| a[1]<=>b[1]}.last
		else
		puts "Error, choose one argument from: ping, stat, conf"
		return 1
	end
end

#flowcontent(id) ⇒ Object

Retrieve the content of a specified flow-ID

# File 'lib/dorothy2/do-parsers.rb', line 456

def flowcontent(id)
	body = ""
	self.flows("flow.id:#{id}").each do |flow|
		flow.contents.each do |c|
			body << c.body
		end
	end
	return body
end

#flowgrep(id, re) ⇒ Object

# File 'lib/dorothy2/do-parsers.rb', line 428

def flowgrep(id, re)
	self.flows("flow.id:#{id}").each do |f|
		@t = false	
		f.stream.each do |mex|
			if mex.bytes =~ /#{re}/
				puts "#{f.id}: > #{f.dst.address} - #{$1}" 
				@t = true
			end
		end
	end
	return @t
end

#flowinfo(id) ⇒ Object

# File 'lib/dorothy2/do-parsers.rb', line 364

def flowinfo(id)
	f = self.flows("flow.id:#{id}").first.inspect
	f << self.flows("flow.id:#{id}").first.time.to_s
	return f
end

#flowsummary(verbose = 0) ⇒ Object

# File 'lib/dorothy2/do-parsers.rb', line 408

def flowsummary(verbose=0)
	self.flows.each { |flow|
		flowdeep = self.flows("flow.id:#{flow.id}")
		if verbose == 1
			puts "#{flow.id}: #{flow.time} : #{flow.src.address} > #{flow.dst.address} - #{flow.packets} - #{flow.bytes} - #{flow.duration} - #{flow.title}" 
			else
			puts "| #{flow.id}: #{flow.src.address} > #{flow.service.name} > #{flow.dst.address} : #{flow.title}"
		end
	}
end

#streamdata(id) ⇒ Object

# File 'lib/dorothy2/do-parsers.rb', line 441

def streamdata(id)
	data = []
	self.flows("flow.id:#{id}").each do |f|
		f.stream.each do |mex|
			t = [mex.bytes, mex.dir]
			data.push t 
		end
	end
	return data
end

#summaryhttp(fast = 0, v = 0) ⇒ Object

# File 'lib/dorothy2/do-parsers.rb', line 350

def summaryhttp(fast=0, v=0)
	ids = []
	self.flows('flow.service:HTTP').each { |flow|
		method = self.flows("flow.id:#{flow.id}").values('http.request.method')[0].value
		if fast == 0
			puts "#{flow.id} #{flow.src.address} > #{flow.dst.address} - #{method} -  #{flow.stream.flow.contents.first.body.length}" 
			else
			puts "#{flow.id} #{flow.src.address} > #{flow.dst.address} - #{method}"
		end
		ids.push(flow.id)
	}
	return ids
end

#summaryhttpmethod(re, fast = 0) ⇒ Object

# File 'lib/dorothy2/do-parsers.rb', line 397

def summaryhttpmethod(re, fast=0)
	self.flows('flow.service:HTTP').each { |flow|
		flowdeep = self.flows("flow.id:#{flow.id}")
		if fast == 0
			puts "#{flow.id} #{flow.src.address} > #{flow.dst.address} - #{flow.stream.flow.contents.first.body.length}" if flowdeep.values('http.request.method')[0] && flowdeep.values('http.request.method')[0].value =~ /#{Regexp.escape(re)}/
			else
			puts "#{flow.id} #{flow.src.address} > #{flow.dst.address}" if flowdeep.values('http.request.method')[0] && flowdeep.values('http.request.method')[0].value =~ /#{Regexp.escape(re)}/
		end
	}
end

#summaryport(port) ⇒ Object

# File 'lib/dorothy2/do-parsers.rb', line 420

def summaryport(port)
	self.flows("flow.dport:#{port}").each do |f|
		f.contents.each do |c|
			puts "#{f.id}: #{flow.id} #{flow.src.address} > #{flow.dst.address} #{f.title} : #{c.body.length}"
		end
	end
end