Class: DoroParser::Doroxtractr

Inherits:

Mu::Xtractr

• Object
• Mu::Xtractr
• DoroParser::Doroxtractr

Defined in:

lib/dorothy2/DEM.rb

Overview

PcaprLocal::Xtractr.new

Instance Attribute Summary

Attributes inherited from Mu::Xtractr

#address, #port, #relurl

Instance Method Summary

• #findconfget ⇒ Object

  Find the HTTP GET request made by the host (Zeus uses it to send stolen data to its dropzone) Is the first get request made to the C&C [!?].

• #findzeusdata(re, type, cc = '192.168.10.3') ⇒ Object

  Find the HTTP requests made by the host (Zeus uses it to send stolen data to its dropzone) The biggest post refers to the STATS one (by default is sent every 20 min) the smallest post refers to the LOG one (by default is sent every minute) the biggest GET refers to the Configuration file downloaded by the Zeus C&C.

• #flowcontent(id) ⇒ Object

  Retrieve the content of a specified flow-ID.

• #flowgrep(id, re) ⇒ Object
• #flowinfo(id) ⇒ Object
• #flowsummary(verbose = 0) ⇒ Object
• #streamdata(id) ⇒ Object
• #summaryhttp(fast = 0, v = 0) ⇒ Object
• #summaryhttpmethod(re, fast = 0) ⇒ Object
• #summaryport(port) ⇒ Object

Methods inherited from Mu::Xtractr

#about, create, #field, #fields, #flow, #flows, #get, #host, #hosts, #initialize, #inspect, #json, #packet, #packets, #service, #services

Constructor Details

This class inherits a constructor from Mu::Xtractr

Instance Method Details

#findconfget ⇒ Object

Find the HTTP GET request made by the host (Zeus uses it to send stolen data to its dropzone) Is the first get request made to the C&C [!?]

# File 'lib/dorothy2/DEM.rb', line 393

def findconfget
  self.flows("flow.service:HTTP flow.dst: #{cc}")
end

#findzeusdata(re, type, cc = '192.168.10.3') ⇒ Object

Find the HTTP requests made by the host (Zeus uses it to send stolen data to its dropzone) The biggest post refers to the STATS one (by default is sent every 20 min) the smallest post refers to the LOG one (by default is sent every minute) the biggest GET refers to the Configuration file downloaded by the Zeus C&C

# File 'lib/dorothy2/DEM.rb', line 374

def findzeusdata(re, type, cc='192.168.10.3')
  flowids = {}
  self.flows("flow.service:HTTP flow.dst: #{cc}").each do |flow|
    method = self.flows("flow.id:#{flow.id}").values('http.request.method')[0].value
    flowids[flow.id] = flow.stream.flow.contents.first.body.length if method =~ /#{Regexp.escape(re)}/
  end
  if type == "ping"
    return flowids.sort {|a,b| a[1]<=>b[1]}.first
    elsif type == "stat" || type == "conf"
    return flowids.sort {|a,b| a[1]<=>b[1]}.last
    else
    puts "Error, choose one argument from: ping, stat, conf"
    return 1
  end
end

#flowcontent(id) ⇒ Object

Retrieve the content of a specified flow-ID

# File 'lib/dorothy2/DEM.rb', line 456

def flowcontent(id)
  body = ""
  self.flows("flow.id:#{id}").each do |flow|
    flow.contents.each do |c|
      body << c.body
    end
  end
  return body
end

#flowgrep(id, re) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 428

def flowgrep(id, re)
  self.flows("flow.id:#{id}").each do |f|
    @t = false  
    f.stream.each do |mex|
      if mex.bytes =~ /#{re}/
        puts "#{f.id}: > #{f.dst.address} - #{$1}" 
        @t = true
      end
    end
  end
  return @t
end

#flowinfo(id) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 364

def flowinfo(id)
  f = self.flows("flow.id:#{id}").first.inspect
  f << self.flows("flow.id:#{id}").first.time.to_s
  return f
end

#flowsummary(verbose = 0) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 408

def flowsummary(verbose=0)
  self.flows.each { |flow|
    flowdeep = self.flows("flow.id:#{flow.id}")
    if verbose == 1
      puts "#{flow.id}: #{flow.time} : #{flow.src.address} > #{flow.dst.address} - #{flow.packets} - #{flow.bytes} - #{flow.duration} - #{flow.title}" 
      else
      puts "| #{flow.id}: #{flow.src.address} > #{flow.service.name} > #{flow.dst.address} : #{flow.title}"
    end
  }
end

#streamdata(id) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 441

def streamdata(id)
  data = []
  self.flows("flow.id:#{id}").each do |f|
    f.stream.each do |mex|
      t = [mex.bytes, mex.dir]
      data.push t 
    end
  end
  return data
end

#summaryhttp(fast = 0, v = 0) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 350

def summaryhttp(fast=0, v=0)
  ids = []
  self.flows('flow.service:HTTP').each { |flow|
    method = self.flows("flow.id:#{flow.id}").values('http.request.method')[0].value
    if fast == 0
      puts "#{flow.id} #{flow.src.address} > #{flow.dst.address} - #{method} -  #{flow.stream.flow.contents.first.body.length}" 
      else
      puts "#{flow.id} #{flow.src.address} > #{flow.dst.address} - #{method}"
    end
    ids.push(flow.id)
  }
  return ids
end

#summaryhttpmethod(re, fast = 0) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 397

def summaryhttpmethod(re, fast=0)
  self.flows('flow.service:HTTP').each { |flow|
    flowdeep = self.flows("flow.id:#{flow.id}")
    if fast == 0
      puts "#{flow.id} #{flow.src.address} > #{flow.dst.address} - #{flow.stream.flow.contents.first.body.length}" if flowdeep.values('http.request.method')[0] && flowdeep.values('http.request.method')[0].value =~ /#{Regexp.escape(re)}/
      else
      puts "#{flow.id} #{flow.src.address} > #{flow.dst.address}" if flowdeep.values('http.request.method')[0] && flowdeep.values('http.request.method')[0].value =~ /#{Regexp.escape(re)}/
    end
  }
end

#summaryport(port) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 420

def summaryport(port)
  self.flows("flow.dport:#{port}").each do |f|
    f.contents.each do |c|
      puts "#{f.id}: #{flow.id} #{flow.src.address} > #{flow.dst.address} #{f.title} : #{c.body.length}"
    end
  end
end