Class: DoroParser::Doroxtractr

Inherits:

Mu::Xtractr

• Object
• Mu::Xtractr
• DoroParser::Doroxtractr

Defined in:

lib/dorothy2/DEM.rb

Overview

PcaprLocal::Xtractr.new

Instance Attribute Summary

Attributes inherited from Mu::Xtractr

#address, #port, #relurl

Instance Method Summary

• #findconfget ⇒ Object

  Find the HTTP GET request made by the host (Zeus uses it to send stolen data to its dropzone) Is the first get request made to the C&C [!?].

• #findzeusdata(re, type, cc = '192.168.10.3') ⇒ Object

  Find the HTTP requests made by the host (Zeus uses it to send stolen data to its dropzone) The biggest post refers to the STATS one (by default is sent every 20 min) the smallest post refers to the LOG one (by default is sent every minute) the biggest GET refers to the Configuration file downloaded by the Zeus C&C.

• #flowcontent(id) ⇒ Object

  Retrieve the content of a specified flow-ID.

• #flowgrep(id, re) ⇒ Object
• #flowinfo(id) ⇒ Object
• #flowsummary(verbose = 0) ⇒ Object
• #streamdata(id) ⇒ Object
• #summaryhttp(fast = 0, v = 0) ⇒ Object
• #summaryhttpmethod(re, fast = 0) ⇒ Object
• #summaryport(port) ⇒ Object

Methods inherited from Mu::Xtractr

#about, create, #field, #fields, #flow, #flows, #get, #host, #hosts, #initialize, #inspect, #json, #packet, #packets, #service, #services

Constructor Details

This class inherits a constructor from Mu::Xtractr

Instance Method Details

#findconfget ⇒ Object

Find the HTTP GET request made by the host (Zeus uses it to send stolen data to its dropzone) Is the first get request made to the C&C [!?]

# File 'lib/dorothy2/DEM.rb', line 321

def findconfget
  self.flows("flow.service:HTTP flow.dst: #{cc}")
end

#findzeusdata(re, type, cc = '192.168.10.3') ⇒ Object

Find the HTTP requests made by the host (Zeus uses it to send stolen data to its dropzone) The biggest post refers to the STATS one (by default is sent every 20 min) the smallest post refers to the LOG one (by default is sent every minute) the biggest GET refers to the Configuration file downloaded by the Zeus C&C

# File 'lib/dorothy2/DEM.rb', line 302

def findzeusdata(re, type, cc='192.168.10.3')
  flowids = {}
  self.flows("flow.service:HTTP flow.dst: #{cc}").each do |flow|
    method = self.flows("flow.id:#{flow.id}").values('http.request.method')[0].value
    flowids[flow.id] = flow.stream.flow.contents.first.body.length if method =~ /#{Regexp.escape(re)}/
  end
  if type == "ping"
    return flowids.sort {|a,b| a[1]<=>b[1]}.first
  elsif type == "stat" || type == "conf"
    return flowids.sort {|a,b| a[1]<=>b[1]}.last
  else
    puts "Error, choose one argument from: ping, stat, conf"
    return 1
  end
end

#flowcontent(id) ⇒ Object

Retrieve the content of a specified flow-ID

# File 'lib/dorothy2/DEM.rb', line 381

def flowcontent(id)
  body = ""
  self.flows("flow.id:#{id}").each do |flow|
    flow.contents.each do |c|
      body << c.body
    end
  end
  return body
end

#flowgrep(id, re) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 356

def flowgrep(id, re)
  self.flows("flow.id:#{id}").each do |f|
    @t = false
    f.stream.each do |mex|
      if mex.bytes =~ /#{re}/
        puts "#{f.id}: > #{f.dst.address} - #{$1}"
        @t = true
      end
    end
  end
  return @t
end

#flowinfo(id) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 293

def flowinfo(id)
  f = self.flows("flow.id:#{id}").first.inspect
  f << self.flows("flow.id:#{id}").first.time.to_s
end

#flowsummary(verbose = 0) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 336

def flowsummary(verbose=0)
  self.flows.each { |flow|
    flowdeep = self.flows("flow.id:#{flow.id}")
    if verbose == 1
      puts "#{flow.id}: #{flow.time} : #{flow.src.address} > #{flow.dst.address} - #{flow.packets} - #{flow.bytes} - #{flow.duration} - #{flow.title}"
    else
      puts "| #{flow.id}: #{flow.src.address} > #{flow.service.name} > #{flow.dst.address} : #{flow.title}"
    end
  }
end

#streamdata(id) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 369

def streamdata(id)
  data = []
  self.flows("flow.id:#{id}").each do |f|
    f.stream.each do |mex|
      t = [mex.bytes, mex.dir]
      data.push t
    end
  end
  return data
end

#summaryhttp(fast = 0, v = 0) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 279

def summaryhttp(fast=0, v=0)
  ids = []
  self.flows('flow.service:HTTP').each { |flow|
    method = self.flows("flow.id:#{flow.id}").values('http.request.method')[0].value
    if fast == 0
      puts "#{flow.id} #{flow.src.address} > #{flow.dst.address} - #{method} -  #{flow.stream.flow.contents.first.body.length}"
    else
      puts "#{flow.id} #{flow.src.address} > #{flow.dst.address} - #{method}"
    end
    ids.push(flow.id)
  }
  return ids
end

#summaryhttpmethod(re, fast = 0) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 325

def summaryhttpmethod(re, fast=0)
  self.flows('flow.service:HTTP').each { |flow|
    flowdeep = self.flows("flow.id:#{flow.id}")
    if fast == 0
      puts "#{flow.id} #{flow.src.address} > #{flow.dst.address} - #{flow.stream.flow.contents.first.body.length}" if flowdeep.values('http.request.method')[0] && flowdeep.values('http.request.method')[0].value =~ /#{Regexp.escape(re)}/
    else
      puts "#{flow.id} #{flow.src.address} > #{flow.dst.address}" if flowdeep.values('http.request.method')[0] && flowdeep.values('http.request.method')[0].value =~ /#{Regexp.escape(re)}/
    end
  }
end

#summaryport(port) ⇒ Object

# File 'lib/dorothy2/DEM.rb', line 348

def summaryport(port)
  self.flows("flow.dport:#{port}").each do |f|
    f.contents.each do |c|
      puts "#{f.id}: #{flow.id} #{flow.src.address} > #{flow.dst.address} #{f.title} : #{c.body.length}"
    end
  end
end