Ejemplo n.º 1
0
def pb_create(filename):
    # http://pastebin.com/faq#9
    # 512kB limit per paste
    if fileutils.is_file(filename):
        with open(filename) as fo:
            pastedata = fo.read()
            if b64:
                pastedata = base64.b64encode(pastedata)
        res = apis.pastebin_create(pastedata)
        if res.success:
            return res.pasteurl
    return None
Ejemplo n.º 2
0
    def __init__(self, configfile=None):
        # max bytes (within respective protocol buffers) to inspect
        self.MAX_INSPECT_UDP_DEPTH = 8192
        self.MAX_INSPECT_CTS_DEPTH = 8192
        self.MAX_INSPECT_STC_DEPTH = 8192

        self.conf = utils.objdict({})

        self.configfile = os.path.abspath(configfile)
        self.config = ConfigParser.SafeConfigParser()

        if configfile and fileutils.is_file(configfile):
            self.config.read(self.configfile)
Ejemplo n.º 3
0
def main():
    session = utils.objdict({})
    session.config = utils.objdict({})
    session.config.configfile = None
    session.config.cuckooreport = None
    session.config.inputdir = None
    session.config.inputfiles = None
    session.config.interactive = None
    session.config.nobanner = None
    session.config.noribenreport = None
    session.config.reportsdir = None
    session.config.rescan = None
    session.config.serve = None
    session.config.supportedmimetypes = None
    session.config.verbose = None

    parser = argparse.ArgumentParser(
        description="Rudra - The destroyer of evil")
    parser.add_argument("-c",
                        "--configfile",
                        dest="configfile",
                        action="store",
                        default=None,
                        help="custom config file (default: ./rudra.conf)")
    parser.add_argument("-f",
                        "--inputfile",
                        dest="inputfile",
                        action="append",
                        default=[],
                        help="file to analyze")
    parser.add_argument("-d",
                        "--inputdir",
                        dest="inputdir",
                        action="append",
                        default=[],
                        help="directory to analyze")
    parser.add_argument("-r",
                        "--reportsdir",
                        dest="reportsdir",
                        action="store",
                        default=None,
                        help="custom reports directory (default: ./reports)")
    parser.add_argument("-i",
                        "--interactive",
                        dest="interactive",
                        action="store_true",
                        default=False,
                        help="invoke interactive mode")
    parser.add_argument("-b",
                        "--nobanner",
                        dest="nobanner",
                        action="store_true",
                        default=False,
                        help="disable banner")
    parser.add_argument("-v",
                        "--verbose",
                        dest="verbose",
                        action="store_true",
                        default=False,
                        help="enable verbose output")
    parser.add_argument("-D",
                        "--reportsdirstruct",
                        dest="reportsdirstruct",
                        action="store_true",
                        default=False,
                        help="retain source-like reports directory structure")
    parser.add_argument("-R",
                        "--rescan",
                        dest="rescan",
                        action="store_true",
                        default=False,
                        help="force rescan for input file")
    parser.add_argument("-C",
                        "--cuckooreport",
                        dest="cuckooreport",
                        action="store",
                        default=None,
                        help="cuckoo json report for input file")
    parser.add_argument("-N",
                        "--noribenreport",
                        dest="noribenreport",
                        action="store",
                        default=None,
                        help="noriben csv report for input file")
    args = parser.parse_args()

    # set user preferred file as config file
    # or use default config file
    # and read config options from it
    if args.configfile:
        configfile = args.configfile
    else:
        configfile = "./rudra.conf"
    configobj = config.Config(configfile)
    session.config = utils.objdict(configobj.read_as_dict())

    if len(args.inputfile) > 0:
        session.config.inputfiles = []
        if len(args.inputfile) > 1:
            for f in args.inputfile:
                if fileutils.is_file(f):
                    session.config.inputfiles.append(f)
                else:
                    utils.error("%s is not a file!" % f)
        else:
            session.config.inputfiles = args.inputfile

    if len(args.inputdir) > 0:
        session.config.inputfiles = []
        for directory in args.inputdir:
            if fileutils.is_dir(directory):
                session.config.inputfiles += fileutils.file_list(
                    directory, whitelist=session.config.supportedmimetypes)

    # set the reports dir
    if "reportsdir" not in session.config.keys():
        session.config.reportsdir = False
    if args.reportsdir:
        session.config.reportsdir = args.reportsdir

    # enable interactive mode
    if "interactive" not in session.config.keys():
        session.config.interactive = False
    if args.interactive:
        session.config.interactive = args.interactive

    # disable banner if requested
    if "nobanner" not in session.config.keys():
        session.config.nobanner = False
    if args.nobanner:
        session.config.nobanner = args.nobanner

    # default config enables following message types: INFO, WARN and ERROR (program exits on an ERROR)
    # to enable DEBUG messages: activate verbosity
    if "verbose" not in session.config.keys():
        session.config.verbose = False
    if args.verbose:
        session.config.verbose = args.verbose

    # force rescan for input file
    if "reportsdirstruct" not in session.config.keys():
        session.config.reportsdirstruct = False
    if args.reportsdirstruct:
        session.config.reportsdirstruct = args.reportsdirstruct

    # force rescan for input file
    if "rescan" not in session.config.keys():
        session.config.rescan = False
    if args.rescan:
        session.config.rescan = args.rescan

    # use arg as cuckoo report for input file
    if "cuckooreport" not in session.config.keys():
        session.config.cuckooreport = None
    if args.cuckooreport and not args.inputdir:
        session.config.cuckooreport = args.cuckooreport

    # use arg as noriben report for input file
    if "noribenreport" not in session.config.keys():
        session.config.noribenreport = None
    if args.noribenreport and not args.inputdir:
        session.config.noribenreport = args.noribenreport

    r = rudra.Rudra(session=session)
Ejemplo n.º 4
0
    def analyze(self, filename):
        if not fileutils.is_file(filename):
            utils.warn("%s is not a file." % filename)
            return

        timing = utils.objdict({})
        timing.starttime = time.time()
        self.session.config.reportsdir = "%s/%s/" % (
            self.session.config.basereportsdir,
            fileutils.file_hashes(filename, "sha256"))
        print "Starting analysis on %s @ %s" % (
            filename, utils.time_to_local_string(timing.starttime))

        ## refrain scanning a file more than once
        ## include db checks and ensure config similarity
        ## or check if the report file already exists in reports directory

        ## populate these after syncing with db
        self.session.report.misc = utils.objdict({})
        #self.session.report.misc.firstseen = utils.current_datetime_string()
        #self.session.report.misc.lastseen = utils.current_datetime_string()

        filesize = fileutils.file_size(filename)
        if self.session.config.statsfilesizelimit == 0 or filesize <= self.session.config.statsfilesizelimit:
            # limit is equal to 0 or filesize is lesser than limit
            # all good, keep going
            pass
        else:
            utils.info(
                "Disabling entropy compression stats calculation and file visualization (filesize: %d, statsfilesizelimit: %d)"
                % (filesize, self.session.config.statsfilesizelimit))
            self.session.config.enableentropycompressionstats = False
            self.session.config.enablefilevisualization = False

        if not self.session.config.enablegeoloc:
            # if geodata lookup is disabled
            # map cannot be shown, so disable it explicitly
            self.session.config.enablegooglemaps = False
            utils.info(
                "Geolocation is disabled in config and as such Google Maps layout is being auto-disabled"
            )

        # initialize filemeta specific classes and call analysis methods
        utils.info(
            "Invoking filemeta module for type identification and metadata collection"
        )
        filemeta = FileMeta(filename=filename, config=self.session.config)
        if filemeta:
            filemeta.analyze()
            self.session.report.meta = filemeta.report
            if not self.session.config.enableentropycompressionstats:
                self.session.report.meta.filesize = filesize
        else:
            self.session.report.meta = None

        if filemeta and self.session.report.meta and self.session.report.meta.filemimetype == "application/vnd.tcpdump.pcap":
            if self.session.config.enablepcap:
                utils.info(
                    "Invoking pcapanalysis module for host identification, dns/http/ftp/smtp/pop3/imap probing and flow inspection"
                )
                pcapid = PCAPAnalysis(filename=filename,
                                      config=self.session.config)
                if pcapid:
                    pcapid.analyze()
                    self.session.report.pcap = pcapid.report
                else:
                    self.session.report.pcap = None
            else:
                self.session.report.pcap = None

        elif filemeta and self.session.report.meta and self.session.report.meta.filemimetype == "application/x-dosexec":
            if self.session.config.enablepe:
                utils.info(
                    "Invoking peanalysis module for scanning file and identifying threat indicators"
                )
                pea = PEAnalysis(filename=filename, config=self.session.config)
                if pea:
                    pea.analyze()
                    self.session.report.pe = pea.report
                else:
                    self.session.report.pe = None
            else:
                self.session.report.pe = None

        timing.endtime = time.time()
        timing.elapsedtime = timing.endtime - timing.starttime
        self.session.report.misc.config = self.session.config

        self.save()
        print "Completed analysis on %s @ %s (Elapsed: %s)" % (
            filename, utils.time_to_local_string(
                timing.endtime), utils.elapsed_time_string(timing.elapsedtime))
Ejemplo n.º 5
0
 def already_scanned(self, filesha2):
     if fileutils.is_file("%s/%s.json" %
                          (self.session.config.currreportpath,
                           self.session.config.currreportfile)):
         return True
     return False