Code polishing, fixed report engine, introduced signature engine

bgehrich · Mar 5, 2012 · bb5effb · bb5effb
1 parent c97a893
commit bb5effb
Show file tree

Hide file tree

Showing 34 changed files with 276 additions and 105 deletions.
diff --git a/conf/reporting.conf b/conf/reporting.conf
@@ -28,3 +28,4 @@ reporthtml = on
 metadata = on
 maec = on
 pickled = on
+alert = on
diff --git a/cuckoo.py b/cuckoo.py
@@ -28,13 +28,13 @@
 from time import time, sleep
 from threading import Thread
 
-from cuckoo.logging.logo import logo
-from cuckoo.config.cuckooconfig import CuckooConfig
-from cuckoo.config.constants import *
+from cuckoo.common.logo import logo
+from cuckoo.common.cuckooconfig import CuckooConfig
+from cuckoo.common.constants import *
 from cuckoo.core.db import CuckooDatabase
 from cuckoo.core.getpackage import get_package
 from cuckoo.common.getfiletype import get_file_type
-from cuckoo.logging.crash import crash
+from cuckoo.common.crash import crash
 
 # Check the virtualization engine from the config fle and tries to retrieve
 # and import the corresponding Cuckoo's module.

diff --git a/cuckoo/config/constants.py → cuckoo/common/constants.py b/cuckoo/config/constants.py → cuckoo/common/constants.py
diff --git a/cuckoo/logging/crash.py → cuckoo/common/crash.py b/cuckoo/logging/crash.py → cuckoo/common/crash.py
@@ -20,7 +20,7 @@
 import sys
 import traceback
 
-import cuckoo.config.constants as constants
+import cuckoo.common.constants as constants
 
 def crash():
     """

diff --git a/cuckoo/config/cuckooconfig.py → cuckoo/common/cuckooconfig.py b/cuckoo/config/cuckooconfig.py → cuckoo/common/cuckooconfig.py
@@ -19,10 +19,9 @@
 
 import os
 import sys
-import logging
 import ConfigParser
 
-from cuckoo.config.constants import CUCKOO_CONFIG_FILE
+from cuckoo.common.constants import CUCKOO_CONFIG_FILE
 
 class CuckooConfig:
     """

diff --git a/cuckoo/reporting/lib/utils.py → cuckoo/common/dateutils.py b/cuckoo/reporting/lib/utils.py → cuckoo/common/dateutils.py
@@ -19,18 +19,18 @@
 
 from datetime import datetime
 
-def convert_time(timestamp):
+def datetime_to_iso(timestamp):
     """
     Parse a datatime string and returns a datetime in iso format.
     @param timestamp: timestamp string
     @return: ISO datetime
     """  
     if hasattr(datetime, 'strptime'):
-        # python 2.6
+        # Python 2.6
         strptime = datetime.strptime
     else:
-        # python 2.4 equivalent
+        # Python 2.4 equivalent
         import time
-        strptime = lambda date_string, format: datetime(*(time.strptime(date_string, format)[0:6]))  
-    return strptime(timestamp, '%Y-%m-%d %H:%M:%S').isoformat()
+        strptime = lambda date_string, format: datetime(*(time.strptime(date_string, format)[0:6]))
 
+    return strptime(timestamp, '%Y-%m-%d %H:%M:%S').isoformat()
diff --git a/cuckoo/common/getfiletype.py b/cuckoo/common/getfiletype.py
@@ -34,7 +34,7 @@ def get_file_type(file_path):
     @param file_path: file path
     @return: file type identifier or magic signature if format is not supported
     """
-    log = logging.getLogger("Core.GetFileType")
+    log = logging.getLogger("Common.GetFileType")
 
     if not os.path.exists(file_path):
         return None

diff --git a/cuckoo/logging/logo.py → cuckoo/common/logo.py b/cuckoo/logging/logo.py → cuckoo/common/logo.py
@@ -19,7 +19,7 @@
 
 import sys
 
-from cuckoo.config.constants import CUCKOO_VERSION
+from cuckoo.common.constants import CUCKOO_VERSION
 
 def logo():
     """

diff --git a/cuckoo/processing/convert.py → cuckoo/common/stringutils.py b/cuckoo/processing/convert.py → cuckoo/common/stringutils.py
diff --git a/cuckoo/core/db.py b/cuckoo/core/db.py
@@ -21,8 +21,8 @@
 import sys
 import logging
 
-from cuckoo.config.cuckooconfig import CuckooConfig
-from cuckoo.config.constants import CUCKOO_DB_FILE
+from cuckoo.common.cuckooconfig import CuckooConfig
+from cuckoo.common.constants import CUCKOO_DB_FILE
 
 try:
     import sqlite3
@@ -37,7 +37,7 @@ class CuckooDatabase:
     """
 
     def __init__(self):
-        log = logging.getLogger("Database.Init")
+        log = logging.getLogger("Core.CuckooDatabase")
         self._conn = None
         self._cursor = None
 
@@ -156,7 +156,7 @@ def get_task(self):
         """
         Acquire a task from the queue.
         """
-        log = logging.getLogger("Database.GetTask")
+        log = logging.getLogger("Core.CuckooDatabase.GetTask")
 
         if not self._cursor:
             log.error("Unable to acquire cursor.")
@@ -185,7 +185,7 @@ def lock(self, task_id):
         Lock a task.
         @param task_id: task ID 
         """
-        log = logging.getLogger("Database.Lock")
+        log = logging.getLogger("Core.CuckooDatabase.Lock")
 
         if not self._cursor:
             log.error("Unable to acquire cursor.")
@@ -222,7 +222,7 @@ def unlock(self, task_id):
         Unlock a task.
         @param task_id: task ID
         """ 
-        log = logging.getLogger("Database.Unlock")
+        log = logging.getLogger("Core.CuckooDatabase.Unlock")
 
         if not self._cursor:
             log.error("Unable to acquire cursor.")
@@ -261,7 +261,7 @@ def complete(self, task_id, success = True):
         @param task_id: completed task ID
         @param success: boolean representing the analysis sucess or failure
         """ 
-        log = logging.getLogger("Database.Complete")
+        log = logging.getLogger("Core.CuckooDatabase.Complete")
 
         if not self._cursor:
             log("Unable to acquire cursor.")

diff --git a/cuckoo/core/getpackage.py b/cuckoo/core/getpackage.py
@@ -17,16 +17,14 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see http://www.gnu.org/licenses/.
 
-import re
-
 def get_package(file_type):
-    if re.search("DLL", file_type):
+    if "DLL" in file_type:
         return "dll"
-    elif re.search("PE32", file_type) or re.search("MS-DOS", file_type):
+    elif "PE32" in file_type or "MS-DOS" in file_type:
         return "exe"
-    elif re.match("PDF", file_type):
+    elif "PDF" in file_type:
         return "pdf"
-    elif re.search("HTML", file_type):
+    elif "HTML" in file_type:
         return "html"
     else:
         return None
diff --git a/cuckoo/core/sniffer.py b/cuckoo/core/sniffer.py
@@ -22,7 +22,7 @@
 import logging
 import subprocess
 
-from cuckoo.config.cuckooconfig import CuckooConfig
+from cuckoo.common.cuckooconfig import CuckooConfig
 
 class Sniffer:
     """
@@ -39,16 +39,14 @@ def __init__(self, pcap_file):
         self.proc = None
         self.guest_mac = None
 
-        log = logging.getLogger("Sniffer")
-
     def start(self, interface, guest_mac):
         """
         Start sniffing.
         @param interface: network interface name to sniff
         @param guest_mac: virtual machine MAC address to filter
         @return: boolean identifying the success of the operation
         """  
-        log = logging.getLogger("Sniffer.Start")
+        log = logging.getLogger("Core.Sniffer.Start")
         self.guest_mac = guest_mac
 
         if not self.tcpdump:
@@ -92,7 +90,7 @@ def stop(self):
         Stop sniffing.
         @return: boolean identifying the success of the operation
         """
-        log = logging.getLogger("Sniffer.Stop")
+        log = logging.getLogger("Core.Sniffer.Stop")
 
         if self.proc != None and self.proc.poll() == None:
             try:
@@ -103,3 +101,5 @@ def stop(self):
                 return False
 
             log.info("Sniffer stopped monitoring %s." % self.guest_mac)
+
+        return True
diff --git a/cuckoo/core/virtualbox.py b/cuckoo/core/virtualbox.py
@@ -21,7 +21,7 @@
 import sys
 import logging
 
-from cuckoo.config.cuckooconfig import CuckooConfig
+from cuckoo.common.cuckooconfig import CuckooConfig
 
 # Load VirtualBox's SDK APIs.
 try:
@@ -85,7 +85,7 @@ def infos(self):
         Gets virtual machine infomation.
         @return: boolean identifying the success of the operation
         """
-        log = logging.getLogger("VirtualMachine.Infos")
+        log = logging.getLogger("Core.VirtualBox.Infos")
 
         if self.mach:
             # Check if machine is accessible.
@@ -117,8 +117,8 @@ def infos(self):
             log.info("Virtual machine \"%s\" information:" % self.name)
             log.info("\t\_| Name: %s" % self.mach.name)
             log.info("\t  | ID: %s" % self.mach.id)
-            log.info("\t  | VRAM Size: %s MB" % self.mach.VRAMSize)
             log.info("\t  | OS Type: %s" % self.mach.OSTypeId)
+            log.info("\t  | VRAM Size: %s MB" % self.mach.VRAMSize)
             log.info("\t  | CPU Count: %s Core/s" % self.mach.CPUCount)
             log.info("\t  | Memory Size: %s MB" % self.mach.memorySize)   
             log.info("\t  | State: %s" % state)
@@ -136,7 +136,7 @@ def check(self):
         Checks if VirtualBox version is supported
         @return: boolean saying if VirtualBox version is supported or not
         """
-        log = logging.getLogger("VirtualMachine.Check")
+        log = logging.getLogger("Core.VirtualBox.Check")
 
         # Check if VirtualBox version is supported.
         if not re.match(VBOX_VERSION, self.vbox.version):
@@ -154,7 +154,7 @@ def start(self):
         Starts virtual machine.
         @return: boolean identifying the success of the operation
         """
-        log = logging.getLogger("VirtualMachine.Start")
+        log = logging.getLogger("Core.VirtualBox.Start")
 
         if self.mach:
             try:
@@ -212,7 +212,7 @@ def stop(self):
         Stops virtual machine.
         @return: boolean identifying the success of the operation
         """
-        log = logging.getLogger("VirtualMachine.Stop")
+        log = logging.getLogger("Core.VirtualBox.Stop")
 
         if self.mach:
             try:
@@ -264,7 +264,7 @@ def restore(self):
         Restores virtual machine.
         @return: boolean identifying the success of the operation
         """
-        log = logging.getLogger("VirtualMachine.Restore")
+        log = logging.getLogger("Core.VirtualBox.Restore")
 
         if self.mach:
             try:
@@ -326,7 +326,7 @@ def execute(self, exec_name, args = None, timeout = None):
         @param timeout: process execution timeout
         @return: boolean identifying the success of the operation
         """   
-        log = logging.getLogger("VirtualMachine.Execute")
+        log = logging.getLogger("Core.VirtualBox.Execute")
 
         # Check if program name is specified.
         if not exec_name or exec_name == "":

diff --git a/cuckoo/processing/analysis.py b/cuckoo/processing/analysis.py
@@ -22,7 +22,7 @@
 import csv
 import logging
 
-from cuckoo.processing.convert import convert_to_printable
+from cuckoo.common.stringutils import convert_to_printable
 
 class ParseBehaviorLog:
     """
@@ -48,7 +48,7 @@ def _parse(self, row):
         """
         call = {}
         arguments = []
-        log = logging.getLogger("Processor.ParseBehaviorLog")
+        log = logging.getLogger("Processing.ParseBehaviorLog")
 
         # Try to acquire the first fixed columns.
         try:
@@ -121,7 +121,7 @@ def extract(self):
         """
         Processes the specified process log file.
         """
-        log = logging.getLogger("Processor.ParseBehaviorLog")
+        log = logging.getLogger("Processing.ParseBehaviorLog")
 
         if not os.path.exists(self._log_path):
             log.error("Analysis logs folder does not exist at path \"%s\"."
@@ -159,7 +159,7 @@ def process(self):
         @return: dictionary containing the abstracted analysis results
         """
         results = []
-        log = logging.getLogger("Processor.BehaviorAnalysis")
+        log = logging.getLogger("Processing.BehaviorAnalysis")
 
         # Check if the specified directory exists.
         if not os.path.exists(self._logs_path):

diff --git a/cuckoo/processing/config.py → cuckoo/processing/analysisconfig.py b/cuckoo/processing/config.py → cuckoo/processing/analysisconfig.py
diff --git a/cuckoo/processing/data.py → cuckoo/processing/cuckoodict.py b/cuckoo/processing/data.py → cuckoo/processing/cuckoodict.py
@@ -26,12 +26,13 @@
 import logging
 from datetime import datetime
 
-from cuckoo.config.constants import CUCKOO_VERSION
+from cuckoo.common.constants import CUCKOO_VERSION
 from cuckoo.processing.file import File
 from cuckoo.processing.pcap import Pcap
-from cuckoo.processing.config import AnalysisConfig
+from cuckoo.processing.analysisconfig import AnalysisConfig
 from cuckoo.processing.pe import PortableExecutable
 from cuckoo.processing.analysis import BehaviorAnalysis, BehaviorSummary, ProcessTree
+from cuckoo.processing.signatures import SignaturesProcessor
 
 class CuckooDict:
     def __init__(self, analysis_path):
@@ -101,7 +102,7 @@ def process(self):
         Process the analysis results and generate a dictionary containing all
         abstracted information.
         """
-        log = logging.getLogger("Processor.CuckooDict")
+        log = logging.getLogger("Processing.CuckooDict")
 
         if not os.path.exists(self._analysis_path):
             log.error("Analysis results folder does not exist at path \"%s\"."
@@ -136,13 +137,15 @@ def process(self):
                     results["static"] = PortableExecutable(file_path).process()
 
         results["dropped"] = self._get_dropped()
-        results["screenshots"] = self._get_screenshots()
+        #results["screenshots"] = self._get_screenshots()
         results["network"] = Pcap(self._pcap_path).process()
 
         results["behavior"] = {}
         results["behavior"]["processes"] = BehaviorAnalysis(self._logs_path).process()
         results["behavior"]["processtree"] = ProcessTree(results["behavior"]["processes"]).process()
         results["behavior"]["summary"] = BehaviorSummary(results["behavior"]["processes"]).process()
+
+        results["signatures"] = SignaturesProcessor().process(results)
 
         if not results or len(results) == 0:
             return None

diff --git a/cuckoo/processing/file.py b/cuckoo/processing/file.py
@@ -23,7 +23,7 @@
 import hashlib
 import binascii
 
-from cuckoo.processing.convert import convert_to_printable
+from cuckoo.common.stringutils import convert_to_printable
 
 try:
     # Try to import libmagic python bindings. You can install them with Ubuntu's
@@ -114,7 +114,7 @@ def _get_ssdeep(self):
         Generates the ssdeep fuzzy hash of the file.
         @return: ssdeep fuzzy hash of the file
         """
-        log = logging.getLogger("Processor.File")
+        log = logging.getLogger("Processing.File")
 
         if not IS_SSDEEP:
             log.warning("Ssdeep Python bindings are not installed, " \
@@ -133,7 +133,7 @@ def _get_type(self):
         Retrieves the libmagic type of the file.
         @return: file type
         """
-        log = logging.getLogger("Processor.File")
+        log = logging.getLogger("Processing.File")
 
         if not IS_MAGIC:
             log.warning("Libmagic Python bindings are not installed, " \
@@ -159,7 +159,7 @@ def process(self):
         Generates file information dictionary.
         @return: dictionary containing all the file's information
         """
-        log = logging.getLogger("Processor.File")
+        log = logging.getLogger("Processing.File")
 
         if not os.path.exists(self.file_path):
             log.error("File at path \"%s\" does not exist." % self.file_path)