Dorothy2: An Open-Source Botnet Analysis Framework (3)

III. Installing the Dorothy gem

$ sudo gem install dorothy2

IV. Configuring and starting Dorothy

1. Install the Maxmind databases

- GeoLiteCity

- GeoLite ASN

- Copy GeoLiteCity.dat and GeoIPASNum.dat into Dorothy's etc/geo folder

2. Start Dorothy

$ dorothy_start -v

3. Configure, in this order:

- the environment variables (db, ESX server, etc.)

- the Dorothy sources (for fetching new code)

- the ESX virtual machines used for analysis

V. Using Dorothy

1. Copy the .exe or .bat file to $yourdorothyhome/opt/bins/manual/

2. Run dorothy

$ dorothy_start -v -s malwarefolder

Dorothy usage:

Usage:

dorothy2 [options]

where [options] are:

--Version, -V: Print the current version.

--verbose, -v: Enable verbose mode

--infoflow, -i: Print the analysis flow

--baseline, -b: Create a new process baseline

--source, -s: Choose a source (from the ones defined in etc/sources.yml)

--CreateSource, -C: Create new source file

--daemon, -d: (start|stop) Execute/kill the selected module (-W, -B, -A) in backround. If no modules are specified, it will exec/kill all of them.

--debug, -e: Add extensive log trails

--manual, -m: Start everything, copy the file, and wait for me.

--SandboxUpdate, -S: Update Dorothive with the new Sandbox file

--DorothiveInit, -D: (RE)Install the Dorothy Database (Dorothive)

--queue, -q: Show the analysis queue

--Analyser, -A: Execute only the Analyser Module (will analalyse only the current queue)

--BFM, -B: Execute only the Binary Fetcher Module (BFM)

--DEM, -E: Execute only the network Data Extation Module (DEM) aka doroParser

--WebGUI, -W: Execute the WebGUI Module (WGUI)

--help, -h: Show this message

Example:

$ dorothy2 -v -d start

On its first run, Dorothy2 guides the user through configuring the analysis environment, in the following steps:

Configure the environment variables ($home/.dorothy.yml)

Configure the BFM sources ($dorothyhome/etc/sources.yml)

Configure the sandbox environment ($dorothyhome/etc/sandboxes.yml)

Configure the analysis profiles ($dorothyhome/etc/profiles.yml)

Once the configuration steps are complete, the user can modify and edit the configuration files at any time.

License
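The following shell helper is an added example, not part of the Dorothy2 project. It ties together the "Using Dorothy" steps (copying .exe/.bat samples into opt/bins/manual/) and the configuration files listed above: one function checks that the GeoIP databases and the etc/*.yml files the setup is expected to produce are actually present before Dorothy is started, and a second one stages a sample into the manual folder, refusing anything that is not a .exe or .bat file and recording its SHA-256 in a manifest kept outside the sample folder so that later analysis results can be traced back to the file that was submitted. The function names, the manifest file opt/bins/manifest.sha256 and the constructed test files are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Dorothy2 project code). Assumes the Dorothy home layout
# described on this page: etc/geo/ for the GeoIP databases, etc/*.yml for the
# configuration files and opt/bins/manual/ for samples submitted by hand.

# sha256_of FILE: prints the hex SHA-256 digest of FILE (coreutils or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# dorothy_preflight DOROTHY_HOME
# Verifies that the files the configuration steps above should have produced
# exist. Prints each missing item and returns the number of missing items,
# so a return status of 0 means the environment is ready to start.
dorothy_preflight() {
    home="$1"
    missing=0
    for f in etc/geo/GeoLiteCity.dat etc/geo/GeoIPASNum.dat \
             etc/sources.yml etc/sandboxes.yml etc/profiles.yml; do
        if [ ! -f "$home/$f" ]; then
            echo "missing: $home/$f"
            missing=$((missing + 1))
        fi
    done
    if [ ! -d "$home/opt/bins/manual" ]; then
        echo "missing: $home/opt/bins/manual/"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# dorothy_stage_sample DOROTHY_HOME SAMPLE
# Copies one .exe or .bat sample into opt/bins/manual/ (the folder picked up
# with "dorothy_start -v -s malwarefolder"), refuses other extensions, and
# appends "<sha256>  <name>" to opt/bins/manifest.sha256. The manifest is kept
# outside the manual folder so it is not mistaken for a sample. Prints the digest.
dorothy_stage_sample() {
    home="$1"
    sample="$2"
    case "$sample" in
        *.exe|*.bat) ;;
        *) echo "refusing $sample: only .exe and .bat samples are accepted" >&2
           return 1 ;;
    esac
    if [ ! -f "$sample" ]; then
        echo "no such file: $sample" >&2
        return 1
    fi
    dest="$home/opt/bins/manual"
    mkdir -p "$dest"
    digest=$(sha256_of "$sample")
    cp "$sample" "$dest/"
    printf '%s  %s\n' "$digest" "$(basename "$sample")" >> "$home/opt/bins/manifest.sha256"
    echo "$digest"
}
```

Typical use is `dorothy_preflight "$DOROTHY_HOME" || exit 1` before `dorothy_start`, then `dorothy_stage_sample "$DOROTHY_HOME" ./sample.exe` for each file to be analysed; the manifest gives you the hash to search for in the Dorothive database and in the WebGUI once the Analyser has run.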

GNU GENERAL PUBLIC LICENSE

Version 3, 29 June 2007