Initial Commit

Author: abzcoding

.gitignore

@@ -0,0 +1,47 @@
+docs/_build
+tmp.py
+
+*.py[cod]
+
+# emacs
+*~
+._*
+.\#*
+\#*\#
+
+# C extensions
+*.so
+
+# Packages
+*.egg
+*.egg-info
+dist
+build
+eggs
+parts
+bin
+var
+sdist
+develop-eggs
+.installed.cfg
+lib
+lib64
+
+# Installer logs
+pip-log.txt
+
+# Unit test / coverage reports
+.coverage
+.tox
+nosetests.xml
+
+# Translations
+*.mo
+
+# Mr Developer
+.mr.developer.cfg
+.project
+.pydevproject
+
+# Vim
+*.sw[op]

CHANGELOG.md

@@ -0,0 +1,21 @@
+APTDetector Changelog
+=================
+
+Since February 7, 2016 there have been 0 releases and 1 commits for
+an average of zero 0-commit release every 0 weeks.
+
+0.1
+------
+
+created the basic structure of the project.
+
+* Used [CapTipper][CapTipper] as the base for network analysis module
+
+0.0
+------
+*(February 7, 2016)*
+
+Project Started.
+
+
+[CapTipper]: http://captipper.readthedocs.org/en/latest/

LICENSE

@@ -0,0 +1,29 @@
+Copyright (c) 2016, Abouzar Parvan
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+      copyright notice, this list of conditions and the following
+      disclaimer in the documentation and/or other materials provided
+      with the distribution.
+
+    * The names of the contributors may not be used to endorse or
+      promote products derived from this software without specific
+      prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,83 @@
+# APTDetector
+
+*Advanced Persistent Threat Detection by Using Network Analysis*
+
+**APTDetector** is a humble try to gather all means of malware detection
+from network analysis in one place, for educational purposes only.
+
+  * use [CapTipper][CapTipper] as the base for network analysis module
+  * use [Cuckoo Sandbox][Cuckoo] as automated malware detection
+
+
+APTDetector is tested against Python 3.4, 3.5, and
+PyPy. [Full and extensive docs are available on Read The Docs.][rtd]
+See what's new [by checking the CHANGELOG][changelog].
+
+[rtd]: https://aptdetector.readthedocs.org/en/latest/
+[changelog]: https://github.com/abzcoding/aptdetector/blob/master/CHANGELOG.md
+
+[CapTipper]: http://captipper.readthedocs.org/en/latest/
+[Cuckoo]: https://downloads.cuckoosandbox.org/docs/
+
+## Installation
+
+APTDetector can be added to a project in a few ways. There's the obvious one:
+
+```
+    pip install aptdetector
+```
+
+Then, [thanks to PyPI][aptdetector_pypi], dozens of boltons are just an import away:
+
+```python
+    import parse_pcap
+    from aptdetector.network.sniffer import urlFindler
+    urlFinder.pcap_file = pcap_file[0]
+    parse_pcap.run(urlFinder.pcap_file)
+    urlFinder()
+```
+
+However, due to the nature of utilities, application developers might
+dependencies. See the [Integration][integration] section of the docs
+
+[aptdetector_pypi]: https://pypi.python.org/pypi/aptdetector
+[integration]: https://aptdetector.readthedocs.org/en/latest/architecture.html#integration
+
+## Disclaimer
+
+Please do not use this program in production!!
+it's an educational project only.
+
+## References
+I've used based my work loosely on some respectful papers
+that i've linked below:
+* [Packet sniffing a brief introduction][packetsniff]
+* [Persistent threats and how to monitor and deter them][persistentthreat]
+* [Effective and Efficient Malware Detection at the End Host][effectivemalware]
+* [Detecting APT Activity with Network Traffic Analysis][detectingapt]
+* [Inspecting DNS Flow Traffic for Purposes of Botnet Detection][inspectingdns]
+* [BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection][botminer]
+* [Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis][panorama]
+
+[packetsniff]: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=1166620&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F45%2F26303%2F01166620.pdf%3Farnumber%3D1166620
+[persistentthreat]: http://www.sciencedirect.com/science/article/pii/S1353485811700861
+[effectivemalware]: https://www.usenix.org/legacy/event/sec09/tech/full_papers/kolbitsch.pdf
+[detectingapt]: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
+[inspectingdns]: http://geant3.archive.geant.net/Media_Centre/Media_Library/Media%20Library/gn3_jra2_t4_M4_deliverable.pdf
+[botminer]: http://usenix.org/legacy/event/sec08/tech/full_papers/gu/gu_html/index.html
+[panorama]: http://dl.acm.org/citation.cfm?id=1315261
+
+## Gaps
+
+Found something missing in the standard library that should be in
+`aptdetector`? Found something missing in `aptdetector`? First, take a
+moment to read the very brief [architecture statement][architecture] to make
+sure the functionality would be a good fit.
+
+Then, if you are very motivated, submit [a Pull Request][prs]. Otherwise,
+submit a short feature request on [the Issues page][issues], and we will
+figure something out.
+
+[architecture]: https://aptdetector.readthedocs.org/en/latest/architecture.html
+[issues]: https://github.com/abzcoding/aptdetector/issues
+[prs]: https://github.com/abzcoding/aptdetector/pulls

TODO.rst

@@ -0,0 +1,15 @@
+TODO
+====
+
+- extracting urls from network traffic
+- create a workflow for automated malware detection
+
+network
+----------
+
+- implement network sniffer
+
+malware
+----------
+
+- try to connect to Cuckoo Sandbox

aptdetector/__init__.py

@@ -0,0 +1,2 @@
+sphinxcontrib-napoleon
+# sphinx_rtd_theme  # you'll need sphinx_rtd_theme for local dev

aptdetector/malware/__init__.py

@@ -0,0 +1,4 @@
+py==1.4.31
+pytest==2.8.7
+tox==2.3.1
+virtualenv==14.0.5

aptdetector/network/__init__.py

@@ -0,0 +1,37 @@
+"""Advanced Persistent Threat Detection by
+Using Network Analysis.
+
+used as a package or independently. `documented on Read
+the Docs <http://aptdetector.readthedocs.org>`_.
+"""
+
+from setuptools import setup
+
+
+__author__ = 'Abouzar Parvan'
+__version__ = '0.1'
+__contact__ = '[email protected]'
+__url__ = 'https://github.com/abzcoding/APTDetector'
+__license__ = 'BSD'
+
+
+setup(name='APTDetector',
+      version=__version__,
+      description="Advanced Persistent Threat Detection by Using Network Analysis.",
+      long_description=__doc__,
+      author=__author__,
+      author_email=__contact__,
+      url=__url__,
+      packages=['aptdetector'],
+      include_package_data=True,
+      zip_safe=False,
+      license=__license__,
+      platforms='linux_x86_64',
+      classifiers=[
+          'Topic :: Security',
+          'Intended Audience :: Education',
+          'Topic :: System :: Networking',
+          'Development Status :: 1 - Planning',
+          'Programming Language :: Python :: 3.4',
+          'Programming Language :: Python :: 3.5', ]
+      )

requirements-rtd.txt

@@ -0,0 +1,5 @@
+[tox]
+envlist = py34,py35,pypy
+[testenv]
+deps = -rrequirements-test.txt
+commands = py.test --doctest-modules aptdetector tests