SPYBYE(1) DragonFly General Commands Manual SPYBYE(1)
NAME
spybye - a proxy to help find malware
SYNOPSIS
spybye [-g good patterns] [-b bad patterns] [-p port] [-l log file]
[-S share url] [-P] [-x]
DESCRIPTION
The spybye tool provides a proxy server through which web pages can be
fetched and analyzed for potentially dangerous includes. To use spybye,
you need to configure your web browser to use the port configured by -p
as proxy port.
The options are as follows:
-g good patterns  A file or URL from which good patterns can be loaded.
                  Any URL that matches a good pattern is declared
                  harmless.
-b bad patterns   A file or URL from which bad patterns can be loaded.
                  Any URL that matches a bad pattern is declared
                  dangerous.
-p port           The port number under which spybye creates the proxy
                  server. This is the port the web browser needs to
                  connect to.
-l log file       A filename to which potentially dangerous site
                  interactions are being logged.
-S share url      When spybye finds a dangerous URL, it can be reported
                  to the provided URL. By default, this points to
                  www.spybye.org. This option can be disabled by
                  providing an empty string.
-P                By default, spybye does not allow any fetches to
                  private IP addresses. By specifying this option, web
                  pages can be fetched from any IP address.
-x                Puts spybye into proxy mode. It's possible to browse
                  the web normally, but spybye is going to disallow
                  fetches it deems dangerous.
This tool is not very complicated; it is straightforward. It uses the
web browser to decode potentially obfuscated JavaScript and then traces
all fetches the web browser makes. All URLs that have been classified as
dangerous are displayed in the overview page, but the web browser is
denied access to them. For additional security, the Referer header needs
to match the already discovered URL space. Nonetheless, running spybye
could potentially get your computer infected when visiting a dangerous
web page. So, ideally, your web browser should run within a virtual
machine.
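The following Python sketch is an added example, not spybye's own code, of the gating decisions described above: pattern classification, the private-address block that -P lifts, and the Referer check against the discovered URL space. The regular-expression pattern format, the bad-before-good precedence, the "unknown" verdict, the sample patterns and all names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample patterns. Assumption: patterns are regular expressions;
# the man page does not specify the syntax of spybye's pattern files.
GOOD_PATTERNS = [re.compile(r"^https?://([^/]+\.)?example\.org/")]
BAD_PATTERNS = [re.compile(r"^https?://[^/]*\.invalid/")]


def classify(url):
    """Return 'dangerous', 'harmless' or 'unknown' (the last is an assumption)."""
    if any(p.search(url) for p in BAD_PATTERNS):  # assumption: bad wins over good
        return "dangerous"
    if any(p.search(url) for p in GOOD_PATTERNS):
        return "harmless"
    return "unknown"


def is_private_host(host):
    """True for IP literals in private, loopback or link-local ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; a real proxy must also check the resolved address
    return addr.is_private or addr.is_loopback or addr.is_link_local


class Session:
    """Tracks the URL space discovered while analyzing one page (hypothetical)."""

    def __init__(self, start_url, allow_private=False):
        self.seen = {start_url}
        self.allow_private = allow_private  # models the -P option

    def decide(self, url, referer=None):
        host = urlsplit(url).hostname or ""
        if not self.allow_private and is_private_host(host):
            return "deny: private address"
        # The fetch must be the start page or be referred from a known URL.
        if url not in self.seen and referer not in self.seen:
            return "deny: referer outside discovered URL space"
        verdict = classify(url)
        if verdict == "dangerous":
            return "deny: dangerous"  # listed in the overview, never fetched
        self.seen.add(url)
        return "allow: " + verdict
```
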
AUTHORS
The spybye utility has been developed by Niels Provos.
DragonFly 6.5-DEVELOPMENT February 19, 2007 DragonFly 6.5-DEVELOPMENT