コード例 #1
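    def action(self, sensors, domain):
        """Register *domain* as a BOLO search on every sensor that supports CbLR.

        Sensors whose ``supports_cblr`` is not exactly ``True`` are ignored.
        Sensors that carry no ``id`` are skipped as well: previously such a
        record would have been keyed as ``None`` in ``self.bolo`` and would have
        had a ``LiveResponseThread`` started for a non-existent sensor.  For every
        remaining sensor a killing thread is started the first time the sensor is
        seen, and an entry is appended to ``self.bolo_searches`` each call.

        Args:
            sensors: iterable of sensor dicts; ``id`` and ``supports_cblr`` are read.
            domain: the domain being searched for; stored verbatim.
        """
        logger.info("ApiKillProcessAction ENTER")
        # Pass the objects as %-args rather than as the message itself.
        logger.info("%s", sensors)
        logger.info("%s", domain)

        cblr_sensors = [s for s in sensors if s.get('supports_cblr', False) is True]
        for sensor in cblr_sensors:
            sensor_id = sensor.get('id')
            if sensor_id is None:
                # Never create a bolo entry (and a live-response thread) keyed on None.
                logger.warning("skipping sensor without id: %s", sensor)
                continue

            with self.bolo_lock:
                if sensor_id not in self.bolo:
                    killer = LiveResponseThread(self.cb, sensor_id, [])
                    killer.start()
                    self.bolo[sensor_id] = {
                        'sensor_id': sensor_id,
                        'sensor': sensor,
                        'added': time.time(),
                        'killing_thread': killer,
                    }
                self.bolo_searches.append({
                    'domain': domain,
                    'sensor_id': sensor_id,
                    'timestamp': time.time(),
                })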
コード例 #2
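def netconn_callback(cb, event_type, event_data):
    """Handle one raw network-connection event from the sensor event bus.

    *event_data* is decoded as a ``CbEventMsg``.  Events without an ``env`` or
    ``network`` section, or with an empty ``utf8_netpath``, are ignored.  The
    rest are keyed as ``"<sensor_id>:<netpath>"``; when that key is on the BOLO
    list the originating process GUID is handed to the sensor's recorded
    ``LiveResponseThread``, and a fresh one-shot thread is started when no
    thread is recorded or the recorded one refuses more work.

    Args:
        cb: Carbon Black API client, passed through to ``LiveResponseThread``.
        event_type: unused; kept for the callback signature.
        event_data: serialized ``CbEventMsg`` bytes.

    Any ``Exception`` is logged (with traceback) and swallowed so one bad
    event cannot take down the consumer.
    """
    try:
        msg = sensor_events.CbEventMsg()
        msg.ParseFromString(event_data)
        if not msg.HasField('env') or not msg.HasField('network'):
            return
        if not msg.network.HasField('utf8_netpath') or not len(msg.network.utf8_netpath):
            return

        sensor_id = msg.env.endpoint.SensorId
        key = '%d:%s' % (sensor_id, msg.network.utf8_netpath)
        process_guid = make_guid(sensor_id, msg.header)

        with bolo_lock:
            # Dumping the whole watchlist per network event is debug-level noise.
            logger.debug("bolo keys: %s", list(bolo))
            if key not in bolo:
                return
            logger.info("Killing process guid %s", process_guid)
            entry = bolo[key]
            killer = entry.get('killing_thread')
            if killer is None or not killer.add_processes([process_guid]):
                # No usable thread for this sensor: start a one-shot replacement.
                killer = LiveResponseThread(cb, sensor_id, [process_guid], one_time=True)
                entry['killing_thread'] = killer
                killer.start()
    except Exception:
        # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit still
        # propagate; logger.exception records the traceback at ERROR, not INFO.
        logger.exception("netconn_callback failed")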
コード例 #3
 def _add_processes_to_bolo(self, sensor_id, target_proc_guids):
     """Queue *target_proc_guids* on the killing thread recorded for *sensor_id*.

     The thread stored in ``self.bolo[sensor_id]['killing_thread']`` is asked to
     accept the GUIDs.  If it declines (the thread has finished), it is joined,
     replaced by a new ``LiveResponseThread`` for the same sensor, and the GUIDs
     are queued on the replacement.  Everything runs under ``self.bolo_lock``;
     a missing *sensor_id* raises ``KeyError``.
     NOTE(review): the old thread is joined while ``bolo_lock`` is held — confirm
     that ``LiveResponseThread`` never needs ``bolo_lock`` in order to exit.
     """
     with self.bolo_lock:
         entry = self.bolo[sensor_id]
         killer = entry['killing_thread']
         if killer.add_processes(target_proc_guids):
             return
         # Thread no longer accepts work: reap it and start a fresh one.
         killer.join()
         replacement = LiveResponseThread(self.cb, self.logger, sensor_id, [])
         replacement.start()
         entry['killing_thread'] = replacement
         replacement.add_processes(target_proc_guids)
コード例 #4
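    def action(self, sensors, domain):
        """Register *domain* as a BOLO search on every sensor that supports CbLR.

        Sensors whose ``supports_cblr`` is not exactly ``True`` are ignored.
        Sensors that carry no ``id`` are skipped as well: previously such a
        record would have been keyed as ``None`` in ``self.bolo`` and would have
        had a ``LiveResponseThread`` started for a non-existent sensor.  For every
        remaining sensor a killing thread is started the first time the sensor is
        seen, and an entry is appended to ``self.bolo_searches`` each call.

        Args:
            sensors: iterable of sensor dicts; ``id`` and ``supports_cblr`` are read.
            domain: the domain being searched for; stored verbatim.
        """
        cblr_sensors = [s for s in sensors if s.get('supports_cblr', False) is True]
        for sensor in cblr_sensors:
            sensor_id = sensor.get('id')
            if sensor_id is None:
                # Never create a bolo entry (and a live-response thread) keyed on None.
                continue

            with self.bolo_lock:
                if sensor_id not in self.bolo:
                    killer = LiveResponseThread(self.cb, self.logger, sensor_id, [])
                    killer.start()
                    self.bolo[sensor_id] = {
                        'sensor_id': sensor_id,
                        'sensor': sensor,
                        'added': time.time(),
                        'killing_thread': killer,
                    }
                self.bolo_searches.append({
                    'domain': domain,
                    'sensor_id': sensor_id,
                    'timestamp': time.time(),
                })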
コード例 #5
 def _add_processes_to_bolo(self, sensor_id, target_proc_guids):
     """Hand *target_proc_guids* to the killing thread of *sensor_id*.

     Looks up ``self.bolo[sensor_id]`` (``KeyError`` if absent) and offers the
     GUIDs to its ``killing_thread``.  A thread that refuses is treated as dead:
     it is joined, a new ``LiveResponseThread`` for the sensor is started and
     recorded in the same bolo entry, and the GUIDs are offered to that thread.
     The whole sequence holds ``self.bolo_lock``.
     NOTE(review): ``join()`` runs with the lock held — verify the thread cannot
     block on ``bolo_lock`` during shutdown.
     """
     with self.bolo_lock:
         record = self.bolo[sensor_id]
         current = record['killing_thread']
         accepted = current.add_processes(target_proc_guids)
         if not accepted:
             # old thread died, start another
             current.join()
             fresh = LiveResponseThread(self.cb, sensor_id, [])
             fresh.start()
             record['killing_thread'] = fresh
             fresh.add_processes(target_proc_guids)