def run(self): observer_global = Observer() #READ MONITORED DIRECTORIES CONFIG conf = configer.Config() monitored_directories_options = conf.get_config_options( 'monitored_directories.json') for options in monitored_directories_options: dw = DirectoryWatcher(options, conf, self.ultra_mq, self.getName()) if dw.is_dir_valid(): observer_global.schedule(dw, path=dw.get_dirpath(), recursive=dw.is_recursive()) else: print("Invalid dirpath for monitoring: {}".format( dw.get_dirpath())) # START WATCHING observer_global.start() observer_global.join()
def __init__(self, app, SHOW_MQ, TRAY_MQ, ALARM_MQ, MALWARE_MQ, EXCEPTION_RULES): QtWidgets.QMainWindow.__init__(self) self.app = app self.some_widget = QtWidgets.QWidget() screen_resolution = self.app.desktop().screenGeometry() self.screen_width, self.screen_height = screen_resolution.width( ), screen_resolution.height() self.dialog_controls = dict() self.SHOW_MQ = SHOW_MQ self.TRAY_MQ = TRAY_MQ self.ALARM_MQ = ALARM_MQ self.MALWARE_MQ = MALWARE_MQ self.EXCEPTION_RULES = EXCEPTION_RULES # GET GUI CONFIG self.cc = configer.Config() gui_options = self.cc.get_config_single_category( configer.MAIN_CONFIG, "gui") if gui_options['learning_mode']: self.LEARNING_MODE = True else: self.LEARNING_MODE = False
import pytz from utils import configer from datetime import datetime from tzlocal import get_localzone #TIMEZONE cc = configer.Config() CONFIG_TIMEZONE = cc.get_config_single_category("attack_monitor.cfg", "time")['timezone'] # AUTODETECT TIMEZONE if CONFIG_TIMEZONE == "AUTODETECT": CONFIG_TIMEZONE = get_localzone().zone CONFIG_TIMEZONE_PYTZ = pytz.timezone(CONFIG_TIMEZONE) #//TIMEZONE class NiceDate(): @staticmethod def get_now(): return datetime.now(CONFIG_TIMEZONE_PYTZ) @staticmethod def log_event_to_nice_date(er): (d, milliseconds) = er.get_expanded_field_time_created_tuple() return d.astimezone(CONFIG_TIMEZONE_PYTZ) @staticmethod def naive_datetime_localize(d): return CONFIG_TIMEZONE_PYTZ.localize(d)
def load_exceptions(): cc = configer.Config() cc.get_config_options()
def main(): logo() print() cc = configer.Config() is_user_an_admin() is_sysmon_installed() # CONFIG debug_enabled = cc.get_config_single_variable_from_category( configer.MAIN_CONFIG, "logs", "debug") # SHARED STRUCTURES AMONGST PROCESSESS MM = multiprocessing.Manager() # ULTRA MQ ULTRA_MQ = MM.Queue() # ALERT MQ ALERT_MQ = MM.Queue() # SHOW MQ SHOW_MQ = MM.Queue() # TRAY MQ TRAY_MQ = MM.Queue() # MALWARE MQ GATHERING_OPTIONS = MM.dict() GATHERING_OPTIONS['enabled'] = False GATHERING_OPTIONS['malware_dir'] = None GATHERING_OPTIONS['generate_report'] = False GATHERING_OPTIONS['report_dir'] = None GATHERING_OPTIONS['absolute_time'] = None GATHERING_OPTIONS['control_start_proc'] = 'malware_monitor_start.exe' GATHERING_OPTIONS[ 'control_generate_proc'] = 'malware_monitor_report_generate.exe' # MALWARE STORAGE CONTAINERS = MM.dict() MALWARE_MQ = MM.Queue() MALWARE_INTERESTING_PIDS = MM.list() DNS_QUERIES = MM.list() # AGGREGATE CONTAINERS['MALWARE_INTERESTING_PIDS'] = MALWARE_INTERESTING_PIDS CONTAINERS['DNS_QUERIES'] = DNS_QUERIES # SHARED DATA / MALWARE REPORT PROCESS_TREE = MM.dict() # EXCEPTIONS EXCEPTION_RULES = MM.list() # LOGGING OUTPUT DEBUG_MQ = MM.Queue() if not debug_enabled: DEBUG_MQ = None ALARM_MQ = MM.Queue() # GENERATE REPLACE VARIABLES - %%% generate_env_variables(cc.get_replace_variables_path()) load_initial_exception_rules(cc, EXCEPTION_RULES) # GUI PROCESS gp = gui_process.GUI_Process(SHOW_MQ, TRAY_MQ, ALARM_MQ, MALWARE_MQ, EXCEPTION_RULES) gp.start() # ------------------------------------------- # ACTIVE PROCESSING START - BEYOND THIS POINT # ACTIVE PROCESSING START - BEYOND THIS POINT # ------------------------------------------- if debug_enabled: dlog = debug.LoggerDebug() dlog.set_input_queqe(DEBUG_MQ) dlog.start() # ALARMS ONLY LOGGER (MAIN ONE) alog = alarm.LoggerAlarm() alog.set_input_queqe(ALARM_MQ) alog.start() # ENHANCERS enhancer_config = cc.get_config_single_category(configer.MAIN_CONFIG, "enhancers") for enhancer in Enhancer.__subclasses__(): enhancer_instance = enhancer() # SPECIFIC FOR PROCESS TREE if isinstance(enhancer_instance, enhancer_process_tree.enhancer_process_tree): enhancer_instance.setStorage(PROCESS_TREE) enhancer_instance.name = enhancer_instance.getName() # IS ENABLED if enhancer_config[enhancer_instance.name]: enhancer_instance.start() print("Enhancer: {} started".format(enhancer_instance.getName())) else: print("[Disabled in config] Enhancer: {} started".format( enhancer_instance.getName())) # FEEDERS feeders_active = [] feeders_config = cc.get_config_single_category(configer.MAIN_CONFIG, "feeders") for feeder in Feeder.__subclasses__(): feeder_instance = feeder() feeder_instance.name = feeder_instance.getName() # IS ENABLED if feeders_config[feeder_instance.name]: feeder_instance.set_ultra_mq(ULTRA_MQ) feeder_instance.set_config_options( cc.get_options_for_feeder(feeder_instance.getName())) feeder_instance.start() print("Feeder: {} started".format(feeder_instance.getName())) else: print("Feeder: {} [Disabled in config]".format( feeder_instance.getName())) # INTEGRATORS INTEGRATORS_COUNT = 3 for i in range(0, INTEGRATORS_COUNT): inor = Integrator(ULTRA_MQ, ALERT_MQ, DEBUG_MQ, GATHERING_OPTIONS, PROCESS_TREE) inor.name = "INTEGRATOR_{}".format(i) inor.start() print("{} started".format(inor.name)) # EXCEPTION ENGINE EXCEPTION_ENGINE_COUNT = 2 for i in range(0, EXCEPTION_ENGINE_COUNT): eengine = ExceptionFilter(ALERT_MQ, SHOW_MQ, EXCEPTION_RULES) eengine.name = "EXCEPTION_ENGINE_{}".format(i) eengine.start() print("{} started".format(eengine.name)) # GATHERERS - MALWARE REPORTING GATHERERS_COUNT = 1 for i in range(0, GATHERERS_COUNT): gath = Gatherer(GATHERING_OPTIONS, MALWARE_MQ, CONTAINERS, PROCESS_TREE) gath.name = "GATHERER_{}".format(i) gath.start() print("{} started".format(gath.name)) # WAIT FOR GUI END gp.join()
def __init__(self, EXCEPTION_RULES): self.EXCEPTION_RULES = EXCEPTION_RULES self.cc = configer.Config() self.REPLACE_VARIABLES = self.load_replace_variables(self.cc) self.EXCEPTION_BASEDIR = self.cc.get_exception_files_basedir()
def load_font(self): cc = configer.Config() freeserif_font = cc.get_font_path() pdfmetrics.registerFont(TTFont("freeserif", freeserif_font))