def action(self, sensors, domain):
    """Start a kill-process watch for *domain* on every CbLR-capable sensor.

    Each sensor in *sensors* whose ``supports_cblr`` flag is literally ``True``
    gets a ``LiveResponseThread`` the first time it is seen; the thread is
    recorded in ``self.bolo`` under the sensor id together with the sensor
    record and the time it was added.  A search record (domain, sensor id,
    timestamp) is appended to ``self.bolo_searches``.  All updates run under
    ``self.bolo_lock``.

    NOTE(review): the original's indentation was lost in extraction; the search
    record is assumed to be appended for every capable sensor, not only on
    first sight — confirm against the upstream file.
    """
    logger.info("ApiKillProcessAction ENTER")
    logger.info(sensors)
    logger.info(domain)

    # only take action on sensors that support CbLR
    for sensor in sensors:
        if sensor.get('supports_cblr', False) is not True:
            continue
        sensor_id = sensor.get('id')
        with self.bolo_lock:
            if sensor_id not in self.bolo:
                watcher = LiveResponseThread(self.cb, sensor_id, [])
                watcher.start()
                self.bolo[sensor_id] = {
                    'sensor_id': sensor_id,
                    'sensor': sensor,
                    'added': time.time(),
                    'killing_thread': watcher,
                }
            self.bolo_searches.append({
                'domain': domain,
                'sensor_id': sensor_id,
                'timestamp': time.time(),
            })
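def netconn_callback(cb, event_type, event_data):
    """Handle one sensor netconn event; kill the originating process if it is on the BOLO list.

    Parses *event_data* as a ``CbEventMsg``.  Events lacking either the ``env``
    or ``network`` section, or carrying an empty ``utf8_netpath``, are ignored.
    The lookup key is ``"<sensor id>:<netpath>"``; when it is present in the
    module-level ``bolo`` map the process GUID is queued on that entry's
    ``killing_thread``, or on a fresh one-shot ``LiveResponseThread`` when the
    entry has no thread or the old one refuses new work.  All access to
    ``bolo`` runs under ``bolo_lock``.

    Any failure is logged with its traceback and swallowed so the event stream
    keeps flowing.  Only ``Exception`` is caught (the original bare ``except``
    also ate ``KeyboardInterrupt``/``SystemExit``), so the consumer can still be
    stopped.

    NOTE(review): this key shape (``sensor:netpath``) differs from the plain
    sensor-id keys used by ``action()`` elsewhere in this file — confirm the two
    BOLO maps are distinct structures.
    """
    try:
        msg = sensor_events.CbEventMsg()
        msg.ParseFromString(event_data)
        if not msg.HasField('env') or not msg.HasField('network'):
            return
        # the netpath is sensor-supplied; it is only ever used as a lookup key
        if not msg.network.HasField('utf8_netpath') or not msg.network.utf8_netpath:
            return

        sensor_id = msg.env.endpoint.SensorId
        key = '%d:%s' % (sensor_id, msg.network.utf8_netpath)
        process_guid = make_guid(sensor_id, msg.header)

        with bolo_lock:
            # emitted for every netconn event while holding the lock; noisy at volume
            logger.info(bolo.keys())
            if key in bolo:
                logger.info("Killing process guid %s" % process_guid)
                entry = bolo[key]
                # a thread that has exited rejects new work; replace it with a one-shot thread
                if 'killing_thread' not in entry or not entry['killing_thread'].add_processes([process_guid]):
                    new_thread = LiveResponseThread(cb, sensor_id, [process_guid], one_time=True)
                    entry['killing_thread'] = new_thread
                    new_thread.start()
    except Exception:
        # narrowed from a bare except so interpreter-level exits still propagate
        logger.info(traceback.format_exc())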
def _add_processes_to_bolo(self, sensor_id, target_proc_guids):
    """Queue *target_proc_guids* on the kill thread registered for *sensor_id*.

    Looks up ``self.bolo[sensor_id]['killing_thread']`` under ``self.bolo_lock``
    and hands it the GUIDs.  If ``add_processes`` reports failure the thread is
    taken to have exited: it is joined, a fresh ``LiveResponseThread`` is
    started in its place, and the GUIDs are queued on the replacement (whose
    own ``add_processes`` result is not checked).

    Raises ``KeyError`` if *sensor_id* has no BOLO entry.
    """
    with self.bolo_lock:
        entry = self.bolo[sensor_id]
        killer = entry['killing_thread']
        if killer.add_processes(target_proc_guids):
            return
        # old thread died, start another
        killer.join()
        replacement = LiveResponseThread(self.cb, self.logger, sensor_id, [])
        replacement.start()
        entry['killing_thread'] = replacement
        replacement.add_processes(target_proc_guids)
def action(self, sensors, domain):
    """Register a kill-process watch for *domain* on each CbLR-capable sensor.

    Sensors whose ``supports_cblr`` flag is literally ``True`` are considered.
    A sensor not yet present in ``self.bolo`` gets a started
    ``LiveResponseThread`` and a BOLO entry (sensor id, sensor record, time
    added, thread).  A search record (domain, sensor id, timestamp) is appended
    to ``self.bolo_searches``.  Both structures are touched only under
    ``self.bolo_lock``.

    NOTE(review): the original's indentation was lost in extraction; the search
    record is assumed to be appended for every capable sensor, not only when a
    new thread is created — confirm against the upstream file.
    """
    # only take action on sensors that support CbLR
    capable = (s for s in sensors if s.get('supports_cblr', False) is True)
    for sensor in capable:
        sensor_id = sensor.get('id')
        with self.bolo_lock:
            if sensor_id not in self.bolo:
                watcher = LiveResponseThread(self.cb, self.logger, sensor_id, [])
                watcher.start()
                self.bolo[sensor_id] = dict(
                    sensor_id=sensor_id,
                    sensor=sensor,
                    added=time.time(),
                    killing_thread=watcher,
                )
            self.bolo_searches.append(dict(
                domain=domain,
                sensor_id=sensor_id,
                timestamp=time.time(),
            ))
def _add_processes_to_bolo(self, sensor_id, target_proc_guids):
    """Hand *target_proc_guids* to the kill thread tracked for *sensor_id*.

    Under ``self.bolo_lock`` the entry's ``killing_thread`` is asked to queue the
    GUIDs.  A ``False`` result is treated as "the thread has exited": the old
    thread is joined, a new ``LiveResponseThread`` is started and stored in the
    entry, and the GUIDs are queued on it (that second result is ignored).

    Raises ``KeyError`` when *sensor_id* is not in ``self.bolo``.
    """
    with self.bolo_lock:
        entry = self.bolo[sensor_id]
        if not entry['killing_thread'].add_processes(target_proc_guids):
            # old thread died, start another
            entry['killing_thread'].join()
            fresh = LiveResponseThread(self.cb, sensor_id, [])
            fresh.start()
            entry['killing_thread'] = fresh
            fresh.add_processes(target_proc_guids)