def main():
"""
Main function
"""
print "%s (sensor) #v%s\n" % (NAME, VERSION)
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c", dest="config_file", default=SENSOR_CONFIG_FILE, help="Configuration file (default: '%s')" % os.path.split(SENSOR_CONFIG_FILE)[-1])
options, _ = parser.parse_args()
if not check_sudo():
exit("[x] please run with sudo/Administrator privileges")
read_config(options.config_file)
init_sensor()
try:
start_sensor()
except KeyboardInterrupt:
print "\r[x] stopping (Ctrl-C pressed)"
except:
if config.SHOW_DEBUG:
traceback.print_exc()
finally:
os._exit(0)
def main():
print("%s (sensor) #v%s\n" % (NAME, VERSION))
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c", dest="config_file", default=CONFIG_FILE, help="configuration file (default: '%s')" % os.path.split(CONFIG_FILE)[-1])
parser.add_option("-i", dest="pcap_file", help="open pcap file for offline analysis")
parser.add_option("-p", dest="plugins", help="plugin(s) to be used per event")
parser.add_option("--console", dest="console", action="store_true", help="print events to console (too)")
options, _ = parser.parse_args()
if not check_sudo():
exit("[!] please run '%s' with sudo/Administrator privileges" % __file__)
read_config(options.config_file)
for option in dir(options):
if isinstance(getattr(options, option), (basestring, bool)) and not option.startswith('_'):
config[option] = getattr(options, option)
if options.pcap_file:
if not os.path.isfile(options.pcap_file):
exit("[!] missing pcap file '%s'" % options.pcap_file)
else:
print("[i] using pcap file '%s'" % options.pcap_file)
try:
init()
monitor()
except KeyboardInterrupt:
print("\r[x] stopping (Ctrl-C pressed)")
def main():
"""
Main function
"""
print "%s (sensor) #v%s\n" % (NAME, VERSION)
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c",
dest="config_file",
default=SENSOR_CONFIG_FILE,
help="Configuration file (default: '%s')" %
os.path.split(SENSOR_CONFIG_FILE)[-1])
options, _ = parser.parse_args()
if not check_sudo():
exit("[x] please run with sudo/Administrator privileges")
read_config(options.config_file)
init_sensor()
try:
start_sensor()
except KeyboardInterrupt:
print "\r[x] stopping (Ctrl-C pressed)"
except:
if config.SHOW_DEBUG:
traceback.print_exc()
finally:
os._exit(0)
def main():
"""
Main function
"""
print "%s #v%s\n" % (NAME, VERSION)
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c",
dest="config_file",
default=CONFIG_FILE,
help="Configuration file (default: '%s')" %
os.path.split(CONFIG_FILE)[-1])
options, _ = parser.parse_args()
if not check_sudo():
exit("[x] please run with sudo/Administrator privileges")
read_config(options.config_file)
init_sensor()
try:
start_httpd()
start_sensor()
except socket.error, ex:
exit("[x] can't start the HTTP server ('%s')" % ex)
def init():
"""
Performs sensor initialization
"""
global _cap
global _datalink
global _multiprocessing
if config.USE_MULTIPROCESSING:
try:
import multiprocessing
if multiprocessing.cpu_count() > 1:
_multiprocessing = multiprocessing
except (ImportError, OSError, NotImplementedError):
pass
def update_timer():
_ = update(server=config.UPDATE_SERVER)
if _:
trails.clear()
trails.update(_)
elif not trails:
trails.update(load_trails())
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
update_timer()
create_log_directory()
if check_sudo() is False:
exit("[x] please run with sudo/Administrator privileges")
if subprocess.mswindows and (config.MONITOR_INTERFACE
or "").lower() == "any":
exit("[x] virtual interface 'any' is not available on Windows OS")
if config.MONITOR_INTERFACE not in pcapy.findalldevs():
print "[x] interface '%s' not found" % config.MONITOR_INTERFACE
exit("[!] available interfaces: '%s'" % ",".join(pcapy.findalldevs()))
print "[i] opening interface '%s'" % config.MONITOR_INTERFACE
try:
_cap = pcapy.open_live(config.MONITOR_INTERFACE, SNAP_LEN, True, 0)
except socket.error, ex:
if "permitted" in str(ex):
exit("\n[x] please run with sudo/Administrator privileges")
elif "No such device" in str(ex):
exit("\n[x] no such device '%s'" % config.MONITOR_INTERFACE)
else:
raise
def init():
"""
Performs sensor initialization
"""
global _cap
global _datalink
global _multiprocessing
if config.USE_MULTIPROCESSING:
try:
import multiprocessing
if multiprocessing.cpu_count() > 1:
_multiprocessing = multiprocessing
except (ImportError, OSError, NotImplementedError):
pass
def update_timer():
_ = update(server=config.UPDATE_SERVER)
if _:
trails.clear()
trails.update(_)
elif not trails:
trails.update(load_trails())
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
update_timer()
create_log_directory()
if check_sudo() is False:
exit("[x] please run with sudo/Administrator privileges")
if subprocess.mswindows and (config.MONITOR_INTERFACE or "").lower() == "any":
exit("[x] virtual interface 'any' is not available on Windows OS")
if config.MONITOR_INTERFACE not in pcapy.findalldevs():
print "[x] interface '%s' not found" % config.MONITOR_INTERFACE
exit("[!] available interfaces: '%s'" % ",".join(pcapy.findalldevs()))
print "[i] opening interface '%s'" % config.MONITOR_INTERFACE
try:
_cap = pcapy.open_live(config.MONITOR_INTERFACE, SNAP_LEN, True, 0)
except socket.error, ex:
if "permitted" in str(ex):
exit("\n[x] please run with sudo/Administrator privileges")
elif "No such device" in str(ex):
exit("\n[x] no such device '%s'" % config.MONITOR_INTERFACE)
else:
raise
def main():
print(figlet)
logger.info("%s (sensor) #v%s" % (NAME, VERSION))
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c", dest="config_file", default=CONFIG_FILE, help="configuration file (default: '%s')" % os.path.split(CONFIG_FILE)[-1])
parser.add_option("-i", dest="pcap_file", help="open pcap file for offline analysis")
parser.add_option("--console", dest="console", action="store_true", help="print events to console (too)")
parser.add_option("--no-updates", dest="no_updates", action="store_true", help="disable (online) trail updates")
parser.add_option("--debug", dest="debug", action="store_true", help=optparse.SUPPRESS_HELP)
options, _ = parser.parse_args()
if not check_sudo():
exit("[!] please run '%s' with sudo/Administrator privileges" % __file__)
read_config(options.config_file)
if options.debug:
config.console = True
config.SHOW_DEBUG = True
create_log_directory(config.LOG_DIR)
logger.init_file_loggers()
config.plugins = DEFAULT_PLUGINS
if config.PLUGINS:
config.plugins += re.split(r"[,;]", config.PLUGINS)
config.triggers = []
if config.TRIGGERS:
config.triggers += re.split(r"[,;]", config.TRIGGERS)
for option in dir(options):
if isinstance(getattr(options, option), (basestring, bool)) and not option.startswith('_'):
config[option] = getattr(options, option)
if options.pcap_file:
if options.pcap_file == '-':
logger.info("using STDIN")
elif not os.path.isfile(options.pcap_file):
exit("missing pcap file '%s'" % options.pcap_file)
else:
logger.info("using pcap file '%s'" % options.pcap_file)
try:
init()
monitor()
except KeyboardInterrupt:
logger.warning("stopping (Ctrl-C pressed)")
def main():
print("%s (server) #v%s\n" % (NAME, VERSION))
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c", dest="config_file", default=CONFIG_FILE, help="configuration file (default: '%s')" % os.path.split(CONFIG_FILE)[-1])
options, _ = parser.parse_args()
read_config(options.config_file)
if config.USE_SSL:
try:
import OpenSSL
except ImportError:
if subprocess.mswindows:
exit("[!] please install 'pyopenssl' (e.g. 'pip install pyopenssl')")
else:
msg, _ = "[!] please install 'pyopenssl'", platform.linux_distribution()[0].lower()
for distro, install in {("fedora", "centos"): "sudo yum install pyOpenSSL", ("debian", "ubuntu"): "sudo apt-get install python-openssl"}.items():
if _ in distro:
msg += " (e.g. '%s')" % install
break
exit(msg)
if not config.SSL_PEM or not os.path.isfile(config.SSL_PEM):
hint = "openssl req -new -x509 -keyout %s -out %s -days 365 -nodes -subj '/O=%s CA/C=EU'" % (config.SSL_PEM or "server.pem", config.SSL_PEM or "server.pem", NAME)
exit("[!] invalid configuration value for 'SSL_PEM' ('%s')\n[?] (hint: \"%s\")" % (config.SSL_PEM, hint))
def update_timer():
if config.USE_SERVER_UPDATE_TRAILS:
update_trails()
update_ipcat()
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
if config.UDP_ADDRESS and config.UDP_PORT:
if check_sudo() is False:
exit("[!] please run '%s' with sudo/Administrator privileges when using 'UDP_ADDRESS' configuration value" % __file__)
start_logd(address=config.UDP_ADDRESS, port=config.UDP_PORT, join=False)
try:
update_timer()
start_httpd(address=config.HTTP_ADDRESS, port=config.HTTP_PORT, pem=config.SSL_PEM if config.USE_SSL else None, join=True)
except KeyboardInterrupt:
print("\r[x] stopping (Ctrl-C pressed)")
def main():
print("%s (sensor) #v%s\n" % (NAME, VERSION))
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c", dest="config_file", default=CONFIG_FILE, help="Configuration file (default: '%s')" % os.path.split(CONFIG_FILE)[-1])
options, _ = parser.parse_args()
if not check_sudo():
exit("[!] please run '%s' with sudo/Administrator privileges" % __file__)
read_config(options.config_file)
try:
init()
monitor()
except KeyboardInterrupt:
print("\r[x] stopping (Ctrl-C pressed)")
def project_init():
if not maltrail_config.DISABLE_CHECK_SUDO and not check_sudo():
exit("[!] please run '%s' with sudo/Administrator privileges" %
__file__)
try: # 进入初始化模块
init()
get_error_log_handle()
msg = "[i] using '%s' for trail storage" % maltrail_config.TRAILS_FILE
if os.path.isfile(maltrail_config.TRAILS_FILE):
mtime = time.gmtime(os.path.getmtime(maltrail_config.TRAILS_FILE))
msg += " (last modification: '%s')" % time.strftime(
HTTP_TIME_FORMAT, mtime)
log_error(msg, "INFO")
except KeyboardInterrupt:
print("\r[x] stopping (Ctrl-C pressed)")
def main():
print("%s (sensor) #v%s\n" % (NAME, VERSION))
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c", dest="config_file", default=CONFIG_FILE, help="Configuration file (default: '%s')" % os.path.split(CONFIG_FILE)[-1])
options, _ = parser.parse_args()
if not check_sudo():
exit("[!] please run with sudo/Administrator privileges")
read_config(options.config_file)
try:
init()
monitor()
except KeyboardInterrupt:
print("\r[x] stopping (Ctrl-C pressed)")
def main():
print("%s (sensor) #v%s\n" % (NAME, VERSION))
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c",
dest="config_file",
default=CONFIG_FILE,
help="configuration file (default: '%s')" %
os.path.split(CONFIG_FILE)[-1])
parser.add_option("-i",
dest="pcap_file",
help="open pcap file for offline analysis")
parser.add_option("-p",
dest="plugins",
help="plugin(s) to be used per event")
parser.add_option("--console",
dest="console",
action="store_true",
help="print events to console (too)")
options, _ = parser.parse_args()
if not check_sudo():
exit("[!] please run '%s' with sudo/Administrator privileges" %
__file__)
read_config(options.config_file)
for option in dir(options):
if isinstance(getattr(options, option),
(basestring, bool)) and not option.startswith('_'):
config[option] = getattr(options, option)
if options.pcap_file:
if not os.path.isfile(options.pcap_file):
exit("[!] missing pcap file '%s'" % options.pcap_file)
else:
print("[i] using pcap file '%s'" % options.pcap_file)
try:
init()
monitor()
except KeyboardInterrupt:
print("\r[x] stopping (Ctrl-C pressed)")
def main():
"""
Main function
"""
print "%s #v%s\n" % (NAME, VERSION)
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c", dest="config_file", default=CONFIG_FILE, help="Configuration file (default: '%s')" % os.path.split(CONFIG_FILE)[-1])
options, _ = parser.parse_args()
if not check_sudo():
exit("[x] please run with sudo/Administrator privileges")
read_config(options.config_file)
init_sensor()
try:
start_httpd()
start_sensor()
except socket.error, ex:
exit("[x] can't start the HTTP server ('%s')" % ex)
def create_log_directory(log_dir):
if not os.path.isdir(log_dir):
if check_sudo() is False:
exit("please rerun with sudo/Administrator privileges")
os.makedirs(log_dir, 0755)
def init():
"""
Performs sensor initialization
"""
global _cap
global _datalink
global _multiprocessing
if config.USE_MULTIPROCESSING:
try:
import multiprocessing
if multiprocessing.cpu_count() > 1:
_multiprocessing = multiprocessing
except (ImportError, OSError, NotImplementedError):
pass
def update_timer():
_ = update(server=config.UPDATE_SERVER)
if _:
trails.clear()
trails.update(_)
elif not trails:
trails.update(load_trails())
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
update_timer()
create_log_directory()
if check_sudo() is False:
exit("[!] please run with sudo/Administrator privileges")
if (config.MONITOR_INTERFACE or "").lower() == "any":
if subprocess.mswindows:
exit("[!] virtual interface 'any' is not available on Windows OS")
else:
print("[!] in case of any problems with packet capture on virtual interface 'any', please put all monitoring interfaces to promiscuous mode manually (e.g. 'sudo ifconfig eth0 promisc')")
if config.MONITOR_INTERFACE not in pcapy.findalldevs():
print("[!] interface '%s' not found" % config.MONITOR_INTERFACE)
exit("[x] available interfaces: '%s'" % ",".join(pcapy.findalldevs()))
print("[i] opening interface '%s'" % config.MONITOR_INTERFACE)
try:
_cap = pcapy.open_live(config.MONITOR_INTERFACE, SNAP_LEN, True, 0)
except (socket.error, pcapy.PcapError):
if "permitted" in str(sys.exc_info()[1]):
exit("[!] please run with sudo/Administrator privileges")
elif "No such device" in str(sys.exc_info()[1]):
exit("[!] no such device '%s'" % config.MONITOR_INTERFACE)
else:
raise
if config.LOG_SERVER and not len(config.LOG_SERVER.split(':')) == 2:
exit("[!] invalid configuration value for 'LOG_SERVER' ('%s')" % config.LOG_SERVER)
if config.CAPTURE_FILTER:
print("[i] setting filter '%s'" % config.CAPTURE_FILTER)
_cap.setfilter(config.CAPTURE_FILTER)
_datalink = _cap.datalink()
if _datalink not in (pcapy.DLT_EN10MB, pcapy.DLT_LINUX_SLL, pcapy.DLT_PPP):
exit("[!] datalink type '%s' not supported" % _datalink)
if _multiprocessing:
_init_multiprocessing()
try:
try:
mod = int(subprocess.check_output("grep -c ^processor /proc/cpuinfo", stderr=subprocess.STDOUT, shell=True).strip())
used = subprocess.check_output("for pid in $(ps aux | grep python | grep sensor.py | grep -E -o 'root[ ]*[0-9]*' | tr -d '[:alpha:] '); do schedtool $pid; done | grep -E -o 'AFFINITY .*' | cut -d ' ' -f 2 | grep -v 0xf", stderr=subprocess.STDOUT, shell=True).strip().split('\n')
max_used = max(int(_, 16) for _ in used)
affinity = max(1, (max_used << 1) % 2 ** mod)
except:
affinity = 1
p = subprocess.Popen("schedtool -n -2 -M 2 -p 10 -a 0x%02x %d" % (affinity, os.getpid()), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
_, stderr = p.communicate()
if "not found" in stderr:
print("[!] please install schedtool for better CPU scheduling (e.g. 'sudo apt-get install schedtool')")
except:
pass
def main():
print("%s (server) #v%s\n" % (NAME, VERSION))
if "--version" in sys.argv:
raise SystemExit
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c",
dest="config_file",
default=CONFIG_FILE,
help="configuration file (default: '%s')" %
os.path.split(CONFIG_FILE)[-1])
parser.add_option("--debug",
dest="debug",
action="store_true",
help=optparse.SUPPRESS_HELP)
options, _ = parser.parse_args()
read_config(options.config_file)
if options.debug:
config.SHOW_DEBUG = True
if config.USE_SSL:
try:
__import__("OpenSSL")
except ImportError:
if IS_WIN:
exit(
"[!] please install 'pyopenssl' (e.g. 'pip install pyopenssl')"
)
else:
msg = "[!] please install 'pyopenssl'"
for distros, install in {
("fedora", "centos"): "sudo yum install pyOpenSSL",
("debian", "ubuntu"): "sudo apt-get install python-openssl"
}.items():
for distro in distros:
if distro in (platform.uname()[3] or "").lower():
msg += " (e.g. '%s')" % install
break
exit(msg)
if not config.SSL_PEM or not os.path.isfile(config.SSL_PEM):
hint = "openssl req -new -x509 -keyout %s -out %s -days 365 -nodes -subj '/O=%s CA/C=EU'" % (
config.SSL_PEM or "server.pem", config.SSL_PEM
or "server.pem", NAME)
exit(
"[!] invalid configuration value for 'SSL_PEM' ('%s')\n[?] (hint: \"%s\")"
% (config.SSL_PEM, hint))
def update_timer():
retries = 0
while retries < CHECK_CONNECTION_MAX_RETRIES and not check_connection(
):
sys.stdout.write(
"[!] can't update because of lack of Internet connection (waiting..."
if not retries else '.')
sys.stdout.flush()
time.sleep(10)
retries += 1
if retries:
print(")")
if retries == CHECK_CONNECTION_MAX_RETRIES:
print("[x] going to continue without online update")
_ = update_trails(offline=True)
else:
_ = update_trails()
update_ipcat()
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
if config.UDP_ADDRESS and config.UDP_PORT:
if config.UDP_PORT <= 1024 and not config.DISABLE_CHECK_SUDO and check_sudo(
) is False:
exit(
"[!] please run '%s' with root privileges when using 'UDP_ADDRESS' configuration value"
% __file__)
create_log_directory()
start_logd(address=config.UDP_ADDRESS,
port=config.UDP_PORT,
join=False)
try:
if config.USE_SERVER_UPDATE_TRAILS:
update_timer()
start_httpd(address=config.HTTP_ADDRESS,
port=config.HTTP_PORT,
pem=config.SSL_PEM if config.USE_SSL else None,
join=True)
except KeyboardInterrupt:
print("\r[x] stopping (Ctrl-C pressed)")
def main():
print("%s (server) #v%s\n" % (NAME, VERSION))
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c", dest="config_file", default=CONFIG_FILE, help="configuration file (default: '%s')" % os.path.split(CONFIG_FILE)[-1])
options, _ = parser.parse_args()
read_config(options.config_file)
if config.USE_SSL:
try:
import OpenSSL
except ImportError:
if subprocess.mswindows:
exit("[!] please install 'pyopenssl' (e.g. 'pip install pyopenssl')")
else:
msg, _ = "[!] please install 'pyopenssl'", platform.linux_distribution()[0].lower()
for distro, install in {("fedora", "centos"): "sudo yum install pyOpenSSL", ("debian", "ubuntu"): "sudo apt-get install python-openssl"}.items():
if _ in distro:
msg += " (e.g. '%s')" % install
break
exit(msg)
if not config.SSL_PEM or not os.path.isfile(config.SSL_PEM):
hint = "openssl req -new -x509 -keyout %s -out %s -days 365 -nodes -subj '/O=%s CA/C=EU'" % (config.SSL_PEM or "server.pem", config.SSL_PEM or "server.pem", NAME)
exit("[!] invalid configuration value for 'SSL_PEM' ('%s')\n[?] (hint: \"%s\")" % (config.SSL_PEM, hint))
def update_timer():
retries = 0
while retries < CHECK_CONNECTION_MAX_RETRIES and not check_connection():
sys.stdout.write("[!] can't update because of lack of Internet connection (waiting..." if not retries else '.')
sys.stdout.flush()
time.sleep(10)
retries += 1
if retries:
print(")")
if retries == CHECK_CONNECTION_MAX_RETRIES:
print("[x] going to continue without online update")
_ = update_trails(offline=True)
else:
_ = update_trails()
update_ipcat()
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
if config.UDP_ADDRESS and config.UDP_PORT:
if config.UDP_PORT <= 1024 and not config.DISABLE_CHECK_SUDO and check_sudo() is False:
exit("[!] please run '%s' with sudo/Administrator privileges when using 'UDP_ADDRESS' configuration value" % __file__)
create_log_directory()
start_logd(address=config.UDP_ADDRESS, port=config.UDP_PORT, join=False)
try:
if config.USE_SERVER_UPDATE_TRAILS:
update_timer()
start_httpd(address=config.HTTP_ADDRESS, port=config.HTTP_PORT, pem=config.SSL_PEM if config.USE_SSL else None, join=True)
except KeyboardInterrupt:
print("\r[x] stopping (Ctrl-C pressed)")
def init():
"""
Performs sensor initialization
"""
global _cap
global _datalink
global _multiprocessing
if config.USE_MULTIPROCESSING:
try:
import multiprocessing
if multiprocessing.cpu_count() > 1:
_multiprocessing = multiprocessing
except (ImportError, OSError, NotImplementedError):
pass
def update_timer():
_ = update_trails(server=config.UPDATE_SERVER)
update_ipcat()
if _:
trails.clear()
trails.update(_)
elif not trails:
trails.update(load_trails())
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
update_timer()
create_log_directory()
if check_sudo() is False:
exit("[!] please run with sudo/Administrator privileges")
if (config.MONITOR_INTERFACE or "").lower() == "any":
if subprocess.mswindows:
print("[!] virtual interface 'any' is not available on Windows OS")
exit("[x] available interfaces: '%s'" %
",".join(pcapy.findalldevs()))
else:
print(
"[!] in case of any problems with packet capture on virtual interface 'any', please put all monitoring interfaces to promiscuous mode manually (e.g. 'sudo ifconfig eth0 promisc')"
)
if config.MONITOR_INTERFACE not in pcapy.findalldevs():
print("[!] interface '%s' not found" % config.MONITOR_INTERFACE)
exit("[x] available interfaces: '%s'" % ",".join(pcapy.findalldevs()))
print("[i] opening interface '%s'" % config.MONITOR_INTERFACE)
try:
_cap = pcapy.open_live(config.MONITOR_INTERFACE, SNAP_LEN, True, 0)
except (socket.error, pcapy.PcapError):
if "permitted" in str(sys.exc_info()[1]):
exit("[!] please run with sudo/Administrator privileges")
elif "No such device" in str(sys.exc_info()[1]):
exit("[!] no such device '%s'" % config.MONITOR_INTERFACE)
else:
raise
if config.LOG_SERVER and not len(config.LOG_SERVER.split(':')) == 2:
exit("[!] invalid configuration value for 'LOG_SERVER' ('%s')" %
config.LOG_SERVER)
if config.CAPTURE_FILTER:
print("[i] setting filter '%s'" % config.CAPTURE_FILTER)
_cap.setfilter(config.CAPTURE_FILTER)
_datalink = _cap.datalink()
if _datalink not in (pcapy.DLT_EN10MB, pcapy.DLT_LINUX_SLL, pcapy.DLT_PPP):
exit("[!] datalink type '%s' not supported" % _datalink)
if _multiprocessing:
_init_multiprocessing()
try:
try:
mod = int(
subprocess.check_output("grep -c ^processor /proc/cpuinfo",
stderr=subprocess.STDOUT,
shell=True).strip())
used = subprocess.check_output(
"for pid in $(ps aux | grep python | grep sensor.py | grep -E -o 'root[ ]*[0-9]*' | tr -d '[:alpha:] '); do schedtool $pid; done | grep -E -o 'AFFINITY .*' | cut -d ' ' -f 2 | grep -v 0xf",
stderr=subprocess.STDOUT,
shell=True).strip().split('\n')
max_used = max(int(_, 16) for _ in used)
affinity = max(1, (max_used << 1) % 2**mod)
except:
affinity = 1
p = subprocess.Popen("schedtool -n -2 -M 2 -p 10 -a 0x%02x %d" %
(affinity, os.getpid()),
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
_, stderr = p.communicate()
if "not found" in stderr:
print(
"[!] please install schedtool for better CPU scheduling (e.g. 'sudo apt-get install schedtool')"
)
except:
pass
def init():
"""
Performs sensor initialization
"""
global _multiprocessing
if config.USE_MULTIPROCESSING:
try:
import multiprocessing
if multiprocessing.cpu_count() > 1:
_multiprocessing = multiprocessing
except (ImportError, OSError, NotImplementedError):
pass
def update_timer():
_ = update_trails(server=config.UPDATE_SERVER)
update_ipcat()
if _:
trails.clear()
trails.update(_)
elif not trails:
trails.update(load_trails())
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
create_log_directory()
get_error_log_handle()
check_memory()
update_timer()
if check_sudo() is False:
exit("[!] please run '%s' with sudo/Administrator privileges" %
__file__)
interfaces = set(_.strip() for _ in config.MONITOR_INTERFACE.split(','))
if (config.MONITOR_INTERFACE or "").lower() == "any":
if subprocess.mswindows or "any" not in pcapy.findalldevs():
print(
"[x] virtual interface 'any' missing. Replacing it with all interface names"
)
interfaces = pcapy.findalldevs()
else:
print(
"[?] in case of any problems with packet capture on virtual interface 'any', please put all monitoring interfaces to promiscuous mode manually (e.g. 'sudo ifconfig eth0 promisc')"
)
for interface in interfaces:
if interface.lower() != "any" and interface not in pcapy.findalldevs():
hint = "[?] available interfaces: '%s'" % ",".join(
pcapy.findalldevs())
exit("[!] interface '%s' not found\n%s" % (interface, hint))
print("[i] opening interface '%s'" % interface)
try:
_caps.append(
pcapy.open_live(interface, SNAP_LEN, True, CAPTURE_TIMEOUT))
except (socket.error, pcapy.PcapError):
if "permitted" in str(sys.exc_info()[1]):
exit("[!] please run '%s' with sudo/Administrator privileges" %
__file__)
elif "No such device" in str(sys.exc_info()[1]):
exit("[!] no such device '%s'" % interface)
else:
raise
if config.LOG_SERVER and not len(config.LOG_SERVER.split(':')) == 2:
exit("[!] invalid configuration value for 'LOG_SERVER' ('%s')" %
config.LOG_SERVER)
if config.CAPTURE_FILTER:
print("[i] setting filter '%s'" % config.CAPTURE_FILTER)
for _cap in _caps:
_cap.setfilter(config.CAPTURE_FILTER)
if _multiprocessing:
_init_multiprocessing()
if not subprocess.mswindows:
try:
try:
mod = int(
subprocess.check_output("grep -c ^processor /proc/cpuinfo",
stderr=subprocess.STDOUT,
shell=True).strip())
used = subprocess.check_output(
"for pid in $(ps aux | grep python | grep sensor.py | grep -E -o 'root[ ]*[0-9]*' | tr -d '[:alpha:] '); do schedtool $pid; done | grep -E -o 'AFFINITY .*' | cut -d ' ' -f 2 | grep -v 0xf",
stderr=subprocess.STDOUT,
shell=True).strip().split('\n')
max_used = max(int(_, 16) for _ in used)
affinity = max(1, (max_used << 1) % 2**mod)
except:
affinity = 1
p = subprocess.Popen("schedtool -n -2 -M 2 -p 10 -a 0x%02x %d" %
(affinity, os.getpid()),
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
_, stderr = p.communicate()
if "not found" in stderr:
msg, _ = "[?] please install 'schedtool' for better CPU scheduling", platform.linux_distribution(
)[0].lower()
for distro, install in {
("fedora", "centos"): "sudo yum install schedtool",
("debian", "ubuntu"): "sudo apt-get install schedtool"
}.items():
if _ in distro:
msg += " (e.g. '%s')" % install
break
print(msg)
except:
pass
def init():
"""
Performs sensor initialization
"""
def update_timer():
retries = 0
if not config.no_updates:
while retries < CHECK_CONNECTION_MAX_RETRIES and not check_connection():
sys.stdout.write("[ERROR]: can't update because of lack of Internet connection (waiting..." if not retries else '.')
sys.stdout.flush()
time.sleep(10)
retries += 1
if retries:
sys.stdout.write(")\n")
if config.no_updates or retries == CHECK_CONNECTION_MAX_RETRIES:
if retries == CHECK_CONNECTION_MAX_RETRIES:
logger.error("going to continue without online update")
_ = update_trails(offline=True)
else:
_ = update_trails(server=config.UPDATE_SERVER)
update_ipcat()
if _:
trails.clear()
trails.update(_)
elif not trails:
trails.update(load_trails())
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.start()
check_memory()
msg = "using '%s' for trail storage" % TRAILS_FILE
if os.path.isfile(TRAILS_FILE):
mtime = time.gmtime(os.path.getmtime(TRAILS_FILE))
msg += " (last modification: '%s')" % time.strftime(HTTP_TIME_FORMAT, mtime)
logger.info(msg)
update_timer()
if check_sudo() is False:
exit("[!] please run '%s' with sudo/Administrator privileges" % __file__)
if config.plugins is None:
exit("[!] No plugins defined!")
logger.info("Loading plugins:" + str(config.plugins))
config.plugin_functions = load_plugins(config.plugins)
if config.triggers:
logger.info("Loading triggers:" + str(config.triggers))
config.trigger_functions = load_triggers(config.triggers)
if config.pcap_file:
_caps.append(pcapy.open_offline(config.pcap_file))
else:
interfaces = set(_.strip() for _ in config.MONITOR_INTERFACE.split(','))
if (config.MONITOR_INTERFACE or "").lower() == "any":
if "any" not in pcapy.findalldevs():
logger.error("virtual interface 'any' missing. Replacing it with all interface names")
interfaces = pcapy.findalldevs()
else:
logger.info("in case of any problems with packet capture on virtual interface 'any', please put all monitoring interfaces to promiscuous mode manually (e.g. 'sudo ifconfig eth0 promisc')")
for interface in interfaces:
if interface.lower() != "any" and interface not in pcapy.findalldevs():
hint = "[?] available interfaces: '%s'" % ",".join(pcapy.findalldevs())
exit("[!] interface '%s' not found\n%s" % (interface, hint))
logger.info("opening interface '%s'" % interface)
try:
_caps.append(pcapy.open_live(interface, SNAP_LEN, True, CAPTURE_TIMEOUT))
except (socket.error, pcapy.PcapError):
if "permitted" in str(sys.exc_info()[1]):
exit("[!] please run '%s' with sudo/Administrator privileges" % __file__)
elif "No such device" in str(sys.exc_info()[1]):
exit("[!] no such device '%s'" % interface)
else:
raise
if config.LOG_SERVER and not len(config.LOG_SERVER.split(':')) == 2:
exit("[!] invalid configuration value for 'LOG_SERVER' ('%s')" % config.LOG_SERVER)
if config.SYSLOG_SERVER and not len(config.SYSLOG_SERVER.split(':')) == 2:
exit("[!] invalid configuration value for 'SYSLOG_SERVER' ('%s')" % config.SYSLOG_SERVER)
if config.CAPTURE_FILTER:
logger.info("setting capture filter '%s'" % config.CAPTURE_FILTER)
for _cap in _caps:
try:
_cap.setfilter(config.CAPTURE_FILTER)
except:
pass
logger.info("Starting processing threads...")
init_threads()
logger.info("Threads started...")
def main():
print("%s (server) #v%s\n" % (NAME, VERSION))
parser = optparse.OptionParser(version=VERSION)
parser.add_option("-c", dest="config_file", default=CONFIG_FILE, help="configuration file (default: '%s')" % os.path.split(CONFIG_FILE)[-1])
options, _ = parser.parse_args()
read_config(options.config_file)
if config.USE_SSL:
try:
import OpenSSL
except ImportError:
if subprocess.mswindows:
exit("[!] please install 'pyopenssl' (e.g. 'pip install pyopenssl')")
else:
msg, _ = "[!] please install 'pyopenssl'", platform.linux_distribution()[0].lower()
for distro, install in {("fedora", "centos"): "sudo yum install pyOpenSSL", ("debian", "ubuntu"): "sudo apt-get install python-openssl"}.items():
if _ in distro:
msg += " (e.g. '%s')" % install
break
exit(msg)
if not config.SSL_PEM or not os.path.isfile(config.SSL_PEM):
hint = "openssl req -new -x509 -keyout %s -out %s -days 365 -nodes -subj '/O=%s CA/C=EU'" % (config.SSL_PEM or "server.pem", config.SSL_PEM or "server.pem", NAME)
exit("[!] invalid configuration value for 'SSL_PEM' ('%s')\n[?] (hint: \"%s\")" % (config.SSL_PEM, hint))
def update_timer():
retries = 0
while retries < CHECK_CONNECTION_MAX_RETRIES and not check_connection():
sys.stdout.write("[!] can't update because of lack of network connection (waiting..." if not retries else '.')
sys.stdout.flush()
time.sleep(10)
retries += 1
if retries:
print(")")
if retries == CHECK_CONNECTION_MAX_RETRIES:
print("[x] going to continue without update")
else:
if config.USE_SERVER_UPDATE_TRAILS:
update_trails()
update_ipcat()
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
if config.UDP_ADDRESS and config.UDP_PORT:
if check_sudo() is False:
exit("[!] please run '%s' with sudo/Administrator privileges when using 'UDP_ADDRESS' configuration value" % __file__)
start_logd(address=config.UDP_ADDRESS, port=config.UDP_PORT, join=False)
try:
update_timer()
start_httpd(address=config.HTTP_ADDRESS, port=config.HTTP_PORT, pem=config.SSL_PEM if config.USE_SSL else None, join=True)
except KeyboardInterrupt:
print("\r[x] stopping (Ctrl-C pressed)")
def init():
"""
Performs sensor initialization
"""
global _multiprocessing
try:
import multiprocessing
if config.PROCESS_COUNT > 1:
_multiprocessing = multiprocessing
except (ImportError, OSError, NotImplementedError):
pass
def update_timer():
first = True
while not check_connection():
sys.stdout.write("[!] can't update because of lack of network connection (waiting..." if first else '.')
sys.stdout.flush()
time.sleep(60)
first = False
if not first:
print(")")
_ = update_trails(server=config.UPDATE_SERVER)
update_ipcat()
if _:
trails.clear()
trails.update(_)
elif not trails:
trails.update(load_trails())
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
create_log_directory()
get_error_log_handle()
check_memory()
update_timer()
if check_sudo() is False:
exit("[!] please run '%s' with sudo/Administrator privileges" % __file__)
if config.plugins:
config.plugin_functions = []
for plugin in re.split(r"[,;]", config.plugins):
plugin = plugin.strip()
found = False
for _ in (plugin, os.path.join("plugins", plugin), os.path.join("plugins", "%s.py" % plugin)):
if os.path.isfile(_):
plugin = _
found = True
break
if not found:
exit("[!] plugin script '%s' not found" % plugin)
else:
dirname, filename = os.path.split(plugin)
dirname = os.path.abspath(dirname)
if not os.path.exists(os.path.join(dirname, '__init__.py')):
exit("[!] empty file '__init__.py' required inside directory '%s'" % dirname)
if not filename.endswith(".py"):
exit("[!] plugin script '%s' should have an extension '.py'" % filename)
if dirname not in sys.path:
sys.path.insert(0, dirname)
try:
module = __import__(filename[:-3].encode(sys.getfilesystemencoding()))
except (ImportError, SyntaxError), msg:
exit("[!] unable to import plugin script '%s' (%s)" % (filename, msg))
found = False
for name, function in inspect.getmembers(module, inspect.isfunction):
if name == "plugin" and not set(inspect.getargspec(function).args) & set(("event_tuple', 'packet")):
found = True
config.plugin_functions.append(function)
function.func_name = module.__name__
if not found:
exit("[!] missing function 'plugin(event_tuple, packet)' in plugin script '%s'" % filename)
def init():
"""
Performs sensor initialization
"""
global _multiprocessing
try:
import multiprocessing
if config.PROCESS_COUNT > 1:
_multiprocessing = multiprocessing
except (ImportError, OSError, NotImplementedError):
pass
def update_timer():
retries = 0
while retries < CHECK_CONNECTION_MAX_RETRIES and not check_connection():
sys.stdout.write("[!] can't update because of lack of network connection (waiting..." if not retries else '.')
sys.stdout.flush()
time.sleep(10)
retries += 1
if retries:
print(")")
if retries == CHECK_CONNECTION_MAX_RETRIES:
print("[x] going to continue without update")
_ = {}
else:
_ = update_trails(server=config.UPDATE_SERVER)
update_ipcat()
if _:
trails.clear()
trails.update(_)
elif not trails:
trails.update(load_trails())
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
create_log_directory()
get_error_log_handle()
check_memory()
update_timer()
if check_sudo() is False:
exit("[!] please run '%s' with sudo/Administrator privileges" % __file__)
if config.plugins:
config.plugin_functions = []
for plugin in re.split(r"[,;]", config.plugins):
plugin = plugin.strip()
found = False
for _ in (plugin, os.path.join("plugins", plugin), os.path.join("plugins", "%s.py" % plugin)):
if os.path.isfile(_):
plugin = _
found = True
break
if not found:
exit("[!] plugin script '%s' not found" % plugin)
else:
dirname, filename = os.path.split(plugin)
dirname = os.path.abspath(dirname)
if not os.path.exists(os.path.join(dirname, '__init__.py')):
exit("[!] empty file '__init__.py' required inside directory '%s'" % dirname)
if not filename.endswith(".py"):
exit("[!] plugin script '%s' should have an extension '.py'" % filename)
if dirname not in sys.path:
sys.path.insert(0, dirname)
try:
module = __import__(filename[:-3].encode(sys.getfilesystemencoding()))
except (ImportError, SyntaxError), msg:
exit("[!] unable to import plugin script '%s' (%s)" % (filename, msg))
found = False
for name, function in inspect.getmembers(module, inspect.isfunction):
if name == "plugin" and not set(inspect.getargspec(function).args) & set(("event_tuple', 'packet")):
found = True
config.plugin_functions.append(function)
function.func_name = module.__name__
if not found:
exit("[!] missing function 'plugin(event_tuple, packet)' in plugin script '%s'" % filename)
def create_log_directory():
if not os.path.isdir(config.LOG_DIR):
if check_sudo() is False:
exit("[!] please run with sudo/Administrator privileges")
os.makedirs(config.LOG_DIR)
print("[i] using '%s' for log storage" % config.LOG_DIR)
def create_log_directory():
if not os.path.isdir(config.LOG_DIR):
if check_sudo() is False:
exit("[x] please run with sudo/Administrator privileges")
os.makedirs(config.LOG_DIR)
print("[i] using '%s' for log storage" % config.LOG_DIR)
def create_log_directory():
if not os.path.isdir(config.LOG_DIR):
if not config.DISABLE_CHECK_SUDO and check_sudo() is False:
exit("[!] please rerun with sudo/Administrator privileges")
os.makedirs(config.LOG_DIR, 0o755)
print("[i] using '%s' for log storage" % config.LOG_DIR)
def init():
"""
Performs sensor initialization
"""
global _multiprocessing
if config.USE_MULTIPROCESSING:
try:
import multiprocessing
if multiprocessing.cpu_count() > 1:
_multiprocessing = multiprocessing
except (ImportError, OSError, NotImplementedError):
pass
def update_timer():
_ = update_trails(server=config.UPDATE_SERVER)
update_ipcat()
if _:
trails.clear()
trails.update(_)
elif not trails:
trails.update(load_trails())
thread = threading.Timer(config.UPDATE_PERIOD, update_timer)
thread.daemon = True
thread.start()
create_log_directory()
get_error_log_handle()
check_memory()
update_timer()
if check_sudo() is False:
exit("[!] please run '%s' with sudo/Administrator privileges" % __file__)
interfaces = set(_.strip() for _ in config.MONITOR_INTERFACE.split(","))
if (config.MONITOR_INTERFACE or "").lower() == "any":
if subprocess.mswindows or "any" not in pcapy.findalldevs():
print("[x] virtual interface 'any' missing. Replacing it with all interface names")
interfaces = pcapy.findalldevs()
else:
print(
"[?] in case of any problems with packet capture on virtual interface 'any', please put all monitoring interfaces to promiscuous mode manually (e.g. 'sudo ifconfig eth0 promisc')"
)
for interface in interfaces:
if interface.lower() != "any" and interface not in pcapy.findalldevs():
hint = "[?] available interfaces: '%s'" % ",".join(pcapy.findalldevs())
exit("[!] interface '%s' not found\n%s" % (interface, hint))
print("[i] opening interface '%s'" % interface)
try:
_caps.append(pcapy.open_live(interface, SNAP_LEN, True, CAPTURE_TIMEOUT))
except (socket.error, pcapy.PcapError):
if "permitted" in str(sys.exc_info()[1]):
exit("[!] please run '%s' with sudo/Administrator privileges" % __file__)
elif "No such device" in str(sys.exc_info()[1]):
exit("[!] no such device '%s'" % interface)
else:
raise
if config.LOG_SERVER and not len(config.LOG_SERVER.split(":")) == 2:
exit("[!] invalid configuration value for 'LOG_SERVER' ('%s')" % config.LOG_SERVER)
if config.CAPTURE_FILTER:
print("[i] setting filter '%s'" % config.CAPTURE_FILTER)
for _cap in _caps:
_cap.setfilter(config.CAPTURE_FILTER)
if _multiprocessing:
_init_multiprocessing()
if not subprocess.mswindows:
try:
try:
mod = int(
subprocess.check_output(
"grep -c ^processor /proc/cpuinfo", stderr=subprocess.STDOUT, shell=True
).strip()
)
used = (
subprocess.check_output(
"for pid in $(ps aux | grep python | grep sensor.py | grep -E -o 'root[ ]*[0-9]*' | tr -d '[:alpha:] '); do schedtool $pid; done | grep -E -o 'AFFINITY .*' | cut -d ' ' -f 2 | grep -v 0xf",
stderr=subprocess.STDOUT,
shell=True,
)
.strip()
.split("\n")
)
max_used = max(int(_, 16) for _ in used)
affinity = max(1, (max_used << 1) % 2 ** mod)
except:
affinity = 1
p = subprocess.Popen(
"schedtool -n -2 -M 2 -p 10 -a 0x%02x %d" % (affinity, os.getpid()),
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
_, stderr = p.communicate()
if "not found" in stderr:
msg, _ = (
"[?] please install 'schedtool' for better CPU scheduling",
platform.linux_distribution()[0].lower(),
)
for distro, install in {
("fedora", "centos"): "sudo yum install schedtool",
("debian", "ubuntu"): "sudo apt-get install schedtool",
}.items():
if _ in distro:
msg += " (e.g. '%s')" % install
break
print(msg)
except:
pass