admin/RmEye
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
huoji
2022-08-22 20:14:03 +08:00
parent 7a2dad9291
commit 3475c90afe
50 changed files with 5523 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

195
Server/log.py Normal file
View File

@@ -0,0 +1,195 @@
import json
import time
import process
import rule
import sql
import global_vars
import config
import plugin
def process_log(host, json_log, raw_log):
log = json_log["data"]
had_threat = global_vars.THREAT_TYPE_NONE
current_process: process.Process = None
rule_hit_name = ""
score = 0
chain_hash = ""
params = ""
user = ""
if json_log["action"] == "processcreate":
pid = log["processid"]
ppid = log["parentprocessid"]
path = log["image"]
params = log["commandline"]
user = log["user"]
hash = log["hashes"].split(",")[0].split("=")[1]
parent_pid = log["parentprocessid"]
parent_ppid = parent_pid
parent_path = log["parentimage"]
parent_params = log["parentcommandline"]
parent_user = log["parentuser"]
create_time = int(round(time.time() * 1000))
if path in process.skip_process_path or path in process.skip_process_path:
return
parent_process: process.Process = process.get_process_by_pid(ppid)
score, rule_hit_name = rule.calc_score_in_create_process(log)
if hash in process.skip_md5:
return
if parent_process is None or parent_path in process.root_process_path:
# build a process
parent_process = process.Process(
parent_pid,
parent_ppid,
parent_path,
parent_params,
create_time - 1,
"None",
parent_user,
host,
)
child = process.Process(
pid, ppid, path, params, create_time, hash, parent_user, host
)
chain = process.create_chain(parent_process)
chain.add_process(child, parent_pid)
current_process = child
if score > 0:
child.set_score(score, rule_hit_name)
had_threat = global_vars.THREAT_TYPE_PROCESS
else:
child = process.Process(
pid, ppid, path, params, create_time, hash, user, host
)
parent_process.chain.add_process(child, ppid)
current_process = child
if score > 0:
child.set_score(score, rule_hit_name)
had_threat = global_vars.THREAT_TYPE_PROCESS
had_threat_plugin = plugin.dispath_rule_new_process_create(
host, current_process, raw_log, json_log
)
if had_threat == global_vars.THREAT_TYPE_NONE:
had_threat = had_threat_plugin
elif json_log["action"] == "processterminal":
pid = log["processid"]
current_process = process.get_process_by_pid(pid)
if current_process is not None:
plugin.dispath_process_terminal(host, current_process, raw_log, json_log)
current_process.active = False
current_process.chain.terminate_count += 1
if current_process.chain.terminate_count >= (
current_process.chain.active_count - 1
):
current_process.chain.active = False
if current_process.chain.risk_score >= config.MAX_THREAT_SCORE:
sql.update_threat_log(
host,
current_process.chain.risk_score,
json.dumps(current_process.chain.operationlist),
current_process.chain.hash,
current_process.chain.get_json(),
global_vars.THREAT_TYPE_PROCESS,
True,
)
process.g_ProcessChainList.remove(current_process.chain)
elif "processid" in log:
current_process = process.get_process_by_pid(log["processid"])
if current_process is not None:
log["action"] = json_log["action"]
score, rule_hit_name = rule.calc_score_in_action(log)
if score > 0:
current_process.set_score(score, rule_hit_name)
had_threat = global_vars.THREAT_TYPE_PROCESS
had_threat_plugin = plugin.dispath_rule_new_process_action(
host, current_process, raw_log, json_log
)
if had_threat == global_vars.THREAT_TYPE_NONE:
had_threat = had_threat_plugin
if current_process is not None:
if current_process.chain.risk_score >= config.MAX_THREAT_SCORE:
if had_threat == global_vars.THREAT_TYPE_PROCESS:
current_process.chain.update_process_tree()
threat = sql.select_threat_by_chain_id(
host, current_process.chain.hash, global_vars.THREAT_TYPE_PROCESS
)
if len(threat) == 0:
process_info: process.Process = None
if len(current_process.chain.process_list) > 1:
process_info = current_process.chain.process_list[1]
else:
process_info = current_process
info_save_data = {
"path": process_info.path,
"hash": process_info.md5,
"params": process_info.params,
"user": process_info.user,
"create_time": process_info.time,
}
sql.push_threat_log(
host,
current_process.chain.risk_score,
json.dumps(current_process.chain.operationlist),
current_process.chain.hash,
current_process.chain.get_json(),
global_vars.THREAT_TYPE_PROCESS,
json.dumps(info_save_data),
)
else:
sql.update_threat_log(
host,
current_process.chain.risk_score,
json.dumps(current_process.chain.operationlist),
current_process.chain.hash,
current_process.chain.get_json(),
global_vars.THREAT_TYPE_PROCESS,
current_process.chain.active == False,
)
parent_pid = 0
target_pid = 0
self_hash = ""
target_image_path = ""
target_hash = ""
raw_json_log = json.loads(raw_log)
if current_process is not None:
chain_hash = current_process.chain.hash
parent_pid = current_process.ppid
if "TargetProcessId" in raw_json_log:
target_process: process.Process = current_process.chain.find_process_by_pid(
raw_json_log["TargetProcessId"]
)
target_pid = target_process.pid
target_image_path = target_process.path
target_hash = target_process.md5
self_hash = current_process.md5
sql.push_process_raw(
host,
raw_json_log,
rule_hit_name,
score,
chain_hash,
had_threat,
parent_pid,
target_pid,
self_hash,
target_image_path,
target_hash,
params,
user,
)
"""
for iter in process.g_ProcessChainList:
item: process.Process = iter
if item.risk_score >= config.MAX_THREAT_SCORE:
item.print_process()
"""