MIDAS_cef_syslog_output
--- midas.py 2013-07-15 22:00:42.000000000 -0400
+++ midas_cef.py 2013-07-15 21:59:49.000000000 -0400
@@ -21,6 +21,10 @@
import argparse
import logging
import pymongo
+import socket
+import time
+
+from logging.handlers import SysLogHandler
# Import DB Config from midas-settings.cfg
config = ConfigParser.SafeConfigParser()
@@ -62,7 +66,28 @@
rules = yara.compile(yararules)
# Set Path to files from Argument
-pathtofiles = args['Path']
+#pathtofiles = args['Path']
+pathtofiles = config.get('settings','filePath')
+cef_log = config.get('settings','cef_log')
+vendor = config.get('settings','deviceVendor')
+product = config.get('settings','deviceProduct')
+version = config.get('settings','deviceVersion')
+
+
+# JSA Syslog prep
+do_syslog = 'F'
+if config.has_section("syslog"):
+ do_syslog = 'T'
+ print ("Configuring Syslog")
+ loghost = config.get('syslog','loghost')
+ logport = int(config.get('syslog','logport'))
+ logger = logging.getLogger()
+ logger.setLevel(logging.INFO)
+ syslog = SysLogHandler(address=(loghost, logport))
+
+else:
+ print ("No syslog section found")
+
# Return Warm and Fuzzy to CLI while magic happens in the background
print "\n\n Scanning all files recursively from here: " + pathtofiles
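Review bot: The handler built by `syslog = SysLogHandler(address=(loghost, logport))` is never attached here; the formatter and `logger.addHandler(syslog)` are deferred to the per-match loop later in the patch, where they run once per hit. Attach it once during setup instead, right after the handler is created: `syslog.setFormatter(logging.Formatter('%(name)s: %(levelname)s %(message)s'))` and `logger.addHandler(syslog)`, so main() only emits. Note that the `(host, port)` tuple gives a UDP transport by default; if the collector expects TCP, pass `socktype=socket.SOCK_STREAM`. The `do_syslog = 'F'`/`'T'` string flag would read better as `do_syslog = False`/`True` tested with `if do_syslog:`, and commenting out `pathtofiles = args['Path']` leaves the CLI path option (if argparse still declares it) silently ignored in favour of `filePath` from the config — either remove the option or keep it as the override, e.g. `pathtofiles = args['Path'] or config.get('settings','filePath')`.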
@@ -92,6 +117,7 @@
def main():
# Sleep function, program will run infinitly until killed (ctrl-c)
while True:
+ sensor_name = socket.gethostname()
# Recursivly walk the target path and create a filename which is relative to the program
for root, dirs, files in os.walk(pathtofiles):
for name in files:
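Review bot: `sensor_name = socket.gethostname()` is re-evaluated on every pass of the `while True` loop although the hostname does not change between scans; hoist it above the loop or read it once at setup next to the other syslog values. main() continues past the end of this hunk.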
@@ -99,6 +125,7 @@
# Run exiftool to extract all metadata from a file
with exiftool.ExifTool() as et:
metadata = et.get_metadata(filename)
+ #for i in metadata:
# call the md5sum function to get a hash, then use this as the OID to prevent duplicates in the database
md5 = md5sum(filename)
metadata[u'_id'] = md5
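Review bot: The added `#for i in metadata:` is commented-out code with no explanation of what the intended iteration was for; either drop it or replace it with a comment stating the intent. The enclosing for-loop body starts and ends outside this hunk.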
@@ -122,6 +149,13 @@
matches.extend(fullmatches)
# Print yara hits, or none..**this will eventually export to logger**
if matches:
+ for sigs in matches:
+ if do_syslog == 'T':
+ stime = time.mktime(time.gmtime())
+ formatter = logging.Formatter('%(name)s: %(levelname)s %(message)s')
+ syslog.setFormatter(formatter)
+ logger.addHandler(syslog)
+ logger.info('CEF:0|{0}|{1}|{2}|sig1|{3}|2|msg={4} found in {5} dvchost={6} fname={7} fileHash={8} ts={9}\n'.format(vendor,product,version,sigs,sigs,md5,sensor_name,filename,md5,stime)) #jsa
metadata[u'YaraAlerts'] = str(matches)
logging.warning(timestamp + ": Yara Matches for " + name + ": " + str(matches) + " MD5: " + md5)
else:
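Review bot: Each yara hit runs `logger.addHandler(syslog)` again, so after N hits the root logger carries N copies of the handler and every later `logger.info` and `logging.warning` is sent N times; the formatter and handler belong in the syslog setup, not in this loop. `time.mktime(time.gmtime())` feeds a UTC tuple to a function that interprets it as local time, so `stime` is skewed by the host's UTC offset — `time.time()` (or `int(time.time() * 1000)` under the standard CEF `rt` key) is the direct value. The CEF line also interpolates `sigs`, `filename` and `sensor_name` raw: CEF requires `|` and `\` escaped in header fields and `=` and `\` in extension values, and because the scanned files are by nature untrusted, a file name containing `|` or `=` shifts the parsed fields on the SIEM side; the trailing `\n` is unnecessary as SysLogHandler frames each message itself. The rewrite below adds a small escape helper (placed at module level next to the syslog setup) and emits one clean line per match, assuming the handler is attached once at setup.
```python
def cef_escape(value, header=False):
    """Escape one CEF field: '\\' and '|' in header fields, '\\' and '=' in extension values."""
    text = str(value).replace('\\', '\\\\')
    return text.replace('|', '\\|') if header else text.replace('=', '\\=')

# … unchanged: yara scan and matches.extend(fullmatches) …
                if matches:
                    if do_syslog == 'T':
                        event_time = int(time.time())  # epoch seconds, no local-time round trip
                        for sigs in matches:
                            logger.info('CEF:0|{0}|{1}|{2}|sig1|{3}|2|msg={4} found in {5} dvchost={6} fname={7} fileHash={8} ts={9}'.format(
                                cef_escape(vendor, True), cef_escape(product, True), cef_escape(version, True), cef_escape(sigs, True),
                                cef_escape(sigs), md5, cef_escape(sensor_name), cef_escape(filename), md5, event_time))  # jsa
                    metadata[u'YaraAlerts'] = str(matches)
```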
@@ -137,9 +171,10 @@
#Make destination dir per agument if non existant
if not os.path.exists(args['move']):
os.makedirs(args['move'])
- shutil.move(filename, args['move'] + name)
+ #shutil.move(filename, args['move'] + name)
+ shutil.move(filename, args['move'] + md5)
#Verify move for logs:
- logging.info(timestamp + ":" + filename + " has been moved to " + args['move'] + name)
+ logging.info(timestamp + ":" + filename + " has been moved to " + args['move'] + md5)
# if -d switch is on, this will delete each file after scanning. !!BE CAREFUL WITH THIS!!
if args['delete'] == True:
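Review bot: `shutil.move(filename, args['move'] + md5)` concatenates the directory and the hash with no separator, so unless `--move` was given with a trailing slash the file lands beside the directory as `<dir><md5>`; the pre-existing `+ name` form had the same flaw and the rewritten line is the place to fix it: `dest = os.path.join(args['move'], md5)`, then `shutil.move(filename, dest)` and log `dest` in the `logging.info` line. Naming the moved file by its md5 also means a second file with identical content silently overwrites the first, which is presumably the intended de-duplication — worth a one-line comment saying so. The commented-out `#shutil.move(filename, args['move'] + name)` is dead code and can go.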