

work in progress for #168
mmguero committed Apr 6, 2023
1 parent 3ab934a commit bdd28ca
Showing 1 changed file with 16 additions and 63 deletions.
79 changes: 16 additions & 63 deletions shared/bin/zeek_carve_utils.py
Expand Up @@ -301,10 +301,7 @@ def __init__(
self.newFilesSocket.connect(f"tcp://{host}:{port}")
self.newFilesSocket.setsockopt(zmq.SUBSCRIBE, bytes(topic, encoding='ascii'))
self.newFilesSocket.RCVTIMEO = rcvTimeout
self.logger.info(
f"{self.scriptName}:\tbound to ventilator at {port}",
timestamp=True,
)
self.logger.info(f"{self.scriptName}:\tbound to ventilator at {port}")

# ---------------------------------------------------------------------------------
def Pull(self, scanWorkerId=0):
Expand All @@ -320,7 +317,6 @@ def Pull(self, scanWorkerId=0):

self.logger.debug(
f"{self.scriptName}[{scanWorkerId}]:\t{'📨' if (FILE_SCAN_RESULT_FILE in fileinfo) else '🕑'}\t{fileinfo[FILE_SCAN_RESULT_FILE] if (FILE_SCAN_RESULT_FILE in fileinfo) else '(recv)'}",
timestamp=True,
)

return fileinfo
Expand Down Expand Up @@ -553,10 +549,7 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo
nowTime = int(time.time())

if not connected:
self.logger.debug(
f"{get_ident()}: ClamAV attempting connection",
timestamp=True,
)
self.logger.debug(f"{get_ident()}: ClamAV attempting connection")
clamAv = (
clamd.ClamdUnixSocket(path=self.socketFileName)
if self.socketFileName is not None
Expand All @@ -565,16 +558,10 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo
try:
clamAv.ping()
connected = True
self.logger.debug(
f"{get_ident()}: ClamAV connected!",
timestamp=True,
)
self.logger.debug(f"{get_ident()}: ClamAV connected!")
except Exception as e:
connected = False
self.logger.info(
f"{get_ident()}: ClamAV connection failed: {str(e)}",
timestamp=True,
)
self.logger.info(f"{get_ident()}: ClamAV connection failed: {str(e)}")

if connected:
# first make sure we haven't exceeded rate limits
Expand All @@ -586,24 +573,15 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo

if connected and allowed:
try:
self.logger.debug(
f'{get_ident()} ClamAV scanning: {fileName}',
timestamp=True,
)
self.logger.debug(f'{get_ident()} ClamAV scanning: {fileName}')
clamavResult.result = clamAv.scan(fileName)
self.logger.debug(
f'{get_ident()} ClamAV scan result: {clamavResult.result}',
timestamp=True,
)
self.logger.debug(f'{get_ident()} ClamAV scan result: {clamavResult.result}')
clamavResult.success = clamavResult.result is not None
clamavResult.finished = True
except Exception as e:
if clamavResult.result is None:
clamavResult.result = str(e)
self.logger.info(
f'{get_ident()} ClamAV scan error: {clamavResult.result}',
timestamp=True,
)
self.logger.info(f'{get_ident()} ClamAV scan error: {clamavResult.result}')
finally:
self.scanningFilesCount.decrement()

Expand Down Expand Up @@ -689,17 +667,10 @@ def __init__(
yara.compile(filename)
self.ruleFilespecs[filename] = filename
except yara.SyntaxError as e:
self.logger.info(
f'{get_ident()} Ignored Yara compile error in (unknown): {e}',
timestamp=True,
)
self.logger.info(
f"{get_ident()}: Initializing Yara with {len(self.ruleFilespecs)} rules files",
timestamp=True,
)
self.logger.info(f'{get_ident()} Ignored Yara compile error in (unknown): {e}')
self.logger.info(f"{get_ident()}: Initializing Yara with {len(self.ruleFilespecs)} rules files")
self.logger.debug(
f"{get_ident()}: Initializing Yara with {len(self.ruleFilespecs)} rules files: {self.ruleFilespecs}",
timestamp=True,
f"{get_ident()}: Initializing Yara with {len(self.ruleFilespecs)} rules files: {self.ruleFilespecs}"
)

self.compiledRules = yara.compile(filepaths=self.ruleFilespecs)
Expand Down Expand Up @@ -737,26 +708,17 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo

if allowed:
try:
self.logger.debug(
f'{get_ident()} Yara scanning: {fileName}',
timestamp=True,
)
self.logger.debug(f'{get_ident()} Yara scanning: {fileName}')
yaraResult.result = self.compiledRules.match(fileName, timeout=YARA_RUN_TIMEOUT_SEC)
self.logger.debug(
f'{get_ident()} Yara scan result: {yaraResult.result}',
timestamp=True,
)
self.logger.debug(f'{get_ident()} Yara scan result: {yaraResult.result}')
yaraResult.success = yaraResult.result is not None
yaraResult.finished = True
except Exception as e:
if yaraResult.result is None:
yaraResult.result = {"error": str(e)}
yaraResult.success = False
yaraResult.finished = True
self.logger.info(
f'{get_ident()} Yara scan error: {yaraResult.result}',
timestamp=True,
)
self.logger.info(f'{get_ident()} Yara scan error: {yaraResult.result}')
finally:
self.scanningFilesCount.decrement()

Expand Down Expand Up @@ -866,10 +828,7 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo

if allowed:
try:
self.logger.debug(
f'{get_ident()} Capa scanning: {fileName}',
timestamp=True,
)
self.logger.debug(f'{get_ident()} Capa scanning: {fileName}')

if self.rulesDir is not None:
cmd = [
Expand Down Expand Up @@ -915,20 +874,14 @@ def submit(self, fileName=None, fileSize=None, fileType=None, block=False, timeo
# probably failed because it's not an executable, ignore it
capaResult.result = {"error": str(capaErr)}

self.logger.debug(
f'{get_ident()} Capa scan result: {capaResult.result}',
timestamp=True,
)
self.logger.debug(f'{get_ident()} Capa scan result: {capaResult.result}')
capaResult.success = capaResult.result is not None
capaResult.finished = True

except Exception as e:
if capaResult.result is None:
capaResult.result = str(e)
self.logger.debug(
f'{get_ident()} Capa scan error: {capaResult.result}',
timestamp=True,
)
self.logger.debug(f'{get_ident()} Capa scan error: {capaResult.result}')

finally:
self.scanningFilesCount.decrement()
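Review bot: The Capa failure path in the last hunk, `self.logger.debug(f'{get_ident()} Capa scan error: {capaResult.result}')`, records a scanner exception at debug level, while the equivalent ClamAV and Yara handlers in the earlier hunks (`ClamAV scan error`, `Yara scan error`) use `info`; a scanner that throws is a loss of detection coverage and should be at least as visible as the other two engines, so `self.logger.info(f'{get_ident()} Capa scan error: {capaResult.result}')` would keep the three consistent. The same consideration applies to the Yara `__init__` hunk, where a rule file that fails to compile is dropped with only an info-level `Ignored Yara compile error` message; logging that at `warning` would make the reduced rule set easier to notice in operations. If `self.logger` is now a stdlib `logging.Logger` (the removed `timestamp=True` keyword suggests the logger implementation changed, which I cannot confirm from the hunk), the f-strings are evaluated even when the level is disabled, and the `%s`-args form, e.g. `self.logger.debug('%s Capa scan result: %s', get_ident(), capaResult.result)`, defers formatting of the potentially large result objects. Each `submit` method's body begins and ends outside its hunk.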

