adulau/aha
1
0
Fork 0
mirror of https://github.com/adulau/aha.git synced 2024-12-27 11:16:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

Try #1: Integrate process tree analysis in aha

Browse source 
Problem: Exceptions are thrown: Need to distinguish between message types
This commit is contained in:
Gerard Wagener 2010-01-15 10:20:47 +01:00
parent 5117feb142
commit 3fd629f6f3
1 changed files with 24 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
aha/aha.py
View file

@ -11,11 +11,31 @@ class KernelEvents(ProcessEvent):
def __init__(self,inqueue,outqueue,insultmaxidx): def __init__(self,inqueue,outqueue,insultmaxidx):
self.ahaa = AHAActions(inqueue,outqueue) self.ahaa = AHAActions(inqueue,outqueue)
self.processtrees = ProcessTrees()
def decision(self,filekey,msg): def decision(self,filekey,msg):
print msg
try: try:
command = msg['file'][0] command = msg['file'][0]
pid = int(msg['pid'][0])
ppid = int(msg['ppid'][0])
print "Got command: ",command print "Got command: ",command
#Is there a new SSH connection?
if msg['file'][0] == '/usr/sbin/sshd':
print "New user found pid=",pid,",ppid=",ppid
self.processtrees.addUser(pid)
self.ahaa.create_message(filekey,block=0, exitcode=0,
insult=0, substitue=0)
return
else:
#is this process related to a user?
if self.processtrees.searchTree(pid,ppid) == False:
print "Process belongs to the system, allow it"
#Note the process could also belong to a local
#connected user
self.ahaa.create_message(filekey,block=0, exitcode=0,
insult=0, substitue=0)
if msg['file'][0] == '/usr/bin/bvi': if msg['file'][0] == '/usr/bin/bvi':
self.ahaa.create_message(filekey, block=1, self.ahaa.create_message(filekey, block=1,
exitcode=KERNEL_ERRORS.ENOMEM, exitcode=KERNEL_ERRORS.ENOMEM,
@ -28,9 +48,11 @@ class KernelEvents(ProcessEvent):
insult=idx, substitue=0) insult=idx, substitue=0)
return return
except KeyError,e: except KeyError,e:
pass print "EXCEPTION: KeyError"
except IndexError,w: except IndexError,w:
pass print "EXCEPTION: IndexError"
except ValueError,s:
print "EXCEPTION: ValueError"
#Default action; allow-> out of memory #Default action; allow-> out of memory
self.ahaa.create_message(filekey,block=0,exitcode=0,insult=0, self.ahaa.create_message(filekey,block=0,exitcode=0,insult=0,
substitue=0) substitue=0)