From 42f3981eddbed75c0ba08ea1e1cced8098e7b264 Mon Sep 17 00:00:00 2001
From: Gerard Wagener
Date: Thu, 7 Jan 2010 16:48:45 +0100
Subject: [PATCH] First attempt to automatically grasp kernel events from the UML
---
aha/aha.py | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 aha/aha.py
diff --git a/aha/aha.py b/aha/aha.py
new file mode 100644
index 00000000000..da3cb658d5a
--- /dev/null
+++ b/aha/aha.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+#Core of the adaptive honeypot alternative
+# (c) Gerard Wagener
+#License GPL
+import os,sys
+from pyinotify import *
+KERNEL_OUT="/home/gerard/kernel/linux-2.6/out"
+
+class KernelEvents(ProcessEvent):
+ def silent_clean(self,filename):
+ try:
+ os.unlink(filename)
+ except OSError,e:
+ pass
+
+ def load_file(self,filename):
+ msg = {}
+ fp = open(filename,'r')
+ for i in fp.read().split('\n'):
+ try:
+ (key,value) = i.split('=')
+ except ValueError,e:
+ pass
+ if msg.has_key(key) == False:
+ msg[key]=[]
+ msg[key].append(value)
+
+ fp.close()
+ return msg
+
+ def process_IN_CLOSE_WRITE(self, event):
+ filename = os.path.join(event.path,event.name)
+ msg = self.load_file(filename)
+ print msg
+ #Cleanup the file
+ self.silent_clean(filename)
+
+wm = WatchManager()
+
+mask = IN_CLOSE_WRITE # watched events
+
+notifier = Notifier(wm, KernelEvents())
+wdd = wm.add_watch(KERNEL_OUT, mask, rec=True)
+
+while True:
+ try:
+ # process the queue of events as explained above
+ notifier.process_events()
+ if notifier.check_events():
+ # read notified events and enqeue them
+ notifier.read_events()
+ #TODO manage a global queue of unfinished events
+ #If inotify on close works this should not be necessary
+ except KeyboardInterrupt:
+ # destroy the inotify's instance on this interrupt (stop monitoring)
+ notifier.stop()
+ break
+
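Review bot: In `load_file`, a line that does not split into exactly two pieces (the trailing empty string that `split('\n')` always yields, a line without `=`, or a value that itself contains `=`) is caught by `except ValueError` but then falls through to `msg[key].append(value)`, which re-appends the previous line's value under the previous key, or raises NameError if it is the first line. Replace the handler with `except ValueError: continue` and use `(key,value) = i.split('=',1)` so a value containing `=` is kept whole instead of being dropped. Since these event files are presumably produced by the monitored UML kernel and, in a honeypot, their contents can be influenced by the intruder, the loader should reject malformed lines strictly rather than silently merging them, and callers should treat the returned dict as untrusted input. Opening the file with `with open(filename) as fp:` would also avoid leaking the descriptor when parsing raises.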