From 6f75d2f7d0e894128f5f3cc6ee4648f382b9f2b8 Mon Sep 17 00:00:00 2001
From: Gerard Wagener
Date: Mon, 18 Jan 2010 17:41:21 +0100
Subject: [PATCH] Worker should is also maintaining a process list
---
aha/aha-worker.py | 38 ++++++++++++++++++++++++++++++++++----
aha/aha.cfg | 2 ++
2 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/aha/aha-worker.py b/aha/aha-worker.py
index d7c24234fe6..60863785032 100644
--- a/aha/aha-worker.py
+++ b/aha/aha-worker.py
@@ -17,7 +17,7 @@ class PeriodTaks():
 #Define message types
 FROM_KERNEL = 1
 TO_KERNEL = 2
- 
+
 def __init__(self,outqueue,inqueue, timeout,sleeptime, logfile):
 self.outqueue= outqueue
 self.inqueue = inqueue
@@ -27,12 +27,15 @@ class PeriodTaks():
 #Log file descriptor
 self.lfd = open(logfile,'a')
 self.aha = AHAActions(inqueue,outqueue)
+ #Processtree related stuff
+ self.ptree = ProcessTrees()
 #Make close action externally available
 def closeLogFile(self):
 self.lfd.close()
 def remove_old_msg(self,queue):
+ msg = None
 #Get current date if the files are older than the timeout remove them
 t0 = int(time.strftime("%s"))
 files = dircache.listdir(queue)
@@ -44,11 +47,14 @@ class PeriodTaks():
 if (delta > self.timeout):
 #Old file was found record it
 if queue == self.outqueue:
- self.record_message(af,t1,PeriodTaks.FROM_KERNEL)
+ msg = self.record_message(af,t1,PeriodTaks.FROM_KERNEL)
+ print msg
 if queue == self.inqueue:
- self.record_message(af,t1,PeriodTaks.TO_KERNEL)
+ msg = self.record_message(af,t1,PeriodTaks.TO_KERNEL)
 #Remove it
 self.aha.silent_clean(af)
+ #Return the message for further processing
+ return msg
 def clean_input_queue(self):
 try:
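Review bot: remove_old_msg now returns only the last expired message, so when one sweep finds several files older than the timeout the earlier ones are logged and deleted by silent_clean but never reach maintain_process_tree, which clean_output_queue feeds with the single returned msg. Collecting them instead keeps every message: initialise `msgs = []`, do `msgs.append(msg)` after each record_message call and `return msgs`, with the caller iterating `for msg in msgs: self.maintain_process_tree(msg)`. The `print msg` next to the FROM_KERNEL branch looks like leftover debugging; it dumps every expired kernel message to stdout on each sweep. The loop header of remove_old_msg lies outside this hunk.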
@@ -57,9 +63,29 @@ class PeriodTaks():
 sys.stderr.write(str(e))
+ def maintain_process_tree(self,msg):
+ try:
+ pid = int(msg['pid'][0])
+ ppid = int(msg['ppid'][0])
+ type = int(msg['type'][0])
+ #Focus on do_execve messages
+ if (type == 1 ) or (type== 2):
+ self.ptree.searchTree(pid,ppid)
+ #Focus on sys_close
+ if (type == 3):
+ self.ptree.silent_remove_pid(pid)
+ except IndexError,e:
+ pass
+ except ValueError,e:
+ pass
+
+
 def clean_output_queue(self):
 try:
- self.remove_old_msg(self.outqueue)
+ msg = self.remove_old_msg(self.outqueue)
+ if msg:
+ self.maintain_process_tree(msg)
+
 except OSError,e:
 sys.stderr.write(str(e))
@@ -72,13 +98,16 @@ class PeriodTaks():
 msg = self.aha.load_file(filename)
 logEntry = self.aha.serializeKernelMessage(msg,filename,ctime)
 self.lfd.write(logEntry)
+ return msg
 if type == PeriodTaks.TO_KERNEL:
 msg = self.aha.get_kernel_reply(filename)
 logEntry=self.aha.serializeAhaReply(msg,filename,ctime)
 self.lfd.write(logEntry)
+ return msg
 except IOError,e:
 sys.stderr.write('Failed to record message: %s\n'%filename)
+ return None
 def usage(exitcode):
 print """
@@ -122,6 +151,7 @@ try:
 logfile = c.get('worker','logfile')
 p = PeriodTaks(outqueue, inqueue, timeout,sleeptime,logfile)
 print "Start working ..."
+
 while True:
 p.clean_input_queue()
 p.clean_output_queue()
diff --git a/aha/aha.cfg b/aha/aha.cfg
index 70b6166eb01..df264f1ca81 100644
--- a/aha/aha.cfg
+++ b/aha/aha.cfg
@@ -5,6 +5,8 @@ sleeptime=3
 #removed or not
 timeout=3
 logfile=/home/gerard/kernel/adaptive-honeypot/linux-2.6/aha/aha.log
+#Directory where UML information is periodically stored
+exportdir=/tmp/ahaworker
 [common]
 #Directory where the kernel writes data
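Review bot: maintain_process_tree swallows IndexError and ValueError with `pass` but lets KeyError and TypeError escape, so a kernel message that lacks a 'pid'/'ppid'/'type' key, or whose value is not a list, propagates out of clean_output_queue (whose only handler is `except OSError`) and, as far as the later `while True` hunk shows, ends the worker loop. Because these messages describe attacker-driven activity in the honeypot kernel, I would treat every parse failure as data to report rather than a reason to stop or to stay silent: `except (KeyError, IndexError, ValueError, TypeError),e:` followed by `sys.stderr.write('Malformed kernel message: %s\n' % str(e))`, matching the stderr reporting used elsewhere in the file. `type` also shadows the builtin (`mtype` reads better), and the literals 1, 2 and 3 deserve class constants beside FROM_KERNEL/TO_KERNEL, since the two comments are the only record of what they mean. What happens after an exception leaves the main loop depends on the outer `try:` whose handler is not in this patch.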
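Review bot: record_message acquires a return contract here that nothing states: the loaded message on success, None after an IOError, and None by falling off the end when `type` is neither FROM_KERNEL nor TO_KERNEL, and remove_old_msg now branches on that value. A docstring such as `"""Log the message in filename and return it as loaded, or None when it could not be read, logged or matched to a message type."""` would make the None cases explicit for the caller. Worth a comment too: an IOError raised by `self.lfd.write` after a successful load also yields None, and the caller then deletes the file with silent_clean, so a log-write failure silently drops that message from the process tree. record_message's signature and its `try:` lie above this hunk.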
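Review bot: `exportdir=/tmp/ahaworker` fixes the export location inside the world-writable /tmp, and nothing in this patch creates or reads it, so whatever later writes there inherits the usual pre-created-directory and symlink problem: any local user can create /tmp/ahaworker first and redirect or read the worker's output. If the exports are not meant to be shared, a directory next to the logfile or under the worker's own state path avoids this; if /tmp is intentional, the code that uses the key should create the directory with a restrictive mode and refuse to continue when it already exists and is not owned by the worker. A comment after the new key saying which of the two applies would help the next reader. Whether and where exportdir is consumed cannot be told from this patch.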