Preliminar running version of tracking IP addresses with process ids

2024-12-26 10:46:11 +00:00 · 2010-01-19 17:19:37 +01:00 · 2010-01-19 17:19:37 +01:00 · e226c7303a
commit e226c7303a
parent 628f6f6236
2 changed files with 32 additions and 17 deletions
--- a/aha/aha-worker.py
+++ b/aha/aha-worker.py
@ -45,12 +45,12 @@ class PeriodTaks():
        mlist = []
        for file in files:
            af = queue + os.sep + file
-            self.debug("found file : %s"%af)
+            #self.debug("found file : %s"%af)
            s = os.stat(af)
            t1 = int(s[os.path.stat.ST_CTIME])
            delta = t0 - t1
            if (delta > self.timeout):
-                self.debug("%s exceeds threshold"%af)
+                #self.debug("%s exceeds threshold"%af)
                #Old file was found record it
                if queue == self.outqueue:
                    msg = self.record_message(af,t1,PeriodTaks.FROM_KERNEL)
@ -85,28 +85,32 @@ class PeriodTaks():
                    self.debug('Got sys_execve message')
                    #Is there a new user
                    file = msg['file'][0]
-                    self.debug('Got command: %s'%file)
+                    self.debug('Got command:  %s, pid=%d,ppid=%d'%(file,pid,ppid))
+                    self.ptree.annotateProcessList(msg)
                    if file == '/usr/sbin/sshd':
                        self.debug("New user found %s"%pid)
                        self.ptree.addUser(pid)
+                    #Annotate all the processes
                #Check all pids and ppids
                if self.ptree.searchTree(pid,ppid):
-                    self.ptree.annotateProcessList(msg)
-                    self.debug("User related command")
-                    self.ptree.exportUserListTxt(exportFile)
+                    self.debug("User related command %d"%pid)
                else:
                    self.debug("System related command")
                    #TODO free annotated list
                # Remove dead processes from process tree 
                if (type == 3):
                    pid = int(msg['pid'][0])
-                    self.ptree.silent_remove_pid(pid)
+                    #When the attacker disconnects, regenerate a status file
+                    if self.ptree.userList.has_key(pid):
+                        print "User disconnected export file"
+                        self.ptree.exportUserListTxt(exportFile)
+                    #self.ptree.silent_remove_pid(pid)
        except KeyError,e:
-            pass
+            print e 
        except ValueError,e:
-            pass
+            print e
        except IndexError,e:
-            pass
+            print e
 
    def clean_output_queue(self):
        try:
--- a/aha/ahalib.py
+++ b/aha/ahalib.py
@ -105,16 +105,21 @@ class ProcessTrees:
        self.foundUser = 0
        self.aplist = {}
    #This first clone of /usr/sbin/sshd does not has the
-    #SSH specific environment variables
-    #FIXME search is only done at first level of the tree
-    #pid is the ssh clone for this user
+    #SSH specific environment variables. Therefore ask all the
+    #children
    def search_ssh_info(self,pid):
-        for child in self.processList:
-            if child == pid:
-                #Found a child of the first priviledged seperated process
+        print "Searching info for ",pid
+        children = self.get_children(pid)
+        print "Children of pid",children
+        print type(children)
+        for child in children:
+            if self.aplist.has_key(child):
+                print "Found annotations for child %d"%child
                if self.aplist[child].has_key('ssh_client'):
+                    print "Found ssh info for child %d"%child
                    return self.aplist[child]['ssh_client']
        # Retuns None if ssh related information was not found
+        sys.stderr.write('ERROR: No child provided SSH information\n')
        return None
        
    # Record additional information about processes like SSH parameters
@ -131,6 +136,7 @@ class ProcessTrees:
            #Does the message  has a file name ?
            if msg.has_key('file'):
                self.aplist[pid]['file'] = msg['file'][0]
+                print "Annotated pid=",pid, "file=",msg['file'][0]
            #Does the message has SSH related information?
            if msg.has_key('env'):
                # Go through the environment list
@ -138,13 +144,16 @@ class ProcessTrees:
                    if ev.startswith('SSH_CLIENT='):
                        ev = ev.replace('SSH_CLIENT=','')
                        self.aplist[pid]['ssh_client'] = ev
+                        print "Annotated pid=", pid," ev",ev
            # Is there a timestamp?
            if msg.has_key('timestamp'):
                self.aplist[pid]['timestamp'] = msg['timestamp']
 
        except ValueError,e:
+            print e
            pass
        except IndexError,e:
+            print e
            pass

    def addUser(self,pid):
@ -216,12 +225,14 @@ class ProcessTrees:
            ts =  time.strftime("%Y-%m-%d %H:%M:%S") 
            f.write("*** UserList created on %s ***\n"%(str(ts)))
            for pid in self.userList.keys():
+                print "Inspecting user: ",pid
                #See if some annotation is found for this pid
                if self.aplist.has_key(pid):
+                    print "Found some annotations for",pid
                    #Look for SSH variables in the first child process
                    sshinfo = self.search_ssh_info(pid)
                    if sshinfo:
-                        f.write(sshinfo)
+                        f.write("%s\n"%sshinfo)
                    else:
                        sys.stderr.write("No SSH information is there\n")
                    if self.aplist[pid].has_key('timestamp'):