require 'digest'
require 'json'
require 'socket'
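class FakeAgent
  include PacketFu

  # Base URL of the backend this agent registers with and reports to.
  DEFAULT_ENDPOINT = 'http://localhost:3000'

  attr_reader :id, :endpoint

  # @param endpoint [String] base URL of the backend API
  def initialize(endpoint = DEFAULT_ENDPOINT)
    @endpoint = endpoint
  end

  # Obtains an agent id, either from +id+ (defaulting to the AGENT_ID
  # environment variable) or by registering this host with the backend.
  #
  # @param id [String, nil] pre-assigned agent id; blank means "register"
  # @return [String, nil] the agent id now stored in +@id+
  def register(id = ENV['AGENT_ID'])
    if id && !id.to_s.strip.empty?
      @id = id
    else
      response = Typhoeus.post(registration_url, body: { agent: { hostname: hostname } })
      # NOTE(review): the HTTP status is not checked; a non-2xx or non-JSON
      # body surfaces here as a JSON::ParserError or as a nil id.
      json = JSON.parse(response.body)
      @id = json["id"]
    end
  end

  # Watches +directory+ for changes, publishes one event per changed path and
  # scans every touched path. Blocks forever: the listener runs in its own
  # thread and the calling thread sleeps.
  #
  # @param directory [String] directory to watch recursively
  # @return [void] does not return normally
  def watch(directory)
    listener = Listen.to(directory, debug: true) do |modified, added, removed|
      publish_event(:modified, modified)
      publish_event(:added, added)
      publish_event(:removed, removed)
      # Removed paths are passed as well; scan_file ignores anything that is
      # no longer a regular file.
      (modified + added + removed).flatten.each { |file| scan_file(file) }
    end
    listener.start
    sleep
  end

  # Scans every regular file below +directory+.
  #
  # Fix: the glob used to be the literal "**/**/*", so +directory+ was
  # ignored and the process's current working directory was walked instead.
  #
  # @param directory [String] root of the scan
  # @return [void]
  def scan(directory)
    # NOTE(review): a directory name containing glob metacharacters would be
    # interpreted by Dir[]; confirm callers only pass plain paths.
    Dir[File.join(directory, '**', '*')].each { |file| scan_file(file) }
  end

  # Asks the backend for the disposition of a single file and publishes a
  # +:quarantined+ event when it is reported as malicious. Errors are logged
  # rather than raised so one bad file does not stop a scan or a watch.
  #
  # @param file [String] path to check; anything but a regular file is skipped
  # @return [void]
  def scan_file(file)
    return unless File.file?(file)

    case disposition_for(file)
    when "malicious"
      publish_event(:quarantined, [file])
    when "unknown"
      puts "file is unknown"
    end
  rescue StandardError => error
    log_error(error)
  end

  # Captures packets on +interface+ and yields each IP packet to the block.
  # Runs until the capture stream ends.
  #
  # @param interface [String] network interface name
  # @yieldparam packet [PacketFu::Packet] a parsed IP packet
  # @return [void]
  def sniff(interface)
    capture = Capture.new(iface: interface, start: true)
    capture.stream.each do |raw|
      packet = Packet.parse(raw)
      yield packet if packet.is_ip? && block_given?
    end
  end

  # Prints a one-line summary of every IP packet seen on +interface+ that did
  # not originate from this host's own address on that interface.
  #
  # @param interface [String] network interface name
  # @return [void]
  def packet_capture(interface)
    # Looked up once instead of per packet: Utils.ifconfig is comparatively
    # expensive and the interface address does not change during a capture.
    local_ip = Utils.ifconfig(interface)[:ip_saddr]
    sniff(interface) do |packet|
      next if packet.ip_saddr == local_ip

      packet_info = [packet.ip_saddr, packet.ip_daddr, packet.size, packet.proto.last]
      # packet.dissect prints the fully decoded packet if more detail is needed
      puts "%-15s -> %-15s %-4d %s" % packet_info
    end
  end

  private

  # Posts one event per file to the backend. Failures are logged, not raised,
  # so a backend outage does not kill the watcher.
  #
  # @param event [Symbol] event type (:modified, :added, :removed, :quarantined)
  # @param files [Array<String>] paths the event applies to
  # @return [void]
  def publish_event(event, files)
    files.each do |file|
      body = {
        event: {
          agent_id: id,
          type: event,
          data: {
            fingerprint: fingerprint_for(file),
            path: file,
            hostname: hostname,
            ip_addresses: ip_addresses,
          }
        }
      }
      Typhoeus.post(event_url, body: body)
    end
  rescue StandardError => error
    log_error(error)
  end

  # SHA-256 hex digest of +file+, or nil when it is not a regular file
  # (including when it has already been removed).
  #
  # Fix: the digest used to come from a shell command with the path
  # interpolated into it. A filename containing shell metacharacters in a
  # watched directory would then have been executed by the agent. Digest
  # hashes the file in-process, with no shell involved.
  #
  # @param file [String] path to hash
  # @return [String, nil] 64 lowercase hex characters, or nil
  def fingerprint_for(file)
    return nil unless File.file?(file)

    Digest::SHA256.file(file).hexdigest
  end

  # Host identifier sent to the backend; memoized per process.
  #
  # @return [String] system hostname plus a random slug
  def hostname
    # NOTE(review): the slug is random per process, so the backend sees a
    # new hostname after every restart — confirm that is intended.
    @hostname ||= "#{Socket.gethostname}-#{Faker::Internet.slug}"
  end

  # IPv4 addresses of this host; memoized per process.
  #
  # @return [Array<String>]
  def ip_addresses
    @ipaddresses ||= Socket.ip_address_list.select(&:ipv4?).map(&:ip_address)
  end

  # Asks the backend for the recorded state of +file+.
  #
  # @param file [String] path to query
  # @return [String, nil] the backend's "state" value (for example
  #   "malicious" or "unknown"), or nil when the file could not be hashed
  def disposition_for(file)
    fingerprint = fingerprint_for(file)
    # Without a digest there is nothing to query; this also avoids requesting
    # ".../files/" with an empty fingerprint segment.
    return nil if fingerprint.nil?

    body = { data: { fingerprint: fingerprint, path: File.expand_path(file) } }
    JSON.parse(Typhoeus.get(file_query_url(fingerprint), body: body).body)["state"]
  end

  # @param fingerprint [String] hex digest of the file being queried
  # @return [String] per-agent file lookup URL (requires register to have run;
  #   with a nil id the agent segment is empty)
  def file_query_url(fingerprint)
    "#{endpoint}/api/agents/#{id}/files/#{fingerprint}"
  end

  # @return [String] per-agent event collection URL
  def event_url
    "#{endpoint}/api/agents/#{id}/events/"
  end

  # @return [String] agent registration URL
  def registration_url
    "#{endpoint}/api/agents"
  end

  # Prints an error and its backtrace on one line. +backtrace+ is nil for an
  # exception that was never raised, hence the Array() coercion.
  #
  # @param error [StandardError]
  # @return [void]
  def log_error(error)
    puts "#{error.message} #{Array(error.backtrace).join(' ')}"
  end
end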