admin/RmEye
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update opswat.py

Browse Source
This commit is contained in:
huoji
2022-09-29 17:16:04 +08:00
parent b3c6b5ae3a
commit 27a22c2074
1 changed files with 5 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
Server/plugins/ioc_opswat/opswat.py
View File

@@ -1,4 +1,3 @@
import log
import requests import requests
import global_vars import global_vars
import process import process
@@ -256,13 +255,9 @@ def asnyc_check_ip(current_process: process.Process, host, ip):
if cache_status == STATUS_VIRUS: if cache_status == STATUS_VIRUS:
current_process.set_score(666, "恶意网络链接IP:{}".format(ip)) current_process.set_score(666, "恶意网络链接IP:{}".format(ip))
log.update_process_threat_status(
current_process, host, global_vars.THREAT_TYPE_PROCESS)
elif cache_status == STATUS_UNK: elif cache_status == STATUS_UNK:
# crowdstrike: 这个我熟 # crowdstrike: 这个我熟
current_process.set_score(10, "低信誉ip链接:{}".format(ip)) current_process.set_score(10, "低信誉ip链接:{}".format(ip))
log.update_process_threat_status(
current_process, host, global_vars.THREAT_TYPE_PROCESS)
g_check_ip_list[ip] = cache_status g_check_ip_list[ip] = cache_status
@@ -291,13 +286,9 @@ def asnyc_check_hash(current_process: process.Process, host):
if cache_status == STATUS_VIRUS: if cache_status == STATUS_VIRUS:
current_process.set_score(666, "恶意软件") current_process.set_score(666, "恶意软件")
log.update_process_threat_status(
current_process, host, global_vars.THREAT_TYPE_PROCESS)
elif cache_status == STATUS_UNK: elif cache_status == STATUS_UNK:
# crowdstrike: 这个我熟 # crowdstrike: 这个我熟
current_process.set_score(10, "低信誉文件") current_process.set_score(10, "低信誉文件")
log.update_process_threat_status(
current_process, host, global_vars.THREAT_TYPE_PROCESS)
g_check_hashes_list[hash] = cache_status g_check_hashes_list[hash] = cache_status
@@ -314,9 +305,11 @@ def rule_new_process_action(current_process: process.Process, host, raw_log_data
if rm_plugs_config['apikey'] != "" is not None and json_log_data['action'] == 'networkconnect' and hash_white_list.check_in_while_list(current_process) == False: if rm_plugs_config['apikey'] != "" is not None and json_log_data['action'] == 'networkconnect' and hash_white_list.check_in_while_list(current_process) == False:
# print('network connect{}'.format( # print('network connect{}'.format(
# json_log_data['data']['destinationip'])) # json_log_data['data']['destinationip']))
g_check_ip_list[json_log_data['data']['destinationip']] = -2 ip_addr = json_log_data['data']['destinationip']
asnyc_check_ip(current_process, host, if len(ip_addr) >= 5:
json_log_data['data']['destinationip']) g_check_ip_list[json_log_data['data']['destinationip']] = -2
asnyc_check_ip(current_process, host,
json_log_data['data']['destinationip'])
return global_vars.THREAT_TYPE_NONE return global_vars.THREAT_TYPE_NONE