增加白名单、进程链增加详细信息

增加白名单、进程链增加详细信息

Server/hash_white_list.py

@@ -0,0 +1,17 @@
+import sql
+g_white_list = []
+
+
+def add_white_list(path, hash, reason):
+    global g_white_list
+    if hash in g_white_list:
+        return False
+    g_white_list.append(hash)
+    sql.push_white_list(path, hash, reason)
+
+
+def synchronization_white_list():
+    sql_data = sql.query_all_white_list()
+    for data in sql_data:
+        g_white_list.append(data[1])
+    print("sync white list success, size: {}".format(len(sql_data)))

Server/log.py

@@ -8,6 +8,7 @@ import sql
 import global_vars
 import config
 import plugin
+import hash_white_list
 
 
 def process_log(host, json_log, raw_log):
@@ -53,8 +54,9 @@ def process_log(host, json_log, raw_log):
                 parent_user,
                 host,
             )
+            is_white_list = hash in hash_white_list.g_white_list
             child = process.Process(
-                pid, ppid, path, params, create_time, hash, parent_user, host
+                pid, ppid, path, params, create_time, hash, parent_user, host, is_white_list
             )
             chain = process.create_chain(parent_process)
             chain.add_process(child, parent_pid)
@@ -63,8 +65,9 @@ def process_log(host, json_log, raw_log):
                 child.set_score(score, rule_hit_name)
                 had_threat = global_vars.THREAT_TYPE_PROCESS
         else:
+            is_white_list = hash in hash_white_list.g_white_list
             child = process.Process(
-                pid, ppid, path, params, create_time, hash, user, host
+                pid, ppid, path, params, create_time, hash, user, host, is_white_list
             )
             parent_process.chain.add_process(child, ppid)
             current_process = child
@@ -81,7 +84,8 @@ def process_log(host, json_log, raw_log):
         pid = log["processid"]
         current_process = process.get_process_by_pid(pid)
         if current_process is not None:
-            plugin.dispath_process_terminal(host, current_process, raw_log, json_log)
+            plugin.dispath_process_terminal(
+                host, current_process, raw_log, json_log)
             current_process.active = False
             current_process.chain.terminate_count += 1
             if current_process.chain.terminate_count >= (
@@ -222,8 +226,8 @@ def process_raw_log(raw_logs: list) -> list:
         hash = log.hash
         create_time = log.timestamp
         host = log.host
-        current_process:process.Process = None
-        if path in process.skip_process_path :
+        current_process: process.Process = None
+        if path in process.skip_process_path:
             continue
         if log.action.lower() == "processcreate":
 

Server/process.py

@@ -85,7 +85,7 @@ g_ProcessChainList = []
 
 
 class Process:
-    def __init__(self, pid, ppid, path, params, time, md5, user, host):
+    def __init__(self, pid, ppid, path, params, time, md5, user, host, is_white=False):
         self.pid = pid
         self.ppid = ppid
         self.path = path
@@ -105,6 +105,7 @@ class Process:
         self.user = user
         self.chain: ProcessChain = None
         self.host = host
+        self.is_white = is_white
 
     def set_chain_data(self, chain):
         self.chain = chain
@@ -119,6 +120,8 @@ class Process:
         self.rmppid = rmppid
 
     def set_score(self, new_score, opertion):
+        if self.is_white:
+            return
         if opertion not in self.operationlist:
             self.risk_score += new_score
             self.operationlist[opertion] = 1

Server/rules/py/action.py

@@ -17,7 +17,7 @@ rule = [
         'rules': [
             'action == "processaccess" and calltrace =~ ".*unknown.*" and not calltrace =~ ".*conpty\.node.*" and not calltrace =~ ".*java\.dll.*" and not calltrace =~ ".*appvisvsubsystems64\.dll.*" and not calltrace =~ ".*twinui\.dll.*" and not calltrace =~ ".*nativeimages.*" and not targetimage == "c:\\windows\\system32\\cmd.exe"',
         ],
-        'score': 40,
+        'score': 20,
         'name': '异常进程访问'
     },
     {

Server/sql.py

@@ -20,6 +20,8 @@ g_rawdata_table = None
 g_rawdata_table_ins = None
 g_threat_table = None
 g_threat_table_ins = None
+g_hash_white_list_table = None
+g_hash_white_list_table_ins = None
 
 
 class raw_process_log(g_base):
@@ -62,6 +64,15 @@ class raw_process_log(g_base):
         return self.id
 
 
+class hash_white_list(g_base):
+    __tablename__ = "hash_white_list"
+    id = Column(Integer, primary_key=True)
+    hash = Column(String)
+    path = Column(String)
+    timestamp = Column(Integer)
+    reason = Column(String)
+
+
 class threat_log(g_base):
     __tablename__ = "threat_log"
     # 定义各字段
@@ -99,8 +110,11 @@ def init():
     global g_rawdata_table_ins
     global g_threat_table
     global g_threat_table_ins
+    global g_hash_white_list_table
+    global g_hash_white_list_table_ins
 
-    g_engine = create_engine("sqlite:///syseye.db?check_same_thread=False", echo=False)
+    g_engine = create_engine(
+        "sqlite:///syseye.db?check_same_thread=False", echo=False)
     g_base.metadata.create_all(g_engine)
     g_metadata = MetaData(g_engine)
     g_rawdata_table = Table("raw_process_log", g_metadata, autoload=True)
@@ -109,6 +123,54 @@ def init():
     g_threat_table = Table("threat_log", g_metadata, autoload=True)
     g_threat_table_ins = g_threat_table.insert()
 
+    g_hash_white_list_table = Table(
+        "hash_white_list", g_metadata, autoload=True)
+    g_hash_white_list_table_ins = g_hash_white_list_table.insert()
+
+
+def query_white_list_by_hash(pHash):
+    global g_hash_white_list_table
+    sql_session = sessionmaker(bind=g_engine)
+    white_list = sql_session().query(
+        g_hash_white_list_table).filter_by(hash=pHash).first()
+    sql_session().close()
+    return white_list
+
+
+def delete_white_list(pHash):
+    global g_hash_white_list_table
+    global g_engine
+    conn = g_engine.connect()
+    result = conn.execute(
+        delete(g_hash_white_list_table).where(
+            g_hash_white_list_table.columns.hash == pHash)
+    )
+    return result
+
+
+def push_white_list(pPath, pHash, pReason):
+    global g_hash_white_list_table_ins
+    current_time = int(round(time.time() * 1000))
+    ins = g_hash_white_list_table_ins.values(
+        path=pPath, hash=pHash, reason=pReason, timestamp=current_time)
+    # 连接引擎
+    conn = g_engine.connect()
+    # 执行语句
+    result = conn.execute(ins)
+    return result
+
+
+def query_all_white_list():
+    global g_hash_white_list_table
+    sql_session = sessionmaker(bind=g_engine)
+    white_list = (
+        sql_session()
+        .query(g_hash_white_list_table)
+        .all()
+    )
+    sql_session().close()
+    return white_list
+
 
 def push_process_raw(
     host,
@@ -241,7 +303,8 @@ def delete_threat(threat_id):
     global g_engine
     conn = g_engine.connect()
     result = conn.execute(
-        delete(g_threat_table).where(g_threat_table.columns.id == int(threat_id))
+        delete(g_threat_table).where(
+            g_threat_table.columns.id == int(threat_id))
     )
     return result
 

Server/templates/index.html

@@ -1 +1 @@
-<!DOCTYPE html><html><head><title>Duck Sys Eye</title><meta charset=utf-8><meta name=description content=syseye><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png sizes=128x128 href=icons/favicon-128x128.png><link rel=icon type=image/png sizes=96x96 href=icons/favicon-96x96.png><link rel=icon type=image/png sizes=32x32 href=icons/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=icons/favicon-16x16.png><link rel=icon type=image/ico href=favicon.ico><script defer src=js/vendor.070221f5.js></script><script defer src=js/app.3ea8aeff.js></script><link href=css/vendor.5b8581f0.css rel=stylesheet><link href=css/app.31d6cfe0.css rel=stylesheet></head><body><div id=q-app></div></body></html>
+<!DOCTYPE html><html><head><title>Duck Sys Eye</title><meta charset=utf-8><meta name=description content=syseye><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png sizes=128x128 href=icons/favicon-128x128.png><link rel=icon type=image/png sizes=96x96 href=icons/favicon-96x96.png><link rel=icon type=image/png sizes=32x32 href=icons/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=icons/favicon-16x16.png><link rel=icon type=image/ico href=favicon.ico><script defer src=js/vendor.8b656787.js></script><script defer src=js/app.3ff22fb9.js></script><link href=css/vendor.5b8581f0.css rel=stylesheet><link href=css/app.31d6cfe0.css rel=stylesheet></head><body><div id=q-app></div></body></html>

Server/templates/js/193.cfdf09ec.js

@@ -1 +1 @@
-"use strict";(globalThis["webpackChunksyseye"]=globalThis["webpackChunksyseye"]||[]).push([[193],{2193:(e,t,s)=>{s.r(t),s.d(t,{default:()=>p});var l=s(3673);const n={class:"fullscreen bg-blue text-white text-center q-pa-md flex flex-center"},o=(0,l._)("div",{style:{"font-size":"30vh"}}," 404 ",-1),c=(0,l._)("div",{class:"text-h2",style:{opacity:".4"}}," Oops. Nothing here... ",-1);function a(e,t,s,a,r,i){const u=(0,l.up)("q-btn");return(0,l.wg)(),(0,l.iD)("div",n,[(0,l._)("div",null,[o,c,(0,l.Wm)(u,{class:"q-mt-xl",color:"white","text-color":"blue",unelevated:"",to:"/",label:"Go Home","no-caps":""})])])}const r=(0,l.aZ)({name:"Error404"});var i=s(4260),u=s(9400),h=s(7518),b=s.n(h);const d=(0,i.Z)(r,[["render",a]]),p=d;b()(r,"components",{QBtn:u.Z})}}]);
+"use strict";(globalThis["webpackChunksyseye"]=globalThis["webpackChunksyseye"]||[]).push([[193],{2193:(e,t,s)=>{s.r(t),s.d(t,{default:()=>p});var l=s(3673);const n={class:"fullscreen bg-blue text-white text-center q-pa-md flex flex-center"},o=(0,l._)("div",{style:{"font-size":"30vh"}}," 404 ",-1),c=(0,l._)("div",{class:"text-h2",style:{opacity:".4"}}," Oops. Nothing here... ",-1);function a(e,t,s,a,r,i){const u=(0,l.up)("q-btn");return(0,l.wg)(),(0,l.iD)("div",n,[(0,l._)("div",null,[o,c,(0,l.Wm)(u,{class:"q-mt-xl",color:"white","text-color":"blue",unelevated:"",to:"/",label:"Go Home","no-caps":""})])])}const r=(0,l.aZ)({name:"Error404"});var i=s(4260),u=s(8240),h=s(7518),b=s.n(h);const d=(0,i.Z)(r,[["render",a]]),p=d;b()(r,"components",{QBtn:u.Z})}}]);

Server/templates/js/315.6ad8e4ee.js

@@ -0,0 +1 @@
+"use strict";(globalThis["webpackChunksyseye"]=globalThis["webpackChunksyseye"]||[]).push([[315],{7315:(e,a,t)=>{t.r(a),t.d(a,{default:()=>_});var n=t(3673),s=t(2323);function o(e,a,t,o,i,l){const r=(0,n.up)("q-td"),p=(0,n.up)("q-btn"),d=(0,n.up)("q-tr"),h=(0,n.up)("q-table");return(0,n.wg)(),(0,n.j4)(h,{class:"q-pa-lg",dense:e.$q.screen.lt.md,title:"白名单列表",columns:e.data_columns,rows:e.data_columns_data,loading:e.loading,pagination:e.pagination,"onUpdate:pagination":a[0]||(a[0]=a=>e.pagination=a),onRequest:e.onRequest},{body:(0,n.w5)((a=>[(0,n.Wm)(d,{props:a},{default:(0,n.w5)((()=>[(0,n.Wm)(r,{key:"path",props:a},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(a.row.path),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"hash",props:a},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(a.row.hash),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"reason",props:a},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(a.row.reason),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"timestamp",props:a},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(e.time_parase(a.row.timestamp)),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"action",props:a},{default:(0,n.w5)((()=>[(0,n.Wm)(p,{color:"red",label:"移除白名单",onClick:t=>e.delete_white_hash(a.row.hash)},null,8,["onClick"])])),_:2},1032,["props"])])),_:2},1032,["props"])])),_:1},8,["dense","columns","rows","loading","pagination","onRequest"])}var i=t(52),l=t.n(i);const r=(0,n.aZ)({name:"WhiteList",data:function(){return{data_columns:[{name:"path",align:"center",label:"路径",field:"path"},{name:"hash",align:"center",label:"hash",field:"hash"},{name:"reason",align:"center",label:"原因",field:"reason"},{name:"timestamp",align:"center",label:"时间",field:"timestamp"},{name:"action",align:"center",label:"操作",field:"steamid"}],data_columns_data:[],loading:!1,pagination:{sortBy:"desc",descending:!1,page:1,rowsPerPage:10,rowsNumber:10}}},mounted(){this.onRequest({pagination:this.pagination,filter:void 0})},methods:{delete_white_hash(e){l().get("/api/v1/del/white_list?hash="+e).then((e=>{console.log("duck was gone")}))},time_parase(e){const a=e=>e<10?"0"+e:e,t=new Date(Number(e));console.log("time",e);const n=t.getFullYear(),s=t.getMonth()+1,o=t.getDate(),i=t.getHours(),l=t.getMinutes(),r=t.getSeconds();return n+"-"+a(s)+"-"+a(o)+" "+a(i)+":"+a(l)+":"+a(r)},onRequest(e){this.data_columns_data=[],this.loading=!0;const{page:a}=e.pagination;l().get("/api/v1/query/white_list_all").then((e=>{const t=e.data.result;console.log(t);for(let a=0;a<t.length;a++){const e=t[a];this.data_columns_data.push(e)}this.pagination.page=a,this.pagination.rowsNumber=this.data_columns_data.length,this.pagination.rowsPerPage=this.data_columns_data.length,this.loading=!1}))}}});var p=t(4260),d=t(1779),h=t(8186),g=t(3884),u=t(8240),c=t(7518),m=t.n(c);const w=(0,p.Z)(r,[["render",o]]),_=w;m()(r,"components",{QTable:d.Z,QTr:h.Z,QTd:g.Z,QBtn:u.Z})}}]);

Server/templates/js/950.7d796a08.js

@@ -1 +0,0 @@
-"use strict";(globalThis["webpackChunksyseye"]=globalThis["webpackChunksyseye"]||[]).push([[950],{950:(e,a,t)=>{t.r(a),t.d(a,{default:()=>T});var l=t(3673);const r=(0,l.Uk)(" DuckSysEye内部测试版本v0.0.0.1 "),i=(0,l.Uk)(" 仪表盘 "),n=(0,l.Uk)(" 未处理威胁列表 "),o=(0,l.Uk)(" 已处理威胁列表 "),u=(0,l.Uk)(" 已忽略威胁列表 ");function c(e,a,t,c,s,d){const m=(0,l.up)("q-toolbar-title"),w=(0,l.up)("q-btn"),p=(0,l.up)("q-toolbar"),b=(0,l.up)("q-header"),_=(0,l.up)("q-icon"),h=(0,l.up)("q-item-section"),v=(0,l.up)("q-item"),f=(0,l.up)("q-list"),W=(0,l.up)("q-scroll-area"),k=(0,l.up)("q-drawer"),g=(0,l.up)("router-view"),y=(0,l.up)("q-page-container"),L=(0,l.up)("q-layout"),Z=(0,l.Q2)("ripple");return(0,l.wg)(),(0,l.j4)(L,{view:"lHh Lpr lFf",style:{"background-color":"rgb(239, 243, 246)"}},{default:(0,l.w5)((()=>[(0,l.Wm)(b,{elevated:"","height-hint":"98"},{default:(0,l.w5)((()=>[(0,l.Wm)(p,{class:"text-primary bg-white"},{default:(0,l.w5)((()=>[(0,l.Wm)(m,null,{default:(0,l.w5)((()=>[r])),_:1}),(0,l.Wm)(w,{flat:"",round:"",dense:"",icon:"more_vert"})])),_:1})])),_:1}),(0,l.Wm)(k,{"show-if-above":"",mini:e.miniState,onMouseover:a[4]||(a[4]=a=>e.miniState=!1),onMouseout:a[5]||(a[5]=a=>e.miniState=!0),width:200,breakpoint:500,bordered:"",class:"bg-white text-primary"},{default:(0,l.w5)((()=>[(0,l.Wm)(W,{class:"fit"},{default:(0,l.w5)((()=>[(0,l.Wm)(f,{padding:""},{default:(0,l.w5)((()=>[(0,l.wy)(((0,l.wg)(),(0,l.j4)(v,{active:"dashboard"==e.selectLabel,clickable:"","active-class":"menu-active",onClick:a[0]||(a[0]=a=>e.selectLabel="dashboard"),to:"/page/dashboard"},{default:(0,l.w5)((()=>[(0,l.Wm)(h,{avatar:""},{default:(0,l.w5)((()=>[(0,l.Wm)(_,{name:"dashboard"})])),_:1}),(0,l.Wm)(h,null,{default:(0,l.w5)((()=>[i])),_:1})])),_:1},8,["active"])),[[Z]]),(0,l.wy)(((0,l.wg)(),(0,l.j4)(v,{active:"non_hanlde_report"==e.selectLabel,clickable:"","active-class":"menu-active",onClick:a[1]||(a[1]=a=>{e.selectLabel="non_hanlde_report",e.routerToThreatList(0)})},{default:(0,l.w5)((()=>[(0,l.Wm)(h,{avatar:""},{default:(0,l.w5)((()=>[(0,l.Wm)(_,{name:"report"})])),_:1}),(0,l.Wm)(h,null,{default:(0,l.w5)((()=>[n])),_:1})])),_:1},8,["active"])),[[Z]]),(0,l.wy)(((0,l.wg)(),(0,l.j4)(v,{active:"handle_report"==e.selectLabel,clickable:"","active-class":"menu-active",onClick:a[2]||(a[2]=a=>{e.selectLabel="handle_report",e.routerToThreatList(1)})},{default:(0,l.w5)((()=>[(0,l.Wm)(h,{avatar:""},{default:(0,l.w5)((()=>[(0,l.Wm)(_,{name:"done"})])),_:1}),(0,l.Wm)(h,null,{default:(0,l.w5)((()=>[o])),_:1})])),_:1},8,["active"])),[[Z]]),(0,l.wy)(((0,l.wg)(),(0,l.j4)(v,{active:"ingore_report"==e.selectLabel,clickable:"","active-class":"menu-active",onClick:a[3]||(a[3]=a=>{e.selectLabel="ingore_report",e.routerToThreatList(2)})},{default:(0,l.w5)((()=>[(0,l.Wm)(h,{avatar:""},{default:(0,l.w5)((()=>[(0,l.Wm)(_,{name:"texture"})])),_:1}),(0,l.Wm)(h,null,{default:(0,l.w5)((()=>[u])),_:1})])),_:1},8,["active"])),[[Z]])])),_:1})])),_:1})])),_:1},8,["mini"]),(0,l.Wm)(y,null,{default:(0,l.w5)((()=>[(0,l.Wm)(g)])),_:1})])),_:1})}const s=(0,l.aZ)({name:"MainLayout",setup(){return{}},data:function(){return{selectLabel:"non_hanlde_report",drawer:!1,miniState:!0}},methods:{routerToThreatList(e){this.$router.push({name:"index",params:{queryIndex:e}})}}});var d=t(4260),m=t(9214),w=t(3812),p=t(9570),b=t(3747),_=t(9400),h=t(2901),v=t(7704),f=t(7011),W=t(3414),k=t(2035),g=t(4554),y=t(2652),L=t(6489),Z=t(7518),q=t.n(Z);const Q=(0,d.Z)(s,[["render",c]]),T=Q;q()(s,"components",{QLayout:m.Z,QHeader:w.Z,QToolbar:p.Z,QToolbarTitle:b.Z,QBtn:_.Z,QDrawer:h.Z,QScrollArea:v.Z,QList:f.Z,QItem:W.Z,QItemSection:k.Z,QIcon:g.Z,QPageContainer:y.Z}),q()(s,"directives",{Ripple:L.Z})}}]);

Server/webserver.py

@@ -1,3 +1,4 @@
+import hash_white_list
 import json
 from flask import Flask
 from flask import request
@@ -8,6 +9,7 @@ import config
 from flask import Flask, render_template, request
 import plugin
 import logging
+import html
 
 app = Flask(
     __name__,
@@ -65,6 +67,59 @@ def threat_statistics():
     return {"data": return_data}
 
 
+@app.route("/api/v1/query/white_list_all", methods=["GET"])
+def white_list_query_all():
+    if request.remote_addr not in config.ALLOW_ACCESS_IP:
+        return "Access Denied"
+    all_list = sql.query_all_white_list()
+    result = []
+    for iter in all_list:
+        result.append({
+            "hash": iter[1],
+            "path": iter[2],
+            "timestamp": iter[3],
+            "reason": iter[4]
+        })
+    return {"status": "success", "result": result}
+
+
+@app.route("/api/v1/query/white_list", methods=["GET"])
+def white_list_query():
+    hash = request.args.get("hash")
+    if request.remote_addr not in config.ALLOW_ACCESS_IP or hash is None or len(hash) == 0:
+        return "Access Denied"
+    hash = hash.lower()
+    result = 0
+    if hash in hash_white_list.g_white_list:
+        result = 1
+    return {"status": "success", "result": result}
+
+
+@app.route("/api/v1/del/white_list", methods=["GET"])
+def white_list_del():
+    hash = request.args.get("hash")
+    if request.remote_addr not in config.ALLOW_ACCESS_IP or hash is None or len(hash) == 0:
+        return "Access Denied"
+    hash = hash.lower()
+    if hash in hash_white_list.g_white_list:
+        sql.delete_white_list(hash)
+        hash_white_list.g_white_list.remove(hash)
+    return {"status": "success"}
+
+
+@app.route("/api/v1/set/white_list", methods=["POST"])
+def white_list_set():
+    body_data = request.data.decode()
+    if request.remote_addr not in config.ALLOW_ACCESS_IP:
+        return "Access Denied"
+    json_data = json.loads(body_data)
+    hash = html.escape(json_data["hash"]).lower()
+    path = html.escape(json_data["path"]).lower()
+    reason = html.escape(json_data["reason"])
+    hash_white_list.add_white_list(path, hash, reason)
+    return {"status": "success"}
+
+
 @app.route("/api/v1/get/process_chain/handle", methods=["GET"])
 def handle_chain_data():
     id = request.args.get("id")
@@ -159,6 +214,7 @@ if __name__ == "__main__":
     plugin.reload_plugs()
     sql.init()
     rule.init_rule()
+    hash_white_list.synchronization_white_list()
 
     # 如果你觉得日志太多了,去掉这个注释...
     flask_log = logging.getLogger("werkzeug")