白名单现在看父进程,如果父进程是白名单的子进程产生的行为都加白(不确定是否可靠,有待观察).

2022-09-02 15:23:34 +08:00
parent e3ae734150
commit fe69282d89
3 changed files with 6 additions and 2 deletions
--- a/Server/config.py
+++ b/Server/config.py
@@ -1,4 +1,4 @@
 # 检出阈值,越高越难检出但是也会越准确
 MAX_THREAT_SCORE = 170
 # 授权访问主站的IP列表.如果不在后台里面则不能访问后台
-ALLOW_ACCESS_IP = ['127.0.0.1']
+ALLOW_ACCESS_IP = ['127.0.0.1', '192.168.111.189', '192.168.111.187']
--- a/Server/log.py
+++ b/Server/log.py
@@ -58,6 +58,8 @@ def process_log(host, json_log, raw_log):
            child = process.Process(
                pid, ppid, path, params, create_time, hash, parent_user, host, is_white_list
            )
+            parent_process.parent_process = parent_process
+            child.parent_process = parent_process
            chain = process.create_chain(parent_process)
            chain.add_process(child, parent_pid)
            current_process = child
@@ -69,6 +71,7 @@ def process_log(host, json_log, raw_log):
            child = process.Process(
                pid, ppid, path, params, create_time, hash, user, host, is_white_list
            )
+            child.parent_process = parent_process
            parent_process.chain.add_process(child, ppid)
            current_process = child
            if score > 0:
--- a/Server/process.py
+++ b/Server/process.py
@@ -87,6 +87,7 @@ g_ProcessChainList = []
 class Process:
    def __init__(self, pid, ppid, path, params, time, md5, user, host, is_white=False):
        self.pid = pid
+        self.parent_process = None
        self.ppid = ppid
        self.path = path
        self.params = params
@@ -120,7 +121,7 @@ class Process:
        self.rmppid = rmppid

    def set_score(self, new_score, opertion):
-        if self.is_white:
+        if self.is_white or self.chain.root_process.is_white or self.parent_process.is_white:
            return
        if opertion not in self.operationlist:
            self.risk_score += new_score