196 lines
7.3 KiB
Python
196 lines
7.3 KiB
Python
import json
|
|
import time
|
|
|
|
import process
|
|
import rule
|
|
import sql
|
|
import global_vars
|
|
import config
|
|
import plugin
|
|
|
|
|
|
def process_log(host, json_log, raw_log):
|
|
log = json_log["data"]
|
|
had_threat = global_vars.THREAT_TYPE_NONE
|
|
current_process: process.Process = None
|
|
rule_hit_name = ""
|
|
score = 0
|
|
chain_hash = ""
|
|
params = ""
|
|
user = ""
|
|
|
|
if json_log["action"] == "processcreate":
|
|
pid = log["processid"]
|
|
ppid = log["parentprocessid"]
|
|
path = log["image"]
|
|
params = log["commandline"]
|
|
user = log["user"]
|
|
hash = log["hashes"].split(",")[0].split("=")[1]
|
|
|
|
parent_pid = log["parentprocessid"]
|
|
parent_ppid = parent_pid
|
|
parent_path = log["parentimage"]
|
|
parent_params = log["parentcommandline"]
|
|
parent_user = log["parentuser"]
|
|
create_time = int(round(time.time() * 1000))
|
|
|
|
if path in process.skip_process_path or path in process.skip_process_path:
|
|
return
|
|
parent_process: process.Process = process.get_process_by_pid(ppid)
|
|
score, rule_hit_name = rule.calc_score_in_create_process(log)
|
|
if hash in process.skip_md5:
|
|
return
|
|
if parent_process is None or parent_path in process.root_process_path:
|
|
# build a process
|
|
parent_process = process.Process(
|
|
parent_pid,
|
|
parent_ppid,
|
|
parent_path,
|
|
parent_params,
|
|
create_time - 1,
|
|
"None",
|
|
parent_user,
|
|
host,
|
|
)
|
|
child = process.Process(
|
|
pid, ppid, path, params, create_time, hash, parent_user, host
|
|
)
|
|
chain = process.create_chain(parent_process)
|
|
chain.add_process(child, parent_pid)
|
|
current_process = child
|
|
if score > 0:
|
|
child.set_score(score, rule_hit_name)
|
|
had_threat = global_vars.THREAT_TYPE_PROCESS
|
|
else:
|
|
child = process.Process(
|
|
pid, ppid, path, params, create_time, hash, user, host
|
|
)
|
|
parent_process.chain.add_process(child, ppid)
|
|
current_process = child
|
|
if score > 0:
|
|
child.set_score(score, rule_hit_name)
|
|
had_threat = global_vars.THREAT_TYPE_PROCESS
|
|
|
|
had_threat_plugin = plugin.dispath_rule_new_process_create(
|
|
host, current_process, raw_log, json_log
|
|
)
|
|
if had_threat == global_vars.THREAT_TYPE_NONE:
|
|
had_threat = had_threat_plugin
|
|
elif json_log["action"] == "processterminal":
|
|
pid = log["processid"]
|
|
current_process = process.get_process_by_pid(pid)
|
|
if current_process is not None:
|
|
plugin.dispath_process_terminal(host, current_process, raw_log, json_log)
|
|
current_process.active = False
|
|
current_process.chain.terminate_count += 1
|
|
if current_process.chain.terminate_count >= (
|
|
current_process.chain.active_count - 1
|
|
):
|
|
current_process.chain.active = False
|
|
if current_process.chain.risk_score >= config.MAX_THREAT_SCORE:
|
|
sql.update_threat_log(
|
|
host,
|
|
current_process.chain.risk_score,
|
|
json.dumps(current_process.chain.operationlist),
|
|
current_process.chain.hash,
|
|
current_process.chain.get_json(),
|
|
global_vars.THREAT_TYPE_PROCESS,
|
|
True,
|
|
)
|
|
process.g_ProcessChainList.remove(current_process.chain)
|
|
elif "processid" in log:
|
|
current_process = process.get_process_by_pid(log["processid"])
|
|
if current_process is not None:
|
|
log["action"] = json_log["action"]
|
|
score, rule_hit_name = rule.calc_score_in_action(log)
|
|
if score > 0:
|
|
current_process.set_score(score, rule_hit_name)
|
|
had_threat = global_vars.THREAT_TYPE_PROCESS
|
|
had_threat_plugin = plugin.dispath_rule_new_process_action(
|
|
host, current_process, raw_log, json_log
|
|
)
|
|
if had_threat == global_vars.THREAT_TYPE_NONE:
|
|
had_threat = had_threat_plugin
|
|
|
|
if current_process is not None:
|
|
if current_process.chain.risk_score >= config.MAX_THREAT_SCORE:
|
|
if had_threat == global_vars.THREAT_TYPE_PROCESS:
|
|
current_process.chain.update_process_tree()
|
|
threat = sql.select_threat_by_chain_id(
|
|
host, current_process.chain.hash, global_vars.THREAT_TYPE_PROCESS
|
|
)
|
|
if len(threat) == 0:
|
|
process_info: process.Process = None
|
|
|
|
if len(current_process.chain.process_list) > 1:
|
|
process_info = current_process.chain.process_list[1]
|
|
else:
|
|
process_info = current_process
|
|
info_save_data = {
|
|
"path": process_info.path,
|
|
"hash": process_info.md5,
|
|
"params": process_info.params,
|
|
"user": process_info.user,
|
|
"create_time": process_info.time,
|
|
}
|
|
sql.push_threat_log(
|
|
host,
|
|
current_process.chain.risk_score,
|
|
json.dumps(current_process.chain.operationlist),
|
|
current_process.chain.hash,
|
|
current_process.chain.get_json(),
|
|
global_vars.THREAT_TYPE_PROCESS,
|
|
json.dumps(info_save_data),
|
|
)
|
|
else:
|
|
sql.update_threat_log(
|
|
host,
|
|
current_process.chain.risk_score,
|
|
json.dumps(current_process.chain.operationlist),
|
|
current_process.chain.hash,
|
|
current_process.chain.get_json(),
|
|
global_vars.THREAT_TYPE_PROCESS,
|
|
current_process.chain.active == False,
|
|
)
|
|
parent_pid = 0
|
|
target_pid = 0
|
|
self_hash = ""
|
|
target_image_path = ""
|
|
target_hash = ""
|
|
raw_json_log = json.loads(raw_log)
|
|
|
|
if current_process is not None:
|
|
chain_hash = current_process.chain.hash
|
|
parent_pid = current_process.ppid
|
|
if "TargetProcessId" in raw_json_log:
|
|
target_process: process.Process = current_process.chain.find_process_by_pid(
|
|
raw_json_log["TargetProcessId"]
|
|
)
|
|
target_pid = target_process.pid
|
|
target_image_path = target_process.path
|
|
target_hash = target_process.md5
|
|
self_hash = current_process.md5
|
|
|
|
sql.push_process_raw(
|
|
host,
|
|
raw_json_log,
|
|
rule_hit_name,
|
|
score,
|
|
chain_hash,
|
|
had_threat,
|
|
parent_pid,
|
|
target_pid,
|
|
self_hash,
|
|
target_image_path,
|
|
target_hash,
|
|
params,
|
|
user,
|
|
)
|
|
|
|
"""
|
|
for iter in process.g_ProcessChainList:
|
|
item: process.Process = iter
|
|
if item.risk_score >= config.MAX_THREAT_SCORE:
|
|
item.print_process()
|
|
"""
|