Created
January 3, 2017 15:44
Tracking malware creation using a custom Sysdig chisel
--[[
Copyright (C) 2014 Draios inc.
Copyright (C) 2016 Sysnove
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
--]]
-- Chisel metadata. These are deliberately global: the chisel host reads
-- them from the chunk's environment, so `local` must not be used here.
description = 'This chisel intercepts all writes to a set a files defined by a filter.'
short_description = 'This chisel intercepts all writes to a set a files defined by a filter.'
category = 'I/O'

-- Argument list: this chisel takes no arguments; the event filter is
-- hard-coded in on_init() and is meant to be edited there.
args = {}

-- Imports and globals. "common" is not part of this file; presumably it
-- provides format_bytes(), which on_event() calls and this file never defines.
require 'common'
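-- Initialization callback: requests the fields on_event() reads, selects the
-- ascii output format and installs the event filter. Returns true so the
-- chisel stays loaded.
function on_init()
  -- Field handles are intentionally global: on_event() reads them.
  -- fbuf, fisw and ftid are requested here but never read in this file.
  fbuf = chisel.request_field("evt.buffer")
  fdata = chisel.request_field("evt.arg.data")
  ffdname = chisel.request_field("fd.name")
  fisw = chisel.request_field("evt.is_io_write")
  fpid = chisel.request_field("proc.pid")
  fpname = chisel.request_field("proc.name")
  fres = chisel.request_field("evt.rawarg.res")
  ftid = chisel.request_field("thread.tid")
  fts = chisel.request_field("evt.time")

  -- Set the output format to ascii
  sysdig.set_output_format("ascii")

  --[[ The filter is the most important part and the one to adapt to your needs.
  As written it keeps write events (evt.is_io_write=true) that completed
  successfully (evt.dir=<, evt.failed=false) on regular files (fd.type=file)
  whose group.name is "client1", and drops writes to pseudo-terminals
  (/dev/pt*, /dev/tty*).
  NOTE: "fd.filename contains .php" is a substring match, not a suffix match:
  names such as "x.php.bak" or "foo.phpx" also match, while a file written to
  another path and renamed to *.php afterwards is not seen by this chisel. --]]
  local clauses = {
    "(not fd.name contains /dev/pt and not fd.name contains /dev/tty)",
    "evt.is_io_write=true",
    "fd.type=file and evt.dir=< and evt.failed=false and group.name=client1",
    "fd.filename contains .php",
  }
  -- table.concat builds the same string the previous string.format chain did.
  chisel.set_filter(table.concat(clauses, " and "))
  return true
end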
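-- Event parsing callback: invoked for every event that passed the filter
-- installed by on_init(). Prints one line per matching write and returns
-- true so processing continues.
function on_event()
  -- Extract the event details through the handles requested in on_init().
  -- evt.arg.data (fdata) is requested but not printed, so it is not read here.
  local fdname = evt.field(ffdname)
  local pid = evt.field(fpid)
  local pname = evt.field(fpname)
  local res = evt.field(fres)
  local ts = evt.field(fts)

  -- Render the message to screen.
  -- Five placeholders for five values: the previous format string carried a
  -- sixth "%s" with no matching argument, which makes string.format raise on
  -- the first event. tostring() keeps a nil field from raising as well.
  print(string.format("%s %s(%s) %s %s",
    tostring(ts), tostring(pname), tostring(pid),
    tostring(format_bytes(res)), tostring(fdname)))
  return true
end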