import time import pickle import os import sys import math score_threshold = 5.0 bmp = [0x42, 0x4D] doc = [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1] gif = [0x47, 0x49, 0x46, 0x38] jpg = [0xFF, 0xD8, 0xFF] mz = [0x4D, 0x5A] pdf = [0x25, 0x50, 0x44, 0x46] pk = [0x50, 0x4B] png = [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A] zip = [0x1F, 0x8B] known_headers = {} known_headers['bmp'] = ''.join(map(chr,bmp)).encode() known_headers['dll'] = ''.join(map(chr,mz)).encode() known_headers['doc'] = ''.join(map(chr,doc)).encode() known_headers['docx'] = ''.join(map(chr,pk)).encode() known_headers['exe'] = ''.join(map(chr,mz)).encode() known_headers['gif'] = ''.join(map(chr,gif)).encode() known_headers['jpg'] = ''.join(map(chr,jpg)).encode() known_headers['pdf'] = ''.join(map(chr,pdf)).encode() known_headers['png'] = ''.join(map(chr,png)).encode() known_headers['pptx'] = ''.join(map(chr,pk)).encode() known_headers['xlsx'] = ''.join(map(chr,pk)).encode() known_headers['zip'] = ''.join(map(chr,zip)).encode() entropy_max = {} entropy_max['bmp'] = 7.5 entropy_max['c'] = 7.0 entropy_max['cpp'] = 7.0 entropy_max['dll'] = 7.5 entropy_max['doc'] = 7.5 entropy_max['docx'] = 7.5 entropy_max['exe'] = 7.5 entropy_max['gif'] = 7.5 entropy_max['h'] = 7.0 entropy_max['jpg'] = 7.5 entropy_max['pdf'] = 7.5 entropy_max['png'] = 7.5 entropy_max['pptx'] = 7.5 entropy_max['rtf'] = 7.0 entropy_max['txt'] = 7.0 entropy_max['xlsx'] = 7.5 entropy_max['zip'] = 7.5 def analyze(log_path): f = open(log_path, "rb") total_files = 0 system_alert_score = 0.0 original_data = None while True: try: original_data = pickle.load(f) except: break total_files += 1 # individual event analysis try: original_data['path'] = original_data['path'].decode('utf-8') original_data['operation'] = original_data['operation'].decode('utf-8') original_data['pid'] = original_data['pid'].decode('utf-8') except: break pid = original_data['pid'] file_name = os.path.basename(original_data['path']) file_extension = os.path.splitext(original_data['path'])[1][1:] print('=' * 20) print('pid: ', pid) print('file_name: ', file_name) print('operation: ', original_data['operation']) print('original_data contents length: ', len(original_data['contents'])) if original_data['operation'] == 'RENAME': prev_path = original_data['prev_path'].decode('utf-8') prev_file_extension = os.path.splitext(prev_path)[1][1:] print('previous extension: ', prev_file_extension) # 1) header mismatch if original_data['operation'] == 'RENAME': if prev_file_extension in known_headers: if len(original_data['contents']) >= len(known_headers[prev_file_extension][1:]): if not original_data['contents'].startswith(known_headers[prev_file_extension][1:]): print('*** renamed file header mismatch ***') system_alert_score += 4.0 elif file_extension in known_headers: if len(original_data['contents']) >= len(known_headers[file_extension][1:]): if not original_data['contents'].startswith(known_headers[file_extension][1:]): print('*** header mismatch ***') system_alert_score += 2.0 # 2) entropy analysis entropy = calculate_entropy(original_data['contents']) print('entropy: ', entropy) if original_data['operation'] == 'RENAME': if prev_file_extension in entropy_max: print('*** renamed file exceeds expected entropy max ***') system_alert_score += 4.0 elif file_extension in entropy_max: if entropy > entropy_max[file_extension]: print('*** file exceeds expected entropy max ***') system_alert_score += 2.0 print('') print('-' * 20) print('Total Files Analyzed: ', total_files) print('Total Alert Score: ', system_alert_score) if score_threshold < system_alert_score: print('***** Alert Score Exceeded Threshold *****') def calculate_entropy(data): if len(data) == 0: return 0.0 entropy = 0.0 for x in range(256): p_x = float(data.count(x))/len(data) if p_x > 0: entropy += - p_x*math.log(p_x, 2) return entropy if __name__ == "__main__": if len(sys.argv) == 1: log_path = "C:\\python_log\\python_log.dcart" else: log_path = sys.argv[1] if os.path.exists(log_path): analyze(log_path)