fixing bugs with program flow and data collection

README.md

@@ -20,6 +20,7 @@ Usage:
   lin_fh [--ip <ip> --port <port>] [--limit]
   lin_fh [--ip <ip> --port <port>] [--suidsgid] [--limit]
   lin_fh --suidsgid [--limit]
+  lin_fh --max <bytes> [--limit]
   lin_fh --limit
   lin_fh --help
 
@@ -28,15 +29,29 @@ Options:
   -i, --ip <ip>         IP address to send output to [default: NONE]
   -p, --port <port>     Destination port to send output to [default: 80]
   -l, --limit           Limit CPU use
+  -m, --max <bytes>     Max size of a text file in bytes to inspect the content
+                        of for interesting strings [default: 100000]
+                        - Text files will always be searched for references
+                          to other files.
   -s, --suidsgid        Search for suid and sgid files
+                        - This will search the entire '/' including subdirectories
+                        - Can take a very long time
+                        - /dev/, /mnt/, /proc/, /sys/ directories are ignored
 
 Note:
   If not run as root some telemetry cannot be harvested.
+
+  A log with data_type of 'Rootkit' will be generated if the size of file read into
+  memory is less that the size on disk. This is a simple possible root kit identification
+  method.
+  - See: https://github.com/sandflysecurity/sandfly-file-decloak
   
   To capture network output, start a netcat listener on your port of choice.
   Use the -k option with netcat to prevent netcat from closing after a TCP connection is closed.
 
   Files larger than 256MB will not be hashed.
+
+  Text files larger than '--max' will not be inspected for interesting strings.
 ```
 
 ## To compile

src/data_def.rs

@@ -25,6 +25,7 @@ Usage:
   lin_fh [--ip <ip> --port <port>] [--limit]
   lin_fh [--ip <ip> --port <port>] [--suidsgid] [--limit]
   lin_fh --suidsgid [--limit]
+  lin_fh --max <bytes> [--limit]
   lin_fh --limit
   lin_fh --help
 
@@ -33,25 +34,37 @@ Options:
   -i, --ip <ip>         IP address to send output to [default: NONE]
   -p, --port <port>     Destination port to send output to [default: 80]
   -l, --limit           Limit CPU use
+  -m, --max <bytes>     Max size of a text file in bytes to inspect the content
+                        of for interesting strings [default: 100000]
+                        - Text files will always be searched for references
+                          to other files.
   -s, --suidsgid        Search for suid and sgid files
                         - This will search the entire '/' including subdirectories
                         - Can take a very long time
                         - /dev/, /mnt/, /proc/, /sys/ directories are ignored
 
 Note:
   If not run as root some telemetry cannot be harvested.
+
+  A log with data_type of 'Rootkit' will be generated if the size of file read into
+  memory is less that the size on disk. This is a simple possible root kit identification
+  method.
+  - See: https://github.com/sandflysecurity/sandfly-file-decloak
   
   To capture network output, start a netcat listener on your port of choice.
   Use the -k option with netcat to prevent netcat from closing after a TCP connection is closed.
 
   Files larger than 256MB will not be hashed.
+
+  Text files larger than '--max' will not be inspected for interesting strings.
 ";
 
 #[derive(Debug, Deserialize)]
 pub struct Args {
     flag_ip: String,
     flag_port: u16,
     flag_limit: bool,
+    pub flag_max: u64,
     pub flag_suidsgid: bool
 }
 

src/main.rs

@@ -36,8 +36,6 @@ lazy_static! {
     pub static ref IS_ROOT: bool = Uid::effective().is_root();
 }
 
-const MAX_FILE_SIZE: u64 = 100000;
-
 const MAX_DIR_DEPTH: usize = 5;     // Max number of sub directories to traverse
 // file paths we want to watch all files in
 const WATCH_PATHS: [&str; 14] = [
@@ -447,7 +445,7 @@ fn watch_file(file_path: &Path, path: &str, mime_type: &str, size: u64, already_
                 TxRootkit::new(*IS_ROOT, "File".to_string(), "Rootkit".to_string(), 
                     get_now()?, path.to_string(), size, size_read);
             }
-            if size_read < MAX_FILE_SIZE { find_interesting(path, &data)? };
+            if size_read < ARGS.flag_max { find_interesting(path, &data)? };
             drop(data);
         }
     }