diff --git a/README.md b/README.md index 24ddb9a..665ceab 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ Usage: lin_fh [--ip --port ] [--limit] lin_fh [--ip --port ] [--suidsgid] [--limit] lin_fh --suidsgid [--limit] + lin_fh --max [--limit] lin_fh --limit lin_fh --help @@ -28,15 +29,29 @@ Options: -i, --ip IP address to send output to [default: NONE] -p, --port Destination port to send output to [default: 80] -l, --limit Limit CPU use + -m, --max Max size of a text file in bytes to inspect the content + of for interesting strings [default: 100000] + - Text files will always be searched for references + to other files. -s, --suidsgid Search for suid and sgid files + - This will search the entire '/' including subdirectories + - Can take a very long time + - /dev/, /mnt/, /proc/, /sys/ directories are ignored Note: If not run as root some telemetry cannot be harvested. + + A log with data_type of 'Rootkit' will be generated if the size of file read into + memory is less that the size on disk. This is a simple possible root kit identification + method. + - See: https://github.com/sandflysecurity/sandfly-file-decloak To capture network output, start a netcat listener on your port of choice. Use the -k option with netcat to prevent netcat from closing after a TCP connection is closed. Files larger than 256MB will not be hashed. + + Text files larger than '--max' will not be inspected for interesting strings. ``` ## To compile diff --git a/src/data_def.rs b/src/data_def.rs index 8549f93..bea3aee 100644 --- a/src/data_def.rs +++ b/src/data_def.rs @@ -25,6 +25,7 @@ Usage: lin_fh [--ip --port ] [--limit] lin_fh [--ip --port ] [--suidsgid] [--limit] lin_fh --suidsgid [--limit] + lin_fh --max [--limit] lin_fh --limit lin_fh --help 
@@ -33,6 +34,10 @@ Options: -i, --ip IP address to send output to [default: NONE] -p, --port Destination port to send output to [default: 80] -l, --limit Limit CPU use + -m, --max Max size of a text file in bytes to inspect the content + of for interesting strings [default: 100000] + - Text files will always be searched for references + to other files. -s, --suidsgid Search for suid and sgid files - This will search the entire '/' including subdirectories - Can take a very long time @@ -40,11 +45,18 @@ Options: Note: If not run as root some telemetry cannot be harvested. + + A log with data_type of 'Rootkit' will be generated if the size of file read into + memory is less that the size on disk. This is a simple possible root kit identification + method. + - See: https://github.com/sandflysecurity/sandfly-file-decloak To capture network output, start a netcat listener on your port of choice. Use the -k option with netcat to prevent netcat from closing after a TCP connection is closed. Files larger than 256MB will not be hashed. + + Text files larger than '--max' will not be inspected for interesting strings. "; #[derive(Debug, Deserialize)] @@ -52,6 +64,7 @@ pub struct Args { flag_ip: String, flag_port: u16, flag_limit: bool, + pub flag_max: u64, pub flag_suidsgid: bool } diff --git a/src/main.rs b/src/main.rs index 6303bd2..31a3f4f 100644 --- a/src/main.rs +++ b/src/main.rs @@ -36,8 +36,6 @@ lazy_static! { pub static ref IS_ROOT: bool = Uid::effective().is_root(); } -const MAX_FILE_SIZE: u64 = 100000; - const MAX_DIR_DEPTH: usize = 5; // Max number of sub directories to traverse // file paths we want to watch all files in const WATCH_PATHS: [&str; 14] = [ 
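Review bot: The added help text has a typo in `memory is less that the size on disk`; it should read `memory is less than the size on disk`. The same sentence was added to README.md in this commit, so both copies need the fix. Since this one is a string literal the program prints as its usage text, the correction belongs in the source, not only in the README.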
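Review bot: `flag_max` is added without a doc comment and is `pub` while `flag_ip`, `flag_port` and `flag_limit` stay private; its meaning otherwise lives only in the usage string, so add `/// Upper bound in bytes on text-file content searched for interesting strings (--max; default 100000).` above it. Being a plain `u64` whose only default comes from the usage string, it also accepts `0`, which would suppress string inspection for every file; if that is not an intended switch, say so in the doc comment or validate it after parsing. The `pub struct Args {` line appears only in the hunk header context, so the struct starts just outside the hunk.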
@@ -447,7 +445,7 @@ fn watch_file(file_path: &Path, path: &str, mime_type: &str, size: u64, already_ TxRootkit::new(*IS_ROOT, "File".to_string(), "Rootkit".to_string(), get_now()?, path.to_string(), size, size_read); } - if size_read < MAX_FILE_SIZE { find_interesting(path, &data)? }; + if size_read < ARGS.flag_max { find_interesting(path, &data)? }; drop(data); } }
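Review bot: The new guard `if size_read < ARGS.flag_max` skips a file whose bytes read are exactly `--max`, while the help text added in this commit (README.md and data_def.rs) says only files *larger than* `--max` are skipped; either change it to `if size_read <= ARGS.flag_max { find_interesting(path, &data)? }` or reword the help to match the strict comparison. The trailing `;` after the `if` block is a stray empty statement carried over from the replaced line and can be dropped. `ARGS` is not visible in this hunk; if it is a lazy_static like `IS_ROOT` in the earlier main.rs hunk and argument parsing happens inside its initializer, a malformed `--max` would surface as a panic on first deref inside `watch_file` rather than at startup, which is worth confirming. The body of `watch_file` begins and ends outside the hunk.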