This post will be short. It just explains how to get notified when a new file is created.
I want to be notified when I download malware. In the last post, I discussed gathering malware using maltrieve. That is not the only way to get samples: you can have something like BroIDS running on a network tap and use it to extract PE files (or whatever file types you want).
Besides just collecting samples, I want the notification delivered in Python so I can do additional processing. For PE files, that could be static analysis, feature extraction for machine learning, or whatever else you want.
I could edit the BroIDS file extraction script or the maltrieve code to do the additional processing, but I like my solution better: it keeps the collection tool and the processing decoupled.
The solution is to use the Python inotify library, which wraps the Linux inotify API (so it is Linux-only).
To install the inotify library, just run ‘pip install inotify’. Here’s my code:
import os
from inotify import adapters

WATCH_DIR = '/path/to/samples'  # placeholder: the directory maltrieve writes samples to

i = adapters.Inotify()
i.add_watch(WATCH_DIR)  # without a watch, event_gen() never yields a file event

for event in i.event_gen():
    if event is not None:
        (header, type_names, watch_path, filename) = event
        # According to the man page, IN_CLOSE_WRITE means "File opened for writing was closed."
        # We get notified after the file is downloaded, not when it is first created.
        if 'IN_CLOSE_WRITE' in type_names:
            print("New file downloaded: " + os.path.join(watch_path, filename))
The original code is from this post: https://dustinoprea.com/2015/04/24/using-inotify-to-watch-for-directory-changes-from-python/ . I just modified it to watch for IN_CLOSE_WRITE.
In the screenshot below, you can see the script printing as new files are added; I was running maltrieve in another window.
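As an added example that is not part of the original post, here is how I would extend the script above to do the "additional processing" step: each completed download is hashed, checked for a PE header, and deduplicated before it is handed on. It assumes the same inotify package on Python 3 (where event_gen() yields str paths), takes the watch directory from the command line, and also reacts to IN_MOVED_TO, because a tool that writes to a temporary file elsewhere and renames it into the directory produces IN_MOVED_TO rather than IN_CLOSE_WRITE. The PE check and the in-memory dedupe set are my own illustrative choices, not something maltrieve or the inotify library provides.

```python
#!/usr/bin/env python3
"""Added example (not the original post's code): a watcher that turns each
finished download into a record a static-analysis pipeline can consume.
Assumes the `inotify` package (pip install inotify) on Python 3, where
add_watch() and event_gen() use str paths. The PE check, the SHA-256
dedupe set and taking the watch directory from argv are illustrative."""
import hashlib
import os
import struct
import sys

# Events that mean "a complete file is now in the directory". IN_CLOSE_WRITE
# covers a download written in place (maltrieve's case); IN_MOVED_TO covers
# tools that write to a temp file elsewhere and rename it in, for which no
# IN_CLOSE_WRITE is seen on the watched directory.
DONE_EVENTS = {"IN_CLOSE_WRITE", "IN_MOVED_TO"}


def sha256_file(path):
    """Hash in chunks so a large sample is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(f):
    """True if the open binary file has a DOS 'MZ' header whose e_lfanew
    field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    f.seek(0)
    dos = f.read(0x40)
    if len(dos) < 0x40 or dos[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
    f.seek(e_lfanew)  # past EOF just makes the read below return b""
    return f.read(4) == b"PE\x00\x00"


def describe_sample(path):
    """Static identification only: the sample is never executed."""
    with open(path, "rb") as f:
        pe = is_pe(f)
    return {"path": path, "size": os.path.getsize(path),
            "sha256": sha256_file(path), "pe": pe}


def handle_event(type_names, watch_path, filename, seen):
    """Return a description for an event that completes a new sample, else
    None. `seen` holds SHA-256 digests already processed: a file that is
    opened and closed twice fires IN_CLOSE_WRITE twice, and the same payload
    is often fetched from several URLs."""
    if "IN_ISDIR" in type_names or not DONE_EVENTS.intersection(type_names):
        return None
    path = os.path.join(watch_path, filename)
    try:
        info = describe_sample(path)
    except OSError:  # deleted or replaced between the event and our open()
        return None
    if info["sha256"] in seen:
        return None
    seen.add(info["sha256"])
    return info


def watch(directory):
    from inotify import adapters  # imported here so the helpers above need no inotify
    seen = set()
    i = adapters.Inotify()
    i.add_watch(directory)
    for event in i.event_gen():
        if event is None:  # event_gen() yields None on its internal timeout
            continue
        (_header, type_names, watch_path, filename) = event
        info = handle_event(type_names, watch_path, filename, seen)
        if info:
            kind = "PE" if info["pe"] else "file"
            print("New %s: %s sha256=%s size=%d"
                  % (kind, info["path"], info["sha256"], info["size"]))


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it as python watch.py /path/to/samples with maltrieve pointed at the same directory. The inotify import lives inside watch() so the hashing and PE helpers can be reused and tested on their own; only the event loop needs the library. Keep whatever you plug in after handle_event() static: a parser raising an exception is the worst thing this script should ever do with a sample.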