Tuesday, March 14, 2017

Python new file notification

Introduction:
This post will be short. It just explains how to get notified when a new file is created.

Purpose:
I want to be notified when I have downloaded malware. In the last post, I discussed gathering malware using maltrieve. This is not the only way to get samples. You can have something like BroIDS running on a network tap and use it to extract PE files, or whatever other file types you want.

Besides just collecting samples, I want notifications in Python so I can do additional processing. For PE files, you can start doing static analysis, feature extraction for machine learning, or whatever else you want.

I could edit the BroIDS file extraction script or the maltrieve code to do the additional processing, but I like my solution better.

The solution is to use the Python inotify library.

Setup:
To install the inotify library, just run ‘pip install inotify’.
Here’s my code:

import os
from inotify import adapters

i = adapters.Inotify()
i.add_watch('/root/inotifytest/')  # directory to watch

# event_gen() yields None while idle, so skip those.
for event in i.event_gen():
    if event is not None:
        (header, type_names, watch_path, filename) = event
        # According to the man page, IN_CLOSE_WRITE means
        # "File opened for writing was closed."
        # So we get notified only after the download has finished.
        if 'IN_CLOSE_WRITE' in type_names:
            print("New file downloaded: " + os.path.join(watch_path, filename))

The original code is from this post: https://dustinoprea.com/2015/04/24/using-inotify-to-watch-for-directory-changes-from-python/ I just modified it so I could watch for IN_CLOSE_WRITE.

In the screenshot below, you can see the script printing when new files are added. I was running maltrieve in another window.
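Here is an added example (my own code, not from the post or from the inotify project) that extends the loop above with the kind of "additional processing" the post mentions: each closed-after-write file is hashed and given a minimal PE check (DOS "MZ" header whose e_lfanew offset points at the "PE\0\0" signature). The event parsing is split into its own function so it can be exercised without a live watch. The directory /tmp/inotifytest, the SAMPLE_PE bytes and all helper names are assumptions I made for the example; the inotify import is deferred so the helpers work even where the library is not installed.

```python
"""Added example: process files that inotify reports as closed after writing."""
import hashlib
import os
import struct

# Constructed sample: a 68-byte buffer with an 'MZ' header, e_lfanew = 0x40
# and a 'PE\0\0' signature at offset 0x40. It is not a real executable.
SAMPLE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"


def is_pe_file(data: bytes) -> bool:
    """Minimal static check: 'MZ' at offset 0, e_lfanew at offset 0x3C,
    and 'PE\\0\\0' at the offset e_lfanew points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Slicing past the end yields b"", so an out-of-range e_lfanew is False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def describe_bytes(data: bytes, path: str) -> dict:
    """Summary record for one new sample: path, SHA-256, size, PE-or-not."""
    return {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "is_pe": is_pe_file(data),
    }


def describe_new_file(path: str) -> dict:
    """Read a file that has just been closed and summarise it."""
    with open(path, "rb") as fh:
        return describe_bytes(fh.read(), path)


def closed_written_path(event):
    """Map one tuple from inotify's event_gen() to the full path of a file
    that was just closed after writing; return None for idle (None) events,
    other event types, or directories."""
    if event is None:
        return None
    header, type_names, watch_path, filename = event
    if "IN_CLOSE_WRITE" in type_names and "IN_ISDIR" not in type_names:
        return os.path.join(watch_path, filename)
    return None


def watch(directory: str) -> None:
    """Block forever, printing a summary for every finished download."""
    from inotify import adapters  # pip install inotify (assumed available here)
    i = adapters.Inotify()
    i.add_watch(directory)
    for event in i.event_gen():
        path = closed_written_path(event)
        if path is not None:
            print(describe_new_file(path))


if __name__ == "__main__":
    import sys
    # Assumed default directory; pass another one as the first argument.
    watch(sys.argv[1] if len(sys.argv) > 1 else "/tmp/inotifytest")
```

Waiting for IN_CLOSE_WRITE rather than IN_CREATE matters for this use: a file exists from the moment the downloader creates it, but hashing it then would give the digest of a partial download. Checking "IN_CLOSE_WRITE" in type_names instead of comparing the whole list also keeps the handler working if the event carries extra flags.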
