Tuesday, March 14, 2017

Python new file notification

Introduction:
This post will be short. It just explains how to get notified about new file being created.

Purpose:
I want to be notified when I downloaded malware. In the last post, I discussed gathering malware using maltrieve. This is not the only way to get samples. You can have something like BroIDS running on a network tap and use it to extract PE files or whatever files you want.

Besides just collecting samples, I want notifications in Python so I can do additional processing. For PE files, you can start doing static analysis, feature extraction for machine learning, or whatever else you want.

I could edit BroIDS file extraction script or maltrieve code to do additional processing but I like my solution better.

The solution is to use Python inotify library.

Setup:
To install the inotify library, just run ‘pip install inotify’
Here’s my code:

from inotify import adapters
i = adapters.Inotify()
i.add_watch('/root/inotifytest/') #directory

for event in i.event_gen():
   if event is not None:
       (header, type_names, watch_path, filename) = event
       #according to man page "File opened for writing was closed."
       #We get notified after the file is downloaded.
       if type_names == ['IN_CLOSE_WRITE']:
           print "New file downloaded: " + watch_path + filename

Original code is from this post: https://dustinoprea.com/2015/04/24/using-inotify-to-watch-for-directory-changes-from-python/ I just modified it so I could watch for IN_CLOSE_WRITE.

In the screenshot below, you can see the script printing when new files are added. I was running maltrieve in another window.

2 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete