import argparse
import glob
import os
import signal
import socket
import struct
import subprocess
import sys

from bcc import BPF
from bcc.utils import printb

from meatball.helpers import TaggedIpList
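def process_netevent(cpu, data, size):
    """Perf-buffer callback: check a connect() event's destination against the
    loaded IP feeds and apply the configured ``--action`` to the process.

    Args:
        cpu: CPU the event was recorded on (unused; bcc callback signature).
        data: raw event record, decoded through ``b["events"].event``.
        size: record size in bytes (unused; bcc callback signature).

    Reads the module globals ``b`` (the BPF object), ``lists`` (the loaded
    ``TaggedIpList`` feeds) and ``args`` (the parsed command line).  Any
    OSError raised while signalling the target is reported on stderr rather
    than propagated, because this runs inside ``perf_buffer_poll`` and an
    uncaught exception would stop the whole monitor.
    """
    event = b["events"].event(data)
    # Native "I" reproduces the in-memory byte layout of the u32, so inet_ntoa
    # sees the address in network order — assumes meatball.c stores s_addr
    # unmodified (TODO confirm against the BPF side).
    ip_address = socket.inet_ntoa(struct.pack("I", event.address))
    if args.verbose:
        # printb formats bytes; inet_ntoa returns str under Python 3, so the
        # address must be encoded or the %s substitution raises TypeError.
        printb(b"\t%s (%d) %s:%d" % (
            event.comm, event.pid, ip_address.encode(), socket.htons(event.port)
        ))
    # Act once per event: the messages do not name the feed, so repeating the
    # action for every matching feed would only re-signal (and re-dump) the
    # same process.
    if not any(feed.check_membership(ip_address) for feed in lists):
        return
    try:
        _respond(args.action, event, ip_address)
    except OSError as err:
        # ProcessLookupError: the target already exited (connect() callers are
        # often short-lived).  PermissionError: not ours to signal.
        # FileNotFoundError: gcore is not installed.
        print("{} ({}) action '{}' failed: {}".format(
            event.comm, event.pid, args.action, err
        ), file=sys.stderr)


def _respond(action, event, ip_address):
    """Apply *action* ("print", "dump", "suspend" or "kill") to ``event.pid``.

    Raises:
        OSError: from os.kill (ProcessLookupError, PermissionError) or from
            launching gcore (FileNotFoundError).
    """
    # NOTE(review): signalling by PID after the fact is racy — the PID could in
    # principle be reused by an unrelated process between the event and here.
    pid = event.pid
    if action == "print":
        print("{} ({}) touched a bad IP ({})".format(
            event.comm, pid, ip_address
        ))
    elif action == "dump":
        # Freeze first so the core reflects the state at connect() time.
        # NOTE(review): gcore (run as root) writes a predictably named file
        # under world-writable /tmp; a dedicated directory would be safer.
        os.kill(pid, signal.SIGSTOP)
        try:
            # argv list (no shell) replaces the os.system string; stderr is
            # discarded as the original "2>/dev/null" did.
            subprocess.run(
                ["gcore", "-o", "/tmp/meatball-{}.core".format(event.ts), str(pid)],
                stderr=subprocess.DEVNULL,
            )
        finally:
            # Kill even if gcore failed, so a flagged process is never left
            # frozen but alive.
            os.kill(pid, signal.SIGKILL)
        print("{} ({}) Meatball took a dump in /tmp/ ({})".format(
            event.comm, pid, ip_address
        ))
    elif action == "suspend":
        # signal.* constants rather than raw numbers: SIGSTOP is not 19 on
        # every Linux architecture.
        os.kill(pid, signal.SIGSTOP)
        print("{} ({}) was suspended ({}) ".format(
            event.comm, pid, ip_address
        ))
    elif action == "kill":
        os.kill(pid, signal.SIGKILL)
        print("{} ({}) was killed by Meatball ({}) ".format(
            event.comm, pid, ip_address
        ))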
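parser = argparse.ArgumentParser(
    description="Watch connect() calls and act on processes that reach an IP "
                "listed in ip_feeds/*.txt."
)
# A tuple rather than a set keeps the --help listing in a stable order.
parser.add_argument("--action", default="print", choices=("print", "dump", "suspend", "kill"))
parser.add_argument("--verbose", action="store_true")
args = parser.parse_args()

# Feeds are resolved relative to the current working directory.
outs = glob.glob("ip_feeds/*.txt")
if not outs:
    raise ValueError("No feeds available. Run update_feeds.sh!")
lists = []
for feed in outs:
    with open(feed, 'r') as handle:
        lists.append(TaggedIpList(feed, handle))

# Hook the connect() syscall entry; the probe body lives in meatball.c.
b = BPF(src_file="meatball.c")
b.attach_kprobe(event=b.get_syscall_fnname("connect"), fn_name="probe_connect_enter")
# Alternative hook points kept by the author (not enabled):
#b.attach_kprobe(event="tcp_v4_connect", fn_name="tcp_v4")
#b.attach_kprobe(event="udp_sendmsg", fn_name="udp_v4")
b["events"].open_perf_buffer(process_netevent)

while True:
    try:
        b.perf_buffer_poll()
    except KeyboardInterrupt:
        # sys.exit rather than the site-injected exit() builtin, which is
        # absent under `python -S`.
        sys.exit()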