logging enhancement

Author: codeyourweb

filehelper.go

@@ -20,15 +20,15 @@ import (
 // WindowsFileSystemAnalysisRoutine analyse windows filesystem every 300 seconds
 func WindowsFileSystemAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for true {
-		env := ListEnvironmentPathFiles()
-		temp := ListTemporaryFiles()
+		env := ListEnvironmentPathFiles(pVerbose)
+		temp := ListTemporaryFiles(pVerbose)
 
 		for _, p := range env {
-			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules)
+			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "ENV")
 		}
 
 		for _, p := range temp {
-			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules)
+			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "TEMP")
 		}
 
 		time.Sleep(300 * time.Second)
@@ -38,19 +38,19 @@ func WindowsFileSystemAnalysisRoutine(pQuarantine string, pKill bool, pAggressiv
 // UserFileSystemAnalysisRoutine analyse windows filesystem every 60 seconds
 func UserFileSystemAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for true {
-		files := ListUserWorkspaceFiles()
+		files := ListUserWorkspaceFiles(pVerbose)
 
 		for _, p := range files {
-			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules)
+			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "USER")
 		}
 		time.Sleep(60 * time.Second)
 	}
 }
 
 // ListUserWorkspaceFiles recursively list all files in USERPROFILE directory
-func ListUserWorkspaceFiles() (files []string) {
-	f, err := RetrivesFilesFromUserPath(os.Getenv("USERPROFILE"), true, defaultScannedFileExtensions, true)
-	if err != nil {
+func ListUserWorkspaceFiles(verbose bool) (files []string) {
+	f, err := RetrivesFilesFromUserPath(os.Getenv("USERPROFILE"), true, defaultScannedFileExtensions, true, verbose)
+	if err != nil && verbose {
 		log.Println(err)
 	}
 
@@ -61,20 +61,20 @@ func ListUserWorkspaceFiles() (files []string) {
 }
 
 // FileAnalysis sub-routine for file analysis (used in registry / task scheduler / startmenu scan)
-func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
+func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules, sourceIndex string) {
 	var err error
 	var content []byte
 	var result yara.MatchRules
 
 	content, err = ioutil.ReadFile(path)
-	if err != nil {
+	if err != nil && pVerbose {
 		log.Println(path, err)
 	}
 
 	fileHash := fmt.Sprintf("%x", md5.Sum(content))
 	if !StringInSlice(fileHash, filescanHistory) {
 		if pVerbose {
-			log.Println("[INFO] Analyzing", path)
+			log.Println("[INFO] ["+sourceIndex+"] Analyzing", path)
 		}
 
 		result, err = YaraScan(content, rules)
@@ -86,14 +86,14 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 
 			// logging
 			for _, match := range result {
-				log.Println("[INFO]", "YARA MATCH", path, match.Namespace, match.Rule)
+				log.Println("[ALERT]", "YARA MATCH", path, match.Namespace, match.Rule)
 			}
 
 			// dump matching process to quarantine
 			if len(pQuarantine) > 0 {
 				log.Println("[INFO]", "DUMPING FILE", path)
 				err := QuarantineFile(content, filepath.Base(path), pQuarantine)
-				if err != nil && pVerbose {
+				if err != nil {
 					log.Println("[ERROR]", "Cannot quarantine file", path, err)
 				}
 			}
@@ -105,12 +105,12 @@ func FileAnalysis(path string, pQuarantine string, pKill bool, pAggressive bool,
 }
 
 // ListEnvironmentPathFiles list all files in PATH directories
-func ListEnvironmentPathFiles() (files []string) {
+func ListEnvironmentPathFiles(verbose bool) (files []string) {
 	env := os.Getenv("PATH")
 	paths := strings.Split(env, ";")
 	for _, p := range paths {
-		f, err := RetrivesFilesFromUserPath(p, true, defaultScannedFileExtensions, false)
-		if err != nil {
+		f, err := RetrivesFilesFromUserPath(p, true, defaultScannedFileExtensions, false, verbose)
+		if err != nil && verbose {
 			log.Println(err)
 			continue
 		}
@@ -124,7 +124,7 @@ func ListEnvironmentPathFiles() (files []string) {
 }
 
 // ListTemporaryFiles list all files in TEMP / TMP / %SystemRoot%\Temp
-func ListTemporaryFiles() (files []string) {
+func ListTemporaryFiles(verbose bool) (files []string) {
 
 	var folders = []string{os.Getenv("TEMP")}
 	if os.Getenv("TMP") != os.Getenv("TEMP") {
@@ -136,8 +136,8 @@ func ListTemporaryFiles() (files []string) {
 	}
 
 	for _, p := range folders {
-		f, err := RetrivesFilesFromUserPath(p, true, defaultScannedFileExtensions, true)
-		if err != nil {
+		f, err := RetrivesFilesFromUserPath(p, true, defaultScannedFileExtensions, true, verbose)
+		if err != nil && verbose {
 			log.Println(err)
 			continue
 		}
@@ -190,7 +190,7 @@ func FormatPathFromComplexString(command string) (paths []string) {
 }
 
 // RetrivesFilesFromUserPath return a []string of available files from given path (includeFileExtensions is available only if listFiles is true)
-func RetrivesFilesFromUserPath(path string, listFiles bool, includeFileExtensions []string, recursive bool) ([]string, error) {
+func RetrivesFilesFromUserPath(path string, listFiles bool, includeFileExtensions []string, recursive bool, verbose bool) ([]string, error) {
 	var p []string
 
 	info, err := os.Stat(path)
@@ -213,8 +213,8 @@ func RetrivesFilesFromUserPath(path string, listFiles bool, includeFileExtension
 			}
 		} else {
 			err := filepath.Walk(path, func(walk string, info os.FileInfo, err error) error {
-				if err != nil {
-					log.Println(err)
+				if err != nil && verbose {
+					log.Println("[ERROR]", err)
 				}
 
 				if err == nil && !(info.IsDir() == listFiles) && (len(includeFileExtensions) == 0 || StringInSlice(filepath.Ext(walk), includeFileExtensions)) {
@@ -224,8 +224,8 @@ func RetrivesFilesFromUserPath(path string, listFiles bool, includeFileExtension
 				return nil
 			})
 
-			if err != nil {
-				log.Println(err)
+			if err != nil && verbose {
+				log.Println("[ERROR]", err)
 			}
 		}
 	}

main.go

@@ -51,31 +51,28 @@ func main() {
 	}
 
 	// load yara signature
-	log.Println("[INFO] Starting IRMA")
+	log.Println("[INIT] Starting IRMA")
 	yaraPath := *pYaraPath
-	yaraFiles := SearchForYaraFiles(yaraPath)
-	compiler, err := LoadYaraRules(yaraFiles)
+	yaraFiles := SearchForYaraFiles(yaraPath, *pVerbose)
+	compiler, err := LoadYaraRules(yaraFiles, *pVerbose)
 	if err != nil {
 		log.Fatal(err)
 	}
-	log.Println("Loading ", len(yaraFiles), "YARA files")
+	log.Println("[INIT] Loading ", len(yaraFiles), "YARA files")
 
 	// compile yara rules
 	rules, err := CompileRules(compiler)
 	if err != nil {
 		log.Fatal(err)
 	}
-	log.Println(len(rules.GetRules()), "YARA rules compiled")
-
-	log.Println("Scanning file in Windows temporary folders")
-
-	log.Println("Starting routine (Memory / Registry / StartMenu / Task Scheduler / Filesystem)")
+	log.Println("[INIT]", len(rules.GetRules()), "YARA rules compiled")
+	log.Println("[INFO] Start scanning Memory / Registry / StartMenu / Task Scheduler / Filesystem")
 	go MemoryAnalysisRoutine(*pDump, *pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	//go RegistryAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	//go StartMenuAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	//go TaskSchedulerAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	//go WindowsFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
-	//go UserFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
+	go RegistryAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
+	go StartMenuAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
+	go TaskSchedulerAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
+	go WindowsFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
+	go UserFileSystemAnalysisRoutine(*pQuarantine, *pKill, *pAggressive, *pNotifications, *pVerbose, rules)
 
 	for true {
 		time.Sleep(3600 * time.Second)

procsmemory.go

@@ -58,21 +58,23 @@ func MemoryAnalysisRoutine(pDump string, pQuarantine string, pKill bool, pAggres
 
 				// logging
 				for _, match := range result {
-					log.Println("[INFO]", "YARA MATCH", proc.ProcessName, "PID:", fmt.Sprint(proc.PID), match.Namespace, match.Rule)
+					log.Println("[ALERT]", "YARA MATCH", proc.ProcessName, "PID:", fmt.Sprint(proc.PID), match.Namespace, match.Rule)
 				}
 
 				// dump matching process to quarantine
 				if len(pQuarantine) > 0 {
 					log.Println("[INFO]", "DUMPING PID", proc.PID)
 					err := QuarantineProcess(proc, pQuarantine)
-					if err != nil && pVerbose {
+					if err != nil {
 						log.Println("[ERROR]", "Cannot quarantine PID", proc.PID, err)
 					}
 				}
 
 				// killing process
 				if pKill {
-					log.Println("[INFO]", "KILLING PID", proc.PID)
+					if pVerbose {
+						log.Println("[INFO]", "KILLING PID", proc.PID)
+					}
 					KillProcessByID(proc.PID, pVerbose)
 				}
 

windowslnkparser.go

@@ -13,29 +13,31 @@ import (
 // StartMenuAnalysisRoutine analyse system artefacts every 15 seconds
 func StartMenuAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for true {
-
-		lnk, errors := ListStartMenuLnkPersistence()
-		if errors != nil {
+		lnk, errors := ListStartMenuLnkPersistence(pVerbose)
+		if errors != nil && pVerbose {
 			for _, err := range errors {
 				log.Println("[ERROR]", err)
 			}
 		}
 
-		for _, p := range lnk {
-			FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules)
+		for _, l := range lnk {
+			paths := FormatPathFromComplexString(l)
+			for _, p := range paths {
+				FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "STARTMENU")
+			}
 		}
 
 		time.Sleep(15 * time.Second)
 	}
 }
 
 // ListStartMenuFolders return a []string of all available StartMenu folders
-func ListStartMenuFolders() (startMenu []string, err error) {
+func ListStartMenuFolders(verbose bool) (startMenu []string, err error) {
 	var usersDir []string
 
 	startMenu = append(startMenu, os.Getenv("SystemDrive")+`\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`)
 
-	usersDir, err = RetrivesFilesFromUserPath(os.Getenv("SystemDrive")+`\Users`, false, nil, false)
+	usersDir, err = RetrivesFilesFromUserPath(os.Getenv("SystemDrive")+`\Users`, false, nil, false, verbose)
 	if err != nil {
 		return startMenu, err
 	}
@@ -48,16 +50,16 @@ func ListStartMenuFolders() (startMenu []string, err error) {
 }
 
 // ListStartMenuLnkPersistence check for every *.lnk in Windows StartMenu folders and extract every executable path in those links
-func ListStartMenuLnkPersistence() (exePath []string, errors []error) {
+func ListStartMenuLnkPersistence(verbose bool) (exePath []string, errors []error) {
 
-	startMenuFolders, err := ListStartMenuFolders()
+	startMenuFolders, err := ListStartMenuFolders(verbose)
 	if err != nil {
-		log.Println(err)
+		errors = append(errors, err)
 	}
 
 	for _, path := range startMenuFolders {
 
-		files, err := RetrivesFilesFromUserPath(path, true, []string{".lnk"}, false)
+		files, err := RetrivesFilesFromUserPath(path, true, []string{".lnk"}, false, verbose)
 
 		if err != nil {
 			errors = append(errors, fmt.Errorf("%s - %s", path, err.Error()))

windowsregistry.go

@@ -22,14 +22,17 @@ type RegistryValue struct {
 func RegistryAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for true {
 		values, errors := EnumRegistryPeristence()
-		for _, err := range errors {
-			log.Println("[ERROR]", err)
+
+		if pVerbose {
+			for _, err := range errors {
+				log.Println("[ERROR]", err)
+			}
 		}
 
 		for _, k := range values {
 			paths := FormatPathFromComplexString(k.value)
 			for _, p := range paths {
-				FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules)
+				FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "REGISTRY")
 			}
 		}
 

windowstaskscheduler.go

@@ -31,15 +31,15 @@ type ExecAction struct {
 func TaskSchedulerAnalysisRoutine(pQuarantine string, pKill bool, pAggressive bool, pNotifications bool, pVerbose bool, rules *yara.Rules) {
 	for true {
 		tasks, err := GetTasks()
-		if err != nil {
+		if err != nil && pVerbose {
 			log.Println("[ERROR]", err)
 		}
 
 		for _, t := range tasks {
 			for _, e := range t.ActionList {
 				paths := FormatPathFromComplexString(e.Path)
 				for _, p := range paths {
-					FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules)
+					FileAnalysis(p, pQuarantine, pKill, pAggressive, pNotifications, pVerbose, rules, "TASKS")
 				}
 			}
 		}

yaraProcessing.go

@@ -5,7 +5,6 @@ import (
 	"log"
 	"os"
 	"path/filepath"
-	"strings"
 
 	"github.com/hillu/go-yara"
 )
@@ -21,37 +20,29 @@ func PerformYaraScan(data []byte, rules *yara.Rules, verbose bool) yara.MatchRul
 }
 
 // SearchForYaraFiles search *.yar file by walking recursively from specified input path
-func SearchForYaraFiles(path string) (rules []string) {
-	filepath.Walk(path, func(walk string, info os.FileInfo, err error) error {
-		if err != nil {
-			log.Println(err)
-		}
-
-		if err == nil && !info.IsDir() && info.Size() > 0 && len(filepath.Ext(walk)) > 0 && strings.ToLower(filepath.Ext(walk)) == ".yar" {
-			rules = append(rules, walk)
-		}
-
-		return nil
-	})
-
+func SearchForYaraFiles(path string, verbose bool) (rules []string) {
+	rules, err := RetrivesFilesFromUserPath(path, true, []string{".yar"}, true, verbose)
+	if err != nil && verbose {
+		log.Println(err)
+	}
 	return rules
 }
 
 // LoadYaraRules compile yara rules from specified paths and return a pointer to the yara compiler
-func LoadYaraRules(path []string) (compiler *yara.Compiler, err error) {
+func LoadYaraRules(path []string, verbose bool) (compiler *yara.Compiler, err error) {
 	compiler, err = yara.NewCompiler()
 	if err != nil {
 		return nil, errors.New("Failed to initialize YARA compiler")
 	}
 
 	for _, dir := range path {
 		f, err := os.Open(dir)
-		if err != nil {
+		if err != nil && verbose {
 			log.Println("[ERROR]", "Could not open rule file ", dir, err)
 		}
 
 		namespace := filepath.Base(dir)[:len(filepath.Base(dir))-4]
-		if err = compiler.AddFile(f, namespace); err != nil {
+		if err = compiler.AddFile(f, namespace); err != nil && verbose {
 			log.Println("[ERROR]", "Could not load rule file ", dir, err)
 		}
 		f.Close()