jxb5151
commented
8 years ago I really like this idea! Thank you.
@mpurzynski if my understanding is correct, you could just invoke on your sensor with something like the following...
fsf_client.py --delete --source mysensor --suppress-report --archive all-on-alert --watchdir /data/submissions
I did a bit of testing and noticed that certain arguments the client is given are not passed on line 160:
fsf = FSFClient(event.src_path, event.src_path, "", "", "none", "", "", file)Could you modify the submission so that those arguments are always taken into account when the client is invoked in this manner? Basically how it is done on line 236 of the submission. event.src_path should just reflect the filename as well.
Once we work through that, @akniffe1 @drnr53 @compsecmonkey it would be a good idea I think to test on the instance there to ensure watchdog can keep up. I think it can, just want to be safe :)
It would also be really cool if we could add some code that checks to see if the daemon is running and kick back if it already is. This would enable people to just set this up as a cronjob with their desired parameters. That can be a feature request for later as well.
mpurzynski
Processes all files that land in a directory. Isolates FSF from things like Bro - it is not longer necessary to run fsf client directly from Bro, so when fsf deadlocks the NSM process is not impacted. Makes it possible to run with Suricata, which can (only) write to directory. Is (possibly) compatible with other DFIR software out there.
Powered by python-watchdog module, so should be portable.