vesche / histstat

history for netstat
MIT License
98 stars 19 forks

New Features Available #5

Open JavaScriptDude opened 3 years ago

JavaScriptDude commented 3 years ago

Good day.

Thanks for making this library.

I have made a fork with some big enhancements. Please take a look when you get a chance.

Let me know if you would like to pull in some of these updates.

JavaScriptDude commented 3 years ago

Feel free to close this any time.

vesche commented 3 years ago

Very cool! I'm glad you're getting good use out of this tool & extending it to fit your needs.

I like some of the changes, especially adding optional geolocation to the IP addresses. I will look into adding that. Although, I probably wouldn't pull in the code to flag certain regions. This tool is mostly for simple inspection and diagnostic purposes, alerting / flagging is more in the domain of a tool like Little Snitch / opensnitch.

I also like the switch option to silence the output for use when logging. I will add that. :+1:

If I get a chance tomorrow I'll look at making some updates, if I can't cherry pick the changes directly to give you proper credit I will give you a shout-out in the README.

~vesche

P.S. In your fork you can remove fnmatch from your requirements.txt as it's part of the standard library.

protectroot-com commented 3 years ago

Hi, have either of you considered adding file hash support? Knowing /usr/bin/sshd is running is helpful, but the file hash would help people see processName match/mismatch across many servers and containers. Rare hashes could be reason to upgrade or investigate malicious files.

JavaScriptDude commented 3 years ago

I have a modified version here that writes to a SQLite DB and has filtering capabilities. You could instrument that version to record SSH process information and then write a separate program to collate the SQLite data and analyze in real time.

vesche commented 3 years ago

Just wanted to post an update here. Sorry for the delay on this, I work full time as a software engineer and have lots of other projects. v1.2.1 is live here with some of these updates: https://pypi.org/project/histstat/

@protectroot-com I added file hash support (--hash) as you recommended (md5 & sha256). It slows down the execution a bit to run a file hash on a process binary for each network connection, but it does work! Thanks for the idea.

@JavaScriptDude I added quiet mode for logging and am working on adding the optional IP geolocation. I gave you a shout out in the "Thanks" section of the README. The work you've done on your fork is really awesome. In version 1.3 (hopefully coming soon) I hope to add the IP geolocation, SQLite output option, and the interface specification.

Thanks for the patience & I'm so glad y'all are getting some use out of this little command-line tool! All the best, ~vesche
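The two ideas in this thread, hashing the binary behind each connection (the --hash feature above, with its per-connection cost) and comparing those hashes across a fleet to find rare ones, as one added example. This is not histstat's own code: it uses only the standard library, the psutil connection objects histstat reads are replaced by constructed dicts with assumed field names (laddr, raddr, pid, exe), and the fleet records are made up. The cache keyed on (path, size, mtime) is what keeps repeated connections from the same daemon from re-reading the binary each time.

```python
"""Hash the executable behind each connection once, then flag rare hashes across hosts.

Added example, not code from histstat. Stdlib only; connection and fleet data are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Cache keyed on (real path, size, mtime): a daemon with many connections is hashed once.
_HASH_CACHE = {}
CACHE_STATS = {"hits": 0, "misses": 0}


def hash_file(path, chunk_size=1 << 20):
    """Return {'md5': ..., 'sha256': ...} for the file at path, cached on (path, size, mtime)."""
    st = os.stat(path)  # raises OSError for a deleted binary or a permission problem
    key = (os.path.realpath(path), st.st_size, st.st_mtime_ns)
    cached = _HASH_CACHE.get(key)
    if cached is not None:
        CACHE_STATS["hits"] += 1
        return cached
    CACHE_STATS["misses"] += 1
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):  # stream, binaries can be large
            md5.update(chunk)
            sha256.update(chunk)
    result = {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    _HASH_CACHE[key] = result
    return result


def annotate_connections(connections):
    """Attach md5/sha256 of each connection's executable.

    connections: iterable of dicts with assumed keys laddr, raddr, pid, exe
    (standing in for what histstat gets from psutil). Unhashable exes get None.
    """
    rows = []
    for conn in connections:
        row = dict(conn)
        try:
            row.update(hash_file(conn["exe"]))
        except OSError:
            row.update({"md5": None, "sha256": None})
        rows.append(row)
    return rows


def rare_hashes(records, max_hosts=1):
    """Return (name, sha256, hosts) for hashes seen on at most max_hosts hosts
    where other hosts run the same process name with a different hash.

    records: iterable of dicts with keys host, name, sha256, one per binary per host.
    """
    hosts_by_name_hash = defaultdict(set)
    for r in records:
        hosts_by_name_hash[(r["name"], r["sha256"])].add(r["host"])
    hashes_by_name = defaultdict(set)
    for name, digest in hosts_by_name_hash:
        hashes_by_name[name].add(digest)
    flagged = [
        (name, digest, sorted(hosts))
        for (name, digest), hosts in hosts_by_name_hash.items()
        if len(hosts) <= max_hosts and len(hashes_by_name[name]) > 1
    ]
    return sorted(flagged)


# Constructed fleet sample: three hosts; web-3 runs an sshd with a different hash.
FLEET_RECORDS = [
    {"host": "web-1", "name": "sshd", "sha256": "a" * 64},
    {"host": "web-2", "name": "sshd", "sha256": "a" * 64},
    {"host": "web-3", "name": "sshd", "sha256": "f" * 64},
    {"host": "web-1", "name": "nginx", "sha256": "b" * 64},
    {"host": "web-2", "name": "nginx", "sha256": "b" * 64},
    {"host": "web-3", "name": "nginx", "sha256": "b" * 64},
    {"host": "web-3", "name": "agent", "sha256": "c" * 64},  # single host, but no conflicting hash
]


def demo_hash_roundtrip():
    """Constructed run: two fake binaries, five connections; returns (rows, cache stats)."""
    _HASH_CACHE.clear()
    CACHE_STATS.update(hits=0, misses=0)
    tmp = tempfile.mkdtemp()
    sshd, nginx = os.path.join(tmp, "sshd"), os.path.join(tmp, "nginx")
    with open(sshd, "wb") as fh:
        fh.write(b"hello world")
    with open(nginx, "wb") as fh:
        fh.write(b"not a real binary")
    conns = [
        {"laddr": "0.0.0.0:22", "raddr": "-", "pid": 101, "exe": sshd},
        {"laddr": "10.0.0.5:22", "raddr": "203.0.113.7:51234", "pid": 101, "exe": sshd},
        {"laddr": "10.0.0.5:22", "raddr": "203.0.113.9:60001", "pid": 101, "exe": sshd},
        {"laddr": "0.0.0.0:80", "raddr": "-", "pid": 202, "exe": nginx},
        {"laddr": "10.0.0.5:80", "raddr": "-", "pid": 202, "exe": os.path.join(tmp, "missing")},
    ]
    rows = annotate_connections(conns)
    shutil.rmtree(tmp, ignore_errors=True)
    return rows, dict(CACHE_STATS)


if __name__ == "__main__":
    rows, stats = demo_hash_roundtrip()
    for row in rows:
        print(row["laddr"], row["raddr"], row["pid"], row["sha256"])
    print("cache:", stats)
    print("rare:", rare_hashes(FLEET_RECORDS))
```

Two caveats when doing this for real. Hashing the path on disk is not hashing the running image: a binary replaced after the daemon started keeps serving connections from the old code while the file hashes clean, and on Linux /proc/<pid>/exe of a deleted file is not openable. And hosts on different distributions or package versions legitimately carry different sshd hashes, so group the fleet comparison by name plus version or image rather than name alone before treating a rare hash as suspicious.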

JavaScriptDude commented 3 years ago

@vesche Thanks for the note and the cool program.

protectroot-com commented 3 years ago

cheers!

JavaScriptDude commented 2 years ago

FYI - Just released a new version after I found my original filtering design wanting. I wrote a new package called WherEval (https://pypi.org/project/whereval/) which allows passing complex SQL like where clauses as CLI parameters for filtering of live data.