Hamato-Yoshi

Hamato-Yoshi is a malware detection system for linux.
It runs as a daemon process and monitors /proc for suspicious activity.

Installation

Clone the repository from Bitbucket:

$ git clone https://mrs-magenta:7990/scm/turtles/hamato-yoshi.git

$ virtualenv -p /usr/bin/python3 venv

Activate the virtual environment with:

$ source venv/bin/activate
(venv)$

Install requirements.txt using pip:

(venv)$ pip install -r requirements.txt

(venv)$ python main.py

Hamato-Yoshi continuously takes snapshots of files in /proc/* and analyzes their changes.
When it detects a snapshot has changed, Hamato-Yoshi follows a set of rules defined in rules.csv and proc_rules.
Each rule defines actions to perform if the detected changes meet certain conditions.
In order to analyze these changes, Hamato-Yoshi is equipped with tailor-made parsers for each of the (currently partial list of) files in /proc/*.
These parsers yield a comparable structured data (usually a dict) from the contents of the file they parse.

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
conditions		conditions
demo		demo
parsers		parsers
README.md		README.md
actions.py		actions.py
dashboard.py		dashboard.py
hamato_yoshi_types.py		hamato_yoshi_types.py
main.py		main.py
proc_rules - Copy.csv		proc_rules - Copy.csv
proc_rules.csv		proc_rules.csv
requirements.txt		requirements.txt
rules.csv		rules.csv
rules.py		rules.py
rules.yaml		rules.yaml
rules_demo.yaml		rules_demo.yaml
rules_new.yaml		rules_new.yaml
rules_test.yaml		rules_test.yaml
snapshot.py		snapshot.py
snapshot_data.py		snapshot_data.py
temp.py		temp.py
test.py		test.py
utils.py		utils.py