File        Date        Author   Commit
src         2011-01-20  l4m3rx   [r1] Malmon first alpha release
LICENSE     2011-01-20  l4m3rx   [r1] Malmon first alpha release
README      2011-01-20  l4m3rx   [r1] Malmon first alpha release
install.sh  2011-01-20  l4m3rx   [r1] Malmon first alpha release

Read Me

		malmon - MALware MONitor

------
About:
------
malmon is a small piece of software which is very useful
for web hosting servers (and not only).
It uses inotify (pyinotify) to monitor file system activity
and checks every new / moved / modified file (there's a file
size limit, so we can check only files smaller than X size).
Currently there are two types of checks:
    1). md5 sum check.
	We have a db of md5 sums of some known
	malware/exploits/backdoors and stuff like that
	and we compare them to the md5 sum of the new/
	modified file.
    2). hex signature check.
	We check the file content and match it
	against another db of known hex signatures.

    N.B.) Currently all definitions we are getting are
	  from the LMD project (http://rfxn.com).
	  This project is based on their ideas and way
	  of detection.


---------
Features:
---------
    1). Realtime file system monitoring.
    2). md5 sum checks.
    3). hex signature based checks.
    4). exclude files (exclude list).
    5). auto definition update at start.
    6). Check only files smaller than some
	size (size limit is set in the config).
    7). Shitlist added. A list of forbidden filenames.
	This will move all files with a name found in
	the shitlist, without doing any checks.

---------------
What's to come:
---------------
    1). Add MIME type check.
    2). Add spam-filter like checks.
	    We will analyze the file, and match
	    any strings that are often found in
	    malware/backdoors/exploits.
	    Every string will have a factor, and
	    after the analysis is done, we check
	    what factor the file has got, and if
	    it's bigger than allowed we'll add a
	    warning to the log/stdout (depending
	    on what mode the daemon is running in).
    3). Separate the md5sums and hex sig. files
	    from the rfxn project and make our own.
    4). Add walk option, so the daemon can walk
	    the folders and check files older
	    than X something (days/hours and so on).
    5). Add support to monitor multiple directories
	    at the same time.
    6). Add multiple analyzing threads for servers
	    with more file activity.
    7). Add warn/paranoid mode option.
	    In paranoid mode (default) we move all
	    infections to the quarantine dir.
	    In warn mode, we will only print them
	    in the log/stdout, without moving them.
    8). Make definitions update while running, not
	    only at start.



-------
Layout:
-------
/usr/local/sbin/malmon       - The daemon
/etc/malmon                  - Configuration dir
/etc/malmon/malmon.conf      - Config file
/etc/malmon/black.list       - Blacklist file (supports reg expr)
/etc/malmon/exclude.list     - Exclude list (supports reg expr)
/var/cache/malmon            - The daemon cache directory
/var/cache/malmon/infections - Where to move all infected files.


-----
Deps:
-----
malmon depends only on 2 things.
1). inotify kernel support (CONFIG_INOTIFY_USER=y)
2). pyinotify module (http://pyinotify.sourceforge.net/)

If you have them both, you're good to go :]




......... i'm 2 lazy to finish the README now .... more - later.