## pyHIDS
### Presentation
[pyHIDS](https://github.com/cedricbonhomme/pyHIDS) is a
[HIDS](https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system)
(host-based intrusion detection system) for verifying the integrity of a system.
It is recommended to use Python >= 3.11.
### Features
* checks the integrity of system's files with a list of rules;
* checks the output of commands (*iptables*, ...);
* possibity to use RSA to sign to check the integrity of its database;
* alerts are written in the logs of the system;
* alerts can be sent via email to a list of users;
* alerts can be sent on IRC channels through the
[irker](https://gitlab.com/esr/irker) IRC client (which should be running as
a daemon);
* verify files with [Hashlookup](https://github.com/hashlookup),
[Pandora](https://github.com/pandora-analysis),
[MISP](https://github.com/MISP) and
[YARA](https://github.com/virustotal/yara);
* possibility to export the database in a Bloom or a Cuckoo filter.
You can define rules to specify files to be checked.
### Installation
You can use [pipx](https://pypa.github.io/pipx/).
```bash
$ pipx install pyHIDS
$ export PYHIDS_CONFIG=~/.pyHIDS/conf.cfg
```
[An example](./conf.cfg-sample) of configuration file is available.
With this file you can configure:
- the integration with Hashlookup, Pandora, MISP and YARA;
- the IRC connection for the notifications;
- the SMTP connection for the email notifications;
- the list of files to scan;
- the regular expressions to specify files to scan in a folder;
- the command's output to check.
### Usage
```bash
$ pyhids gen-keys --size 2048
Generating 2048 bits RSA keys ...
Dumping Keys
Done.
$ pyhids gen-base --sign
Generating database...
2427 files in the database.
$ pyhids run --check-signature
Verifying the integrity of the base of hashes...
Database integrity verified.
Verifying the integrity of the files...
[12/10/23 21:35:26] Error(s) : 0
[12/10/23 21:35:26] Warning(s) : 0
[12/10/23 21:35:26] HIDS finished.
```
You can skip the first step (generation of the keys) if you do not want to
sign the database with the solution provided with pyHIDS (RSA) or if you
do not want to sign the database.
Change a monitored file and relaunch the program:
```bash
$ pyhids run
Verifying the integrity of the files...
[12/10/23 14:41:51] [warning] /bin/cifsdd changed.
```
The program warns that the file has changed. When this happens, a warning is
generated in the logs of the system and an email is sent to the
administrator. If no change is detected, only the log file is updated.
Log file generated:
```bash
$ tail var/log
[09/10/23 14:41:51] [notice] /bin/cifscreds ok
[09/10/23 14:41:51] [notice] /bin/mbim-network ok
[09/10/23 14:41:51] [notice] /bin/xclip ok
[09/10/23 14:41:51] [notice] /bin/preparetips5 ok
[09/10/23 14:41:51] [notice] /bin/pamperspective ok
[12/10/23 14:41:51] [warning] /bin/cifsdd changed.
[09/10/23 14:41:51] [notice] /bin/pod2usage ok
[09/10/23 14:41:51] [notice] /bin/mkzftree ok
[09/10/23 14:41:51] Error(s) : 0
[09/10/23 14:41:51] Warning(s) : 1
[09/10/23 14:41:51] HIDS finished.
```
If you want to see the logs in ``syslog`` you have different options
depending on your system:
```bash
$ journalctl --follow
Oct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /etc/resolv.conf changed.
Oct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/mdsearch changed.
Oct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbcacls changed.
Oct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbspool changed.
Oct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbclient changed.
Oct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbcquotas changed.
Oct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbget changed.
Oct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/nmblookup changed.
Oct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/rpcclient changed.
Oct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/smbpasswd changed.
Oct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/dbwrap_tool changed.
Oct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/cifsdd changed.
Oct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/net changed.
Oct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/samba-regedit changed.
Oct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/testparm changed.
Oct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/smbtree changed.
```
```bash
$ journalctl --since="1 minute ago"
```
```bash
$ tail -f /var/log/syslog
```
### Other features
#### Checks with external tools
Check for known malicious files with Hashlookup, Pandora, MISP or YARA.
```bash
$ pyhids hashlookup
$ pyhids pandora
$ pyhids misp
$ pyhids yara
```
#### Export functions
```bash
$ pyhids export --bloom-filter
Bloom filter generated and stored: var/bloom/bloomfilter.bf
```
```bash
$ pyhids export --cuckoo-filter
Cuckoo filter generated and stored: var/cuckoo/cuckoofilter.cf
```
### Automatic execution
Use the time-based job scheduler, Cron, in order to schedule system scans.
In your shell enter the command:
```bash
$ crontab -e
```
Add the following line to check the integrity of the system every fifty
minutes:
```bash
*/50 * * * * pyhids run
```
After each system check, pyHIDS sends a report to the administrators.
In the case of an attacker who has deleted the cron line, for example.
### License
[pyHIDS](https://github.com/cedricbonhomme/pyHIDS) is under
[GPLv3](http://www.gnu.org/licenses/gpl-3.0.txt) license.
Copyright (C) 2010-2023 [Cédric Bonhomme](https://www.cedricbonhomme.org)
Raw data
{
"_id": null,
"home_page": "https://github.com/cedricbonhomme/pyHIDS",
"name": "pyHIDS",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.11,<4.0",
"maintainer_email": "",
"keywords": "hids,security,hashlookup,integrity",
"author": "C\u00e9dric Bonhomme",
"author_email": "cedric@cedricbonhomme.org",
"download_url": "https://files.pythonhosted.org/packages/5b/ed/fbbde61d87558d8ea3c59fb22e6348fa5b95764b76518926a859c4bedcec/pyhids-0.9.4.tar.gz",
"platform": null,
"description": "## pyHIDS\n\n### Presentation\n\n[pyHIDS](https://github.com/cedricbonhomme/pyHIDS) is a\n[HIDS](https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system)\n(host-based intrusion detection system) for verifying the integrity of a system.\n\nIt is recommended to use Python >= 3.11.\n\n\n### Features\n\n* checks the integrity of system's files with a list of rules;\n* checks the output of commands (*iptables*, ...);\n* possibity to use RSA to sign to check the integrity of its database;\n* alerts are written in the logs of the system;\n* alerts can be sent via email to a list of users;\n* alerts can be sent on IRC channels through the\n [irker](https://gitlab.com/esr/irker) IRC client (which should be running as\n a daemon);\n* verify files with [Hashlookup](https://github.com/hashlookup),\n [Pandora](https://github.com/pandora-analysis),\n [MISP](https://github.com/MISP) and\n [YARA](https://github.com/virustotal/yara);\n* possibility to export the database in a Bloom or a Cuckoo filter.\n\nYou can define rules to specify files to be checked.\n\n\n### Installation\n\nYou can use [pipx](https://pypa.github.io/pipx/).\n\n```bash\n$ pipx install pyHIDS\n$ export PYHIDS_CONFIG=~/.pyHIDS/conf.cfg\n```\n\n[An example](./conf.cfg-sample) of configuration file is available.\nWith this file you can configure:\n\n- the integration with Hashlookup, Pandora, MISP and YARA;\n- the IRC connection for the notifications;\n- the SMTP connection for the email notifications;\n- the list of files to scan;\n- the regular expressions to specify files to scan in a folder;\n- the command's output to check.\n\n\n### Usage\n\n```bash\n$ pyhids gen-keys --size 2048\nGenerating 2048 bits RSA keys ...\nDumping Keys\nDone.\n\n$ pyhids gen-base --sign\nGenerating database...\n2427 files in the database.\n\n$ pyhids run --check-signature\nVerifying the integrity of the base of hashes...\nDatabase integrity verified.\nVerifying the integrity of the files...\n[12/10/23 21:35:26] Error(s) : 0\n[12/10/23 21:35:26] Warning(s) : 0\n[12/10/23 21:35:26] HIDS finished.\n```\n\nYou can skip the first step (generation of the keys) if you do not want to\nsign the database with the solution provided with pyHIDS (RSA) or if you\ndo not want to sign the database.\n\nChange a monitored file and relaunch the program:\n\n```bash\n$ pyhids run\nVerifying the integrity of the files...\n[12/10/23 14:41:51] [warning] /bin/cifsdd changed.\n```\n\nThe program warns that the file has changed. When this happens, a warning is\ngenerated in the logs of the system and an email is sent to the\nadministrator. If no change is detected, only the log file is updated.\n\nLog file generated:\n\n```bash\n$ tail var/log\n[09/10/23 14:41:51] [notice] /bin/cifscreds ok\n[09/10/23 14:41:51] [notice] /bin/mbim-network ok\n[09/10/23 14:41:51] [notice] /bin/xclip ok\n[09/10/23 14:41:51] [notice] /bin/preparetips5 ok\n[09/10/23 14:41:51] [notice] /bin/pamperspective ok\n[12/10/23 14:41:51] [warning] /bin/cifsdd changed.\n[09/10/23 14:41:51] [notice] /bin/pod2usage ok\n[09/10/23 14:41:51] [notice] /bin/mkzftree ok\n[09/10/23 14:41:51] Error(s) : 0\n[09/10/23 14:41:51] Warning(s) : 1\n[09/10/23 14:41:51] HIDS finished.\n```\n\nIf you want to see the logs in ``syslog`` you have different options\ndepending on your system:\n\n```bash\n$ journalctl --follow\nOct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /etc/resolv.conf changed.\nOct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/mdsearch changed.\nOct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbcacls changed.\nOct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbspool changed.\nOct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbclient changed.\nOct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbcquotas changed.\nOct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/smbget changed.\nOct 12 22:58:47 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/nmblookup changed.\nOct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:47] [warning] /bin/rpcclient changed.\nOct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/smbpasswd changed.\nOct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/dbwrap_tool changed.\nOct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/cifsdd changed.\nOct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/net changed.\nOct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/samba-regedit changed.\nOct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/testparm changed.\nOct 12 22:58:48 debian pyhids[98135]: pyHIDS - [12/10/23 22:58:48] [warning] /bin/smbtree changed.\n```\n\n```bash\n$ journalctl --since=\"1 minute ago\"\n```\n\n```bash\n$ tail -f /var/log/syslog\n```\n\n\n### Other features\n\n#### Checks with external tools\n\nCheck for known malicious files with Hashlookup, Pandora, MISP or YARA.\n\n```bash\n$ pyhids hashlookup\n$ pyhids pandora\n$ pyhids misp\n$ pyhids yara\n```\n\n#### Export functions\n\n```bash\n$ pyhids export --bloom-filter\nBloom filter generated and stored: var/bloom/bloomfilter.bf\n```\n\n```bash\n$ pyhids export --cuckoo-filter\nCuckoo filter generated and stored: var/cuckoo/cuckoofilter.cf\n```\n\n\n### Automatic execution\n\nUse the time-based job scheduler, Cron, in order to schedule system scans.\nIn your shell enter the command:\n\n```bash\n$ crontab -e\n```\n\nAdd the following line to check the integrity of the system every fifty\nminutes:\n\n```bash\n*/50 * * * * pyhids run\n```\n\nAfter each system check, pyHIDS sends a report to the administrators.\nIn the case of an attacker who has deleted the cron line, for example.\n\n\n### License\n\n[pyHIDS](https://github.com/cedricbonhomme/pyHIDS) is under\n[GPLv3](http://www.gnu.org/licenses/gpl-3.0.txt) license.\n\nCopyright (C) 2010-2023 [C\u00e9dric Bonhomme](https://www.cedricbonhomme.org)\n",
"bugtrack_url": null,
"license": "GPL-3.0-or-later",
"summary": "A host-based intrusion detection system.",
"version": "0.9.4",
"project_urls": {
"Changes": "https://github.com/cedricbonhomme/pyHIDS/blob/master/NEWS.md",
"Homepage": "https://github.com/cedricbonhomme/pyHIDS",
"Repository": "https://github.com/cedricbonhomme/pyHIDS"
},
"split_keywords": [
"hids",
"security",
"hashlookup",
"integrity"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "b621fb491fbc89eafb7ff4cbb277bfca3aa3c09b4aef9c44ce3713d8bad26c5e",
"md5": "d22d3d09e83a752e1c9fc622cd599387",
"sha256": "cd7d737f12aec88c4ae327b53acaed0a643cf631fe31062c7803d65e108f88d0"
},
"downloads": -1,
"filename": "pyhids-0.9.4-py3-none-any.whl",
"has_sig": false,
"md5_digest": "d22d3d09e83a752e1c9fc622cd599387",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.11,<4.0",
"size": 42839,
"upload_time": "2023-10-30T07:50:33",
"upload_time_iso_8601": "2023-10-30T07:50:33.384744Z",
"url": "https://files.pythonhosted.org/packages/b6/21/fb491fbc89eafb7ff4cbb277bfca3aa3c09b4aef9c44ce3713d8bad26c5e/pyhids-0.9.4-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "5bedfbbde61d87558d8ea3c59fb22e6348fa5b95764b76518926a859c4bedcec",
"md5": "37fb7e9798bf38230b78d191f4b882e1",
"sha256": "b687bd2e0754e65219c925cb3994ca3605b634a79c55e14c37383f56959cd3a2"
},
"downloads": -1,
"filename": "pyhids-0.9.4.tar.gz",
"has_sig": false,
"md5_digest": "37fb7e9798bf38230b78d191f4b882e1",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.11,<4.0",
"size": 25968,
"upload_time": "2023-10-30T07:50:36",
"upload_time_iso_8601": "2023-10-30T07:50:36.154082Z",
"url": "https://files.pythonhosted.org/packages/5b/ed/fbbde61d87558d8ea3c59fb22e6348fa5b95764b76518926a859c4bedcec/pyhids-0.9.4.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-10-30 07:50:36",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "cedricbonhomme",
"github_project": "pyHIDS",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "pyhids"
}
JSON
