While working on a research project, I have been able to semi-successfully match outbound packets to their source application by running psutil's get_connections and matching remote addresses with a packet's IP destination in scapy (python). The object is to recognize the source app of all outbound packets and run them through a security check. Unfortunately, it seems that get_connections has an extremely high CPU usage. Running top while my scripts work reveals python taking up between 30 and 100.5 percent of CPU consistently (well, the latter only for a brief moment). Is there a better (more efficient) way to determine what app is generating packets? If not directly, is there a more efficient way to match established connections to applications?
Viewed 129 times
1

Dolphiniac

- Assuming Linux, the most efficient way would be to [intercept the system calls](http://stackoverflow.com/questions/69859/how-could-i-intercept-linux-sys-calls), although it may be overkill depending on what exactly you're trying to achieve. – Aya Apr 24 '13 at 19:21
- You can probably do this with [SELinux](http://en.wikipedia.org/wiki/Security-Enhanced_Linux) or [AppArmor](http://en.wikipedia.org/wiki/AppArmor), so you should probably take a look at those before writing your own solution. – Aya Apr 24 '13 at 19:35
- Okay. You probably ought to include any constraints like that in the original question, including the protocol by which the local system communicates with said "external switch". – Aya Apr 24 '13 at 19:59
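The question describes matching a packet's addresses against the list returned by psutil's get_connections on every packet, which re-walks the kernel's socket tables each time. The following is an added example (not code from the question, the answer, or the Hone project) showing the cheaper shape of the same lookup on Linux: parse /proc/net/tcp directly (the file psutil itself reads on Linux), map each socket inode to a pid by reading the `socket:[inode]` symlinks under /proc/<pid>/fd, and key the result by the full 4-tuple so a packet's (src, sport, dst, dport) resolves in one dict lookup. The expensive /proc walk runs only on a cache miss and no more often than a minimum interval, which is where the CPU goes. The sample /proc/net/tcp text, the inode-to-pid map and pid 4242 are constructed for the example; IPv4 only (/proc/net/tcp6 uses a different address encoding and is not handled here), and reading other users' /proc/<pid>/fd requires root.

```python
import os
import socket
import struct
import time
from typing import Callable, Dict, Optional, Tuple

FourTuple = Tuple[str, int, str, int]  # (local ip, local port, remote ip, remote port)

# Constructed sample of /proc/net/tcp (hypothetical rows, not captured from a real host):
# row 0 is a LISTEN socket on 127.0.0.1:8080, row 1 is an ESTABLISHED connection
# from 10.0.2.15:47010 to 34.216.184.93:443 owned by socket inode 67890.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B7A2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

# Constructed inode -> pid map standing in for a real /proc scan (pids are hypothetical).
SAMPLE_INODE_TO_PID = {12345: 777, 67890: 4242}

TCP_ESTABLISHED = "01"  # state code used in /proc/net/tcp


def hex_to_endpoint(field: str) -> Tuple[str, int]:
    """Decode an 'AABBCCDD:PPPP' field: IPv4 as a little-endian hex word, port as hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> Dict[FourTuple, int]:
    """Return {(laddr, lport, raddr, rport): inode} for ESTABLISHED sockets only."""
    table: Dict[FourTuple, int] = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the slot number followed by a colon ("0:"); the header does not.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        if fields[3] != TCP_ESTABLISHED:
            continue
        laddr, lport = hex_to_endpoint(fields[1])
        raddr, rport = hex_to_endpoint(fields[2])
        table[(laddr, lport, raddr, rport)] = int(fields[9])
    return table


def scan_socket_inodes() -> Dict[int, int]:
    """Walk /proc/<pid>/fd and map socket inode -> pid (Linux only; other users' pids need root)."""
    inode_to_pid: Dict[int, int] = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join("/proc", pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited or permission denied
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                inode_to_pid[int(target[len("socket:["):-1])] = int(pid)
    return inode_to_pid


class ConnectionResolver:
    """Cache of 4-tuple -> pid, rebuilt only on a miss and at most once per min_interval seconds."""

    def __init__(self, load_tcp_text: Callable[[], str],
                 load_inode_map: Callable[[], Dict[int, int]], min_interval: float = 1.0):
        self._load_tcp_text = load_tcp_text
        self._load_inode_map = load_inode_map
        self.min_interval = min_interval
        self._cache: Dict[FourTuple, Optional[int]] = {}
        self._last_refresh = float("-inf")
        self.refreshes = 0  # counter, so callers can see how often the expensive scan ran

    def refresh(self, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        conns = parse_proc_net_tcp(self._load_tcp_text())
        inodes = self._load_inode_map()
        self._cache = {key: inodes.get(ino) for key, ino in conns.items()}
        self._last_refresh = now
        self.refreshes += 1

    def resolve(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                now: Optional[float] = None) -> Optional[int]:
        """Pid owning the outbound flow, or None if no ESTABLISHED socket matches."""
        now = time.monotonic() if now is None else now
        key = (src_ip, src_port, dst_ip, dst_port)
        # A miss triggers a rescan, but never more than once per min_interval, so a flood of
        # unmatched packets (UDP, SYN-only flows) cannot pin the CPU the way a per-packet scan does.
        if key not in self._cache and now - self._last_refresh >= self.min_interval:
            self.refresh(now)
        return self._cache.get(key)


if __name__ == "__main__" and os.path.exists("/proc/net/tcp"):
    live = ConnectionResolver(lambda: open("/proc/net/tcp").read(), scan_socket_inodes)
    live.refresh()
    for key, pid in live._cache.items():
        print(key, "->", pid)
```

To use it with the scapy loop from the question, feed `resolve(pkt[IP].src, pkt[TCP].sport, pkt[IP].dst, pkt[TCP].dport)` for each outbound TCP packet; only flows whose socket is already ESTABLISHED resolve, so the first SYN of a new connection will miss and the packet should be held or re-checked after the rescan rather than treated as unattributed.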
1 Answer
2
Have a look at the Hone Project - https://github.com/HoneProject/Linux-Sensor

RyPeck

- It seems like it will. I got it installed, and everything is just what I'm looking for. Now to work on somehow reading in all the extra headers from the device it creates. :P – Dolphiniac May 08 '13 at 19:09