Kippo - new malware dropped alert

checkbinaries.sh

#!/bin/bash

# Author: Felipe Molina (@felmoltor)
# Date: January 2015
# Purpose: This scripts checks for new binaries captured by kippo and send an email when an attacker drops a new one

#############################

LASTLS='lastls.txt'
CURRENTLS='currentls.txt'
KIPPODLFOLDER='/home/<user>/honey/kippo/dl/'
DSTEMAIL='[email protected]'
NEWMALWAREBASENAME='droppedfiles.7z'
NEWMALWAREZIP="$(date +%s).$(hostname -f).$NEWMALWAREBASENAME"

#############################

# Cleanup previous sent malware zip file
rm *.$NEWMALWAREBASENAME 2> /dev/null

# If last "ls -l" file does not exists, create a new one
if [[ ! -f $LASTLS ]]; then
	echo "Creating $LASTLS file"
	find $KIPPODLFOLDER -maxdepth 1 -type f ! -samefile $0 ! -name $LASTLS ! -name $CURRENTLS ! -name "*.$NEWMALWAREBASENAME" -ls  > $LASTLS	
fi

# Diff with last "ls -l" done
find  $KIPPODLFOLDER -maxdepth 1 -type f ! -samefile $0 ! -name $LASTLS ! -name $CURRENTLS ! -name "*.$NEWMALWAREBASENAME" -ls > $CURRENTLS
# If there is a deleted file in the difference, the script will try to send the deleted file, so we filter also with the "<" sign
# < 49818517 1724 -rw-r--r--   1 <user> <user> 1763484 Dec 31 01:00 ./deleted.tgz
newfiles=$(diff $LASTLS $CURRENTLS | grep -vE "^< " | awk '{print $12}')

if [[ ${#newfiles} > 0 ]]; then
	# Compress with password the new file to send attached
	7z a -pmalware $NEWMALWAREZIP $newfiles > /dev/null
	# Send an email alerting of the new binary file captured
	echo "New files were captured, sending alert mail"
	echo "Captured binaries (password is 'malware'):  $newfiles" | mutt -s "New files captured in $(hostname -f)" $DSTEMAIL -a $NEWMALWAREZIP
else
	echo "No new bad guy was fooled here :-("
fi 

cat $CURRENTLS > $LASTLS
rm $CURRENTLS