A Linux Host-based Intrusion Detection System based on eBPF.

Overview

eHIDS 介绍

eBPF内核技术实现的HIDS demo.

功能实现:

  1. TCP网络数据捕获
  2. UDP网络数据捕获
  3. uprobe方式的DNS信息捕获
  4. 进程数据捕获
  5. uprobe方式实现JAVA的RASP命令执行场景事件捕获
  6. eBPF的go框架实现,针对kprobe\uprobe挂载方式,多类型event进行抽象实现。
  7. 开发者只需要实现内核态C文件,用户态go文件,用户态event消息结构体三个文件即可,框架会自动加载执行。
  8. 使用者可以按照logger的interface自行实现数据的上报处理,比如上报到ES\kafka等日志中心。

原理

参考ebpf官网的介绍

  1. 内核态用C写eBPF代码,llvm编译为eBPF字节码。
  2. 用户态使用golang编写,cilium/ebpf纯go类库,做eBPF字节码的内核加载,kprobe/uprobe HOOK对应函数。
  3. 用户态使用golang做事件读取、解码、处理。

说明

  1. 内核态部分为linux原生类库实现的ebpf编程代码,使用clang(llvm)进行字节码编译。
  2. 用户态部分为golang的cilium/ebpf类库编写,实现加载eBPF字节码到内核,挂载到hook点,事件读取等功能。
  3. 本项目分别用kprobe、uprobe实现了TCP、UDP的网络事件捕获。

开发环境

  • UBUNTU 21.04 server
  • go version go1.17.2 linux/amd64
  • Ubuntu clang version 12.0.0-3ubuntu1~21.04.2
  • openjdk version "1.8.0_292"

环境安装步骤

参见CFC4N的eBPF开发环境

  • sudo apt-get install -y make gcc libssl-dev bc libelf-dev libcap-dev clang gcc-multilib llvm libncurses5-dev git pkg-config libmnl-dev bison flex graphviz
  • sudo apt-get install -y make gcc clang llvm git pkg-config dpkg-dev gcc-multilib
  • cd ~/download/
  • sudo apt update
  • sudo apt-get source linux-image-$(uname -r)
  • sudo apt-get source linux-image-unsigned-$(uname -r)
  • sudo apt install libbfd-dev libcap-dev zlib1g-dev libelf-dev libssl-dev

编译运行

编译

git clone https://github.com/cfc4n/ehids.git
cd ehids
make
./bin/ehids

运行

再开一个shell,执行网络命令,触发网络行为

wget www.cnxct.com

或者编译运行java的命令执行例子,来测试java RASP的功能。 uprobe挂载了libjava.so的 JDK_execvpe函数,对应偏移地址offset为0x19C30,其他版本请自行定位偏移地址。

cd examples
javac Main.java
java Main

JAVA JDK版本信息如下

~$java -version

openjdk version "1.8.0_292"

OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1-b10)

OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)

结果

[email protected]:/home/cfc4n/project/ehids# ./bin/ehids
2021/12/01 19:27:08 start to run EBPFProbeUJavaRASP probe
2021/12/01 19:27:08 start to run EBPFProbeKTCP probe
2021/12/01 19:27:08 start to run EBPFProbeKTCPSec probe
2021/12/01 19:27:08 start to run EBPFProbeKUDP probe
2021/12/01 19:27:08 start to run EBPFProbeUDNS probe
2021/12/01 19:27:08 probeName:EBPFProbeKTCPSec, probeTpye:kprobe, start time:07:23:49, PID:864, UID:101, AF:2, TASK:5systemd-resolv
2021/12/01 19:27:08 probeName:EBPFProbeKUDP, probeTpye:kprobe, PID:0, comm:systemd-resolve, qname:57.22.91.101.in-addr.arpa, qclass:1, qtype:12.
2021/12/01 19:27:09 probeName:EBPFProbeKTCP, probeTpye:kprobe, start time:19:31:19, family:AF_INET, PID:409744, command:curl, UID:0, rx:67408, tx:79, dest:118.31.44.218:20480, source:172.16.71.4, type:OUT, result:True
2021/12/01 19:27:10 probeName:EBPFProbeUJavaRASP, probeTpye:uprobe, JAVA RASP exec and fork. PID:409049, command:ifconfig, mode:MODE_VFORK

参考

团队招聘

该仓库非美团在用HIDS版本,为精简后demo,若需要查看详细全部源码,请点击:https://www.cnxct.com/jobs/

You might also like...
A Rust crate that simplifies the integration of Rust and eBPF programs written in C.

This crate simplifies the compilation of eBPF programs written in C integrating clang with Rust and the cargo build system with functions that can be

eBPF implementation that runs on top of Windows
eBPF implementation that runs on top of Windows

eBPF for Windows eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such

ebpfkit-monitor is a tool that detects and protects against eBPF powered rootkits

ebpfkit-monitor ebpfkit-monitor is an utility that you can use to statically analyse eBPF bytecode or monitor suspicious eBPF activity at runtime. It

A very basic eBPF Load Balancer in a few lines of C

An eBPF Load Balancer from scratch As seen at eBPF Summit 2021. This is not production ready :-) This uses libbpf as a git submodule. If you clone thi

skbtracer on ebpf

skbtracer skbtracer 基于 ebpf 技术的 skb 网络包路径追踪利器, 实现代码基于 BCC (required Linux Kernel 4.15+) 使用样例 skbtracer.py # trace

some experiments with ebpf

Learning eBPF and some kernel tracing, probe DNS + TCP connection with portable bpf prog. DevEnv Ubuntu 20.04 Install go Install make, clang, llvm Ins

Small utility that leverages eBPF to dump the traffic of a unix domain socket

UnixDump UnixDump is a small eBPF powered utility that can be used to dump unix socket traffic. System requirements This project was developed on a Ub

Tool for Preventing Data Exfiltration with eBPF

bouheki: Tool for Preventing Data Exfiltration with eBPF bouheki is a KSRI implementation using LSM Hook by eBPF. Flexibility to apply restricted netw

The Beginner's Guide to eBPF Programming for Networking

The Beginner's Guide to eBPF Programming for Networking As seen at Cloud Native eBPF Day 2021. Setup Create a container that we can issue curl request

Comments
  • Linux ubuntu 5.13.0-39-generic 运行报错不支持 ringbuf_proc

    Linux ubuntu 5.13.0-39-generic 运行报错不支持 ringbuf_proc

    报错: couldn't init manager: error:program kretprobe_copy_process: CO-RE relocations: relocate unnamed or anonymous type struct#170[""]: not supported , couldn't load eBPF programs, cs:&{map[ringbuf_proc:RingBuf(keySize=0, valueSize=0, maxEntries=16777216, flags=0)] map[kretprobe_copy_process:0xc0001c00a0] LittleEndian}

    内核版本: Linux ubuntu 5.13.0-39-generic #44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

    opened by xhylgogo 7
  • 运行时报错

    运行时报错

    2022/03/25 14:21:54 https://github.com/ehids/ehids-agent 2022/03/25 14:21:54 process pid: 212631 2022/03/25 14:21:54 start to run EBPFProbeProc module 2022/03/25 14:21:54 start to run EBPFProbeUDNS module 2022/03/25 14:21:54 start to run EBPFProbeUJavaRASP module 2022/03/25 14:21:54 start to run EBPFProbeBPFCall module 2022/03/25 14:21:54 start to run EBPFProbeKTCP module 2022/03/25 14:21:54 start to run EBPFProbeKTCPSec module 2022/03/25 14:21:54 start to run EBPFProbeKUDP module 2022/03/25 14:21:54 couldn't init manager: error:map ringbuf_proc: map create without BTF: invalid argument , couldn't load eBPF programs, cs:&{map[ringbuf_proc:RingBuf(keySize=0, valueSize=0, maxEntries=16777216, flags=0)] map[kretprobe_copy_process:0xc000165220] LittleEndian}

    Linux VM-16-8-ubuntu 5.4.0-96-generic #109-Ubuntu SMP Wed Jan 12 16:49:16 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux [email protected]:/home/tools/ehids-agent# cat /etc/issue Ubuntu 20.04 LTS \n \l

    bug 
    opened by fwxiong 1
  • 程序无法在arm64架构上无法正确运行

    程序无法在arm64架构上无法正确运行

    编译好的程序在ARM 的linux系统上无法运行? 请问能分享关于这个项目的微信群吗?感谢

    system:

    orangepi-r1plus-lts:~:% uname -a Linux orangepi-r1plus-lts 5.15.76-rockchip64 #22.08.8 SMP PREEMPT Sun Oct 30 10:57:32 CET 2022 aarch64 GNU/Linux

    检查发现系统好像支持ebpf orangepi-r1plus-lts:~:% llc --version LLVM (http://llvm.org/): LLVM version 11.0.1

    Optimized build. Default target: aarch64-unknown-linux-gnu Host CPU: cortex-a53

    Registered Targets: aarch64 - AArch64 (little endian) aarch64_32 - AArch64 (little endian ILP32) aarch64_be - AArch64 (big endian) amdgcn - AMD GCN GPUs arm - ARM arm64 - ARM64 (little endian) arm64_32 - ARM64 (little endian ILP32) armeb - ARM (big endian) avr - Atmel AVR Microcontroller bpf - BPF (host endian) bpfeb - BPF (big endian) bpfel - BPF (little endian) hexagon - Hexagon ...

    error:

    报错如下: orangepi-r1plus-lts:~:% sudo ./ehids-agent
    2022/11/23 18:13:10 process pid: 6089 2022/11/23 18:13:10 start to run EBPFProbeUJavaRASP module 2022/11/23 18:13:10 start to run EBPFProbeBPFCall module 2022/11/23 18:13:10 start to run EBPFProbeKTCP module 2022/11/23 18:13:10 start to run EBPFProbeKTCPSec module 2022/11/23 18:13:10 start to run EBPFProbeKUDP module 2022/11/23 18:13:10 start to run EBPFProbeProc module 2022/11/23 18:13:10 start to run EBPFProbeUDNS module 2022/11/23 18:13:10 couldn't init manager: error:program java_JDK_execvpe: CO-RE relocations: no BTF found for kernel version 5.15.76-rockchip64: not supported , couldn't load eBPF programs, cs:&{map[jdk_execvpe_events:PerfEventArray(keySize=0, valueSize=0, maxEntries=0, flags=0)] map[java_JDK_execvpe:0x400006ac80] LittleEndian} 2022/11/23 18:13:10 couldn't init manager: error:program getaddrinfo_entry: CO-RE relocations: no BTF found for kernel version 5.15.76-rockchip64: not supported , couldn't load eBPF programs, cs:&{map[currres:Hash(keySize=4, valueSize=8, maxEntries=1024, flags=0) events:PerfEventArray(keySize=0, valueSize=0, maxEntries=0, flags=0) start:Hash(keySize=4, valueSize=84, maxEntries=1024, flags=0)] map[getaddrinfo_entry:0x4000284460 getaddrinfo_return:0x4000284500] LittleEndian} 2022/11/23 18:13:10 couldn't init manager: error:program kprobe__security_socket_connect: CO-RE relocations: no BTF found for kernel version 5.15.76-rockchip64: not supported , couldn't load eBPF programs, cs:&{map[ipv4_events:PerfEventArray(keySize=0, valueSize=0, maxEntries=0, flags=0) ipv6_events:PerfEventArray(keySize=0, valueSize=0, maxEntries=0, flags=0) other_socket_events:PerfEventArray(keySize=0, valueSize=0, maxEntries=0, flags=0)] map[kprobe__security_socket_connect:0x400006b0e0] LittleEndian} 2022/11/23 18:13:10 couldn't init manager: error:program kprobe__tcp_set_state: CO-RE relocations: no BTF found for kernel version 5.15.76-rockchip64: not supported , couldn't load eBPF programs, cs:&{map[conns:Hash(keySize=8, valueSize=40, maxEntries=10240, flags=0) events:PerfEventArray(keySize=0, valueSize=0, maxEntries=0, flags=0)] map[kprobe__tcp_set_state:0x400026a960] LittleEndian} 2022/11/23 18:13:10 couldn't init manager: error:program trace_ret_udp_recvmsg: CO-RE relocations: no BTF found for kernel version 5.15.76-rockchip64: not supported , couldn't load eBPF programs, cs:&{map[dns_data:PerCPUArray(keySize=4, valueSize=532, maxEntries=1, flags=0) dns_events:PerfEventArray(keySize=0, valueSize=0, maxEntries=0, flags=0) tbl_udp_msg_hdr:Hash(keySize=8, valueSize=8, maxEntries=10240, flags=0)] map[trace_ret_udp_recvmsg:0x400006b400 trace_udp_recvmsg:0x400006b360] LittleEndian} 2022/11/23 18:13:10 couldn't init manager: error:program tracepoint_sys_enter_bpf: CO-RE relocations: no BTF found for kernel version 5.15.76-rockchip64: not supported , couldn't load eBPF programs, cs:&{map[bpf_context:LRUHash(keySize=8, valueSize=424, maxEntries=2048, flags=0) bpf_context_gen:Array(keySize=4, valueSize=424, maxEntries=1, flags=0) bufs:PerCPUArray(keySize=4, valueSize=4096, maxEntries=3, flags=0) events:PerfEventArray(keySize=0, valueSize=0, maxEntries=4, flags=0)] map[tracepoint_sys_enter_bpf:0x40002852c0] LittleEndian} 2022/11/23 18:13:10 couldn't init manager: error:program kretprobe_copy_process: CO-RE relocations: no BTF found for kernel version 5.15.76-rockchip64: not supported , couldn't load eBPF programs, cs:&{map[ringbuf_proc:RingBuf(keySize=0, valueSize=0, maxEntries=16777216, flags=0)] map[kretprobe_copy_process:0x4000285ea0] LittleEndian}

    opened by perlh 2
  • couldn't init manager: error:program trace_ret_udp_recvmsg: load program: invalid argument: R1 type=ctx expected=fp

    couldn't init manager: error:program trace_ret_udp_recvmsg: load program: invalid argument: R1 type=ctx expected=fp

    couldn't init manager: error:program trace_ret_udp_recvmsg: load program: invalid argument: R1 type=ctx expected=fp;

    图片

    图片

    无效的参数 初始化 trace_ret_udp_recvmsg 函数的时候

    系统 ubuntu22.04 内核版本 5.15.0-50-generic

    opened by heatice 1
Releases(v0.1.0)
Owner
CFC4N
醉后不知天在水,满船清梦压星河。
CFC4N
Linux Application Level Firewall based on eBPF and NFQUEUE.

eBPFSnitch eBPFSnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by OpenSnitch, and Douane, but utilizing modern

Harpo Roeder 664 Nov 19, 2022
pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities.

pwru (packet, where are you?) pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allo

Cilium 1k Nov 26, 2022
eBPF-based EDR for Linux

ebpf-edr A proof-of-concept eBPF-based EDR for Linux Seems to be working fine with the 20 basic rules implemented. Logs the alerts to stdout at the mo

null 15 Nov 9, 2022
Source-code based coverage for eBPF programs actually running in the Linux kernel

bpfcov Source-code based coverage for eBPF programs actually running in the Linux kernel This project provides 2 main components: libBPFCov.so - an ou

elastic 113 Nov 23, 2022
bpflock - eBPF driven security for locking and auditing Linux machines

bpflock - Lock Linux machines bpflock - eBPF driven security for locking and auditing Linux machines. This is a Work In Progress: bpflock is currently

The Linux lock machine projects 113 Nov 28, 2022
Parca-agent - eBPF based always-on profiler auto-discovering targets in Kubernetes and systemd, zero code changes or restarts needed!

Parca Agent Parca Agent is an always-on sampling profiler that uses eBPF to capture raw profiling data with very low overhead. It observes user-space

Parca 239 Dec 3, 2022
Linux Terminal Service Manager (LTSM) is a set of service programs that allows remote computers to connect to a Linux operating system computer using a remote terminal session (over VNC or RDP)

Linux Terminal Service Manager (LTSM) is a set of service programs that allows remote computers to connect to a Linux operating system computer using a remote terminal session (over VNC)

null 33 Nov 28, 2022
libsinsp, libscap, the kernel module driver, and the eBPF driver sources

falcosecurity/libs As per the OSS Libraries Contribution Plan, this repository has been chosen to be the new home for libsinsp, libscap, the kernel mo

Falco 129 Nov 29, 2022
eBPF bytecode assembler and compiler

An eBPF bytecode assembler and compiler that * Assembles the bytecode to object code. * Compiles the bytecode to C macro preprocessors. Symbolic

Emil Masoumi 6 Jan 23, 2022
Example how to run eBPF probes without a usermode process using fentry

Pinning eBPF Probes Simple example to demonstrate how to pin kernel function and syscall probes. Overview From my reading of the kernel code, KProbe a

pat_h/to/file 3 Jun 7, 2021