A Linux Host-based Intrusion Detection System based on eBPF.

Overview

eHIDS 介绍

eBPF内核技术实现的HIDS demo.

功能实现:

  1. TCP网络数据捕获
  2. UDP网络数据捕获
  3. uprobe方式的DNS信息捕获
  4. 进程数据捕获
  5. uprobe方式实现JAVA的RASP命令执行场景事件捕获
  6. eBPF的go框架实现,针对kprobe\uprobe挂载方式,多类型event进行抽象实现。
  7. 开发者只需要实现内核态C文件,用户态go文件,用户态event消息结构体三个文件即可,框架会自动加载执行。
  8. 使用者可以按照logger的interface自行实现数据的上报处理,比如上报到ES\kafka等日志中心。

原理

参考ebpf官网的介绍

  1. 内核态用C写eBPF代码,llvm编译为eBPF字节码。
  2. 用户态使用golang编写,cilium/ebpf纯go类库,做eBPF字节码的内核加载,kprobe/uprobe HOOK对应函数。
  3. 用户态使用golang做事件读取、解码、处理。

说明

  1. 内核态部分为linux原生类库实现的ebpf编程代码,使用clang(llvm)进行字节码编译。
  2. 用户态部分为golang的cilium/ebpf类库编写,实现加载eBPF字节码到内核,挂载到hook点,事件读取等功能。
  3. 本项目分别用kprobe、uprobe实现了TCP、UDP的网络事件捕获。

开发环境

  • UBUNTU 21.04 server
  • go version go1.17.2 linux/amd64
  • Ubuntu clang version 12.0.0-3ubuntu1~21.04.2
  • openjdk version "1.8.0_292"

环境安装步骤

参见CFC4N的eBPF开发环境

  • sudo apt-get install -y make gcc libssl-dev bc libelf-dev libcap-dev clang gcc-multilib llvm libncurses5-dev git pkg-config libmnl-dev bison flex graphviz
  • sudo apt-get install -y make gcc clang llvm git pkg-config dpkg-dev gcc-multilib
  • cd ~/download/
  • sudo apt update
  • sudo apt-get source linux-image-$(uname -r)
  • sudo apt-get source linux-image-unsigned-$(uname -r)
  • sudo apt install libbfd-dev libcap-dev zlib1g-dev libelf-dev libssl-dev

编译运行

编译

git clone https://github.com/cfc4n/ehids.git
cd ehids
make
./bin/ehids

运行

再开一个shell,执行网络命令,触发网络行为

wget www.cnxct.com

或者编译运行java的命令执行例子,来测试java RASP的功能。 uprobe挂载了libjava.so的 JDK_execvpe函数,对应偏移地址offset为0x19C30,其他版本请自行定位偏移地址。

cd examples
javac Main.java
java Main

JAVA JDK版本信息如下

~$java -version

openjdk version "1.8.0_292"

OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1-b10)

OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)

结果

[email protected]:/home/cfc4n/project/ehids# ./bin/ehids
2021/12/01 19:27:08 start to run EBPFProbeUJavaRASP probe
2021/12/01 19:27:08 start to run EBPFProbeKTCP probe
2021/12/01 19:27:08 start to run EBPFProbeKTCPSec probe
2021/12/01 19:27:08 start to run EBPFProbeKUDP probe
2021/12/01 19:27:08 start to run EBPFProbeUDNS probe
2021/12/01 19:27:08 probeName:EBPFProbeKTCPSec, probeTpye:kprobe, start time:07:23:49, PID:864, UID:101, AF:2, TASK:5systemd-resolv
2021/12/01 19:27:08 probeName:EBPFProbeKUDP, probeTpye:kprobe, PID:0, comm:systemd-resolve, qname:57.22.91.101.in-addr.arpa, qclass:1, qtype:12.
2021/12/01 19:27:09 probeName:EBPFProbeKTCP, probeTpye:kprobe, start time:19:31:19, family:AF_INET, PID:409744, command:curl, UID:0, rx:67408, tx:79, dest:118.31.44.218:20480, source:172.16.71.4, type:OUT, result:True
2021/12/01 19:27:10 probeName:EBPFProbeUJavaRASP, probeTpye:uprobe, JAVA RASP exec and fork. PID:409049, command:ifconfig, mode:MODE_VFORK

参考

团队招聘

该仓库非美团在用HIDS版本,为精简后demo,若需要查看详细全部源码,请点击:https://www.cnxct.com/jobs/

Issues
  • Linux ubuntu 5.13.0-39-generic 运行报错不支持 ringbuf_proc

    Linux ubuntu 5.13.0-39-generic 运行报错不支持 ringbuf_proc

    报错: couldn't init manager: error:program kretprobe_copy_process: CO-RE relocations: relocate unnamed or anonymous type struct#170[""]: not supported , couldn't load eBPF programs, cs:&{map[ringbuf_proc:RingBuf(keySize=0, valueSize=0, maxEntries=16777216, flags=0)] map[kretprobe_copy_process:0xc0001c00a0] LittleEndian}

    内核版本: Linux ubuntu 5.13.0-39-generic #44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

    opened by xhylgogo 7
  • 运行时报错

    运行时报错

    2022/03/25 14:21:54 https://github.com/ehids/ehids-agent 2022/03/25 14:21:54 process pid: 212631 2022/03/25 14:21:54 start to run EBPFProbeProc module 2022/03/25 14:21:54 start to run EBPFProbeUDNS module 2022/03/25 14:21:54 start to run EBPFProbeUJavaRASP module 2022/03/25 14:21:54 start to run EBPFProbeBPFCall module 2022/03/25 14:21:54 start to run EBPFProbeKTCP module 2022/03/25 14:21:54 start to run EBPFProbeKTCPSec module 2022/03/25 14:21:54 start to run EBPFProbeKUDP module 2022/03/25 14:21:54 couldn't init manager: error:map ringbuf_proc: map create without BTF: invalid argument , couldn't load eBPF programs, cs:&{map[ringbuf_proc:RingBuf(keySize=0, valueSize=0, maxEntries=16777216, flags=0)] map[kretprobe_copy_process:0xc000165220] LittleEndian}

    Linux VM-16-8-ubuntu 5.4.0-96-generic #109-Ubuntu SMP Wed Jan 12 16:49:16 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux [email protected]:/home/tools/ehids-agent# cat /etc/issue Ubuntu 20.04 LTS \n \l

    bug 
    opened by fwxiong 1
Releases(v0.1.0)
Owner
CFC4N
醉后不知天在水,满船清梦压星河。
CFC4N
Linux Application Level Firewall based on eBPF and NFQUEUE.

eBPFSnitch eBPFSnitch is a Linux Application Level Firewall based on eBPF and NFQUEUE. It is inspired by OpenSnitch, and Douane, but utilizing modern

Harpo Roeder 641 Jun 17, 2022
pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities.

pwru (packet, where are you?) pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allo

Cilium 788 Jun 28, 2022
eBPF-based EDR for Linux

ebpf-edr A proof-of-concept eBPF-based EDR for Linux Seems to be working fine with the 20 basic rules implemented. Logs the alerts to stdout at the mo

null 16 May 6, 2022
Source-code based coverage for eBPF programs actually running in the Linux kernel

bpfcov Source-code based coverage for eBPF programs actually running in the Linux kernel This project provides 2 main components: libBPFCov.so - an ou

elastic 109 May 24, 2022
bpflock - eBPF driven security for locking and auditing Linux machines

bpflock - Lock Linux machines bpflock - eBPF driven security for locking and auditing Linux machines. This is a Work In Progress: bpflock is currently

The Linux lock machine projects 64 Jun 7, 2022
Parca-agent - eBPF based always-on profiler auto-discovering targets in Kubernetes and systemd, zero code changes or restarts needed!

Parca Agent Parca Agent is an always-on sampling profiler that uses eBPF to capture raw profiling data with very low overhead. It observes user-space

Parca 155 Jun 30, 2022
Linux Terminal Service Manager (LTSM) is a set of service programs that allows remote computers to connect to a Linux operating system computer using a remote terminal session (over VNC or RDP)

Linux Terminal Service Manager (LTSM) is a set of service programs that allows remote computers to connect to a Linux operating system computer using a remote terminal session (over VNC)

null 14 Jan 5, 2022
libsinsp, libscap, the kernel module driver, and the eBPF driver sources

falcosecurity/libs As per the OSS Libraries Contribution Plan, this repository has been chosen to be the new home for libsinsp, libscap, the kernel mo

Falco 97 Jun 22, 2022
eBPF bytecode assembler and compiler

An eBPF bytecode assembler and compiler that * Assembles the bytecode to object code. * Compiles the bytecode to C macro preprocessors. Symbolic

Emil Masoumi 6 Jan 23, 2022
Example how to run eBPF probes without a usermode process using fentry

Pinning eBPF Probes Simple example to demonstrate how to pin kernel function and syscall probes. Overview From my reading of the kernel code, KProbe a

pat_h/to/file 3 Jun 7, 2021
A Rust crate that simplifies the integration of Rust and eBPF programs written in C.

This crate simplifies the compilation of eBPF programs written in C integrating clang with Rust and the cargo build system with functions that can be

Simone Margaritelli 19 Mar 16, 2022
eBPF implementation that runs on top of Windows

eBPF for Windows eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such

Microsoft 1.4k Jun 27, 2022
ebpfkit-monitor is a tool that detects and protects against eBPF powered rootkits

ebpfkit-monitor ebpfkit-monitor is an utility that you can use to statically analyse eBPF bytecode or monitor suspicious eBPF activity at runtime. It

Guillaume Fournier 57 Jun 27, 2022
A very basic eBPF Load Balancer in a few lines of C

An eBPF Load Balancer from scratch As seen at eBPF Summit 2021. This is not production ready :-) This uses libbpf as a git submodule. If you clone thi

Liz Rice 136 Jun 16, 2022
skbtracer on ebpf

skbtracer skbtracer 基于 ebpf 技术的 skb 网络包路径追踪利器, 实现代码基于 BCC (required Linux Kernel 4.15+) 使用样例 skbtracer.py # trace

DavadDi 45 Jun 18, 2022
some experiments with ebpf

Learning eBPF and some kernel tracing, probe DNS + TCP connection with portable bpf prog. DevEnv Ubuntu 20.04 Install go Install make, clang, llvm Ins

null 9 Jun 19, 2022
Small utility that leverages eBPF to dump the traffic of a unix domain socket

UnixDump UnixDump is a small eBPF powered utility that can be used to dump unix socket traffic. System requirements This project was developed on a Ub

Guillaume Fournier 5 Dec 1, 2021
Tool for Preventing Data Exfiltration with eBPF

bouheki: Tool for Preventing Data Exfiltration with eBPF bouheki is a KSRI implementation using LSM Hook by eBPF. Flexibility to apply restricted netw

mrtc0 44 Jun 13, 2022
The Beginner's Guide to eBPF Programming for Networking

The Beginner's Guide to eBPF Programming for Networking As seen at Cloud Native eBPF Day 2021. Setup Create a container that we can issue curl request

Liz Rice 66 Jun 21, 2022