ChriskaliX Hades

Hades is a Host-Based Intrusion Detection System based (mainly) on eBPF.

Project README

Hades - eBPF based HIDS


Hades is a Host-based Intrusion Detection System based on eBPF and netlink (cn_proc). It is still under development. PRs and issues are welcome!

Declaration: This project is based on Tracee and Elkeid. Thanks to these awesome open-source projects.


This is a demo backend for now and is still under development.


Agent part is mainly based on Elkeid version 1.7.

Agent Part


Data Analysis





There are 21 hooks over tracepoints/kprobes/uprobes. The fields are extended just like Elkeid (basically).

For details of these hooks, see the eBPF driver hook details.

| Hook | Status & Description | ID |
|---|---|---|
| tracepoint/syscalls/sys_enter_execve | ON | 700 |
| tracepoint/syscalls/sys_enter_execveat | ON | 698 |
| tracepoint/syscalls/sys_enter_memfd_create | ON | 614 |
| tracepoint/syscalls/sys_enter_prctl | ON (PR_SET_NAME & PR_SET_MM) | 1020 |
| tracepoint/syscalls/sys_enter_ptrace | ON (PTRACE_PEEKTEXT & PTRACE_POKEDATA) | 1021 |
| kprobe/security_socket_connect | ON | 1022 |
| kprobe/security_socket_bind | ON | 1024 |
| kprobe/commit_creds | ON | 1011 |
| k(ret)probe/udp_recvmsg | ON (53/5353 for dns data) | 1025 |
| kprobe/do_init_module | ON | 1026 |
| kprobe/security_kernel_read_file | ON | 1027 |
| kprobe/security_inode_create | ON | 1028 |
| kprobe/security_sb_mount | ON | 1029 |
| kprobe/call_usermodehelper | ON | 1030 |
| kprobe/security_inode_rename | ON | 1031 |
| kprobe/security_inode_link | ON | 1032 |
| uprobe/trigger_sct_scan | ON | 1200 |
| uprobe/trigger_idt_scan | ON | 1201 |
| kprobe/security_file_permission | ON | 1202 |
| uprobe/trigger_module_scan | ON | 1203 |
| kprobe/security_bpf | ON | 1204 |


S stands for sync (real-time), P stands for periodic, and C stands for configuration-based.

collector event details

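| Event | Type | ID |
|---|---|---|
| processes | P | 1001 |
| crontab | P | 2001 |
| sshdconfig | P | 3002 |
| ssh login | S | 3003 |
| user | P | 3004 |
| sshconfig | P | 3005 |
| yum | P | 3006 |
| host detect | C | 3007 |
| apps | P | 3008 |
| kmod | P | 3009 |
| disk | P | 3010 |
| systemd | P | 3011 |
| interface | P | 3012 |
| iptable | P | 3013 |
| bpf_program | P | 3014 |
| jar | P | 3015 |
| dpkg | P | 3016 |
| rpm | P | 3017 |
| container | P | 3018 |
| socket | P | 5001 |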


Netlink CN_PROC


Input Hades to get the QR code

Hades has joined 404Starlink

Open Source Agenda is not affiliated with "ChriskaliX Hades" Project. README Source: chriskaliX/Hades