A Linux Host-based Intrusion Detection System based on eBPF.
HIDS demo implemented with eBPF kernel technology.
Warning: this is just an eBPF-based demo; please use Tetragon / Tracee / Falco instead.
Implementations & Functionalities:
Reference: eBPF Official Website
The author is analyzing, at source-code level, the runtime security protection products built on cloud-native eBPF technology such as Cilium, Datadog, Tracee, Falco and KubeArmor. Once the analysis is complete, the design, ideas and functions of this product will be shared.
Current progress & Changes
See also: CFC4N's eBPF development environment
git clone https://github.com/ehids/ehids-agent.git
cd ehids-agent
make
./bin/ehids-agent
Open another shell and run a network command to trigger network activity, e.g.:
wget www.cnxct.com
Alternatively, compile and run the Java command-execution example to test the Java RASP function. The uprobe is attached to the JDK_execvpe function in libjava.so at file offset 0x19C30, which is valid for the JDK version listed below. For other versions, locate the offset yourself.
cd examples
javac Main.java
java Main
Java JDK version information:
~$java -version
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)
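The offset quoted above holds only for that build; for another libjava.so it can be read from the ELF symbol table instead of being located by hand. The Go program below is an added example written for this README and is not part of ehids-agent: using only the standard library, it resolves a function symbol such as JDK_execvpe to the file offset a uprobe attaches at, and fails with an error rather than a bogus offset when the symbol is absent from both .symtab and .dynsym (a stripped build, or a symbol the JDK build does not export). The libjava.so path in the usage comment is a placeholder.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// fileOffset maps a symbol's virtual address onto its file offset via the PT_LOAD
// segment containing it; uprobes on a shared object are addressed by file offset.
func fileOffset(addr uint64, progs []*elf.Prog) (uint64, error) {
	for _, p := range progs {
		if p.Type == elf.PT_LOAD && addr >= p.Vaddr && addr < p.Vaddr+p.Memsz {
			return addr - p.Vaddr + p.Off, nil
		}
	}
	return 0, fmt.Errorf("address 0x%x is not inside any PT_LOAD segment", addr)
}

// uprobeOffset returns the uprobe file offset of a function in an ELF shared object.
func uprobeOffset(path, symbol string) (uint64, error) {
	f, err := elf.Open(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	// .symtab first, then .dynsym; a stripped library whose symbol is not
	// exported has neither entry and yields an error rather than a wrong offset.
	syms, _ := f.Symbols()
	dyn, _ := f.DynamicSymbols()
	for _, s := range append(syms, dyn...) {
		if s.Name == symbol && elf.ST_TYPE(s.Info) == elf.STT_FUNC && s.Value != 0 {
			return fileOffset(s.Value, f.Progs)
		}
	}
	return 0, fmt.Errorf("function %q not found in .symtab or .dynsym of %s", symbol, path)
}

// Usage: go run . /path/to/libjava.so JDK_execvpe   (the path is a placeholder)
func main() {
	off, err := uprobeOffset(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%s: uprobe file offset 0x%X\n", os.Args[2], off)
}
```

The printed value is what a uprobe on that library needs; if the symbol is missing from both tables, recover it from the JDK's debug symbols rather than guessing.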
root@vmubuntu:/home/cfc4n/project/ehids# ./bin/ehids
2021/12/01 19:27:08 start to run EBPFProbeUJavaRASP probe
2021/12/01 19:27:08 start to run EBPFProbeKTCP probe
2021/12/01 19:27:08 start to run EBPFProbeKTCPSec probe
2021/12/01 19:27:08 start to run EBPFProbeKUDP probe
2021/12/01 19:27:08 start to run EBPFProbeUDNS probe
2021/12/01 19:27:08 probeName:EBPFProbeKTCPSec, probeTpye:kprobe, start time:07:23:49, PID:864, UID:101, AF:2, TASK:5systemd-resolv
2021/12/01 19:27:08 probeName:EBPFProbeKUDP, probeTpye:kprobe, PID:0, comm:systemd-resolve, qname:57.22.91.101.in-addr.arpa, qclass:1, qtype:12.
2021/12/01 19:27:09 probeName:EBPFProbeKTCP, probeTpye:kprobe, start time:19:31:19, family:AF_INET, PID:409744, command:curl, UID:0, rx:67408, tx:79, dest:118.31.44.218:20480, source:172.16.71.4, type:OUT, result:True
2021/12/01 19:27:10 probeName:EBPFProbeUJavaRASP, probeTpye:uprobe, JAVA RASP exec and fork. PID:409049, command:ifconfig, mode:MODE_VFORK
An article on eBPF-based malicious exploitation and its detection mechanism, "Malicious utilization and detection mechanism of eBPF", has been published on the WeChat public account of the Meituan Security Emergency Response Center.
This is not an official Meituan repository; it is contributed by individual engineers.
The repository does not contain the full HIDS in use at Meituan, only a streamlined demo. If you need to see the full source code in detail, please visit: https://www.cnxct.com/jobs/