• Stars
    star
    278
  • Rank 148,454 (Top 3 %)
  • Language
    C
  • License
    Apache License 2.0
  • Created about 4 years ago
  • Updated 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Hades is a Host-Based Intrusion Detection System based on eBPF(mainly)

Hades - eBPF based HIDS

English | 中文

Hades is a Host-based Intrusion Detection System based on eBPF and netlink(cn_proc). Now it's still under development. PRs and issues are welcome!

Declaration: This project is based on Tracee and Elkeid. Thanks for these awesome open-source projects.

Overview

This is a demo backend for now, still under dev

Architecture

Agent part is mainly based on Elkeid version 1.7.

Agent Part

data

Data Analysis

data

Plugins

Capability


eBPF Driver

Here are 21 hooks over tracepoints/kprobes/uprobes. The fields are extended just like Elkeid(basically).

For details of these hooks.

eBPF driver hook details

Hook Status & Description ID
tracepoint/syscalls/sys_enter_execve ON 700
tracepoint/syscalls/sys_enter_execveat ON 698
tracepoint/syscalls/sys_enter_memfd_create ON 614
tracepoint/syscalls/sys_enter_prctl ON(PR_SET_NAME & PR_SET_MM) 1020
tracepoint/syscalls/sys_enter_ptrace ON(PTRACE_PEEKTEXT & PTRACE_POKEDATA) 1021
kprobe/security_socket_connect ON 1022
kprobe/security_socket_bind ON 1024
kprobe/commit_creds ON 1011
k(ret)probe/udp_recvmsg ON(53/5353 for dns data) 1025
kprobe/do_init_module ON 1026
kprobe/security_kernel_read_file ON 1027
kprobe/security_inode_create ON 1028
kprobe/security_sb_mount ON 1029
kprobe/call_usermodehelper ON 1030
kprobe/security_inode_rename ON 1031
kprobe/security_inode_link ON 1032
uprobe/trigger_sct_scan ON 1200
uprobe/trigger_idt_scan ON 1201
kprobe/security_file_permission ON 1202
uprobe/trigger_module_scan ON 1203
kprobe/security_bpf ON 1204


Collector

S stands for sync(real-time), P stands for periodicity, C stands for configuration-based

collector event details

Event Type ID
processes P 1001
crontab P 2001
sshdconfig P 3002
ssh login S 3003
user P 3004
sshconfig P 3005
yum P 3006
host detect C 3007
apps P 3008
kmod P 3009
disk P 3010
systemd P 3011
interface P 3012
iptable P 3013
bpf_program P 3014
jar P 3015
dpkg P 3016
rpm P 3017
container P 3018
socket P 5001


NCP

Netlink CN_PROC


Contact

Input Hades to get the QR code

404Starlink

Hades has joined 404Starlink