Hades - eBPF based HIDS
Hades is a host-based intrusion detection system (HIDS) built on eBPF and netlink (cn_proc). It is still under development; PRs and issues are welcome!
Declaration: this project is based on Tracee and Elkeid. Thanks to these awesome open-source projects.
Overview
This is a demo backend for now and is still under development.
Architecture
The agent part is mainly based on Elkeid version 1.7.
Agent Part
Data Analysis
Plugins
- eBPF Driver
- Collector
- HoneyPot (gopacket-based)
- Monitor
- Scanner
- Logger
Capability
eBPF Driver
There are 21 hooks over tracepoints/kprobes/uprobes. The fields are extended basically as in Elkeid.
Details of these hooks:
eBPF driver hook details
| Hook | Status & Description | ID |
|---|---|---|
| tracepoint/syscalls/sys_enter_execve | ON | 700 |
| tracepoint/syscalls/sys_enter_execveat | ON | 698 |
| tracepoint/syscalls/sys_enter_memfd_create | ON | 614 |
| tracepoint/syscalls/sys_enter_prctl | ON (PR_SET_NAME & PR_SET_MM) | 1020 |
| tracepoint/syscalls/sys_enter_ptrace | ON (PTRACE_PEEKTEXT & PTRACE_POKEDATA) | 1021 |
| kprobe/security_socket_connect | ON | 1022 |
| kprobe/security_socket_bind | ON | 1024 |
| kprobe/commit_creds | ON | 1011 |
| k(ret)probe/udp_recvmsg | ON (ports 53/5353 for DNS data) | 1025 |
| kprobe/do_init_module | ON | 1026 |
| kprobe/security_kernel_read_file | ON | 1027 |
| kprobe/security_inode_create | ON | 1028 |
| kprobe/security_sb_mount | ON | 1029 |
| kprobe/call_usermodehelper | ON | 1030 |
| kprobe/security_inode_rename | ON | 1031 |
| kprobe/security_inode_link | ON | 1032 |
| uprobe/trigger_sct_scan | ON | 1200 |
| uprobe/trigger_idt_scan | ON | 1201 |
| kprobe/security_file_permission | ON | 1202 |
| uprobe/trigger_module_scan | ON | 1203 |
| kprobe/security_bpf | ON | 1204 |
Collector
In the Type column, S stands for sync (real-time), P for periodic, and C for configuration-based.
collector event details
| Event | Type | ID |
|---|---|---|
| processes | P | 1001 |
| crontab | P | 2001 |
| sshdconfig | P | 3002 |
| ssh login | S | 3003 |
| user | P | 3004 |
| sshconfig | P | 3005 |
| yum | P | 3006 |
| host detect | C | 3007 |
| apps | P | 3008 |
| kmod | P | 3009 |
| disk | P | 3010 |
| systemd | P | 3011 |
| interface | P | 3012 |
| iptable | P | 3013 |
| bpf_program | P | 3014 |
| jar | P | 3015 |
| dpkg | P | 3016 |
| rpm | P | 3017 |
| container | P | 3018 |
| socket | P | 5001 |
NCP
Netlink CN_PROC
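As an added example (not code from Hades or Elkeid), here is a Go decoder for the cn_proc datagrams that a netlink process-connector plugin such as NCP receives. The struct layouts are the kernel's connector/cn_proc ABI; a little-endian host is assumed, and BuildMessage constructs sample input instead of reading from a socket.

```go
package main

import "encoding/binary"
import "errors"

// One cn_proc datagram as read from a NETLINK_CONNECTOR socket, in host byte order (little-endian
// host assumed here): nlmsghdr (16 B) | cn_msg (20 B) | proc_event (16 B header + event_data union).
const hdrLen, cnLen, cnIdxProc, cnValProc = 16, 20, 1, 1 // header sizes, CN_IDX_PROC, CN_VAL_PROC
const ProcEventFork, ProcEventExec = 0x00000001, 0x00000002   // PROC_EVENT_FORK, PROC_EVENT_EXEC

var le = binary.LittleEndian

// ProcEvent is the subset of struct proc_event a process collector keeps:
// PID/TGID name the exec'ing process (EXEC) or the child (FORK); ParentPID is set for FORK only.
type ProcEvent struct {
	What, CPU, PID, TGID, ParentPID uint32
	TimestampNs                     uint64
}

// ParseProcEvent decodes one datagram, rejecting short, foreign or unhandled messages.
func ParseProcEvent(buf []byte) (ProcEvent, error) {
	if len(buf) < hdrLen+cnLen+16 || int(le.Uint32(buf)) > len(buf) {
		return ProcEvent{}, errors.New("short or truncated netlink message")
	}
	cn := buf[hdrLen:]
	if le.Uint32(cn) != cnIdxProc || le.Uint32(cn[4:]) != cnValProc {
		return ProcEvent{}, errors.New("not a cn_proc message")
	}
	ev, d := cn[cnLen:], cn[cnLen+16:] // proc_event header, then the event_data union
	e := ProcEvent{What: le.Uint32(ev), CPU: le.Uint32(ev[4:]), TimestampNs: le.Uint64(ev[8:])}
	u := func(off int) uint32 { return le.Uint32(d[off:]) }
	switch {
	case e.What == ProcEventExec && len(d) >= 8: // exec_proc_event{process_pid, process_tgid}
		e.PID, e.TGID = u(0), u(4)
	case e.What == ProcEventFork && len(d) >= 16: // fork_proc_event{parent_pid, parent_tgid, child_pid, child_tgid}
		e.ParentPID, e.PID, e.TGID = u(0), u(8), u(12)
	default:
		return e, errors.New("unhandled proc_event type or truncated event_data")
	}
	return e, nil
}

// BuildMessage assembles a datagram carrying the given event_data words: constructed sample
// input standing in for a kernel-delivered one, so the parser can be exercised offline.
func BuildMessage(what uint32, tsNs uint64, data ...uint32) []byte {
	b := make([]byte, hdrLen+cnLen+16+4*len(data))
	le.PutUint32(b, uint32(len(b))) // nlmsg_len; nlmsg_type/flags/seq/pid left zero
	cn := b[hdrLen:]
	le.PutUint32(cn, cnIdxProc)
	le.PutUint32(cn[4:], cnValProc)
	le.PutUint16(cn[16:], uint16(16+4*len(data))) // cn_msg.len = bytes of proc_event that follow
	le.PutUint32(cn[cnLen:], what)
	le.PutUint64(cn[cnLen+8:], tsNs)
	for i, w := range data {
		le.PutUint32(cn[cnLen+16+4*i:], w)
	}
	return b
}
```

Other event types (PROC_EVENT_EXIT, UID/GID changes, COMM) use the same header and are rejected here so that a truncated or unexpected message can never be mistaken for a process event.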
Contact
Input `Hades` to get the QR code.
404Starlink
Hades has joined 404Starlink.