EBWi11 / Agentsmith Hids
Licence: gpl-2.0
By Kprobe technology Open Source Host-based Intrusion Detection System(HIDS), from E_Bwill.
Stars: ✭ 513
Programming Languages
c
50402 projects - #5 most used programming language
Projects that are alternatives of or similar to Agentsmith Hids
UNSW NB15
Feature coded UNSW_NB15 intrusion detection data.
Stars: ✭ 50 (-90.25%)
Mutual labels: intrusion-detection
Libellux-Up-and-Running
Libellux: Up & Running provides documentation on how-to install open-source software from source. The focus is Zero Trust Network to enhance the security for existing applications or install tools to detect and prevent threats.
Stars: ✭ 19 (-96.3%)
Mutual labels: intrusion-detection
Network Intrusion Detection
Network Intrusion Detection KDDCup '99', NSL-KDD and UNSW-NB15
Stars: ✭ 303 (-40.94%)
Mutual labels: intrusion-detection
kdd99-scikit
Solutions to kdd99 dataset with Decision tree and Neural network by scikit-learn
Stars: ✭ 50 (-90.25%)
Mutual labels: intrusion-detection
vagrant-ids
An Ubuntu 16.04 build containing Suricata, PulledPork, Bro, and Splunk
Stars: ✭ 21 (-95.91%)
Mutual labels: intrusion-detection
bsmtrace
BSM based intrusion detection system
Stars: ✭ 31 (-93.96%)
Mutual labels: intrusion-detection
DeepLearning-IDS
Network Intrusion Detection System using Deep Learning Techniques
Stars: ✭ 76 (-85.19%)
Mutual labels: intrusion-detection
Ossec Hids
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Stars: ✭ 3,580 (+597.86%)
Mutual labels: intrusion-detection
suspicious login
Detect and warn about suspicious IPs logging into Nextcloud
Stars: ✭ 45 (-91.23%)
Mutual labels: intrusion-detection
Psad
psad: Intrusion Detection and Log Analysis with iptables
Stars: ✭ 298 (-41.91%)
Mutual labels: intrusion-detection
NIDS-Intrusion-Detection
Simple Implementation of Network Intrusion Detection System. KddCup'99 Data set is used for this project. kdd_cup_10_percent is used for training test. correct set is used for test. PCA is used for dimension reduction. SVM and KNN supervised algorithms are the classification algorithms of project. Accuracy : %83.5 For SVM , %80 For KNN
Stars: ✭ 45 (-91.23%)
Mutual labels: intrusion-detection
Expose
An Intrusion Detection System library loosely based on PHP IDS
Stars: ✭ 255 (-50.29%)
Mutual labels: intrusion-detection
TheBriarPatch
An extremely crude, lightweight Web Frontend for Suricata/Bro to be used with BriarIDS
Stars: ✭ 21 (-95.91%)
Mutual labels: intrusion-detection
pyHIDS
A HIDS (host-based intrusion detection system) for verifying the integrity of a system.
Stars: ✭ 31 (-93.96%)
Mutual labels: intrusion-detection
Maltrail
Malicious traffic detection system
Stars: ✭ 4,296 (+737.43%)
Mutual labels: intrusion-detection
Osquery
SQL powered operating system instrumentation, monitoring, and analytics.
Stars: ✭ 18,475 (+3501.36%)
Mutual labels: intrusion-detection
Security Onion
Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
Stars: ✭ 2,956 (+476.22%)
Mutual labels: intrusion-detection
AgentSmith-HIDS
--The name of this project was inspired by the movie - The Matrix
English | 简体中文
RELEASE VERSION: https://github.com/bytedance/AgentSmith-HIDS
About AgentSmith-HIDS
Technically, AgentSmith-HIDS is not a Host-based Intrusion Detection System (HIDS) due to lack of rule engine and detection function. However, it can be used as a high performance 'Host Information Collect Agent' as part of your own HIDS solution. The comprehensiveness of information which can be collected by this agent was one of the most important metrics during developing this project, hence it was built to function in the kernel stack and achieve huge advantage comparing to those function in user stack, such as:
- Better performance, Information needed are collected in kernel stack to avoid additional supplement actions such as traversal of '/proc'; and to enhance the performance of data transportation, data collected is transferred via shared ram instead of netlink.
- Hard to be bypassed, Information collection was powered by specifically designed kernel drive, makes it almost impossible to bypass the detection for malicious software like rootkit, which can deliberately hide themselves.
- Easy to be integrated,The AgentSmith-HIDS was built to integrate with other applications and can be used not only as security tool but also a good monitoring tool, or even a good detector of your assets. The agent is capable of collecting the users, files, processes and internet connections for you, so let's imagine when you integrate it with CMDB, you could get a comprehensive map consists of your network, host, container and business (even dependencies). What if you also have a Database audit tool at hand? The map can be extended to contain the relationship between your DB, DB User, tables, fields, applications, network, host and containers etc. Thinking of the possibility of integration with network intrusion detection system and/or threat intelligence etc., higher traceability could also be achieved. It just never gets old.
- Kernel stack + User stack,AgentSmith-HIDS also provide user stack module, to further extend the functionality when working with kernel stack module.
Major abilities of AgentSmith-HIDS:
- Kernel stack module hooks execve, connect, process inject, create file, DNS query, load LKM behaviors via Kprobe,and is also capable of monitoring containers by being compatible with Linux namespace.
- User stack module utilize built in detection functions including queries of User List,Listening ports list,System RPM list,Schedule jobs
- AntiRootkit,From: Tyton ,for now add PROC_FILE_HOOK,SYSCALL_HOOK,LKM_HIDDEN,INTERRUPTS_HOOK feature,but only wark on Kernel > 3.10.
- Cred Change monitoring (sudo/su/sshd except)
- User Login monitoring
Usage scenarios/methods of AgentSmith-HIDS (to be added)
About the compatibility with Kernel version
- Kernel > 2.6.25
- AntiRootKit > 3.10
About the compatibility with Containers
| Source | Nodename |
|---|---|
| Host | hostname |
| Docker | container name |
| k8s | pod name |
Composition of AgentSmith-HIDS
- Kernel stack module (LKM) Hook key functions via Kprobe to capture information needed.
- User stack module Collect data capatured by kernel stack module, perform necessary process and send it to Kafka; Keep sending heartbeat packet to server so process integrity can be identitied; Execute commands received from server.
- Agent Server(Optional) Send commands to user stack module and monitoring the status of user stack module.
Execve Hook
Achieved by hooking sys_execve()/sys_execveat()/compat_sys_execve()/compat_sys_execveat(), example:
{
"uid":"0",
"data_type":"59",
"run_path":"/tmp",
"exe":"/opt/ltp/testcases/bin/growfiles",
"argv":"growfiles -W gf26 -D 0 -b -i 0 -L 60 -u -B 1000b -e 1 -r 128-32768:128 -R 512-64000 -T 4 -f gfsmallio-35861 -d /tmp/ltp-Ujxl8kKsKY ",
"pid":"35861",
"ppid":"35711",
"pgid":"35861",
"tgid":"35861",
"comm":"growfiles",
"nodename":"test",
"stdin":"/dev/pts/1",
"stdout":"/dev/pts/1",
"sessionid":"3",
"sip":"192.168.165.1",
"sport":"61726",
"dip":"192.168.165.128",
"dport":"22",
"sa_family":"1",
"pid_tree":"1(systemd)->1384(sshd)->2175(sshd)->2177(bash)->2193(fish)->35552(runltp)->35711(ltp-pan)->35861(growfiles)",
"tty_name":"pts1",
"socket_process_pid":"2175",
"socket_process_exe":"/usr/sbin/sshd",
"SSH_CONNECTION":"192.168.165.1 61726 192.168.165.128 22",
"LD_PRELOAD":"/root/ldpreload/test.so",
"user":"root",
"time":"1579575429143",
"local_ip":"192.168.165.128",
"hostname":"test",
"exe_md5":"01272152d4901fd3c2efacab5c0e38e5",
"socket_process_exe_md5":"686cd72b4339da33bfb6fe8fb94a301f"
}
Bind Hook
Achieved by hooking sys_bind(), example:
{
"uid":"0",
"data_type":"49",
"sa_family":"2",
"exe":"/usr/bin/python2.7",
"pid":"109640",
"ppid":"215496",
"pgid":"109640",
"tgid":"109640",
"comm":"python",
"nodename":"n225-117-018",
"sip":"0.0.0.0",
"sport":"8000",
"res":"0",
"sessionid":"30",
"user":"root",
"time":"1587540231936",
"local_ip_str":"10.225.117.18",
"hostname_str":"n225-117-018",
"exe_md5":"4f458165a2129ba549f1b6605ee87e74"
}
Connect Hook
Achieved by hooking tcp_v4_connect()/tcp_v6_connect()/ip4_datagram_connect()/ip6_datagram_connect(), example:
{
"uid":"0",
"data_type":"42",
"sa_family":"2",
"connect_type":"4",
"dport":"1025",
"dip":"180.101.49.11",
"exe":"/usr/bin/ping",
"pid":"6294",
"ppid":"1941",
"pgid":"6294",
"tgid":"6294",
"comm":"ping",
"nodename":"test",
"sip":"192.168.165.153",
"sport":"45524",
"res":"0",
"sessionid":"1",
"user":"root",
"time":"1575721921240",
"local_ip":"192.168.165.153",
"hostname":"test",
"exe_md5":"735ae70b4ceb8707acc40bc5a3d06e04"
}
DNS Query Hook
Achieved by hooking udp_recvmsg()/udpv6_recvmsg(), example:
{
"uid":"0",
"data_type":"601",
"sa_family":"2",
"dport":"53",
"dip":"192.168.165.2",
"exe":"/usr/bin/ping",
"pid":"6294",
"ppid":"1941",
"pgid":"6294",
"tgid":"6294",
"comm":"ping",
"nodename":"test",
"sip":"192.168.165.153",
"sport":"53178",
"qr":"1",
"opcode":"0",
"rcode":"0",
"query":"www.baidu.com",
"sessionid":"1",
"user":"root",
"time":"1575721921240",
"local_ip":"192.168.165.153",
"hostname":"test",
"exe_md5":"39c45487a85e26ce5755a893f7e88293"
}
Create File Hook
Achieved by hooking security_inode_create(), example:
{
"uid":"0",
"data_type":"602",
"exe":"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre/bin/java",
"file_path":"/tmp/kafka-logs/replication-offset-checkpoint.tmp",
"pid":"3341",
"ppid":"1",
"pgid":"2657",
"tgid":"2659",
"comm":"kafka-scheduler",
"nodename":"test",
"sessionid":"3",
"user":"root",
"time":"1575721984257",
"local_ip":"192.168.165.153",
"hostname":"test",
"exe_md5":"215be70a38c3a2e14e09d637c85d5311",
"create_file_md5":"d41d8cd98f00b204e9800998ecf8427e"
}
Process Inject Hook
Achieved by hooking sys_ptrace(), example:
{
"uid":"0",
"data_type":"101",
"ptrace_request":"4",
"target_pid":"7402",
"addr":"00007ffe13011ee6",
"data":"-a",
"exe":"/root/ptrace/ptrace",
"pid":"7401",
"ppid":"1941",
"pgid":"7401",
"tgid":"7401",
"comm":"ptrace",
"nodename":"test",
"sessionid":"1",
"user":"root",
"time":"1575722717065",
"local_ip":"192.168.165.153",
"hostname":"test",
"exe_md5":"863293f9fcf1af7afe5797a4b6b7aa0a"
}
Load LKM File Hook
Achieved by hooking load_module(), example:
{
"uid":"0",
"data_type":"603",
"exe":"/usr/bin/kmod",
"lkm_file":"/root/ptrace/ptrace",
"pid":"29461",
"ppid":"9766",
"pgid":"29461",
"tgid":"29461",
"comm":"insmod",
"nodename":"test",
"sessionid":"13",
"user":"root",
"time":"1577212873791",
"local_ip":"192.168.165.152",
"hostname":"test",
"exe_md5":"0010433ab9105d666b044779f36d6d1e",
"load_file_md5":"863293f9fcf1af7afe5797a4b6b7aa0a"
}
Cred Change Hook
Achieved by Hook commit_creds(),example:
{
"uid":"0",
"data_type":"604",
"exe":"/tmp/tt",
"pid":"27737",
"ppid":"26865",
"pgid":"27737",
"tgid":"27737",
"comm":"tt",
"old_uid":"1000",
"nodename":"test",
"sessionid":"42",
"user":"root",
"time":"1578396197131",
"local_ip":"192.168.165.152",
"hostname":"test",
"exe_md5":"d99a695d2dc4b5099383f30964689c55"
}
User Login Alert
{
"data_type":"1001",
"status":"Failed",
"type":"password",
"user_exsit":"false",
"user":"sad",
"from_ip":"192.168.165.1",
"port":"63089",
"processor":"ssh2",
"time":"1578405483119",
"local_ip":"192.168.165.128",
"hostname":"localhost.localdomain"
}
PROC File Hook Alert
{
"uid":"-1",
"data_type":"700",
"module_name":"autoipv6",
"hidden":"0",
"time":"1578384987766",
"local_ip":"192.168.165.152",
"hostname":"test"
}
Syscall Hook Alert
{
"uid":"-1",
"data_type":"701",
"module_name":"diamorphine",
"hidden":"1",
"syscall_number":"78",
"time":"1578384927606",
"local_ip":"192.168.165.152",
"hostname":"test"
}
LKM Hidden Alert
{
"uid":"-1",
"data_type":"702",
"module_name":"diamorphine",
"hidden":"1",
"time":"1578384927606",
"local_ip":"192.168.165.152",
"hostname":"test"
}
Interrupts Hook Alert
{
"uid":"-1",
"data_type":"703",
"module_name":"syshook",
"hidden":"1",
"interrupt_number":"2",
"time":"1578384927606",
"local_ip":"192.168.165.152",
"hostname":"test"
}
About Performance of AgentSmith-HIDS
Testing Environment(VM):
| CPU | Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40GHz 4Core |
|---|---|
| RAM | 8GB |
| OS/Kernel | Debian9 / 4.14.81.bm.19-amd64 |
Testing Load:
ltp -f syscalls
Testing Result(1min):
| Hook Handler | Average Delay(us) | TP99(us) | TP95(us) | TP90(us) |
|---|---|---|---|---|
| connect_entry_handler | 0.2914 | 6.7627 | 0.355 | 0.3012 |
| connect_handler | 2.1406 | 18.3801 | 12.102 | 7.832 |
| execve_entry_handler | 5.9320 | 13.7034 | 9.908 | 8.334 |
| execve_handler | 6.8826 | 26.0584 | 15.9976 | 12.6260 |
| security_inode_create_entry_handler | 1.9963 | 9.3042 | 6.7730 | 4.6816 |
| security_inode_create_handler | 4.2114 | 13.2165 | 8.83775 | 6.534 |
Original Testing Data:
cyclictest testing
cyclictest -p 90 - m -c 0 -i 200 -n -h 100 -q -l 1000000
Uninstall Smith:
# Total: 000999485
# Min Latencies: 00002
# Avg Latencies: 00007
# Max Latencies: 13905
# Histogram Overflows: 00515
install Smith:
# Total: 000999519
# Min Latencies: 00002
# Avg Latencies: 00007
# Max Latencies: 15216
# Histogram Overflows: 00481
time -v /opt/ltp/testcases/bin/execve05 -n 30000
10 times
Install Smith:
| Average User Time(s) | Average System Time(s) |
|---|---|
| 22.329 | 14.885 |
Uninstall Smith:
| Average User Time(s) | Average System Time(s) |
|---|---|
| 22.271 | 14.395 |
Documents for deployment and testing purpose:
Special Thanks(Not in order)
Wechat of developer
Wechat channel of '灾难控制局'
We would constantly provide information about the functionalities of AgentSmith-HIDS via this channel, a good place to receive the most updated news:)
License
AgentSmith-HIDS kernel module are distributed under the GNU GPLv2 license.
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].