
ehids / ebpfmanager

Licence: AGPL-3.0 License
A Go eBPF library based on cilium/ebpf and datadog/ebpf.

Programming language: Go

Projects that are alternatives of or similar to ebpfmanager

ehids
A Linux Host-based Intrusion Detection System based on eBPF.
Stars: ✭ 210 (+467.57%)
Mutual labels:  hids, ebpf
sockdump
Dump unix domain socket traffic with bpf
Stars: ✭ 160 (+332.43%)
Mutual labels:  ebpf
XDP-Firewall
An XDP firewall that is capable of filtering specific packets based off of filtering rules specified in a config file. IPv6 is supported!
Stars: ✭ 129 (+248.65%)
Mutual labels:  ebpf
uprobe-http-tracer
uprobe-based HTTP tracer for Go binaries
Stars: ✭ 45 (+21.62%)
Mutual labels:  ebpf
defense-matrix
Express security essentials deployment for Linux Servers
Stars: ✭ 61 (+64.86%)
Mutual labels:  hids
bpflock
bpflock - eBPF driven security for locking and auditing Linux machines
Stars: ✭ 54 (+45.95%)
Mutual labels:  ebpf
Libellux-Up-and-Running
Libellux: Up & Running provides documentation on how-to install open-source software from source. The focus is Zero Trust Network to enhance the security for existing applications or install tools to detect and prevent threats.
Stars: ✭ 19 (-48.65%)
Mutual labels:  hids
pixie-demos
Demos for Pixie: github.com/pixie-io/pixie
Stars: ✭ 106 (+186.49%)
Mutual labels:  ebpf
pixie
Instant Kubernetes-Native Application Observability
Stars: ✭ 3,238 (+8651.35%)
Mutual labels:  ebpf
btfhub
BTFHub, together with BTFHub Archive repository, provides BTF files for existing published kernels that don't support embedded BTF.
Stars: ✭ 100 (+170.27%)
Mutual labels:  ebpf
libs
libsinsp, libscap, the kernel module driver, and the eBPF driver sources
Stars: ✭ 92 (+148.65%)
Mutual labels:  ebpf
packiffer
lightweight cross-platform networking toolkit
Stars: ✭ 52 (+40.54%)
Mutual labels:  ebpf
pwru
Packet, where are you? -- Linux kernel networking debugger
Stars: ✭ 694 (+1775.68%)
Mutual labels:  ebpf
Elkeid
Elkeid is a Cloud-Native Host-Based Intrusion Detection solution project to provide next-generation Threat Detection and Behavior Audition with modern architecture.
Stars: ✭ 1,245 (+3264.86%)
Mutual labels:  hids
pyHIDS
A HIDS (host-based intrusion detection system) for verifying the integrity of a system.
Stars: ✭ 31 (-16.22%)
Mutual labels:  hids
kernel new features
A deep dive into new Linux kernel features, with io_uring, cgroup, eBPF and LLVM as the main examples, collecting open-source projects, code samples, articles, videos and architecture mind maps
Stars: ✭ 1,094 (+2856.76%)
Mutual labels:  ebpf
bouheki
Tool for Preventing Data Exfiltration with eBPF
Stars: ✭ 28 (-24.32%)
Mutual labels:  ebpf
el7-bpf-specs
RPM specs for building bpf related tools on CentOS 7
Stars: ✭ 38 (+2.7%)
Mutual labels:  ebpf
libebpf
Experimental userspace eBPF library
Stars: ✭ 14 (-62.16%)
Mutual labels:  ebpf
oxdpus
A toy tool that leverages the super powers of XDP to bring in-kernel IP filtering
Stars: ✭ 59 (+59.46%)
Mutual labels:  ebpf

Introduction

ebpfmanager is an eBPF library wrapper built on cilium/ebpf, following the design of the datadog/ebpf/manager package.

Compared with cilium/ebpf it adds configuration-driven, automatic loading with a more object-oriented design, and probes can be enabled and disabled individually. Compared with datadog/ebpf it consumes cilium/ebpf as an ordinary dependency rather than as a fork, which is the direction datadog/ebpf itself says it is heading, and the cilium/ebpf dependency is updated to the latest v0.7.0.

Work is underway to convert this library to wrap the upstream library, rather than forking.

Dependencies

go get -d github.com/shuLhan/go-bindata/cmd/go-bindata

go-bindata is used by the examples to embed the compiled eBPF object file into the Go binary, so that the example code can hand it to the manager at runtime.

Description

A manager has a one-to-many relationship with probes. Every probe must set both the Section and EbpfFuncName attributes. A k(ret)probe or u(ret)probe additionally uses the AttachToFuncName attribute (if it is left empty it is derived from Section, as described below).

    // UID is an optional user-defined unique string.
    UID string
    
    // Section is the section name in the ELF bytecode, i.e. the argument of SEC("[section]").
    // It identifies the probe type: [ku](ret)?probe/xdp/(raw_)?tracepoint/tc and so on.
    // The early datadog/ebpf library used it as the index into the manager's collectionSpec.Programs.
    // cilium/ebpf v0.7.0 no longer returns it as the key of the programSpec map; the key is now the
    // function name, matched via MatchFuncName.
    Section string
    
    // AttachToFuncName is the name of the hooked syscall, independent of kernel version and CPU
    // bitness; for example mkdirat is converted to __x64_sys_mkdirat, __ia32_sys_mkdirat, etc.
    // For a uprobe it is used directly as the name of the function to attach to.
    // If left empty, the last segment of the Section field is used as the attach function name.
    AttachToFuncName string
    
    // EbpfFuncName is the name of the kernel-side C function inside the bytecode, taken from
    // the symbol table of the ELF object.
    EbpfFuncName string
    
    // funcName is the function name of the hook target. It is a private field computed
    // automatically; for a uprobe, if it is empty the offset is used instead.
    funcName  string

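The configuration rules above (Section and EbpfFuncName mandatory, AttachToFuncName defaulting to the last segment of Section, syscall names expanded to architecture-prefixed kernel symbols) and the v0.7.0 switch to indexing programs by C function name, worked through as an added, self-contained example. This is not ebpfmanager's own code: ProbeSpec is a hypothetical stand-in for manager.Probe, the /proc/kallsyms excerpt is constructed, and the plain sys_ fallback for older kernels is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// ProbeSpec mirrors the documented Probe fields. It is a hypothetical stand-in
// for manager.Probe in this added example, not the library's own type.
type ProbeSpec struct {
	UID              string
	Section          string
	EbpfFuncName     string
	AttachToFuncName string
}

// sectionRe recognises the SEC("...") prefixes the README lists:
// [ku](ret)?probe, xdp, (raw_)?tracepoint, tc ("classifier" is the cilium/ebpf synonym for tc).
var sectionRe = regexp.MustCompile(`^(kprobe|kretprobe|uprobe|uretprobe|xdp|tracepoint|raw_tracepoint|tc|classifier)(/|$)`)

// SectionType returns the probe type encoded in a section name, or an error for
// a prefix the loader would not understand.
func SectionType(section string) (string, error) {
	m := sectionRe.FindStringSubmatch(section)
	if m == nil {
		return "", fmt.Errorf("unrecognised section %q", section)
	}
	return m[1], nil
}

// Normalize applies the README's rules: Section and EbpfFuncName are mandatory;
// k/u(ret)probes need AttachToFuncName, and when it is empty the last segment of
// Section is used (so "kprobe/mkdirat" attaches to mkdirat).
func Normalize(p ProbeSpec) (ProbeSpec, error) {
	if p.Section == "" || p.EbpfFuncName == "" {
		return p, fmt.Errorf("probe %q: Section and EbpfFuncName are required", p.UID)
	}
	t, err := SectionType(p.Section)
	if err != nil {
		return p, err
	}
	if strings.HasSuffix(t, "probe") && p.AttachToFuncName == "" {
		parts := strings.Split(p.Section, "/")
		p.AttachToFuncName = parts[len(parts)-1]
		if p.AttachToFuncName == "" {
			return p, fmt.Errorf("probe %q: cannot derive AttachToFuncName from %q", p.UID, p.Section)
		}
	}
	return p, nil
}

// IndexByFuncName builds the map the v0.7.0 note describes: programs keyed by the
// C function name (EbpfFuncName), not by Section. Two probes sharing one C function
// would silently overwrite each other in such a map, so duplicates are rejected.
func IndexByFuncName(probes []ProbeSpec) (map[string]ProbeSpec, error) {
	out := make(map[string]ProbeSpec, len(probes))
	for _, p := range probes {
		n, err := Normalize(p)
		if err != nil {
			return nil, err
		}
		if _, dup := out[n.EbpfFuncName]; dup {
			return nil, fmt.Errorf("duplicate EbpfFuncName %q", n.EbpfFuncName)
		}
		out[n.EbpfFuncName] = n
	}
	return out, nil
}

// ResolveSyscallSymbol picks the kernel symbol to kprobe for a syscall name by checking
// the arch-prefixed candidates the README mentions (__x64_sys_, __ia32_sys_) against a
// /proc/kallsyms listing. The bare sys_ fallback for pre-4.17 kernels is an added
// assumption. Only text symbols (T/t) count.
func ResolveSyscallSymbol(kallsyms, syscall string) (string, error) {
	candidates := []string{"__x64_sys_" + syscall, "__ia32_sys_" + syscall, "sys_" + syscall}
	present := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(kallsyms))
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // "<addr> <type> <name> [module]"
		if len(f) >= 3 && (f[1] == "T" || f[1] == "t") {
			present[f[2]] = true
		}
	}
	for _, c := range candidates {
		if present[c] {
			return c, nil
		}
	}
	return "", fmt.Errorf("no kernel symbol found for syscall %q", syscall)
}

// SampleKallsyms is a constructed excerpt in /proc/kallsyms format, not real kernel data.
const SampleKallsyms = `ffffffff81234560 T __x64_sys_mkdirat
ffffffff81234570 T __ia32_sys_mkdirat
ffffffff81234580 T __x64_sys_openat
ffffffff81234590 t do_mkdirat
`

func main() {
	probes := []ProbeSpec{
		{UID: "bash-readline", Section: "uprobe/readline", EbpfFuncName: "uprobe_readline", AttachToFuncName: "readline"},
		{UID: "mkdirat", Section: "kprobe/mkdirat", EbpfFuncName: "kprobe_mkdirat"}, // AttachToFuncName derived
	}
	idx, err := IndexByFuncName(probes)
	if err != nil {
		panic(err)
	}
	for name, p := range idx {
		t, _ := SectionType(p.Section)
		sym := p.AttachToFuncName
		if t == "kprobe" || t == "kretprobe" {
			sym, _ = ResolveSyscallSymbol(SampleKallsyms, p.AttachToFuncName)
		}
		fmt.Printf("%-16s type=%-10s attach=%s\n", name, t, sym)
	}
}
```

Running these checks before calling Init catches the two mistakes that otherwise surface only as a cryptic load or attach error: a probe whose EbpfFuncName does not match any C function in the object, and a kprobe on a syscall whose prefixed symbol is missing on the running kernel.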
Usage

See the examples in the examples directory, for instance the uprobe example:

package main

import (
	manager "github.com/ehids/ebpfmanager" // the package is named manager
	"github.com/sirupsen/logrus"
)

var m = &manager.Manager{
	Probes: []*manager.Probe{
		{
			Section:          "uprobe/readline", // SEC() name in the eBPF object; identifies the probe type
			EbpfFuncName:     "uprobe_readline", // C function in the object's symbol table
			AttachToFuncName: "readline",        // symbol in the target binary to hook
			BinaryPath:       "/usr/bin/bash",   // binary the uprobe is attached to
		},
	},
}

func main() {
	// Initialize the manager. recoverAssets() is defined alongside this example and
	// returns the compiled eBPF object (embedded with go-bindata) as an io.ReaderAt.
	if err := m.Init(recoverAssets()); err != nil {
		logrus.Fatal(err)
	}

	// Start the manager: loads the programs and attaches every enabled probe
	if err := m.Start(); err != nil {
		logrus.Fatal(err)
	}

	logrus.Println("successfully started, head over to /sys/kernel/debug/tracing/trace_pipe")

	// Spawn a bash and write a command to trigger the probe
	// (trigger() is defined alongside this example)
	if err := trigger(); err != nil {
		logrus.Error(err)
	}

	// Close the manager, detaching the probes and removing the maps it created
	if err := m.Stop(manager.CleanAll); err != nil {
		logrus.Fatal(err)
	}
}

Projects using it

ehids: A Linux Host-based Intrusion Detection System based on eBPF.

Notes

  1. In cilium/ebpf v0.7.0 the progs map returned by loadProgram is keyed by the C function name; see elf_reader.go line 312, res[prog.Name] = prog. This differs from older versions, which used the section name as the key.
  2. This library was implemented against datadog/ebpf at commit af587081 (Nov 17, 2021).