eHIDS: Linux Host-based Intrusion Detection System based on eBPF

eHIDS

A Linux Host-based Intrusion Detection System based on eBPF.

Implementations & Functionalities:

  1. TCP network data capture
  2. UDP network data capture
  3. DNS information capture in uprobe mode
  4. Process data capture
  5. Uprobe-based capture of command-execution events for the Java RASP scenario
  6. A Go framework for eBPF that abstracts multi-type events for the kprobe/uprobe mounting methods.
  7. Developers only need to implement three files, and the framework will automatically load and execute them:
    • The kernel-mode C file.
    • The user-mode Go file.
    • The user-mode event message structure.
  8. Users can implement data reporting and processing according to the logger interface, for example reporting to ES/Kafka or other log centers.

Principle

Reference: eBPF Official Website

  1. In kernel mode, the eBPF code is written in C and compiled into eBPF bytecode with LLVM.
  2. User mode is written in Go using the cilium/ebpf pure-Go library, which loads the eBPF bytecode into the kernel and attaches kprobe/uprobe hooks to the corresponding functions.
  3. User mode uses Go for event reading, decoding, and processing.

Product Features

  1. Complete functions (network, process, file, event)
  2. Monitoring
  3. Alert
  4. Fusing
  5. Statistics
  6. Reconciliation
  7. Unified management and control

Instructions

  1. The kernel-mode part is eBPF program code written against the native Linux headers and compiled to bytecode with clang (LLVM).
  2. The user-mode part is written in Go against the cilium/ebpf library, which implements loading the eBPF bytecode into the kernel, attaching it to hook points, and reading events.
  3. This project uses kprobe and uprobe, respectively, to capture TCP and UDP network events.
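The Principle and Instructions sections above both describe the user-mode side reading and decoding events that the kernel-mode C program emits. The following is an added example, not eHIDS's own code, showing the decoding step for one such event: a Go struct mirroring a hypothetical kernel-side `tcp_event` C struct, parsed from a constructed perf-buffer record and rendered as a log line a logger implementation might ship. The struct layout, field names, and sample bytes are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
)

// TCPEvent mirrors a hypothetical kernel-side C struct the eBPF program submits
// to the perf buffer (constructed for this example, not eHIDS's own layout):
//	struct tcp_event { u32 pid, uid; u8 saddr[4], daddr[4];
//	                   u16 sport; u8 dport[2]; char comm[16]; };
// Field order and sizes match the C side with no padding. Addresses and dport
// stay raw bytes (network order in struct sock); sport (skc_num) is host order.
type TCPEvent struct {
	PID   uint32
	UID   uint32
	SAddr [4]byte
	DAddr [4]byte
	SPort uint16
	DPort [2]byte
	Comm  [16]byte
}
// DecodeTCPEvent parses one raw perf-buffer record; the kernel writes the struct
// in native byte order (little-endian on x86_64/arm64).
func DecodeTCPEvent(raw []byte) (TCPEvent, error) {
	var ev TCPEvent
	if want := binary.Size(ev); len(raw) < want {
		return ev, fmt.Errorf("short record: got %d bytes, want %d", len(raw), want)
	}
	err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, &ev)
	return ev, err
}
// LogLine renders an event as a logger implementation might before shipping it
// to ES/Kafka. comm is NUL-padded, so it is cut at the first NUL byte.
func LogLine(ev TCPEvent) string {
	comm := ev.Comm[:]
	if i := bytes.IndexByte(comm, 0); i >= 0 {
		comm = comm[:i]
	}
	return fmt.Sprintf("tcp_connect pid=%d uid=%d comm=%s src=%s:%d dst=%s:%d",
		ev.PID, ev.UID, comm, net.IP(ev.SAddr[:]), ev.SPort,
		net.IP(ev.DAddr[:]), binary.BigEndian.Uint16(ev.DPort[:]))
}
// sampleRecord: constructed 36-byte record, pid 1234, uid 1000, comm "curl", 10.0.0.5:51234 -> 93.184.216.34:443.
var sampleRecord = append([]byte{
	0xd2, 0x04, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x05,
	0x5d, 0xb8, 0xd8, 0x22, 0x22, 0xc8, 0x01, 0xbb, 'c', 'u', 'r', 'l'}, make([]byte, 12)...)
```

A real reader loop would feed each `perf.Record.RawSample` from cilium/ebpf into `DecodeTCPEvent`; the short-record check guards against a mismatched struct size between the C and Go sides, which is the most common cause of silently garbled events.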

Install & Use