eHIDS: Linux Host-based Intrusion Detection System based on eBPF
eHIDS
A Linux Host-based Intrusion Detection System based on eBPF.
Implementations & Functionalities:
- TCP network data capture
- UDP network data capture
- DNS information capture in uprobe mode
- Process data capture
- Uprobe way to achieve JAVA RASP command execution scene event capture
- Go framework implementation of eBPF, abstract implementation of multi-type events for the kprobe\uprobe mounting method.
- Developers only need to implement three files:
- The kernel-mode C file.
- The user-mode go file.
- The user-mode event message structure and the framework will automatically load and execute.
- Users can implement data reporting and processing according to the logger interface, such as reporting to ES\kafka and other log centers.
Principle
Reference: eBPF Official Website
- In the kernel mode, eBPF code is written in C, and llvm is compiled into eBPF bytecode.
- User mode is written in golang, cilium/ebpf pure go class library, kernel loading of eBPF bytecode, kprobe/uprobe HOOK corresponding function.
- User mode uses golang for event reading, decoding, and processing.
Product Features
- Complete functions (network, process, file, event)
- Monitoring
- Alert
- Fusing
- Statistics
- Reconciliation
- Unified management and control
Instructions
- The kernel mode part is the ebpf programming code implemented by the Linux native class library and uses clang (llvm) for bytecode compilation.
- The user mode part is written for golang’s cilium/ebpf class library, which implements functions such as loading eBPF bytecodes to the kernel, mounting to hook points, and event reading.
- This project uses kprobe and uprobe respectively to realize the network event capture of TCP and UDP.
