chriskalix / hades
Hades is a Host-Based Intrusion Detection System based on eBPF (mainly)
License: Apache License 2.0
Hi, I got a compilation error when I try to make hades_ebpf_driver.o on my Ubuntu server.
Environment:
Error log
make hades_ebpf_driver.o -s --no-print-directory
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:324:4: error: use of undeclared identifier 'KBUILD_MODNAME'
NL_SET_ERR_MSG_MOD(extack, "Mixing HW stats types for actions is not supported");
^
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:27: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:324:4: error: expected ';' at end of declaration
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:42: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:359:3: error: use of undeclared identifier 'KBUILD_MODNAME'
NL_SET_ERR_MSG_MOD(extack, "Driver supports only default HW stats type \"any\"");
^
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:27: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:359:3: error: expected ';' at end of declaration
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:42: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:363:3: error: use of undeclared identifier 'KBUILD_MODNAME'
NL_SET_ERR_MSG_MOD(extack, "Driver does not support selected HW stats type");
^
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:27: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:363:3: error: expected ';' at end of declaration
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:42: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
^
6 errors generated.
make[2]: *** [Makefile:60: hades_ebpf_driver.o] Error 1
make[1]: *** [Makefile:49: all] Error 2
make[1]: Leaving directory '/root/Hades/plugin/driver/eBPF/kernel'
make: *** [Makefile:2: all] Error 2
Describe the bug
fd name by d_dname (just like the kernel function does). For now, an anonymous pipe is an empty string in Hades while it's pipe[xxxx] in Elkeid. This is very important when we deal with reverse shell things. We should look into how d_name works in the kernel.
But for now, we can still detect the socket...
{"timestamp":46709062078800,"cgroupid":4294968932,"pns":4026531836,"type":700,"pid":347526,"tid":347526,"uid":0,"gid":0,"ppid":344736,"sessionid":1796,"comm":"cat","pcomm":"bash","nodename":"localhost","retval":0,"md5":"7e9d213e404ad3bb82e4ebb2e1f2c1b3","username":"root","starttime":1657683598,"exe":"/usr/bin/cat","syscall":"execve","cwd":"/tmp/testspace","tty_name":"pts4","stdin":"TCP","stdout":"","dport":"666","dip":"127.0.0.1","pid_tree":"347526.cat<344736.bash<343802.node<343765.node<343756.sh<343645.bash<343640.bash<343503.sshd","cmdline":"cat","priv_esca":0,"ssh_connection":"xxxx 58446 10.0.4.13 22","ld_preload":"-1"}
In Elkeid:
{
"bootTime":"2022-01-19 19:11:31.000",
"cmdline":"cat",
"cwd":"/",
"exe":"/usr/bin/cat",
"fd_num":"1",
"name":"cat",
"pid":"12778",
"ppid":"50250",
"r_addr_ip":"10.71.5.222",
"r_addr_port":"666",
"session":"50250",
"stderr":"/dev/pts/0",
"stdin":"socket:[583396364]",
"stdout":"pipe:[583396365]",
"terminal":"/pts/0",
"username":"root"
},
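The issue above notes that Hades can still tell a socket-backed stdin/stdout apart from a pipe even while pipe names are missing. As an added example (not Hades' own code), this Go snippet classifies the stdin/stdout strings from a Hades execve event, accepts Elkeid-style socket:/pipe: names as well, and flags the socket-on-stdio condition; the sample event is shortened from the Hades log line quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hades execve fields used here (names from the issue's event); dport is a string in some events and a number in others.
type ExecEvent struct {
	Exe    string      `json:"exe"`
	Stdin  string      `json:"stdin"`
	Stdout string      `json:"stdout"`
	Dip    string      `json:"dip"`
	Dport  interface{} `json:"dport"`
}

// FdKind classifies a stdin/stdout value: Hades emits "TCP" for a socket-backed fd, "" for an anonymous
// pipe (the gap the issue notes) and "-1" when unresolved; Elkeid-style "socket:[ino]"/"pipe:[ino]" are accepted too.
func FdKind(v string) string {
	switch {
	case v == "TCP" || strings.HasPrefix(v, "socket:"):
		return "socket"
	case v == "" || strings.HasPrefix(v, "pipe:"):
		return "pipe"
	case v == "-1":
		return "unknown"
	}
	return "file" // regular file, tty or anything else that is not a socket/pipe
}

// SocketBackedStdio reports whether the exec'd process has a socket on stdin or
// stdout: the reverse-shell signal the issue says is still detectable.
func SocketBackedStdio(raw []byte) (bool, string, error) {
	var ev ExecEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return false, "", err
	}
	in, out := FdKind(ev.Stdin), FdKind(ev.Stdout)
	if in != "socket" && out != "socket" {
		return false, "", nil
	}
	return true, fmt.Sprintf("%s stdin=%s stdout=%s peer=%s:%v", ev.Exe, in, out, ev.Dip, ev.Dport), nil
}

const sampleEvent = `{"exe":"/usr/bin/cat","stdin":"TCP","stdout":"","dport":"666","dip":"127.0.0.1"}` // shortened from the issue's Hades log line

func main() {
	fmt.Println(SocketBackedStdio([]byte(sampleEvent))) // true /usr/bin/cat stdin=socket stdout=pipe peer=127.0.0.1:666 <nil>
}
```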
On my cloud machine, it takes several minutes to start the ebpfdriver under the cgroup limitation.
Describe the bug
Incorrect exe in execve(at) event
Environment
5.4.0-104-generic
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Additional context
Full test cases should be added to avoid such bugs.
CO-RE support for BTF enabled, just like tracee.
Ordered msgs in perf_event: add a function to sort the msgs in time order so that ppid_argv (parent pid argv) can be done properly.
[BUG] pod_name is null
{"starttime":1686193822,"cgroupid":1,"pns":0,"pid":64825,"tid":64825,"uid":0,"gid":0,"ppid":0,"pgid":0,"sessionid":4294937234,"comm":"modprobe","pcomm":"","nodename":"","retval":0,"exe_hash":"-1","username":"root","exe":"-1","syscall":"execve","ppid_argv":"-1","pgid_argv":"-1","pod_name":"-1","cwd":"-1","tty_name":"-1","stdin":"-1","stdout":"-1","dport":0,"dip":"0.0.0.0","sport":0,"sip":"0.0.0.0","family":0,"socket_pid":0,"socket_argv":"-1","pid_tree":"","argv":"/sbin/modprobe ip_tables","priv_esca":0,"ssh_connection":"-1","ld_preload":"-1"}
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: AnolisOS
Description: Anolis OS release 8.8
Release: 8.8
Codename: n/a
{"starttime":1686893499,"cgroupid":1,"pns":1442590160,"pid":12152,"tid":12122,"uid":0,"gid":0,"ppid":0,"pgid":0,"sessionid":0,"comm":"consul-1.1.1-1","pcomm":"","nodename":"","retval":90,"exe_hash":"-1","username":"root","exe":"-1","syscall":"udp_recvmsg","ppid_argv":"-1","pgid_argv":"-1","pod_name":"-1","opcode":7,"rcode":10,"qtype":0,"atype":0,"dns_data":"M�\u0004AP\u0013#\u0017�//TV$����1)\n�p�f)�М%�\u001c��B� I��r�S�8��L7O�P��\u001d\u0007��F\u0014��g7�|\u0008��)�89��","sip":"10.197.192.44","sport":8301,"dip":"0.0.0.0","dport":0}
Describe the bug
As title
Describe the bug
Hi, I try to run Hades. When I run the command:
sudo ./driver
and, in another window: curl www.baidu.com
if it is correct, it will show dns_data: www.baidu.com
but the bug happened: there is no data.
So I hope the question will be solved soon. Thanks!
Is your feature request related to a problem? Please describe.
Nope
Describe the solution you'd like
Inspired by tetragon. In Hades, we could integrate dynamic deny policy in particular fields, like networking, file opening, etc. with eBPF. Use iptables to implement dynamic network policy even without eBPF for some incident response situations.
Describe alternatives you've considered
Additional context
Nope
Is your feature request related to a problem? Please describe.
Deploy eBPF modules in production env.
Describe the solution you'd like
Additional context
https://github.com/aquasecurity/btfhub
https://github.com/cilium/cilium
Use ringbuf as the default map on kernel versions over 5.8, since ringbuf gets better performance and keeps the msgs ordered.
ATT
Describe the bug
My env is:
os: ubuntu20.10
kern: 5.8
clang: clang-11
and I try to: make core; it works normally.
But when I exec: curl www.baidu.com
I can't get any DNS-related log.
So can you solve this problem? I think it's a bug.
Hope the bug can be solved soon. Thanks!
In some situations, udp-related syscalls are called very frequently. The kprobe itself may become the limitation of the performance. Let the ebpfmanager unload the probe.
Here are some important filters:
All of the filters should be done in kernel space and interact with userspace by BPF_MAP
OS: debian 11
Kernel version: 5.10
Is your feature request related to a problem? Please describe.
Nope
Describe the solution you'd like
compatible vmlinux.h or generate it.
Describe alternatives you've considered
None
Additional context
Git actions added
Describe the bug
dport is always 512 on CentOS 8 (CO-RE)
Environment
To Reproduce
reverse shell
Expected behavior
The port, just like we use in the command
Describe the bug
Garbled text on particular systems
{"starttime":79570157046599,"cgroupid":4294968467,"pns":0,"type":700,"pid":31760,"tid":31760,"uid":0,"gid":0,"ppid":0,"pgid":0,"sessionid":0,"comm":"cat","pcomm":"","nodename":"","retval":0,"exe_hash":"-3","username":"root","timestamp":1660032991,"exe":"-1","syscall":"execve","ppid_argv":"-3","pgid_argv":"-3","pod_name":"-3","cwd":"-1","tty_name":"��(\u0004�����sC�����","stdin":"-1","stdout":"-1","dport":0,"dip":"-1","family":0,"socket_pid":0,"socket_argv":"-3","pid_tree":"4294967295.��\u0007\u0002������\u0007\u0002���","argv":"cat /sys/class/dmi/id/product_serial","priv_esca":0,"ssh_connection":"-1","ld_preload":"-1"}
Environment
To Reproduce
cd Hades/plugin/driver/eBPF/
go run .
think about this
sys_enter_execveat: load program: invalid argument: unrecognized bpf_ld_imm64 insn , couldn't load eBPF programs
on kernel 4.19
Is there a discussion group? I'm a newbie; for technical discussion topics, instant messaging is more convenient.
Describe the bug
With type 700 events I often run into the string being too long, so it cannot be output normally; usually it happens when decoding stdout, and an error is raised when the value is socket:. Could you tell me what the reason is?
Environment
5.13.0-1019-gcp
To Reproduce
Steps to reproduce the behavior:
Expected behavior
It feels like there is some problem in the handling of stdin and stdout. I want to see whether it is specifically a socket or a pipe, but because of the error, none of the socket-related events can be displayed.
Screenshots
Additional context
I debugged it myself down to here [plugins/user/decoder/decoder.go]
Could I join the group? I've been learning eBPF recently, thx~
Describe the bug
After the push of incorrect execve, the Execve(at) values are incorrect
Environment
uname -r
To Reproduce
Steps to reproduce the behavior:
Is your feature request related to a problem? Please describe.
Nope
Describe the solution you'd like
Test-case for every event and add these into CI/CD
Describe alternatives you've considered
Additional context
Let the plugin collector support windows
connect sport & sip are required
icmp required
return value (ret)
honeypot (port scanning)
closed
It requires kernel BTF support; in real-world use it feels inferior to elf. Are you planning to use netlink on machines with older kernels?