
louis

louis is a simple tool using eBPF to automatically detect and respond to malicious behavior on a Linux system.

Usage

Usage:
  louis [command]

Available Commands:
  help        Help about any command
  hunt        hunt for existing malicious activity
  mitigate    mitigate all known vulnerabilities
  monitor     actively monitor for malicious action
  version     print louis version

Flags:
  -a, --active    counter detected malicious activity (dangerous, may clobber)
  -h, --help      help for louis
  -s, --syslog    output to syslog
  -v, --verbose   enable verbose output

Use "louis [command] --help" for more information about a command.

Information

louis gathers information from the kernel through eBPF (with BCC). The data from these sources is analyzed against a catalog of categorized techniques and vulnerabilities.

                                                +------------+
                                                |            |
                                                | CLI Output |
                                                |            |
                                                +--------+---+
                                                         ^
                   +-------------------------------------|------+
                   |                                     |      |
+--------+         | +---------+    +----------+     +---+---+  |
|        |         | |         |    |          +---->+       |  |
|        |         | | Sources +--->+ Analysis |     | louis |  |
|        |   eBPF  | |         |    |          |     |       |  |
| Kernel +---------->+ Sockets |    +----------+     +--+----+  |
|        |         | | Users   |               ^        ^       |
|        |         | | Proc... |    +-------+  |        |       |
|        |         | |         |    |       |  |        v       |
+--------+         | +---------+    | Techs +<-+    +---+----+  |
                   |                |       |       | Output |  |
                   |                +-------+       +--------+  |
                   |                                            |
                   +--------------------------------------------+

There is no kernelspace component (other than the eBPF data-gathering code), which means louis is more susceptible to resource exhaustion and various types of executable manipulation. However, if that happens, you'll probably know about it.
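As an added illustration of the Sources -> Analysis -> Techs -> Output path in the diagram above, the following Go program runs a constructed stream of source events through a small technique table and collects alerts. This is example code written for this page, not louis's own source: the event fields, the two technique names, the sample events and the threshold of five distinct ports are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one record from a source. The field layout is this example's own
// invention, not louis's actual event format.
type Event struct {
	Source string            // "proc", "socket" or "file"
	PID    uint32            // pid (tgid) of the acting process
	Comm   string            // command name
	Fields map[string]string // source-specific details
}

// Alert is the analysis result handed to the output stage.
type Alert struct {
	Tech   string
	PID    uint32
	Detail string
}

// Tech is one categorized technique: a name plus a matcher that is called
// once per event and returns an alert when the technique is observed.
type Tech struct {
	Name  string
	Match func(e Event) (Alert, bool)
}

// Technique names (assumed for the example).
const (
	SuidTmpTech     = "setuid/setgid file created in temporary directory"
	ConnectScanTech = "connect() fan-out to many ports (possible scan)"
)

// scanThreshold is the number of distinct destination ports one pid may
// connect() to before the scan technique fires. Chosen for the example.
const scanThreshold = 5

// newTechs builds the technique table. Each closure owns its own state so a
// fresh Analyze call starts clean.
func newTechs() []Tech {
	portsSeen := map[uint32]map[string]bool{} // pid -> distinct dst ports
	return []Tech{
		{Name: SuidTmpTech, Match: func(e Event) (Alert, bool) {
			if e.Source != "file" || e.Fields["op"] != "chmod" {
				return Alert{}, false
			}
			path, mode := e.Fields["path"], e.Fields["mode"]
			inTmp := strings.HasPrefix(path, "/tmp/") || strings.HasPrefix(path, "/var/tmp/")
			// mode is octal text as a probe would render it, e.g. "4755";
			// a leading 4, 2 or 6 means setuid and/or setgid is set.
			special := len(mode) == 4 && strings.ContainsRune("246", rune(mode[0]))
			if inTmp && special {
				return Alert{Tech: SuidTmpTech, PID: e.PID, Detail: path + " mode " + mode}, true
			}
			return Alert{}, false
		}},
		{Name: ConnectScanTech, Match: func(e Event) (Alert, bool) {
			if e.Source != "socket" || e.Fields["op"] != "connect" {
				return Alert{}, false
			}
			ports, ok := portsSeen[e.PID]
			if !ok {
				ports = map[string]bool{}
				portsSeen[e.PID] = ports
			}
			ports[e.Fields["dport"]] = true
			if len(ports) == scanThreshold { // fire once, when the threshold is crossed
				return Alert{Tech: ConnectScanTech, PID: e.PID,
					Detail: fmt.Sprintf("%d distinct ports from %s", len(ports), e.Comm)}, true
			}
			return Alert{}, false
		}},
	}
}

// Analyze runs every event through every technique in arrival order and
// returns the alerts: the Sources -> Analysis -> Techs path of the diagram.
func Analyze(events []Event) []Alert {
	techs := newTechs()
	var alerts []Alert
	for _, e := range events {
		for _, t := range techs {
			if a, ok := t.Match(e); ok {
				alerts = append(alerts, a)
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed stream: a benign chmod, a setuid file in
// /tmp, and one pid connecting to eight different ports.
func SampleEvents() []Event {
	ev := []Event{
		{Source: "file", PID: 1200, Comm: "bash", Fields: map[string]string{"op": "chmod", "path": "/home/u/script.sh", "mode": "0755"}},
		{Source: "file", PID: 1200, Comm: "bash", Fields: map[string]string{"op": "chmod", "path": "/tmp/helper", "mode": "4755"}},
	}
	for p := 20; p < 28; p++ {
		ev = append(ev, Event{Source: "socket", PID: 1300, Comm: "app", Fields: map[string]string{"op": "connect", "dport": fmt.Sprint(p)}})
	}
	return ev
}

func main() {
	for _, a := range Analyze(SampleEvents()) {
		fmt.Printf("[%s] pid=%d %s\n", a.Tech, a.PID, a.Detail)
	}
}
```

The connect() technique is deliberately stateful: a single connect() event is not suspicious, so the matcher keeps a per-pid set of destination ports and fires exactly once when the set crosses the threshold. In a real deployment the events would come from the eBPF probes rather than from SampleEvents.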

Installation

  1. Ensure BCC is installed.
  2. Install louis.
    • Clone this repository and build the binary (requires Go):
      git clone https://github.com/sourque/louis && cd louis && go build
      
    • Or download the louis binary from releases.

Screenshots & Examples

(Screenshot: Example of Louis Running)

Fun future activities

  • New Sources
    • eBPF additions
    • pam authentication
    • file permission changes (for sensitive dirs (tmp) and creating new bins/suid/sgid)
  • Techs/threat actions
    • sendlines per (bash)
    • time between shell spawn and sending commands (maybe)
    • connect() (detect if being scanned)
  • Fixes
    • pwd incorrectly reports the absolute path when in a mounted/chrooted environment (e.g. tmux)
    • Race condition in the BCC code? If one open syscall on the same pid starts before another and ends after it, would the details be overwritten?

Prior Art

eBPF Resources and Libraries
