rules
bpftrace
Our great sponsors
| rules | bpftrace | |
|---|---|---|
| 7 | 24 | |
| 3,970 | 7,647 | |
| 1.9% | - | |
| 0.0 | 0.0 | |
| 11 days ago | 3 months ago | |
| YARA | C++ | |
| GNU General Public License v3.0 only | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
rules
-
Web Security Resources Request
Yara rules. https://github.com/Yara-Rules/rules
-
How to check is a linux server is compromised or rooted?
On the other hand, you could also use a Yara scanner (apt install yara) to scan for IOCs. Here's a good list of rules https://github.com/Yara-Rules/rules
-
What is the use of an Av when it can be bypassed easily?
As we can see in this pic -> https://i.postimg.cc/qRPSyjvL/Screenshot-at-2022-09-04-13-36-40.png the crypted payload also fires off a lot more of the yara rules from the Yara Rules Project, so it's just a lot "louder" in terms of static analysis too. Top section is a payload that currently does not get detected, and does not use any encryption (the other screenshot showing OneNote.exe was actually taken from my test VM with this payload, so it definitely doesn't get detected lol). Bottom is the scarecrow payload that's aes256'd and still got caught pretty quick.
- Incorporating YARA Into Security Processes?
- Python Script EXE detected as virus in VT
-
YARA Rules for Malware
this repo is well-maintained. there are others exchanged in less public settings (in which i do not participate) if you're willing to contribute samples and signatures.
- Incident report collection
bpftrace
- Why would you still want to use strace in 2023? [video]
- Ask HN: How to measure the latency numbers every programmer should know?
-
Securing PyTorch Models with eBPF
In this blog, I will present secimport — a toolkit for creating and running sandboxed applications in Python that utilizes eBPF (bpftrace) to secure Python runtimes.
-
Tag Systems
I haven't come across of any project like that, but in case anyone wants to implement this and doesn't know where to start, here's a way to do it on a freedesktop-compatible linux:
Make a userspace daemon process that adds eBPF tracepoints[0] to open{,_at} etc syscalls which match files of your user directories with specific extensions (e.g. .docx).
Associate PIDs that open those files with their .desktop entries[1]
Store results in some database like sqlite3.[2]
Search this database with your favorite interface, like a CLI script or a GNOME shell search provider[3].
I have seen this Rust project on HN which does something similar but with file attribute syscalls, you can use it as reference: https://github.com/javierhonduco/sweeper
[0]: https://github.com/iovisor/bpftrace
- eBGP tracing for newbie
-
[beetrace]Trace your python process line by line with low overhead!
I develop a python tool that allows you to trace a Python process line by line or the functions' entries and returns. It uses USDT(User Statically-Defined Tracing) probes with bpftrace.
-
How to check is a linux server is compromised or rooted?
bpftrace and/or bpfcc-tools can also be useful (dpkg -L bpftrace to see available tools). You can monitor files being opened/written at kernel level (opensnoop*, filelife*, filetop*), connections being established (tcp*bpfcc), etc.
- Beginner questions
-
Getting notified when a process runs
Similar to this method is bpftrace: https://github.com/iovisor/bpftrace/blob/master/tools/execsnoop.bt
-
Regarding bpftrace vfs_unlink, why can't I monitor the uid, and the obtained value is 0
uname -a Linux ying 5.18.5-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 16 14:51:11 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
What are some alternatives?
ClearURLs-Addon - ClearURLs is an add-on based on the new WebExtensions technology and will automatically remove tracking elements from URLs to help protect your privacy.
ebpf_exporter - Prometheus exporter for custom eBPF metrics
awesome-yara - A curated list of awesome YARA rules, tools, and people.
bcc - BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
coreruleset - OWASP CRS (Official Repository)
kubectl-trace - Schedule bpftrace programs on your kubernetes cluster using the kubectl
el7-bpf-specs - RPM specs for building bpf related tools on CentOS 7
OpenCSD - OpenCSD: eBPF Computational Storage Device (CSD) for Zoned Namespace (ZNS) SSDs in QEMU
btrfs-fuzz - Unsupervised coverage-guided btrfs fuzzer
streamlit - Streamlit — A faster way to build and share data apps.
awesome-ebpf - A curated list of awesome projects related to eBPF.