rules VS bpftrace

Compare rules vs bpftrace and see what their differences are.

rules

Repository of yara rules (by Yara-Rules)

bpftrace

High-level tracing language for Linux eBPF [Moved to: https://github.com/bpftrace/bpftrace] (by iovisor)
                 rules                                  bpftrace
Mentions         7                                      24
Stars            3,928                                  7,647
Growth           1.5%                                   -
Activity         0.0                                    0.0
Last commit      9 days ago                             about 2 months ago
Language         YARA                                   C++
License          GNU General Public License v3.0 only   Apache License 2.0
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

rules

Posts with mentions or reviews of rules. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-11-25.

bpftrace

Posts with mentions or reviews of bpftrace. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-01-08.
  • Why would you still want to use strace in 2023? [video]
    4 projects | news.ycombinator.com | 8 Jan 2024
    Sysdig is very useful, but it's almost always broken on Fedora when I want to use it. I have recently started using https://github.com/iovisor/bpftrace instead, and so far it has covered the same use cases.
  • Securing PyTorch Models with eBPF
    2 projects | /r/Python | 26 Jul 2023
    In this blog, I will present secimport — a toolkit for creating and running sandboxed applications in Python that utilizes eBPF (bpftrace) to secure Python runtimes.
  • Tag Systems
    2 projects | news.ycombinator.com | 18 Apr 2023
    I haven't come across any project like that, but in case anyone wants to implement this and doesn't know where to start, here's a way to do it on a freedesktop-compatible Linux:

    Make a userspace daemon process that adds eBPF tracepoints[0] to open{,_at} etc syscalls which match files of your user directories with specific extensions (e.g. .docx).

    Associate PIDs that open those files with their .desktop entries[1]

    Store results in some database like sqlite3.[2]

    Search this database with your favorite interface, like a CLI script or a GNOME shell search provider[3].

    I have seen this Rust project on HN which does something similar but with file attribute syscalls, you can use it as reference: https://github.com/javierhonduco/sweeper

    [0]: https://github.com/iovisor/bpftrace

  • [beetrace] Trace your python process line by line with low overhead!
    2 projects | /r/Python | 13 Jan 2023
    I develop a Python tool that allows you to trace a Python process line by line or the functions' entries and returns. It uses USDT (User Statically-Defined Tracing) probes with bpftrace.
  • How to check if a Linux server is compromised or rooted?
    3 projects | /r/debian | 16 Sep 2022
    bpftrace and/or bpfcc-tools can also be useful (dpkg -L bpftrace to see available tools). You can monitor files being opened/written at kernel level (opensnoop*, filelife*, filetop*), connections being established (tcp*bpfcc), etc.
  • Getting notified when a process runs
    2 projects | /r/linuxquestions | 25 Jul 2022
    Similar to this method is bpftrace: https://github.com/iovisor/bpftrace/blob/master/tools/execsnoop.bt
  • Let's build a simple system calls monitoring dashboard using bpftrace and streamlit
    2 projects | dev.to | 16 Apr 2022
    This solves some of the issues we had with ptrace based implementations. Recently the iovisor project came up with a tool called bpftrace which can be used as an alternative to strace with a number of additional features. bpftrace uses eBPF for core tracing and provides user-space tools to harvest the tracing data. To understand more about bpftrace read this reference guide. bpftrace is not restricted just to system calls tracing, we can also use it to trace Disk I/O operations, network operations, CPU utilization etc. Since bpftrace supports eBPF at its core, we can use BPF scripts to write our own tracing scripts easily. If you are interested, have a look at some of the cool tracing scripts built using BPF, all these scripts can be readily used with bpftrace.
  • What can I do if my server has been hacked for crypto mining?
    2 projects | /r/linuxquestions | 27 Jan 2022
    Take a look at bpftrace tools for more examples: https://github.com/iovisor/bpftrace/tree/master/tools
  • A Thorough Introduction to Bpftrace
    2 projects | news.ycombinator.com | 9 Aug 2021
    I went to use bpftrace to solve a real problem recently, and unfortunately found I had to resort to systemtap.

    I wanted to print a debug log as it was being saved in a kernel module - that's fine, the module has an equivalent of save_log(char* foo), just probe on entrance and print that, right?

    ...except bpftrace has a hard cap of 200-odd bytes for getting char *s out with str() at a time. [1]

    Fine, so you just do some pointer math and print foo, foo+200, etc, right?

    No strlen, no printf return value, so you don't know where the end of the string is.

    At that point, I said "sod it" and broke out systemtap.

    [1] - https://github.com/iovisor/bpftrace/issues/305

What are some alternatives?

When comparing rules and bpftrace you can also consider the following projects:

ebpf_exporter - Prometheus exporter for custom eBPF metrics

bcc - BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

kubectl-trace - Schedule bpftrace programs on your kubernetes cluster using the kubectl

el7-bpf-specs - RPM specs for building bpf related tools on CentOS 7

ClearURLs-Addon - ClearURLs is an add-on based on the new WebExtensions technology and will automatically remove tracking elements from URLs to help protect your privacy.

OpenCSD - OpenCSD: eBPF Computational Storage Device (CSD) for Zoned Namespace (ZNS) SSDs in QEMU

awesome-yara - A curated list of awesome YARA rules, tools, and people.

btrfs-fuzz - Unsupervised coverage-guided btrfs fuzzer

coreruleset - OWASP CRS (Official Repository)

ebpf-assembler - eBPF bytecode assembler and compiler

awesome-ebpf - A curated list of awesome projects related to eBPF.

streamlit - Streamlit — A faster way to build and share data apps.