rules
bpftrace
DISCONTINUED
Metric | rules | bpftrace
---|---|---
Mentions | 7 | 24
Stars | 3,928 | 7,647
Growth | 1.5% | -
Activity | 0.0 | 0.0
Latest commit | 9 days ago | about 2 months ago
Language | YARA | C++
License | GNU General Public License v3.0 only | Apache License 2.0
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
rules
- Web Security Resources Request
  Yara rules. https://github.com/Yara-Rules/rules
- How to check if a Linux server is compromised or rooted?
  On the other hand, you could also use a Yara scanner (apt install yara) to scan for IOCs. Here's a good list of rules: https://github.com/Yara-Rules/rules
- Incorporating YARA Into Security Processes?
- YARA Rules for Malware
  This repo is well-maintained. There are others exchanged in less public settings (in which I do not participate) if you're willing to contribute samples and signatures.
bpftrace
- Why would you still want to use strace in 2023? [video]
  Sysdig is very useful, but it's almost always broken on Fedora when I want to use it. I have recently started using https://github.com/iovisor/bpftrace instead, and so far it has covered the same use cases.
- Securing PyTorch Models with eBPF
  In this blog, I will present secimport — a toolkit for creating and running sandboxed applications in Python that utilizes eBPF (bpftrace) to secure Python runtimes.
- Tag Systems
  I haven't come across any project like that, but in case anyone wants to implement this and doesn't know where to start, here's a way to do it on a freedesktop-compatible Linux:
  1. Make a userspace daemon process that adds eBPF tracepoints[0] to open{,_at} etc. syscalls which match files of your user directories with specific extensions (e.g. .docx).
  2. Associate PIDs that open those files with their .desktop entries[1].
  3. Store results in some database like sqlite3.[2]
  4. Search this database with your favorite interface, like a CLI script or a GNOME shell search provider[3].
  I have seen this Rust project on HN which does something similar but with file attribute syscalls; you can use it as reference: https://github.com/javierhonduco/sweeper
- [beetrace] Trace your python process line by line with low overhead!
  I develop a Python tool that allows you to trace a Python process line by line or the functions' entries and returns. It uses USDT (User Statically-Defined Tracing) probes with bpftrace.
- How to check if a Linux server is compromised or rooted?
  bpftrace and/or bpfcc-tools can also be useful (dpkg -L bpftrace to see available tools). You can monitor files being opened/written at kernel level (opensnoop*, filelife*, filetop*), connections being established (tcp*bpfcc), etc.
- Getting notified when a process runs
  Similar to this method is bpftrace: https://github.com/iovisor/bpftrace/blob/master/tools/execsnoop.bt
- Let's build a simple system calls monitoring dashboard using bpftrace and streamlit
  This solves some of the issues we had with ptrace-based implementations. Recently the iovisor project came up with a tool called bpftrace which can be used as an alternative to strace with a number of additional features. bpftrace uses eBPF for core tracing and provides user-space tools to harvest the tracing data. To understand more about bpftrace, read this reference guide. bpftrace is not restricted just to system call tracing; we can also use it to trace disk I/O operations, network operations, CPU utilization, etc. Since bpftrace supports eBPF at its core, we can use BPF scripts to write our own tracing scripts easily. If you are interested, have a look at some of the cool tracing scripts built using BPF; all these scripts can be readily used with bpftrace.
- What can I do if my server has been hacked for crypto mining?
  Take a look at bpftrace tools for more examples: https://github.com/iovisor/bpftrace/tree/master/tools
- A Thorough Introduction to Bpftrace
  I went to use bpftrace to solve a real problem recently, and unfortunately found I had to resort to systemtap.
  I wanted to print a debug log as it was being saved in a kernel module - that's fine, the module has an equivalent of save_log(char* foo), just probe on entrance and print that, right?
  ...except bpftrace has a hard cap of 200-odd bytes for getting char *s out with str() at a time. [1]
  Fine, so you just do some pointer math and print foo, foo+200, etc., right?
  No strlen, no printf return value, so you don't know where the end of the string is.
  At that point, I said "sod it" and broke out systemtap.
What are some alternatives?
ebpf_exporter - Prometheus exporter for custom eBPF metrics
bcc - BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
kubectl-trace - Schedule bpftrace programs on your kubernetes cluster using the kubectl
el7-bpf-specs - RPM specs for building bpf related tools on CentOS 7
ClearURLs-Addon - ClearURLs is an add-on based on the new WebExtensions technology and will automatically remove tracking elements from URLs to help protect your privacy.
OpenCSD - OpenCSD: eBPF Computational Storage Device (CSD) for Zoned Namespace (ZNS) SSDs in QEMU
awesome-yara - A curated list of awesome YARA rules, tools, and people.
btrfs-fuzz - Unsupervised coverage-guided btrfs fuzzer
coreruleset - OWASP CRS (Official Repository)
ebpf-assembler - eBPF bytecode assembler and compiler
awesome-ebpf - A curated list of awesome projects related to eBPF.
streamlit - Streamlit — A faster way to build and share data apps.