
Hades is a Host-Based Intrusion Detection System based on both eBPF(kernel) and netlink/cn_proc(userspace).


Hades


Hades is a Host-based Intrusion Detection System based on eBPF and Netlink/cn_proc. It is still under development. PRs and issues are welcome!

This project is based on Tracee and Elkeid. Thanks for these awesome open-source projects.

Architecture

The agent part is mainly based on Elkeid version 1.7, and I am going to make the plugins (including the driver) compatible with Elkeid.

Agent Part

[architecture diagram of the agent part]

Data Analysis

[architecture diagram of the data analysis part]

Plugins

Capability

Driver-eBPF

There are 15 hooks over tracepoints/kprobes/uprobes. The event fields are extended in basically the same way as Elkeid.

For details of these hooks, refer to the driver documentation.

Rootkit detection (anti_rootkit) for sys_call_table hooking is also available now.

| Hook | Default Status (Description) | ID |
| --- | --- | --- |
| tracepoint/syscalls/sys_enter_execve | ON | 700 |
| tracepoint/syscalls/sys_enter_execveat | ON | 698 |
| tracepoint/syscalls/sys_enter_prctl | ON (PR_SET_NAME & PR_SET_MM) | 200 |
| tracepoint/syscalls/sys_enter_ptrace | ON (PTRACE_PEEKTEXT & PTRACE_POKEDATA) | 164 |
| tracepoint/syscalls/sys_enter_memfd_create | ON | 614 |
| kprobe/security_socket_connect | ON | 1022 |
| kprobe/security_socket_bind | ON | 1024 |
| kprobe/commit_creds | ON | 1011 |
| k(ret)probe/udp_recvmsg | ON (ports 53/5353 for DNS data) | 1025 |
| kprobe/do_init_module | ON | 1026 |
| security_kernel_read_file | ON | 1027 |
| security_inode_create | ON | 1028 |
| security_sb_mount | ON | 1029 |
| kprobe/call_usermodehelper | ON | 1030 |
| kprobe/security_file_ioctl | ON (anti-rootkit scan) | 1031 |

Collector

S stands for sync (real-time); P stands for periodic collection.

| Event | Type |
| --- | --- |
| cn_proc | S |
| crontab | P |
| processes | P |
| socket | P |
| sshconfig | P |
| ssh login | S |
| user | P |
| yum | P |
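The cn_proc collector in the table above is the userspace (netlink) half of Hades. As an added example that is not part of the Hades or Elkeid code base, the program below shows what such a collector has to do: build the netlink/cn_msg packet that subscribes to the process connector (PROC_CN_MCAST_LISTEN), then decode the proc_event records the kernel multicasts back, including the bounds checks on nlmsg_len and cn_msg.len that a parser of kernel-supplied bytes needs. Struct layouts and constants are taken from <linux/connector.h> and <linux/cn_proc.h>; the names ProcEvent, buildListenMsg and parseProcEvent are this example's own, and it assumes a little-endian host (netlink uses host byte order).

```go
// Added example (not Hades' own code): userspace side of a cn_proc process collector.
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"syscall"
)

// Constants from <linux/connector.h> and <linux/cn_proc.h>.
const (
	netlinkConnector  = 11 // NETLINK_CONNECTOR
	cnIdxProc         = 1  // CN_IDX_PROC (also the multicast group to bind)
	cnValProc         = 1  // CN_VAL_PROC
	procCnMcastListen = 1  // PROC_CN_MCAST_LISTEN
	nlmsgDone         = 3  // NLMSG_DONE: the nlmsg_type the connector uses

	nlmsgHdrLen     = 16 // struct nlmsghdr
	cnMsgHdrLen     = 20 // struct cn_msg: cb_id{idx,val}, seq, ack, len(u16), flags(u16)
	procEventHdrLen = 16 // struct proc_event: what, cpu, timestamp_ns (8-byte aligned)

	procEventFork = 0x00000001
	procEventExec = 0x00000002
	procEventExit = 0x80000000
)

// ProcEvent is the decoded subset of struct proc_event this example reports.
type ProcEvent struct {
	What, CPU             uint32
	TimestampNs           uint64
	PID, TGID             uint32 // the process itself (the child for fork)
	ParentPID, ParentTGID uint32 // fork and (newer kernels) exit only
	ExitCode              uint32 // exit only
}

// buildListenMsg returns nlmsghdr + cn_msg + proc_cn_mcast_op, the packet that
// subscribes the sending socket (identified by pid) to process events.
func buildListenMsg(pid uint32) []byte {
	le := binary.LittleEndian
	b := make([]byte, nlmsgHdrLen+cnMsgHdrLen+4)
	le.PutUint32(b[0:], uint32(len(b))) // nlmsg_len
	le.PutUint16(b[4:], nlmsgDone)      // nlmsg_type
	le.PutUint32(b[12:], pid)           // nlmsg_pid (port id of this socket)
	le.PutUint32(b[16:], cnIdxProc)     // cn_msg.id.idx
	le.PutUint32(b[20:], cnValProc)     // cn_msg.id.val
	le.PutUint16(b[32:], 4)             // cn_msg.len: one 32-bit enum follows
	le.PutUint32(b[36:], procCnMcastListen)
	return b
}

// parseProcEvent decodes one datagram received from the connector socket.
// Every length comes from the kernel, so each is checked before it is used.
func parseProcEvent(pkt []byte) (ProcEvent, error) {
	var ev ProcEvent
	le := binary.LittleEndian
	if len(pkt) < nlmsgHdrLen+cnMsgHdrLen+procEventHdrLen {
		return ev, errors.New("packet too short for a proc_event")
	}
	nlLen := int(le.Uint32(pkt[0:]))
	if nlLen < nlmsgHdrLen+cnMsgHdrLen || nlLen > len(pkt) {
		return ev, errors.New("bad nlmsg_len")
	}
	if le.Uint16(pkt[4:]) != nlmsgDone {
		return ev, errors.New("unexpected nlmsg_type")
	}
	cn := pkt[nlmsgHdrLen:nlLen]
	if le.Uint32(cn[0:]) != cnIdxProc || le.Uint32(cn[4:]) != cnValProc {
		return ev, errors.New("not a cn_proc message")
	}
	data := cn[cnMsgHdrLen:]
	if n := int(le.Uint16(cn[16:])); n > len(data) {
		return ev, errors.New("cn_msg.len exceeds packet")
	} else {
		data = data[:n]
	}
	if len(data) < procEventHdrLen {
		return ev, errors.New("truncated proc_event header")
	}
	ev.What, ev.CPU, ev.TimestampNs = le.Uint32(data[0:]), le.Uint32(data[4:]), le.Uint64(data[8:])
	ed := data[procEventHdrLen:] // union event_data
	switch {
	case ev.What == procEventFork && len(ed) >= 16:
		ev.ParentPID, ev.ParentTGID = le.Uint32(ed[0:]), le.Uint32(ed[4:])
		ev.PID, ev.TGID = le.Uint32(ed[8:]), le.Uint32(ed[12:])
	case ev.What == procEventExit && len(ed) >= 16:
		ev.PID, ev.TGID, ev.ExitCode = le.Uint32(ed[0:]), le.Uint32(ed[4:]), le.Uint32(ed[8:])
		if len(ed) >= 24 { // parent fields exist on newer kernels only
			ev.ParentPID, ev.ParentTGID = le.Uint32(ed[16:]), le.Uint32(ed[20:])
		}
	case len(ed) >= 8: // exec, uid, gid, sid, ptrace, comm, coredump all start with pid/tgid
		ev.PID, ev.TGID = le.Uint32(ed[0:]), le.Uint32(ed[4:])
	default:
		return ev, errors.New("event_data too short")
	}
	return ev, nil
}

// main subscribes and prints exec events (Linux, needs CAP_NET_ADMIN).
func main() {
	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, netlinkConnector)
	if err != nil {
		fmt.Fprintln(os.Stderr, "socket:", err)
		os.Exit(1)
	}
	defer syscall.Close(fd)
	self := uint32(os.Getpid())
	if err := syscall.Bind(fd, &syscall.SockaddrNetlink{Family: syscall.AF_NETLINK, Groups: cnIdxProc, Pid: self}); err != nil {
		fmt.Fprintln(os.Stderr, "bind:", err)
		os.Exit(1)
	}
	if err := syscall.Sendto(fd, buildListenMsg(self), 0, &syscall.SockaddrNetlink{Family: syscall.AF_NETLINK}); err != nil {
		fmt.Fprintln(os.Stderr, "sendto:", err)
		os.Exit(1)
	}
	buf := make([]byte, 4096)
	for {
		n, _, err := syscall.Recvfrom(fd, buf, 0)
		if err != nil {
			fmt.Fprintln(os.Stderr, "recvfrom:", err)
			os.Exit(1)
		}
		ev, err := parseProcEvent(buf[:n])
		if err != nil || ev.What != procEventExec {
			continue
		}
		// The event carries only pid/tgid; the executable path is read from
		// /proc and may already be gone if the process exited (a known race).
		exe, _ := os.Readlink(fmt.Sprintf("/proc/%d/exe", ev.PID))
		fmt.Printf("exec pid=%d tgid=%d exe=%s\n", ev.PID, ev.TGID, exe)
	}
}
```

Two properties of cn_proc are visible here and explain why Hades pairs it with the eBPF driver: an exec event contains nothing but pid/tgid, so the collector must go back to /proc for the path and arguments and can lose that race against short-lived processes, and the connector delivers one datagram per event with no filtering, so the parser must cope with every event type and with lengths it did not choose.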

Purpose

I maintain this project mainly for learning eBPF and HIDS.

Contact

Send "Hades" to get the QR code.