
Alertyx

Alertyx is a powerful tool designed to automatically detect and respond to malicious behavior on a Linux system using eBPF. This README provides an overview of the project, including setup instructions, usage guidelines, and credits.

Features

  • ๐Ÿ› ๏ธ Analysis: Comprehensive tools to analyze system events.
  • ๐Ÿš€ Correlation: Advanced correlation capabilities to identify patterns.
  • ๐Ÿ“Š Output: Various output formats for easy integration with other tools.
  • ๐Ÿ“š Documentation: Detailed documentation to guide you through the setup and usage.
  • ๐Ÿ” Hunt: Hunt for existing malicious activity.
  • ๐Ÿ›ก๏ธ Mitigation: Mitigate all known vulnerabilities.
  • ๐Ÿ•ต๏ธโ€โ™‚๏ธ Monitoring: Actively monitor for malicious actions.

Installation

  1. Ensure BCC is installed.
  2. Install alertyx:
    • Clone this repository and build the binary (requires Go):
      git clone https://github.com/sourque/alertyx
      cd alertyx
      go build
    • Or download the alertyx binary from releases.

Usage

Usage:
  alertyx [command]

Available Commands:
  help        Help about any command
  hunt        Hunt for existing malicious activity
  mitigate    Mitigate all known vulnerabilities
  monitor     Actively monitor for malicious action
  version     Print alertyx version

Flags:
  -a, --active    Counter detected malicious activity (dangerous, may clobber)
  -h, --help      Help for alertyx
  -s, --syslog    Output to syslog
  -v, --verbose   Enable verbose output

Use "alertyx [command] --help" for more information about a command.

Information

alertyx gathers information from the kernel through eBPF (with BCC). The resulting event sources are analyzed against a categorized set of techniques and vulnerabilities.

                                                +------------+
                                                |            |
                                                | CLI Output |
                                                |            |
                                                +--------+---+
                                                         ^
                   +-------------------------------------|------+
                   |                                     |      |
+--------+         | +---------+    +----------+     +---+---+  |
|        |         | |         |    |          +---->+       |  |
|        |   eBPF  | | Sources +--->+ Analysis |     | alertyx |  |
| Kernel +---------->+ Sockets |    +----------+     +--+----+  |
|        |         | | Users   |               ^        ^       |
|        |         | | Proc... |    +-------+  |        |       |
|        |         | |         |    |       |  |        v       |
+--------+         | +---------+    | Techs +<-+    +---+----+  |
                   |                |       |       | Output |  |
                   |                +-------+       +--------+  |
                   |                                            |
                   +--------------------------------------------+

There is no kernelspace component (other than the eBPF data-gathering code), which means alertyx is more susceptible to resource exhaustion and various types of executable manipulation. However, if that happens, you'll probably know about it.

Project Structure

  • analysis/: Tools and scripts for event analysis.
  • cmd/: Command-line interface components.
  • common/: Common utilities and helpers.
  • correlate/: Event correlation logic.
  • docs/: Project documentation.
  • events/: Event definitions and handlers.
  • output/: Output format definitions and handlers.
  • system/: System-level utilities.
  • techs/: Technology-specific components.
  • utils/: General utilities.

Screenshots & Examples

Example of alertyx Running

Fun Future Activities

  • New Sources:
    • eBPF additions
    • PAM authentication
    • File permission changes (for sensitive dirs like /tmp and creating new bins/suid/sgid)
  • Techs/Threat Actions:
    • Send lines per (bash)
    • Time between shell spawn and sending commands (maybe)
    • Connect() (detect if being scanned)
  • Fixes:
    • Pwd incorrectly reports absolute path when in mounted/chrooted environment (e.g., tmux)
    • Race condition in BCC code? Imagine one open syscall on the same PID starts before another and ends after -- details would be overwritten?
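The race suspected in the last bullet can be modelled in userspace: a BCC entry probe stashes the syscall arguments in a hash map and the return probe reads them back, so the choice of map key decides whether two overlapping open() calls from threads of the same process overwrite each other. The Go program below is an added example, not alertyx code or BCC code; the event stream, PIDs, filenames and the `Correlate` helper are constructed for illustration, and the fix it shows (keying by the full pid_tgid, which is what `bpf_get_current_pid_tgid()` returns) is the standard BCC idiom rather than anything the project has committed to.

```go
package main
import "fmt"

// Model of the BCC kprobe/kretprobe pattern: the entry probe stashes the
// syscall arguments in a hash map keyed by the calling task, and the return
// probe looks them up. Keyed by PID alone, overlapping open() calls from two
// threads of one process collide; keyed by pid_tgid (tgid<<32|tid) they do not.
type event struct {
	Kind     string // "enter" or "exit"
	Tgid     uint32 // process id (what userspace calls the PID)
	Tid      uint32 // kernel task id of the thread
	Filename string // open() argument, only set on "enter"
}
// Key by process id only: the overwrite suspected in the README.
func byPid(e event) uint64 { return uint64(e.Tgid) }
// Key by pid_tgid, the value bpf_get_current_pid_tgid() returns.
func byPidTgid(e event) uint64 { return uint64(e.Tgid)<<32 | uint64(e.Tid) }

// Correlate replays the event stream and returns, per thread, the filename
// the exit handler attributed to that thread's open().
func Correlate(events []event, key func(event) uint64) map[uint32]string {
	inflight := map[uint64]string{} // stands in for the BPF_HASH
	out := map[uint32]string{}
	for _, e := range events {
		switch e.Kind {
		case "enter":
			inflight[key(e)] = e.Filename
		case "exit":
			if f, ok := inflight[key(e)]; ok {
				out[e.Tid] = f
				delete(inflight, key(e))
			}
		}
	}
	return out
}

// Constructed interleaving: thread 1002 enters open() before thread 1001
// (same process 1000) has returned from its own.
var Interleaved = []event{
	{"enter", 1000, 1001, "/etc/hosts"},
	{"enter", 1000, 1002, "/tmp/scratch"},
	{"exit", 1000, 1001, ""},
	{"exit", 1000, 1002, ""},
}

func main() {
	fmt.Println(Correlate(Interleaved, byPid), Correlate(Interleaved, byPidTgid))
}
```

With the PID-only key, thread 1001 is reported as having opened /tmp/scratch and thread 1002's open is lost entirely; with the pid_tgid key both threads are attributed their own file.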

Prior Art

  • Falco: Well-made tool with a similar purpose and design, primarily in C++, large backing by Sysdig.
  • BLUESPAWN: Similar tool for Windows, made by very talented and welcoming developers.
  • PeaceMaker: Windows heuristic monitoring tool made by a local cyber genius.

eBPF Resources and Libraries

Contributing

We welcome contributions from the community! Please read our contributing guide to get started.

Credits

This project is forked from the original Alertyx project by Original Author. We thank them for their amazing work and the foundation they provided.

License

Alertyx is licensed under the MIT License.


Made with ❤️ by Your Name


If you have any questions or need further assistance, please open an issue or contact us directly. Happy monitoring! 📈
