Alertyx is a tool that automatically detects and responds to malicious behavior on a Linux system using eBPF. This README provides an overview of the project, including setup instructions, usage guidelines, and credits.
- Features
- Installation
- Usage
- Project Structure
- Screenshots & Examples
- Future Activities
- Prior Art
- eBPF Resources and Libraries
- Contributing
- Credits
- License
- Analysis: Comprehensive tools to analyze system events.
- Correlation: Advanced correlation capabilities to identify patterns across events.
- Output: Various output formats (CLI, syslog) for easy integration with other tools.
- Documentation: Detailed documentation to guide you through the setup and usage.
- Hunt: Hunt for existing malicious activity.
- Mitigation: Apply mitigations for the vulnerabilities alertyx knows about.
- Monitoring: Actively monitor for malicious actions.
- Ensure BCC is installed. BCC compiles the eBPF programs at runtime, so it also needs kernel headers for the running kernel, and loading eBPF programs requires root, so run alertyx as root.
- Install alertyx:
  - Clone this repository and build the binary (requires Go):

    ```sh
    git clone https://github.com/sourque/alertyx
    cd alertyx
    go build
    ```

  - Or download the alertyx binary from releases.
```text
Usage:
  alertyx [command]

Available Commands:
  help        Help about any command
  hunt        Hunt for existing malicious activity
  mitigate    Mitigate all known vulnerabilities
  monitor     Actively monitor for malicious action
  version     Print alertyx version

Flags:
  -a, --active    Counter detected malicious activity (dangerous, may clobber)
  -h, --help      Help for alertyx
  -s, --syslog    Output to syslog
  -v, --verbose   Enable verbose output

Use "alertyx [command] --help" for more information about a command.
```
alertyx gathers information from the kernel through eBPF (with BCC). These sources (sockets, users, processes, and so on) are analyzed against a catalogue of categorized techniques and vulnerabilities, and matches are sent to the output layer.
```text
                                          +------------+
                                          |            |
                                          | CLI Output |
                                          |            |
                                          +--------+---+
                                                   ^
             +-------------------------------------|------+
             |                                     |      |
+--------+   |  +---------+   +----------+     +---+---+  |
|        |   |  |         |   |          +---->+       |  |
|        | eBPF|  Sources +--->+ Analysis |     | alertyx |  |
| Kernel +---------->+ Sockets |   +----------+     +--+----+  |
|        |   |  |  Users  |        ^               ^     |  |
|        |   |  |  Proc...|   +-------+            |     |  |
|        |   |  |         |   |       |            v     |  |
+--------+   |  +---------+   | Techs +<-+     +---+----+  |
             |                |       |       | Output |  |
             |                +-------+       +--------+  |
             |                                            |
             +--------------------------------------------+
```
There is no kernelspace component (other than the eBPF data-gathering code), so alertyx runs entirely as a userspace process. That makes it more susceptible to resource exhaustion and to tampering with its executable than a kernel-resident agent would be. However, if that happens, you'll probably know about it.
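To make the diagram concrete, here is an added example of the same pipeline shape in Go (the project's language). It is not alertyx's own code: the `Event`, `Tech`, `Analyze` and `SampleEvents` names, the two technique checks, and the hand-constructed event stream are all assumptions made for illustration. In alertyx the sources would be fed by eBPF through BCC; here the events are built inline so the analysis and correlation steps can run without a kernel hook.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Event is one record from a source. Constructed here; in the real tool
// these would come from eBPF (via BCC) for exec, connect and file events.
type Event struct {
	Seq  int    // arrival order
	Kind string // "exec", "connect" or "create"
	PID  int
	PPID int
	Comm string // executable path for exec events
	Path string // file path for create events
	Mode uint32 // file mode bits for create events
	Dst  string // remote ip:port for connect events
}

// Alert is what a tech emits when the current event plus history matches.
type Alert struct {
	Tech string
	PID  int
	Why  string
}

// Tech is one categorized technique: a predicate over the current event and
// everything seen before it. The history is what lets a tech correlate.
type Tech struct {
	Name  string
	Check func(history []Event, cur Event) (string, bool)
}

func isShell(path string) bool {
	switch filepath.Base(path) {
	case "sh", "bash", "dash", "zsh":
		return true
	}
	return false
}

// connectThenShell flags a shell exec'd by a process (or by the child of a
// process) that earlier opened an outbound socket: a reverse-shell heuristic.
func connectThenShell(history []Event, cur Event) (string, bool) {
	if cur.Kind != "exec" || !isShell(cur.Comm) {
		return "", false
	}
	for _, e := range history {
		if e.Kind == "connect" && (e.PID == cur.PID || e.PID == cur.PPID) {
			return fmt.Sprintf("%s spawned after pid %d connected to %s", cur.Comm, e.PID, e.Dst), true
		}
	}
	return "", false
}

// suidInTmp flags creation of a setuid/setgid file in a world-writable
// scratch directory (the "new bins/suid/sgid" case from the roadmap).
func suidInTmp(_ []Event, cur Event) (string, bool) {
	const setID = 0o4000 | 0o2000 // S_ISUID | S_ISGID
	if cur.Kind != "create" || cur.Mode&setID == 0 {
		return "", false
	}
	for _, dir := range []string{"/tmp/", "/var/tmp/", "/dev/shm/"} {
		if strings.HasPrefix(cur.Path, dir) {
			return fmt.Sprintf("%s created with mode %o", cur.Path, cur.Mode), true
		}
	}
	return "", false
}

// DefaultTechs is the assumed catalogue the analysis step matches against.
func DefaultTechs() []Tech {
	return []Tech{
		{Name: "connect-then-shell", Check: connectThenShell},
		{Name: "suid-in-tmp", Check: suidInTmp},
	}
}

// Analyze replays events in Seq order, runs every tech against each event
// with the full history so far, and returns alerts in detection order.
func Analyze(events []Event, techs []Tech) []Alert {
	ordered := append([]Event(nil), events...)
	sort.SliceStable(ordered, func(i, j int) bool { return ordered[i].Seq < ordered[j].Seq })
	var alerts []Alert
	var history []Event
	for _, ev := range ordered {
		for _, t := range techs {
			if why, ok := t.Check(history, ev); ok {
				alerts = append(alerts, Alert{Tech: t.Name, PID: ev.PID, Why: why})
			}
		}
		history = append(history, ev)
	}
	return alerts
}

// SampleEvents is a constructed stream: a python process connects out and
// spawns /bin/sh, which drops a setuid binary in /tmp; a login shell and a
// plain file write are included as benign noise.
func SampleEvents() []Event {
	return []Event{
		{Seq: 1, Kind: "exec", PID: 1001, PPID: 1, Comm: "/usr/bin/python3"},
		{Seq: 2, Kind: "connect", PID: 1001, Dst: "203.0.113.5:4444"},
		{Seq: 3, Kind: "exec", PID: 1002, PPID: 1001, Comm: "/bin/sh"},
		{Seq: 4, Kind: "create", PID: 1002, PPID: 1001, Path: "/tmp/.x", Mode: 0o4755},
		{Seq: 5, Kind: "exec", PID: 2000, PPID: 1, Comm: "/bin/bash"},
		{Seq: 6, Kind: "create", PID: 2000, PPID: 1, Path: "/home/u/notes.txt", Mode: 0o644},
	}
}

func main() {
	for _, a := range Analyze(SampleEvents(), DefaultTechs()) {
		fmt.Printf("[%s] pid=%d %s\n", a.Tech, a.PID, a.Why)
	}
}
```

Running it prints two alerts, both for pid 1002 (the shell spawned after the outbound connect, then the setuid drop in /tmp); the login shell and the plain file write produce nothing. The point of carrying `history` into every check is the correlation step from the diagram: a shell exec on its own is noise, and only the earlier connect from the parent makes it suspicious.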
- analysis/: Tools and scripts for event analysis.
- cmd/: Command-line interface components.
- common/: Common utilities and helpers.
- correlate/: Event correlation logic.
- docs/: Project documentation.
- events/: Event definitions and handlers.
- output/: Output format definitions and handlers.
- system/: System-level utilities.
- techs/: Technique definitions (the categorized techniques and vulnerabilities that events are matched against).
- utils/: General utilities.
- New Sources:
  - eBPF additions
  - PAM authentication
  - File permission changes (for sensitive dirs like /tmp, and creation of new binaries / suid / sgid files)
- Techs/Threat Actions:
  - Send lines per (bash)
  - Time between shell spawn and sending commands (maybe)
  - connect() (detect if being scanned)
- Fixes:
  - pwd incorrectly reports an absolute path when in a mounted/chrooted environment (e.g., tmux)
  - Possible race condition in the BCC code: if one open syscall on the same PID starts before another and ends after it, are the first call's details overwritten?
- Falco: Well-made tool with a similar purpose and design, primarily in C++, large backing by Sysdig.
- BLUESPAWN: Similar tool for Windows, made by very talented and welcoming developers.
- PeaceMaker: Windows heuristic monitoring tool made by a local cyber genius.
We welcome contributions from the community! Please read our contributing guide to get started.
This project is forked from the original Alertyx project by Original Author. We thank them for their amazing work and the foundation they provided.
Alertyx is licensed under the MIT License.
Made with ❤️ by Your Name

If you have any questions or need further assistance, please open an issue or contact us directly. Happy monitoring!