Alertyx is a powerful tool designed to automatically detect and respond to malicious behavior on a Linux system using eBPF. This README provides an overview of the project, including setup instructions, usage guidelines, and credits.

• Features
• Installation
• Usage
• Project Structure
• Screenshots & Examples
• Future Activities
• Prior Art
• eBPF Resources and Libraries
• Contributing
• Credits
• License

• 🛠️ Analysis: Comprehensive tools to analyze system events.
• 🚀 Correlation: Advanced correlation capabilities to identify patterns.
• 📊 Output: Various output formats for easy integration with other tools.
• 📚 Documentation: Detailed documentation to guide you through the setup and usage.
• 🔍 Hunt: Hunt for existing malicious activity.
• 🛡️ Mitigation: Mitigate all known vulnerabilities.
• 🕵️‍♂️ Monitoring: Actively monitor for malicious actions.

1. Ensure BCC is installed.
2. Install alertyx:
   • Clone this repository and build the binary (requires Go):

     git clone https://github.com/sourque/alertyx
     cd alertyx
     go build

   • Or download the alertyx binary from releases.

Usage:
  alertyx [command]

Available Commands:
  help        Help about any command
  hunt        Hunt for existing malicious activity
  mitigate    Mitigate all known vulnerabilities
  monitor     Actively monitor for malicious action
  version     Print alertyx version

Flags:
  -a, --active    Counter detected malicious activity (dangerous, may clobber)
  -h, --help      Help for alertyx
  -s, --syslog    Output to syslog
  -v, --verbose   Enable verbose output

Use "alertyx [command] --help" for more information about a command.

alertyx gathers information from the kernel through eBPF (with BCC). These sources are analyzed with information from categorized techniques and vulnerabilities.

                                                +------------+
                                                |            |
                                                | CLI Output |
                                                |            |
                                                +--------+---+
                                                         ^
                   +-------------------------------------|------+
                   |                                     |      |
+--------+         | +---------+    +----------+     +---+---+  |
|        |         | |         |    |          +---->+       |  |
|        |   eBPF  | | Sources +--->+ Analysis |     | alertyx |  |
| Kernel +---------->+ Sockets |    +----------+     +--+----+  |
|        |         | | Users   |               ^        ^       |
|        |         | | Proc... |    +-------+  |        |       |
|        |         | |         |    |       |  |        v       |
+--------+         | +---------+    | Techs +<-+    +---+----+  |
                   |                |       |       | Output |  |
                   |                +-------+       +--------+  |
                   |                                            |
                   +--------------------------------------------+

There is no kernelspace component (other than the eBPF data-gathering code), which means alertyx is more susceptible to resource exhaustion and various types of executable manipulation. However, if that happens, you'll probably know about it.

• analysis/: Tools and scripts for event analysis.
• cmd/: Command-line interface components.
• common/: Common utilities and helpers.
• correlate/: Event correlation logic.
• docs/: Project documentation.
• events/: Event definitions and handlers.
• output/: Output format definitions and handlers.
• system/: System-level utilities.
• techs/: Technology-specific components.
• utils/: General utilities.

• New Sources:
  • eBPF additions
  • PAM authentication
  • File permission changes (for sensitive dirs like /tmp and creating new bins/suid/sgid)
• Techs/Threat Actions:
  • Send lines per (bash)
  • Time between shell spawn and sending commands (maybe)
  • Connect() (detect if being scanned)
• Fixes:
  • Pwd incorrectly reports absolute path when in mounted/chrooted environment (e.g., tmux)
  • Race condition in BCC code? Imagine one open syscall on the same PID starts before another and ends after -- details would be overwritten?

• Falco: Well-made tool with a similar purpose and design, primarily in C++, large backing by Sysdig.
• BLUESPAWN: Similar tool for Windows, made by very talented and welcoming developers.
• PeaceMaker: Windows heuristic monitoring tool made by a local cyber genius.

• iovisor/gobpf
• iovisor/bcc
• Brendan Gregg's BCC Tracing Tools

We welcome contributions from the community! Please read our contributing guide to get started.

This project is forked from the original Alertyx project by Original Author. We thank them for their amazing work and the foundation they provided.

Alertyx is licensed under the MIT License.

Made with ❤️ by Your Name

If you have any questions or need further assistance, please open an issue or contact us directly. Happy monitoring! 📈