{"id":13540160,"url":"https://github.com/EBWi11/AgentSmith-HIDS","last_synced_at":"2025-04-02T07:30:42.547Z","repository":{"id":144204350,"uuid":"163095760","full_name":"EBWi11/AgentSmith-HIDS","owner":"EBWi11","description":"By Kprobe technology Open Source Host-based Intrusion Detection System(HIDS), from E_Bwill.","archived":true,"fork":false,"pushed_at":"2021-04-01T11:12:43.000Z","size":44695,"stargazers_count":588,"open_issues_count":0,"forks_count":166,"subscribers_count":29,"default_branch":"master","last_synced_at":"2024-08-01T09:26:13.010Z","etag":null,"topics":["anti-rootkit","connect-hook","create-file-hook","detect-porcess-injection","dns-query-hook","execve-hook","hids","intrusion-detection","kprobes","load-lkm-hook","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EBWi11.png","metadata":{"files":{"readme":"README-zh_CN.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-12-25T16:03:59.000Z","updated_at":"2024-07-16T02:26:56.000Z","dependencies_parsed_at":"2023-06-18T15:56:26.282Z","dependency_job_id":null,"html_url":"https://github.com/EBWi11/AgentSmith-HIDS","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EBWi11%2FAgentSmith-HIDS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EBWi11%2FAgentSmith-HIDS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EBWi11%2FAgentSmith-HIDS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/EBWi11%2FAgentSmith-HIDS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EBWi11","download_url":"https://codeload.github.com/EBWi11/AgentSmith-HIDS/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222810298,"owners_count":17040999,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-rootkit","connect-hook","create-file-hook","detect-porcess-injection","dns-query-hook","execve-hook","hids","intrusion-detection","kprobes","load-lkm-hook","security"],"created_at":"2024-08-01T09:01:41.769Z","updated_at":"2024-11-03T05:30:48.695Z","avatar_url":"https://github.com/EBWi11.png","language":null,"funding_links":[],"categories":["Defense","Others","Tools"],"sub_categories":["IDS\u0026\u0026IPS"],"readme":"# AgentSmith-HIDS\n\nThe project name is inspired by the film *The Matrix*.\n\n[![License](https://img.shields.io/badge/License-GPL%20v2-blue.svg)](https://github.com/DianrongSecurity/AgentSmith-HIDS/blob/master/LICENSE) [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)\n\n[English](README.md) | 简体中文\n\n# THIS REPO IS OLD\n# RELEASE VERSION: https://github.com/bytedance/Elkeid\n\n\n### About AgentSmith-HIDS\n\nStrictly speaking, AgentSmith-HIDS is not a \"Host-based Intrusion Detection System\": the open-source part currently has no rule engine and no detection logic of its own. It is better described as a high-performance host information collector on top of which you can build your own HIDS.\nBecause it collects **as much data as possible from kernel space**, it has clear advantages over user-space HIDS agents:\n\n* **Better performance**: data is obtained through a kernel driver, so there is no need to walk /proc to fill in missing fields; the transport uses shared memory rather than netlink, which also performs better.\n* **Hard to bypass**: because the data comes from a kernel driver, behaviour that deliberately hides itself from user space, such as a rootkit, is difficult to conceal from the monitor.\n* **Built for correlation**: it serves not only as a security tool but also as a monitoring or asset-inventory source. The kernel module enumerates processes, users, files and network connections; joined with CMDB data this yields a call/dependency graph from the network down to host, container and business service; joined with a DB audit tool it maps DB users, schemas and columns to applications, network, hosts and containers; joined with NIDS or threat intelligence it supports tracing an intrusion back to its source.\n* **User space + kernel space**: AgentSmith-HIDS has both a kernel-space module and a user-space agent, and the two complement each other.\n\n\n\n### Main features implemented by AgentSmith-HIDS\n\n* The kernel module hooks **execve, connect, process inject, create file, DNS query and load LKM** via kprobes, and is Linux namespace aware, so it also collects container activity.\n* The user-space agent supports custom detection modules; built in so far: **system user list**, **listening port list**, **installed RPM list** and **cron job list**.\n* **Partial rootkit detection**, from [Tyton](https://github.com/nbulischeck/tyton): **PROC_FILE_HOOK**, **SYSCALL_HOOK**, **LKM_HIDDEN** and **INTERRUPTS_HOOK** have been ported so far; this part requires Kernel \u003e 3.10.\n* Credential change detection (sudo/su/sshd excluded)\n* User login monitoring\n\n\n### Use cases for AgentSmith-HIDS (to be expanded)\n\n* [How to detect a reverse shell with AgentSmith-HIDS](doc/How-to-use-AgentSmith-HIDS-to-detect-reverse-shell/如何利用AgentSmith-HIDS检测反弹shell.md)\n\n\n\n### Kernel version compatibility\n\n* Kernel \u003e 2.6.25\n* AntiRootKit \u003e 3.10\n\n\n\n### Container support\n\n| Event source | Nodename       |\n| ------------ | -------------- |\n| Host         | hostname       |\n| Docker       | container name |\n| k8s          | pod name       |\n\n\n\n\n### Components of AgentSmith-HIDS\n\n* **Kernel driver module (LKM)**: hooks key functions via kprobe and captures the data;\n* **User-space Agent**: receives the events captured by the driver, processes them and sends them to Kafka; sends heartbeats to the Server to report liveness and executes commands issued by the Server;\n* **Agent Server**: issues commands to Agents and reports Agent status, count and similar information (optional component).\n\n\n\n### Execve Hook\n\nImplemented by hooking **sys_execve()/sys_execveat()/compat_sys_execve()/compat_sys_execveat()**. Sample event (here the process runs inside an SSH session: `stdin`/`stdout` are a pty and the session socket belongs to sshd, pid 2175; the environment's `LD_PRELOAD` is captured as well):\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/tmp\",\n    \"exe\":\"/opt/ltp/testcases/bin/growfiles\",\n    \"argv\":\"growfiles -W gf26 -D 0 -b -i 0 -L 60 -u -B 1000b -e 1 -r 128-32768:128 -R 512-64000 -T 4 -f gfsmallio-35861 -d /tmp/ltp-Ujxl8kKsKY \",\n    \"pid\":\"35861\",\n    \"ppid\":\"35711\",\n    \"pgid\":\"35861\",\n    \"tgid\":\"35861\",\n    \"comm\":\"growfiles\",\n    \"nodename\":\"test\",\n    \"stdin\":\"/dev/pts/1\",\n    \"stdout\":\"/dev/pts/1\",\n    \"sessionid\":\"3\",\n    \"sip\":\"192.168.165.1\",\n    \"sport\":\"61726\",\n    \"dip\":\"192.168.165.128\",\n    \"dport\":\"22\",\n    \"sa_family\":\"1\",\n    \"pid_tree\":\"1(systemd)-\u003e1384(sshd)-\u003e2175(sshd)-\u003e2177(bash)-\u003e2193(fish)-\u003e35552(runltp)-\u003e35711(ltp-pan)-\u003e35861(growfiles)\",\n    \"tty_name\":\"pts1\",\n    \"socket_process_pid\":\"2175\",\n    \"socket_process_exe\":\"/usr/sbin/sshd\",\n    \"SSH_CONNECTION\":\"192.168.165.1 61726 192.168.165.128 22\",\n    \"LD_PRELOAD\":\"/root/ldpreload/test.so\",\n    \"user\":\"root\",\n    \"time\":\"1579575429143\",\n    \"local_ip\":\"192.168.165.128\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"01272152d4901fd3c2efacab5c0e38e5\",\n    \"socket_process_exe_md5\":\"686cd72b4339da33bfb6fe8fb94a301f\"\n}\n```\n\n### Bind Hook\n\nImplemented by hooking **sys_bind()**. Sample event:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"49\",\n    \"sa_family\":\"2\",\n    \"exe\":\"/usr/bin/python2.7\",\n    \"pid\":\"109640\",\n    \"ppid\":\"215496\",\n    \"pgid\":\"109640\",\n    \"tgid\":\"109640\",\n    \"comm\":\"python\",\n    \"nodename\":\"n225-117-018\",\n    \"sip\":\"0.0.0.0\",\n    \"sport\":\"8000\",\n    \"res\":\"0\",\n    \"sessionid\":\"30\",\n    \"user\":\"root\",\n    \"time\":\"1587540231936\",\n    \"local_ip_str\":\"10.225.117.18\",\n    \"hostname_str\":\"n225-117-018\",\n    \"exe_md5\":\"4f458165a2129ba549f1b6605ee87e74\"\n}\n```\n\n\n### Connect Hook\n\nImplemented by hooking **tcp_v4_connect()/tcp_v6_connect()/ip4_datagram_connect()/ip6_datagram_connect()**. Sample event:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"42\",\n    \"sa_family\":\"2\",\n    \"connect_type\":\"4\",\n    \"dport\":\"1025\",\n    \"dip\":\"180.101.49.11\",\n    \"exe\":\"/usr/bin/ping\",\n    \"pid\":\"6294\",\n    \"ppid\":\"1941\",\n    \"pgid\":\"6294\",\n    \"tgid\":\"6294\",\n    \"comm\":\"ping\",\n    \"nodename\":\"test\",\n    \"sip\":\"192.168.165.153\",\n    \"sport\":\"45524\",\n    \"res\":\"0\",\n    \"sessionid\":\"1\",\n    \"user\":\"root\",\n    \"time\":\"1575721921240\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"735ae70b4ceb8707acc40bc5a3d06e04\"\n}\n```\n\n\n\n### DNS Query Hook\n\nImplemented by hooking **udp_recvmsg()/udpv6_recvmsg()**; the hook sits on the receive path, so the captured packet is the DNS reply (`qr` = 1 in the sample marks a response). Sample event:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"601\",\n    \"sa_family\":\"2\",\n    \"dport\":\"53\",\n    \"dip\":\"192.168.165.2\",\n    \"exe\":\"/usr/bin/ping\",\n    \"pid\":\"6294\",\n    \"ppid\":\"1941\",\n    \"pgid\":\"6294\",\n    \"tgid\":\"6294\",\n    \"comm\":\"ping\",\n    \"nodename\":\"test\",\n    \"sip\":\"192.168.165.153\",\n    \"sport\":\"53178\",\n    \"qr\":\"1\",\n    \"opcode\":\"0\",\n    \"rcode\":\"0\",\n    \"query\":\"www.baidu.com\",\n    \"sessionid\":\"1\",\n    \"user\":\"root\",\n    \"time\":\"1575721921240\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"39c45487a85e26ce5755a893f7e88293\"\n}\n```\n\n\n### Create File Hook\n\nImplemented by hooking **security_inode_create()**. Sample event (`create_file_md5` is computed at creation time, so for a new file it is the MD5 of empty content, d41d8cd98f00b204e9800998ecf8427e, and cannot be matched against known payload hashes):\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"602\",\n    \"exe\":\"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre/bin/java\",\n    \"file_path\":\"/tmp/kafka-logs/replication-offset-checkpoint.tmp\",\n    \"pid\":\"3341\",\n    \"ppid\":\"1\",\n    \"pgid\":\"2657\",\n    \"tgid\":\"2659\",\n    \"comm\":\"kafka-scheduler\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"3\",\n    \"user\":\"root\",\n    \"time\":\"1575721984257\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"215be70a38c3a2e14e09d637c85d5311\",\n    \"create_file_md5\":\"d41d8cd98f00b204e9800998ecf8427e\"\n}\n```\n\n\n\n### Process Inject Hook\n\nImplemented by hooking **sys_ptrace()**. Sample event (`ptrace_request` 4 is PTRACE_POKETEXT, a write into the target's memory):\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"101\",\n    \"ptrace_request\":\"4\",\n    \"target_pid\":\"7402\",\n    \"addr\":\"00007ffe13011ee6\",\n    \"data\":\"-a\",\n    \"exe\":\"/root/ptrace/ptrace\",\n    \"pid\":\"7401\",\n    \"ppid\":\"1941\",\n    \"pgid\":\"7401\",\n    \"tgid\":\"7401\",\n    \"comm\":\"ptrace\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"1\",\n    \"user\":\"root\",\n    \"time\":\"1575722717065\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"863293f9fcf1af7afe5797a4b6b7aa0a\"\n}\n```\n\n\n### Load LKM File Hook\n\nImplemented by hooking **load_module()**. Sample event:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"603\",\n    \"exe\":\"/usr/bin/kmod\",\n    \"lkm_file\":\"/root/ptrace/ptrace\",\n    \"pid\":\"29461\",\n    \"ppid\":\"9766\",\n    \"pgid\":\"29461\",\n    \"tgid\":\"29461\",\n    \"comm\":\"insmod\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"13\",\n    \"user\":\"root\",\n    \"time\":\"1577212873791\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"0010433ab9105d666b044779f36d6d1e\",\n    \"load_file_md5\":\"863293f9fcf1af7afe5797a4b6b7aa0a\"\n}\n```\n\n\n### Cred Change Hook\n\nImplemented by hooking **commit_creds()**. Sample event (`old_uid` 1000 became `uid` 0 through a binary other than sudo/su/sshd):\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"604\",\n    \"exe\":\"/tmp/tt\",\n    \"pid\":\"27737\",\n    \"ppid\":\"26865\",\n    \"pgid\":\"27737\",\n    \"tgid\":\"27737\",\n    \"comm\":\"tt\",\n    \"old_uid\":\"1000\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"42\",\n    \"user\":\"root\",\n    \"time\":\"1578396197131\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"d99a695d2dc4b5099383f30964689c55\"\n}\n```\n\n\n### User Login Alert\n```json\n{\n    \"data_type\":\"1001\",\n    \"status\":\"Failed\",\n    \"type\":\"password\",\n    \"user_exsit\":\"false\",\n    \"user\":\"sad\",\n    \"from_ip\":\"192.168.165.1\",\n    \"port\":\"63089\",\n    \"processor\":\"ssh2\",\n    \"time\":\"1578405483119\",\n    \"local_ip\":\"192.168.165.128\",\n    \"hostname\":\"localhost.localdomain\"\n}\n```\n\n\n### PROC File Hook Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"700\",\n    \"module_name\":\"autoipv6\",\n    \"hidden\":\"0\",\n    \"time\":\"1578384987766\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### Syscall Hook Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"701\",\n    \"module_name\":\"diamorphine\",\n    \"hidden\":\"1\",\n    \"syscall_number\":\"78\",\n    \"time\":\"1578384927606\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### LKM Hidden Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"702\",\n    \"module_name\":\"diamorphine\",\n    \"hidden\":\"1\",\n    \"time\":\"1578384927606\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### Interrupts Hook Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"703\",\n    \"module_name\":\"syshook\",\n    \"hidden\":\"1\",\n    \"interrupt_number\":\"2\",\n    \"time\":\"1578384927606\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### Performance\n\nTest environment (VM):\n\n| CPU       | Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40GHz, 4 cores |\n| --------- | ------------------------------------------------------ |\n| RAM       | 8GB                                                    |\n| OS/Kernel | Debian 9 / 4.14.81.bm.19-amd64                         |\n\nTest load:\n\n`ltp -f syscalls`\n\nResults (1 min):\n\n| Hook Handler                        | Average Delay(us) | TP99(us) | TP95(us) | TP90(us) |\n| ----------------------------------- | ----------------- | -------- | -------- | -------- |\n| connect_entry_handler               | 0.2914            | 6.7627   | 0.355    | 0.3012   |\n| connect_handler                     | 2.1406            | 18.3801  | 12.102   | 7.832    |\n| execve_entry_handler                | 5.9320            | 13.7034  | 9.908    | 8.334    |\n| execve_handler                      | 6.8826            | 26.0584  | 15.9976  | 12.6260  |\n| security_inode_create_entry_handler | 1.9963            | 9.3042   | 6.7730   | 4.6816   |\n| security_inode_create_handler       | 4.2114            | 13.2165  | 8.83775  | 6.534    |\n\nRaw test data:\n\n[Benchmark Data](https://github.com/EBWi11/AgentSmith-HIDS/tree/master/benchmark_data)\n\n\nTested with cyclictest:\n\n`cyclictest -p 90 -m -c 0 -i 200 -n -h 100 -q -l 1000000`\n\nSmith unloaded:\n```\n# Total: 000999485\n# Min Latencies: 00002\n# Avg Latencies: 00007\n# Max Latencies: 13905\n# Histogram Overflows: 00515\n```\n\nSmith loaded:\n```\n# Total: 000999519\n# Min Latencies: 00002\n# Avg Latencies: 00007\n# Max Latencies: 15216\n# Histogram Overflows: 00481\n```\n\n\n**time -v /opt/ltp/testcases/bin/execve05 -n 30000**\n\nAveraged over 10 runs\n\nSmith loaded:\n\n| Average User Time(s) | Average System Time(s) |\n| -------------------- | ---------------------- |\n| 22.329               | 14.885                 |\n\nSmith unloaded:\n\n| Average User Time(s) | Average System Time(s) |\n| -------------------- | ---------------------- |\n| 22.271               | 14.395                 |\n\n### Deployment and testing documentation\n\n[Quick Start](https://github.com/EBWi11/AgentSmith-HIDS/blob/master/doc/AgentSmith-HIDS-Quick-Start-zh_CN.md)\n\n\n\n\n### Acknowledgements (in no particular order)\n\n[yuzunzhi](https://github.com/yuzunzhi)\n\n[hapood](https://github.com/hapood)\n\n[HF-Daniel](https://github.com/HF-Daniel)\n\n[smcdef](https://github.com/smcdef)\n\n\n### Author's WeChat\n\n**For any problem encountered while using the project, please open an ISSUE; for other discussion, add the author on WeChat.**\n\n\u003cimg src=\"doc/wechat.jpg\" width=\"50%\" height=\"50%\"/\u003e\n\n\n\n\n### SecDamageControl (灾难控制局) WeChat public account\n\nIt posts updates on AgentSmith-HIDS and detailed explanations of its capabilities from time to time; follow it if you are interested:\n\n\u003cimg src=\"doc/SecDamageControl.jpg\" width=\"50%\" height=\"50%\"/\u003e\n\n\n## License\n\nThe AgentSmith-HIDS kernel module is distributed under the GNU GPLv2 license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEBWi11%2FAgentSmith-HIDS","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FEBWi11%2FAgentSmith-HIDS","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEBWi11%2FAgentSmith-HIDS/lists"}
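The README above says the open-source part has no rule engine and is meant as a collector for building your own HIDS. The following Python block is an added example, not code from the AgentSmith-HIDS project, showing a minimal rule layer over the event schema of the README's samples (`data_type`, `stdin`/`stdout`, `socket_process_exe`, `LD_PRELOAD`, `ptrace_request`, `old_uid`, `hidden`). Everything beyond those field names is an assumption: that events arrive as newline-delimited JSON (the agent's Kafka payload is not specified on the page), that a socket-backed stdin/stdout is reported as `socket:[<inode>]` in the same form `readlink /proc/<pid>/fd/0` shows (the README only shows the `/dev/pts/1` case), and that an sshd-owned session socket is benign. All sample events are constructed for this example.

```python
"""Minimal rule layer over AgentSmith-HIDS style events (added example, not project code)."""
import json

# data_type values as they appear in the README samples
EXECVE, PTRACE, LOAD_LKM, CRED_CHANGE = "59", "101", "603", "604"
ROOTKIT_ALERTS = {"700": "proc_file_hook", "701": "syscall_hook",
                  "702": "lkm_hidden", "703": "interrupts_hook"}

# PTRACE_POKETEXT = 4 and PTRACE_POKEDATA = 5 write into the target; PTRACE_ATTACH (16) alone does not
PTRACE_WRITE_REQUESTS = {"4", "5"}
# Assumption: a shell whose session socket belongs to sshd is an interactive SSH login, not a reverse shell
SOCKET_OWNER_ALLOWLIST = {"/usr/sbin/sshd"}


def is_socket_fd(path):
    # Assumption: socket-backed fds are rendered as "socket:[<inode>]", as /proc/<pid>/fd/N shows
    return path.startswith("socket:")


def rule_reverse_shell(ev):
    """execve with stdin or stdout on a socket that sshd does not own."""
    if ev.get("data_type") != EXECVE:
        return None
    if not any(is_socket_fd(p) for p in (ev.get("stdin", ""), ev.get("stdout", ""))):
        return None
    if ev.get("socket_process_exe") in SOCKET_OWNER_ALLOWLIST:
        return None
    return "reverse_shell: %s -> %s:%s (pid_tree %s)" % (
        ev.get("exe"), ev.get("dip"), ev.get("dport"), ev.get("pid_tree"))


def rule_ld_preload(ev):
    """execve whose environment carried LD_PRELOAD (user-space hooking / hiding)."""
    if ev.get("data_type") == EXECVE and ev.get("LD_PRELOAD"):
        return "ld_preload: %s started with LD_PRELOAD=%s" % (ev.get("exe"), ev["LD_PRELOAD"])
    return None


def rule_process_inject(ev):
    """ptrace request that writes into another process."""
    if ev.get("data_type") == PTRACE and ev.get("ptrace_request") in PTRACE_WRITE_REQUESTS:
        return "process_inject: pid %s wrote into pid %s (ptrace request %s)" % (
            ev.get("pid"), ev.get("target_pid"), ev.get("ptrace_request"))
    return None


def rule_lkm_load(ev):
    """Any kernel module load; the hash lets you match it against a known-good module set."""
    if ev.get("data_type") == LOAD_LKM:
        return "lkm_load: %s loaded %s (md5 %s)" % (
            ev.get("exe"), ev.get("lkm_file"), ev.get("load_file_md5"))
    return None


def rule_priv_escalation(ev):
    """commit_creds event where a non-root uid became 0; the module already excludes sudo/su/sshd."""
    old_uid = ev.get("old_uid")
    if ev.get("data_type") == CRED_CHANGE and old_uid not in (None, "0") and ev.get("uid") == "0":
        return "priv_escalation: %s changed uid %s -> 0" % (ev.get("exe"), old_uid)
    return None


def rule_rootkit(ev):
    """Anti-rootkit alerts only matter when the module that placed the hook is hidden."""
    kind = ROOTKIT_ALERTS.get(ev.get("data_type"))
    if kind and ev.get("hidden") == "1":
        return "rootkit_%s: module %s" % (kind, ev.get("module_name"))
    return None


RULES = [rule_reverse_shell, rule_ld_preload, rule_process_inject,
         rule_lkm_load, rule_priv_escalation, rule_rootkit]


def evaluate(event):
    """Run every rule against one decoded event; returns the list of alert strings."""
    return [hit for hit in (rule(event) for rule in RULES) if hit]


def run(lines):
    """Decode newline-delimited JSON events and return (hostname, time, alert) tuples."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:  # malformed record: skip rather than crash the consumer
            continue
        for hit in evaluate(ev):
            alerts.append((ev.get("hostname"), ev.get("time"), hit))
    return alerts


# Constructed sample events (not captured from a real host); field names follow the README samples
SAMPLE_EVENTS = [
    {"data_type": "59", "uid": "0", "exe": "/bin/bash", "stdin": "/dev/pts/1", "stdout": "/dev/pts/1",
     "socket_process_exe": "/usr/sbin/sshd", "hostname": "test", "time": "1"},              # ssh login, benign
    {"data_type": "59", "uid": "1000", "exe": "/bin/bash", "argv": "bash -i", "stdin": "socket:[48213]",
     "stdout": "socket:[48213]", "dip": "203.0.113.7", "dport": "4444", "socket_process_exe": "/bin/bash",
     "pid_tree": "1(systemd)->900(cron)->901(sh)->902(bash)", "hostname": "test", "time": "2"},  # reverse shell
    {"data_type": "59", "uid": "0", "exe": "/usr/bin/id", "stdin": "/dev/pts/1", "stdout": "/dev/pts/1",
     "socket_process_exe": "/usr/sbin/sshd", "LD_PRELOAD": "/root/ldpreload/test.so", "hostname": "test", "time": "3"},
    {"data_type": "101", "ptrace_request": "4", "pid": "7401", "target_pid": "7402", "hostname": "test", "time": "4"},
    {"data_type": "101", "ptrace_request": "16", "pid": "7500", "target_pid": "7501", "hostname": "test", "time": "5"},
    {"data_type": "604", "uid": "0", "old_uid": "1000", "exe": "/tmp/tt", "hostname": "test", "time": "6"},
    {"data_type": "701", "uid": "-1", "module_name": "diamorphine", "hidden": "1", "syscall_number": "78",
     "hostname": "test", "time": "7"},
    {"data_type": "700", "uid": "-1", "module_name": "autoipv6", "hidden": "0", "hostname": "test", "time": "8"},
]
SAMPLE_LINES = [json.dumps(ev) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for host, ts, hit in run(SAMPLE_LINES):
        print(host, ts, hit)
```

The rules are deliberately per-event; the README's `pid_tree`, `sessionid` and `socket_process_pid` fields are what you would key on to add stateful correlation (for example, only alerting on a cred change whose session also spawned a socket-backed shell).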