# zerotect

Source: https://github.com/polyverse/zerotect (Rust, Apache-2.0 license; repository description: "An attack/exploit Detector that utilizes Polymorphism and Diversity"; last push 2022-06-11).

[![Build Status](https://travis-ci.org/polyverse/zerotect.svg?branch=master)](https://travis-ci.org/polyverse/zerotect)

[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md)

## Table of Contents

* [What is Zerotect](#what-is-zerotect)
* [Install Zerotect](#install-zerotect)
* [Partners/Integrations](#partnersintegrations)
  * [Micro Focus ArcSight](#micro-focus-arcsight)
  * [PagerDuty](#pagerduty)
* [Zerotect Log](#zerotect-log)
* [Contributing](#contributing)

## What is Zerotect

Detecting malicious scans can be the first indicator of a potential attack.
Watching for things like port scans is commonplace in security circles, but how
do you detect a Blind Return-Oriented Programming (BROP) attack, which locates its
gadgets by crashing the target service over and over, or any other kind of
buffer-overflow attack for that matter?

Zerotect is a small open source agent that monitors kernel logs for the
side-effects of memory-corruption exploits: the process crashes (faults) an attack
produces whenever a corrupted return address, a stack-canary guess or a gadget
guess is wrong. Zerotect doesn't actively intercept network traffic; it passively
reads the kernel log for these anomalies. This means the attack surface of your
servers isn't increased, and the stability of Zerotect doesn't affect the
stability of anything else on the system.

Two caveats follow from that design. First, the agent only sees attacks that
fault: an exploit that lands cleanly on the first try leaves nothing in the kernel
log, so the signal is strongest on hosts where diversity (ASLR, stack canaries,
polymorphic binaries) forces an attacker to guess. Second, the agent needs to read
the kernel ring buffer, which requires root or CAP_SYSLOG when
`kernel.dmesg_restrict` is set; on x86 the per-process segfault lines are printed
only while `debug.exception-trace` is enabled (the default) and are subject to
printk rate limiting, so a fast burst of crashes can reach the log as fewer lines
than there were crashes.

When anomalies are detected, Zerotect can report them to a variety of analytics
tools. Our intent is to support many tools and integrations with those tools.
Please file a Feature Request with examples of how you'd like to configure and
use it.

## Install Zerotect

See [Installation](/install/README.md) for details on how to install/run Zerotect as a proper monitor in a production environment.

To install quickly:

```bash
curl -s -L https://github.com/polyverse/zerotect/releases/latest/download/install.sh | sh
```

Piping `releases/latest` straight into `sh` executes whatever the newest release contains, unread. On production hosts download the script first, inspect it, and pin the specific release you reviewed rather than `latest`.

## Partners/Integrations

Zerotect by itself provides limited actionable value. The best value is derived when Zerotect is one of many signals that a larger monitoring/observability strategy is processing. This could be a SOC, a SIEM, an alerting system or just a simple log aggregator.

To that end Zerotect supports a number of outbound integrations (i.e. where it sends its data), listed below.

### Micro Focus ArcSight

[Zerotect on ArcSight Marketplace](https://marketplace.microfocus.com/arcsight/content/zerotect)

Zerotect sends events to ArcSight through the Syslog SmartConnector. It is easy to configure in a single command. For more details read the [Administration Guide](/integrations/ArcSight/MF_Polyverse_ZeroTect_0.4_ArcSight_CEF_Integration_Guide_2020.pdf).

### PagerDuty

[Zerotect integration with PagerDuty](https://www.pagerduty.com/integrations/zerotect/)

Zerotect can send detected events to the PagerDuty Events API V2 through a single configuration. View the [PagerDuty Integration Guide](/integrations/PagerDuty/README.md) for details.

## Zerotect Log

Zerotect writes its activity to the log file at /var/log/zerotect.log. Examine this file when investigating a potential attack.

The authoritative log format is defined in [schema.json](/reference/schema.json). You may use it to generate parsers; the schema contains documentation comments and explanations of each field.

## Contributing

We believe that open-source and robust community contributions make everyone safer,
therefore we accept pretty much ALL contributions so long as: (a) they don't break an
existing use-case or dependency and (b) they don't do something that is wildly out of scope of the project.

Please read our [Code of Conduct](CODE_OF_CONDUCT.md) and our [Contribution Guidelines](CONTRIBUTING.md) before starting work on a new feature or bug.
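How a detector of this kind turns the kernel's segfault lines into a signal, as an added example written for this page and not code from the Zerotect project: it parses the per-process segfault message the Linux x86 kernel prints (`comm[pid]: segfault at ADDR ip IP sp SP error ERR in OBJ[BASE+SIZE]`), normalises each crash site for ASLR by taking the offset into the mapped object, and flags a burst of crashes of one program across several different sites, the footprint of an attacker guessing return addresses, while leaving a deterministic bug that keeps crashing at one site alone. The dmesg lines, the `nginx`/`myapp` names, the 5-second window and the 3-crash threshold are constructed for the example; the error-code bits are the x86 page-fault ones.

```rust
// Added example, not Zerotect's own code: parse Linux x86 segfault lines and flag
// the crash burst a ROP/BROP probe leaves in the kernel log. Sample is constructed.
use std::collections::HashMap;

/// x86 page-fault error-code bits (arch/x86/include/asm/trap_pf.h).
const PF_USER: u64 = 0x4; // fault raised from user mode
const PF_INSTR: u64 = 0x10; // fault on an instruction fetch

#[derive(Debug, Clone, PartialEq)]
pub struct Mapping { pub name: String, pub base: u64, pub size: u64 }

#[derive(Debug, Clone, PartialEq)]
pub struct SegFault {
    pub ts: f64, pub comm: String, pub pid: u32,
    pub addr: u64, pub ip: u64, pub sp: u64, pub error: u64,
    /// Object the faulting ip fell in; None when ip was in no file mapping.
    pub map: Option<Mapping>,
}

/// Parse one dmesg line; the `in OBJ[BASE+SIZE]` part and any trailing
/// "likely on CPU ..." suffix of newer kernels are optional.
pub fn parse_segfault(line: &str) -> Option<SegFault> {
    let mut rest = line.trim_start();
    let mut ts = 0.0;
    if let Some(r) = rest.strip_prefix('[') {
        let end = r.find(']')?;
        ts = r[..end].trim().parse().ok()?;
        rest = r[end + 1..].trim_start();
    }
    let (proc_part, tail) = rest.split_once(": segfault at ")?;
    let lb = proc_part.rfind('[')?;
    let comm = proc_part[..lb].to_string();
    let pid = proc_part[lb + 1..].trim_end_matches(']').parse().ok()?;
    let hex = |s: &str| u64::from_str_radix(s, 16).ok();
    let t: Vec<&str> = tail.split_whitespace().collect();
    if t.len() < 7 || t[1] != "ip" || t[3] != "sp" || t[5] != "error" {
        return None;
    }
    let map = match (t.get(7), t.get(8)) {
        (Some(&"in"), Some(obj)) => {
            let lb = obj.rfind('[')?;
            let (base, size) = obj[lb + 1..].trim_end_matches(']').split_once('+')?;
            Some(Mapping { name: obj[..lb].to_string(), base: hex(base)?, size: hex(size)? })
        }
        _ => None,
    };
    Some(SegFault { ts, comm, pid, addr: hex(t[0])?, ip: hex(t[2])?, sp: hex(t[4])?, error: hex(t[6])?, map })
}

/// Crash site normalised for ASLR: offset into the mapped object when known, raw ip otherwise.
pub fn crash_site(f: &SegFault) -> u64 {
    match &f.map { Some(m) => f.ip.wrapping_sub(m.base), None => f.ip }
}

/// A user-mode instruction fetch at the faulting address itself means control flow
/// was redirected to a bogus address: a wrong return-address guess by a ROP/BROP probe.
pub fn is_hijack(f: &SegFault) -> bool {
    f.ip == f.addr && f.error & (PF_USER | PF_INSTR) == (PF_USER | PF_INSTR)
}

#[derive(Debug, Clone, PartialEq)]
pub struct Alert { pub comm: String, pub crashes: usize, pub distinct_sites: usize, pub hijack_faults: usize }

/// Flag a program that crashed at least `min_crashes` times within `window_secs`
/// at more than one crash site. One site repeating is a plain bug; many sites in
/// a burst is an attacker guessing.
pub fn detect_probing(faults: &[SegFault], window_secs: f64, min_crashes: usize) -> Vec<Alert> {
    let mut by_comm: HashMap<&str, Vec<&SegFault>> = HashMap::new();
    for f in faults {
        by_comm.entry(f.comm.as_str()).or_default().push(f);
    }
    let mut alerts = Vec::new();
    for (comm, mut fs) in by_comm {
        fs.sort_by(|a, b| a.ts.partial_cmp(&b.ts).unwrap_or(std::cmp::Ordering::Equal));
        let (mut best, mut start): (Option<Alert>, usize) = (None, 0);
        for end in 0..fs.len() {
            while fs[end].ts - fs[start].ts > window_secs { start += 1; } // slide the window
            let win = &fs[start..=end];
            let mut sites: Vec<u64> = win.iter().map(|f| crash_site(f)).collect();
            sites.sort_unstable();
            sites.dedup();
            if win.len() < min_crashes || sites.len() < 2 { continue; }
            if best.as_ref().map_or(true, |b| win.len() > b.crashes) {
                best = Some(Alert { comm: comm.to_string(), crashes: win.len(), distinct_sites: sites.len(),
                                    hijack_faults: win.iter().filter(|f| is_hijack(f)).count() });
            }
        }
        alerts.extend(best);
    }
    alerts.sort_by(|a, b| a.comm.cmp(&b.comm));
    alerts
}

pub fn parse_log(text: &str) -> Vec<SegFault> { text.lines().filter_map(parse_segfault).collect() }

/// Constructed dmesg excerpt: five nginx workers die at five different guessed
/// addresses (error 14/15 = user instruction fetch), one unrelated line, then
/// myapp crashing three times at the same offset 0x11d9 under different ASLR bases.
pub const SAMPLE_DMESG: &str = "\
[1001.10] nginx[2001]: segfault at 7f3a1c0e4120 ip 00007f3a1c0e4120 sp 00007ffd20a1c4e0 error 14
[1001.35] nginx[2002]: segfault at 7f3a1c0e4128 ip 00007f3a1c0e4128 sp 00007ffd20a1c4e0 error 14
[1001.62] nginx[2003]: segfault at 7f3a1c0e4130 ip 00007f3a1c0e4130 sp 00007ffd20a1c4e0 error 15
[1001.88] nginx[2004]: segfault at 7f3a1c0e4138 ip 00007f3a1c0e4138 sp 00007ffd20a1c4e0 error 14 likely on CPU 2 (core 2, socket 0)
[1002.13] nginx[2005]: segfault at 7f3a1c0e4140 ip 00007f3a1c0e4140 sp 00007ffd20a1c4e0 error 14
[1200.00] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[1500.00] myapp[3100]: segfault at 0 ip 0000556b2a4011d9 sp 00007ffee1f3b2a0 error 4 in myapp[556b2a400000+2000]
[1500.40] myapp[3107]: segfault at 0 ip 000055d0c1e051d9 sp 00007ffc11a0b6a0 error 4 in myapp[55d0c1e04000+2000]
[1500.80] myapp[3111]: segfault at 0 ip 00005604d8a021d9 sp 00007ffd9c3d1ea0 error 4 in myapp[5604d8a01000+2000]
";

fn main() {
    let faults = parse_log(SAMPLE_DMESG);
    for a in detect_probing(&faults, 5.0, 3) {
        println!("ALERT {}: {} crashes at {} sites, {} with hijacked control flow",
                 a.comm, a.crashes, a.distinct_sites, a.hijack_faults);
    }
}
```

On the sample only `nginx` is flagged (5 crashes, 5 sites, all 5 with ip equal to the faulting address on an instruction fetch); `myapp` has three crashes in the window but a single normalised site, so it is reported as a bug, not a probe. A real agent would feed the window from `/dev/kmsg` rather than a string, and because printk rate limiting can drop lines during a fast burst, the crash-count threshold should stay conservative.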