Ecosyste.ms: Awesome
https://github.com/0xN3utr0n/Kanis
Advanced threat detection solution for Linux.
- Host: GitHub
- URL: https://github.com/0xN3utr0n/Kanis
- Owner: 0xN3utr0n
- License: gpl-3.0
- Created: 2020-04-06T22:03:37.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-12-05T23:07:51.000Z (almost 4 years ago)
- Last Synced: 2024-08-02T02:13:16.580Z (3 months ago)
- Topics: antivirus, container-security, containers, docker, endpoint-security, ids, linux, malware, rootkit, threat-detection, yara, yara-scanner
- Language: Go
- Homepage:
- Size: 151 KB
- Stars: 35
- Watchers: 3
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Kanis
[![Go Report Card](https://goreportcard.com/badge/github.com/0xN3utr0n/Kanis)](https://goreportcard.com/report/github.com/0xN3utr0n/Kanis)

Kanis is an advanced threat detection solution designed exclusively for Linux, with performance and simplicity in mind. It runs locally out of the box (even on ancient systems) and ships with an engine, based mainly on heuristic and behavioral analysis, that correlates events and anomalies.
### Features
- Real-time binary monitoring.
- Container monitoring.
- Kernel event monitoring.
- ELF Viruses/Trojans detection.
- ELF anti-debugging techniques detection.
- Process injection detection.
- Rootkits detection (_In progress_).
- Yara integration.
- And much more... :)

### How it works
As event-driven software, Kanis needs real-time interaction with the kernel; this is achieved through [ftrace](https://www.kernel.org/doc/Documentation/trace/ftrace.txt) and the use of [Kprobes](https://www.kernel.org/doc/Documentation/kprobes.txt), as well as [Tracepoints](https://www.kernel.org/doc/Documentation/trace/tracepoints.txt). That is, it can monitor not only syscalls but any kernel function that Kprobes can attach to (functions on the kprobe blacklist, such as the kprobe machinery itself, are excluded). All of this is driven through tracefs (`/sys/kernel/tracing`, or `/sys/kernel/debug/tracing` on older kernels), which is why the kernel must be built with function tracing support and why Kanis has to run as root. The rule engine consumes this stream of events and correlates them into findings.

Additionally, Kanis includes modules for static heuristic analysis (for example of ELF binaries) which further enhance its detection capabilities.
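The parse-then-correlate loop described above, as an added example that is not Kanis's own code: a small Go program that parses lines in the `<comm>-<pid> [<cpu>] <flags> <timestamp>: <event>: <payload>` layout that tracefs's `trace_pipe` prints, then runs two rules over them, one stateless (an exec from a world-writable directory) and one that correlates across events (a `PTRACE_ATTACH`/`PTRACE_SEIZE` issued by a process whose image came from such a directory, the pattern behind process injection). The sample lines are constructed for this example, not captured from a host; the `p_ptrace` event assumes a kprobe was defined on the ptrace syscall exposing its `request` and `pid` arguments under those names, and the event names, the scratch-directory list and the rule wording are choices made here, not Kanis's.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event is one parsed trace_pipe line: who raised it, which event, and its payload.
type Event struct {
	Comm   string
	PID    uint64
	Name   string            // e.g. sched_process_exec or p_ptrace
	Fields map[string]string // key=value payload, quotes stripped
}

// traceLine matches the layout tracefs prints for every event:
//   <comm>-<pid> [<cpu>] <flags> <timestamp>: <event>: <payload>
var traceLine = regexp.MustCompile(`^\s*(.+?)-(\d+)\s+\[\d+\]\s+\S+\s+[\d.]+:\s+(\w+):\s*(.*)$`)

// kvPair matches one key=value pair; kprobe string arguments arrive quoted.
var kvPair = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)

// ParseLine returns false for lines outside the layout, such as the "# tracer:" header.
func ParseLine(line string) (Event, bool) {
	m := traceLine.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	pid, _ := strconv.ParseUint(m[2], 10, 64) // \d+ guarantees this parses
	ev := Event{Comm: m[1], PID: pid, Name: m[3], Fields: map[string]string{}}
	for _, p := range kvPair.FindAllStringSubmatch(m[4], -1) {
		ev.Fields[p[1]] = strings.Trim(p[2], `"`)
	}
	return ev, true
}

// fromScratchDir flags world-writable locations droppers favour (the list is a choice made here).
func fromScratchDir(p string) bool {
	return strings.HasPrefix(p, "/tmp/") || strings.HasPrefix(p, "/dev/shm/") || strings.HasPrefix(p, "/var/tmp/")
}

// Engine keeps per-pid state so rules can correlate events over time instead of judging each line alone.
type Engine struct {
	image map[uint64]string // last image executed by each pid
}

// Process applies the rules to one event and returns the findings it raised.
func (e *Engine) Process(ev Event) []string {
	var out []string
	switch ev.Name {
	case "sched_process_exec": // tracepoint payload: filename=... pid=... old_pid=...
		img := ev.Fields["filename"]
		e.image[ev.PID] = img // pids are reused, so always overwrite
		if fromScratchDir(img) {
			out = append(out, fmt.Sprintf("pid %d (%s) executed %s from a world-writable directory", ev.PID, ev.Comm, img))
		}
	case "p_ptrace": // assumed kprobe on the ptrace syscall exposing request= and pid=
		// Kprobe integers print as 0x-prefixed hex, tracepoint integers in decimal; base 0 accepts both.
		req, err1 := strconv.ParseUint(ev.Fields["request"], 0, 64)
		target, err2 := strconv.ParseUint(ev.Fields["pid"], 0, 64)
		if err1 != nil || err2 != nil || (req != 0x10 && req != 0x4206) { // PTRACE_ATTACH / PTRACE_SEIZE
			break // TRACEME, SETOPTIONS, PEEK/POKE etc. are not attaches
		}
		msg := fmt.Sprintf("pid %d (%s) ptrace-attached to pid %d", ev.PID, ev.Comm, target)
		if fromScratchDir(e.image[ev.PID]) { // correlate with the earlier exec event for this pid
			msg += fmt.Sprintf(" [attacher image %s came from a world-writable directory: likely injection]", e.image[ev.PID])
		}
		out = append(out, msg)
	}
	return out
}

// Run feeds every line of a trace stream through a fresh engine.
func Run(trace string) []string {
	eng := &Engine{image: map[uint64]string{}}
	var findings []string
	for _, line := range strings.Split(trace, "\n") {
		if ev, ok := ParseLine(line); ok {
			findings = append(findings, eng.Process(ev)...)
		}
	}
	return findings
}

// sampleTrace is constructed for this example in trace_pipe's layout; it is not a capture.
const sampleTrace = `# tracer: nop
            bash-1201  [000] ....  1000.000100: sched_process_exec: filename=/usr/bin/id pid=1201 old_pid=1201
            bash-1202  [001] ....  1000.000200: sched_process_exec: filename=/tmp/.x/loader pid=1202 old_pid=1202
          loader-1202  [001] d...  1000.000300: p_ptrace: (__x64_sys_ptrace+0x0/0x30) request=0x10 pid=0x4b1
             gdb-1300  [002] d...  1000.000400: p_ptrace: (__x64_sys_ptrace+0x0/0x30) request=0x4200 pid=0x0`

func main() {
	for _, f := range Run(sampleTrace) {
		fmt.Println("THREAT:", f)
	}
}
```

On a real host the same parser would be fed from `/sys/kernel/tracing/trace_pipe` after enabling the `sched:sched_process_exec` tracepoint and defining the kprobe, both of which require root; the `gdb` line shows why the rule checks the request code rather than firing on every ptrace call, since `PTRACE_SETOPTIONS` (0x4200) is routine debugger traffic.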
### Requirements
```
- Linux >=3.10 x86_64
- Kernel compiled with CONFIG_FUNCTION_TRACER flag
- Openssl (libssl-dev)
- go >=1.14
```
### Install
```
git clone https://github.com/0xN3utr0n/Kanis && cd Kanis
make
sudo make install
```

### Usage
Kanis requires root privileges to work properly: registering kprobes and enabling tracepoints through tracefs is restricted to root.
```
-h This help.
-d Show debug messages (very verbose).
-e string
Enable kernel events monitoring.
Supported categories:
a ALL events.
x EXEC events.
m MOUNT events.
s SIGNAL events.
t TASK events.
p PTRACE events.
f FILE events.
n NAMESPACE events.
e.g. -e=x:t:n
-s Redirect all output to stdout.
```
Once executed, the following log files will be created (within `/var/kanis/`):
- **events.log** : Real-time kernel events.
- **kanis.log** : Errors and Kanis related messages.
- **threats.log** : Detected threats.

### Disclaimer
The project is currently in a pre-alpha state, meaning there may be stability issues, low detection rates, or a high number of false positives.