https://github.com/assaf-r/bervie
An eBPF security program that blocks the execution of files flagged as malicious by the given YARA detection rules. Named following the convention of the other Scottish loch tools.
ebpf linux python security yara
Last synced: 24 days ago
- Host: GitHub
- URL: https://github.com/assaf-r/bervie
- Owner: Assaf-R
- Created: 2025-03-24T08:38:51.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2025-03-27T14:21:08.000Z (11 months ago)
- Last Synced: 2025-04-05T17:20:19.007Z (10 months ago)
- Topics: ebpf, linux, python, security, yara
- Language: Python
- Homepage:
- Size: 6.84 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: Readme.md
README
### Bervie
An eBPF security program that blocks the execution of files flagged as malicious by the given YARA detection rules. Named following the convention of the other Scottish loch tools.
### How does this work?
The Python program, **bervie.py**, loads the BPF C program, **bervie_bpf.c**, which hooks the execve syscall with a kprobe.
The eBPF program checks whether the file about to be executed matches any YARA rule from the given .yara file and, if so, blocks the execution.
The results are logged to /var/log/loch/bervieX.log.
### How to run
***RUN AS ROOT***
```
$ pip install yara-python
```