Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sourque/louis
Linux EDR written in Golang and based on eBPF.
https://github.com/sourque/louis
Last synced: 24 days ago
JSON representation
Linux EDR written in Golang and based on eBPF.
- Host: GitHub
- URL: https://github.com/sourque/louis
- Owner: sourque
- License: gpl-2.0
- Created: 2020-09-09T02:41:11.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2022-05-24T15:28:00.000Z (over 2 years ago)
- Last Synced: 2024-08-05T17:29:43.399Z (4 months ago)
- Language: Go
- Homepage:
- Size: 836 KB
- Stars: 228
- Watchers: 11
- Forks: 42
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - sourque/louis - Linux EDR written in Golang and based on eBPF. (Go)
README
# louis
`louis` is a simple tool using eBPF to automatically detect and respond to malicious behavior on a Linux system.
## Usage
```
Usage:
louis [command]Available Commands:
help Help about any command
hunt hunt for existing malicious activity
mitigate mitigate all known vulnerabilities
monitor actively monitor for malicious action
version print louis versionFlags:
-a, --active counter detected malicious activity (dangerous, may clobber)
-h, --help help for louis
-s, --syslog output to syslog
-v, --verbose enable verbose outputUse "louis [command] --help" for more information about a command.
```## Information
louis gathers information from the kernel through eBPF (with BCC). These sources are analyzed with information from categorized techniques and vulnerabilities.
```
+------------+
| |
| CLI Output |
| |
+--------+---+
^
+-------------------------------------|------+
| | |
+--------+ | +---------+ +----------+ +---+---+ |
| | | | | | +---->+ | |
| | | | Sources +--->+ Analysis | | louis | |
| | eBPF | | | | | | | |
| Kernel +---------->+ Sockets | +----------+ +--+----+ |
| | | | Users | ^ ^ |
| | | | Proc... | +-------+ | | |
| | | | | | | | v |
+--------+ | +---------+ | Techs +<-+ +---+----+ |
| | | | Output | |
| +-------+ +--------+ |
| |
+--------------------------------------------+
```> There is no kernelspace component (other than the eBPF data-gathering code), which means `louis` is more susceptible to resource exhaustion and various types of executable manipulation. However, if that happens, you'll probably know about it.
## Installation
1. Ensure [BCC](https://github.com/iovisor/bcc) is installed.
2. Install `louis`.
- Clone this repository and build the binary (requires Go):
```
git clone https://github.com/sourque/louis && cd louis && go build
```
- Or download the `louis` binary from releases.## Screenshots & Examples
![Example of Louis Running](./docs/example.gif)
## Fun future activities
- New Sources
- eBPF additions
- pam authentication
- file permission changes (for sensitive dirs (tmp) and creating new bins/suid/sgid)
- Techs/threat actions
- sendlines per## Prior Art
- https://github.com/falcosecurity/falco well-made tool with a similar purpose and design. primarily c++. large backing by sysdig
- https://github.com/ION28/BLUESPAWN similar tool for Windows, made by very talented & welcoming devs
- https://github.com/D4stiny/PeaceMaker Windows heuristic monitoring tool made by a local cyber genius## eBPF Resources and Libraries
- https://github.com/iovisor/gobpf
- https://github.com/iovisor/bcc
- http://www.brendangregg.com/Perf/bcc_tracing_tools.png