Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sourque/louis
Linux EDR written in Golang and based on eBPF.
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/sourque/louis
- Owner: sourque
- License: gpl-2.0
- Created: 2020-09-09T02:41:11.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2022-05-24T15:28:00.000Z (over 2 years ago)
- Last Synced: 2024-06-18T21:38:27.198Z (5 months ago)
- Language: Go
- Homepage:
- Size: 836 KB
- Stars: 224
- Watchers: 10
- Forks: 41
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - sourque/louis - Linux EDR written in Golang and based on eBPF. (Go)
README
# louis
`louis` is a simple tool using eBPF to automatically detect and respond to malicious behavior on a Linux system.
## Usage
```
Usage:
  louis [command]

Available Commands:
  help        Help about any command
  hunt        hunt for existing malicious activity
  mitigate    mitigate all known vulnerabilities
  monitor     actively monitor for malicious action
  version     print louis version

Flags:
  -a, --active    counter detected malicious activity (dangerous, may clobber)
  -h, --help      help for louis
  -s, --syslog    output to syslog
  -v, --verbose   enable verbose output

Use "louis [command] --help" for more information about a command.
```

## Information
louis gathers information from the kernel through eBPF (loaded with BCC). These sources are analysed against a catalogue of categorised techniques and known vulnerabilities.
```
                                                    +------------+
                                                    |            |
                                                    | CLI Output |
                                                    |            |
                                                    +--------+---+
                                                             ^
                     +---------------------------------------|---------+
                     |                                       |         |
+--------+           |  +---------+     +----------+     +---+---+     |
|        |           |  |         |     |          +---->+       |     |
|        |           |  | Sources +---->+ Analysis |     | louis |     |
|        |    eBPF   |  |         |     |          |     |       |     |
| Kernel +---------->+  | Sockets |     +----------+     +-+--+--+     |
|        |           |  | Users   |              ^         ^  |        |
|        |           |  | Proc... |          +-------+     |  |        |
|        |           |  |         |          |       |     |  |        |
+--------+           |  +---------+          | Techs +<----+  v        |
                     |                       |       |      +-+------+ |
                     |                       +-------+      | Output | |
                     |                                      +--------+ |
                     |                                                 |
                     +-------------------------------------------------+
```

> There is no kernelspace component (other than the eBPF data-gathering code), which means `louis` is more susceptible to resource exhaustion and various types of executable manipulation. However, if that happens, you'll probably know about it.
## Installation
1. Ensure [BCC](https://github.com/iovisor/bcc) is installed. BCC compiles the eBPF programs at load time, so the headers for the running kernel must be present, and loading them requires root privileges.
2. Install `louis`.
   - Clone this repository and build the binary (requires Go):
   ```
   git clone https://github.com/sourque/louis && cd louis && go build
   ```
   - Or download the `louis` binary from releases.

## Screenshots & Examples
![Example of Louis Running](./docs/example.gif)
## Fun future activities
- New Sources
- eBPF additions
- pam authentication
- file permission changes (for sensitive dirs (tmp) and creating new bins/suid/sgid)
- Techs/threat actions
- sendlines per

## Prior Art
- https://github.com/falcosecurity/falco: a well-made tool with a similar purpose and design; primarily C++, with substantial backing from Sysdig
- https://github.com/ION28/BLUESPAWN: a similar tool for Windows, made by very talented and welcoming devs
- https://github.com/D4stiny/PeaceMaker: a Windows heuristic monitoring tool made by a local cyber genius

## eBPF Resources and Libraries
- https://github.com/iovisor/gobpf
- https://github.com/iovisor/bcc
- http://www.brendangregg.com/Perf/bcc_tracing_tools.png