Closed elesiuta closed 3 years ago
some useful discussions (broken links to prevent cross-linking noise with my own brainstorming/notes until I actually have something):
evilsocket / opensnitch/issues/116
evilsocket / opensnitch/issues/171
evilsocket / opensnitch/issues/222 (try socket-connect-bpf)
evilsocket / opensnitch/issues/284
gustavo-iniguez-goya / opensnitch/issues/10
gustavo-iniguez-goya / opensnitch/issues/34
iovisor / bcc/issues/2533
some useful links:
https://opensource.com/article/19/8/introduction-bpftrace
http://www.brendangregg.com/blog/2015-10-31/tcpconnect-tcpaccept-bcc.html
http://www.brendangregg.com/blog/2016-10-27/dtrace-for-linux-2016.html
http://www.brendangregg.com/blog/2019-01-01/learn-ebpf-tracing.html
http://www.brendangregg.com/DTrace/DTrace_Network_Providers.html
http://www.brendangregg.com/ebpf.html
http://www.brendangregg.com/Slides/LCA2017_BPF_tracing_and_more.pdf
https://jvns.ca/blog/2017/07/05/linux-tracing-systems/
https://netfilter.org/projects/libnetfilter_log/index.html
https://serverfault.com/questions/192893/how-i-can-identify-which-process-is-making-udp-traffic-on-linux
this may be useful but seems to be broken on my current setup: iovisor / bcc/blob/master/tools/bindsnoop_example.txt. Will experiment more later.
could potentially also use this to grab process names (easily faked, and no paths) to match with PIDs of UDP traffic caught via sniffing between polls: iovisor / bcc/blob/master/tools/exitsnoop_example.txt
best solution in terms of ease of implementation, performance and reliability seems to be writing/modifying a BPF program with BCC, not sure when I'll have a chance to get around to this
update: 0a07feacb09339d43e80ecc0f51618dd6f225bf6
also may be able to use forkstat to guess potential processes that were missed (flag as guess)
another similar program: https://gitlab.com/douaneapp/Douane
also these, but not really: https://en.wikipedia.org/wiki/Application_firewall#Linux
more useful links:
https://askubuntu.com/questions/97158/why-is-ubuntu-permissive-with-outgoing-connections-by-default/97172#97172
https://security.stackexchange.com/questions/76100/how-to-find-processes-that-are-hidden-from-task-manager
https://security.stackexchange.com/questions/84385/can-a-trojan-hide-itself-so-its-activity-doesnt-appear-in-task-manager-process
https://security.stackexchange.com/questions/103089/can-a-trojan-horse-hide-its-activity-from-tcpview
seems like there isn't really an easy way around these problems, not sure how much value there is in continuing this, but will probably still play around with it from time to time
closing issue and archiving repo indefinitely
polling psutil has poor performance and reliability; sniffing seems to be relatively reliable but has bad performance. I mentioned some ideas in c8ac1d8dd197397452f3620206846fde877da699 along with some other commits.
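The thread settles on a BPF program as the approach that avoids both the polling gap (a socket that opens and closes between two psutil polls is never seen) and the cost of sniffing. The script below is an added example, not code from this issue, from opensnitch or from BCC: it attaches kprobes to the kernel's UDP send and receive entry points and attributes each call to the calling task. It assumes bpftrace is installed, that the kernel exports the symbols udp_sendmsg, udpv6_sendmsg, udp_recvmsg and udpv6_recvmsg, and that the third argument (arg2) of each is the message length, which holds for recent kernels.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not from the issue author or any project it links):
// attribute UDP traffic to the task making the syscall, at the kernel
// entry points, so short-lived sockets are not missed between polls.
// Run as root:  sudo bpftrace ./udpsnoop.bt
//
// Assumed kernel signatures (arg2 is the length in each case):
//   udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
//   udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, ...)
// plus the IPv6 counterparts udpv6_sendmsg / udpv6_recvmsg.

BEGIN
{
    printf("%-8s %-16s %-4s %s\n", "PID", "COMM", "DIR", "BYTES");
}

kprobe:udp_sendmsg,
kprobe:udpv6_sendmsg
{
    // comm is the 16-byte kernel task name, not the executable path, and a
    // process can set it to anything (prctl PR_SET_NAME), so it is only a
    // hint; pid is the value to resolve further (e.g. /proc/PID/exe) while
    // the process is still alive.
    printf("%-8d %-16s %-4s %d\n", pid, comm, "send", arg2);
    @sent_bytes[pid, comm] = sum(arg2);
}

kprobe:udp_recvmsg,
kprobe:udpv6_recvmsg
{
    // On the receive side arg2 is the caller's buffer size, not the number
    // of bytes actually delivered, so only count the calls here.
    @recv_calls[pid, comm] = count();
}
```

Per-process totals in @sent_bytes and @recv_calls are printed by bpftrace when the script exits (Ctrl-C). The same caveat the issue raises for exitsnoop applies: the name column is easily faked and carries no path, so anything that needs a trustworthy executable identity has to resolve the pid from userspace before the process exits, which is exactly the race the polling approach loses.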