elesiuta / picosnitch

Monitor Network Traffic Per Executable, Beautifully Visualized
https://elesiuta.github.io/picosnitch/
GNU General Public License v3.0

Improve performance and reliability #1

Closed elesiuta closed 3 years ago

elesiuta commented 4 years ago

Polling psutil has poor performance and reliability. Sniffing seems to be relatively reliable but has bad performance. I mentioned some ideas in c8ac1d8dd197397452f3620206846fde877da699 along with some other commits.
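For context on what "polling psutil" means here, the following is an added example (not picosnitch's code or anything from this thread) that does by hand what `psutil.net_connections()` does under the hood on Linux: parse `/proc/net/tcp` and map each socket inode to a PID and executable by walking `/proc/<pid>/fd`. The sample `/proc/net/tcp` rows and the inode-to-process map are constructed; `scan_socket_inodes()` reads the real `/proc` only when called on a Linux host. The `new_connections()` helper makes the reliability gap concrete: a connection opened and closed between two polls leaves no row in either snapshot, so a poller never attributes it.

```python
"""Per-process TCP attribution by polling /proc, as a psutil-style monitor does."""
import os
import socket
from typing import Dict, List, Tuple

# Subset of the kernel's tcp_states enum (values as printed in /proc/net/tcp).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample (header is the real kernel layout; the two rows are made up):
# a local listener on 127.0.0.1:8080 and an outbound HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B2A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

# Constructed inode -> (pid, exe) map standing in for a real /proc walk.
SAMPLE_INODE_MAP = {12345: (4242, "/usr/bin/python3"), 67890: (777, "/usr/bin/curl")}


def parse_addr(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:1F90' -> ('127.0.0.1', 8080); the IPv4 bytes are printed in host order."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])  # assumes a little-endian host
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[dict]:
    """Parse the IPv4 TCP table into rows keyed by the socket inode."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = parse_addr(f[1])
        rip, rport = parse_addr(f[2])
        rows.append({"laddr": (lip, lport), "raddr": (rip, rport),
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def scan_socket_inodes(proc_root: str = "/proc") -> Dict[int, Tuple[int, str]]:
    """Map socket inode -> (pid, exe) by reading /proc/<pid>/fd/* symlinks.

    Needs privileges to see other users' fds; processes that exit mid-scan
    (or before the scan starts) are simply absent, which is the race a poller lives with.
    """
    mapping: Dict[int, Tuple[int, str]] = {}
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return mapping  # not a Linux /proc, or unreadable
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # exited, or not permitted
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            exe = "?"
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                mapping[int(target[len("socket:["):-1])] = (int(pid), exe)
    return mapping


def attribute(rows: List[dict], inode_map: Dict[int, Tuple[int, str]]) -> List[dict]:
    """Join each socket row to its owning process; unknown inodes get pid/exe None."""
    out = []
    for r in rows:
        pid, exe = inode_map.get(r["inode"], (None, None))
        out.append({**r, "pid": pid, "exe": exe})
    return out


def new_connections(prev: List[dict], curr: List[dict]) -> List[dict]:
    """Rows present in curr but not prev. Anything opened and closed between
    the two polls appears in neither snapshot and is never reported."""
    seen = {(r["laddr"], r["raddr"]) for r in prev}
    return [r for r in curr if (r["laddr"], r["raddr"]) not in seen]


if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for r in attribute(rows, SAMPLE_INODE_MAP):
        print(f"{r['exe']} (pid {r['pid']}): {r['laddr']} -> {r['raddr']} {r['state']}")
```

On a real host you would replace `SAMPLE_INODE_MAP` with `scan_socket_inodes()` and re-read `/proc/net/tcp` (and `tcp6`, `udp`, `udp6`) on every poll; the `/proc` walk over every process's fd table is where the poor performance comes from, and the gap between polls is where the missed short-lived connections go.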

elesiuta commented 4 years ago

some useful discussions (broken links to prevent cross-linking noise with my own brainstorming/notes until I actually have something):
evilsocket / opensnitch/issues/116
evilsocket / opensnitch/issues/171
evilsocket / opensnitch/issues/222 (try socket-connect-bpf)
evilsocket / opensnitch/issues/284
gustavo-iniguez-goya / opensnitch/issues/10
gustavo-iniguez-goya / opensnitch/issues/34
iovisor / bcc/issues/2533

elesiuta commented 4 years ago

some useful links:
https://opensource.com/article/19/8/introduction-bpftrace
http://www.brendangregg.com/blog/2015-10-31/tcpconnect-tcpaccept-bcc.html
http://www.brendangregg.com/blog/2016-10-27/dtrace-for-linux-2016.html
http://www.brendangregg.com/blog/2019-01-01/learn-ebpf-tracing.html
http://www.brendangregg.com/DTrace/DTrace_Network_Providers.html
http://www.brendangregg.com/ebpf.html
http://www.brendangregg.com/Slides/LCA2017_BPF_tracing_and_more.pdf
https://jvns.ca/blog/2017/07/05/linux-tracing-systems/
https://netfilter.org/projects/libnetfilter_log/index.html
https://serverfault.com/questions/192893/how-i-can-identify-which-process-is-making-udp-traffic-on-linux

this may be useful but seems to be broken on my current setup: iovisor / bcc/blob/master/tools/bindsnoop_example.txt. Will experiment more later.

could potentially also use this to grab process names (easily faked, and no paths) to match with PIDs of UDP traffic caught via sniffing between polls: iovisor / bcc/blob/master/tools/exitsnoop_example.txt

best solution in terms of ease of implementation, performance and reliability seems to be writing/modifying a BPF program with BCC; not sure when I'll have a chance to get around to this

elesiuta commented 4 years ago

update: 0a07feacb09339d43e80ecc0f51618dd6f225bf6

also may be able to use forkstat to guess potential processes that were missed (flag as guess)

elesiuta commented 4 years ago

another similar program: https://gitlab.com/douaneapp/Douane

also these, but not really: https://en.wikipedia.org/wiki/Application_firewall#Linux

elesiuta commented 4 years ago

more useful links:
https://askubuntu.com/questions/97158/why-is-ubuntu-permissive-with-outgoing-connections-by-default/97172#97172
https://security.stackexchange.com/questions/76100/how-to-find-processes-that-are-hidden-from-task-manager
https://security.stackexchange.com/questions/84385/can-a-trojan-hide-itself-so-its-activity-doesnt-appear-in-task-manager-process
https://security.stackexchange.com/questions/103089/can-a-trojan-horse-hide-its-activity-from-tcpview

seems like there isn't really an easy way around these problems; not sure how much value there is in continuing this, but will probably still play around with it from time to time

elesiuta commented 3 years ago

closing issue and archiving repo indefinitely