zeek / zeek-agent

This project is no longer maintained. There's a successor at https://github.com/zeek/zeek-agent-v2

Zeek Agents supports a BPF-based process_events table #54

Open alessandrogario opened 4 years ago

Wajihulhassan commented 4 years ago

Can you elaborate more on this? Are there any benefits in terms of performance or event granularity when using BPF instead of using Linux auditd to collect the process events?

alessandrogario commented 4 years ago

Audit is able to provide a lot of metadata when generating events (example: file descriptors will emit an AUDIT_PATH record containing the path), while BPF is essentially a pure system call tracer when used for this kind of event. It may require the developer to use more tracers compared to Audit, but they are more lightweight.

One really good thing about BPF is that it does not require users to install system-wide rules that can potentially affect other consumers that are using the same event source.

A really interesting feature that can be implemented with BPF is the ability to trace libraries and executables using uprobes. This essentially lets you trace applications such as shells or daemons like ssh and generate events when the monitored functions are called.

Wajihulhassan commented 4 years ago

I really like this idea of tracing applications at function-level because I can see its use case during threat hunting and forensic investigations. I'd love to add this functionality into Zeek-agent. Do you think it is easy to implement this service/tracer in the existing Zeek-agent architecture? Any pointers on how to go about implementing this functionality?

alessandrogario commented 4 years ago

I have been working on a library to implement this kind of functionality: https://github.com/trailofbits/ebpfpub

It works by generating code using LLVM IR, according to a simple DSL used to define how the function being traced behaves (example: number of parameters, types, when and how to acquire them, etc.). The generated function is then JITted to BPF and loaded.

You can find an example here: https://github.com/trailofbits/ebpfpub/blob/master/examples/execsnoop/src/main.cpp

alessandrogario commented 4 years ago

It is also possible to use the BCC library with the C++ API. A tutorial, for the Python bindings, can be found here: https://github.com/iovisor/bcc/blob/master/docs/tutorial_bcc_python_developer.md

In my experience, for this specific use case BCC is kind of overkill and too low level; this is the main reason I started writing the ebpfpub library.
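As an added illustration of the uprobe approach discussed in this thread (example code, not from zeek-agent, ebpfpub or BCC itself), the script below uses the BCC Python bindings to attach a uretprobe to bash's readline() and emit one process-style event per interactive command line. The event layout, the `decode_event` helper and the `/bin/bash` path are my assumptions; running it requires BCC installed, root privileges and a kernel with bpf_probe_read_user_str (5.5 or newer).

```python
import ctypes
# BPF C program. Assumption: the traced shell is /bin/bash, which exports readline().
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
struct event_t {
    u32  pid;
    u32  uid;
    char comm[16];
    char line[256];
};
BPF_PERF_OUTPUT(events);
// uretprobe: readline()'s return value is the command line the user just typed.
int on_readline_ret(struct pt_regs *ctx) {
    struct event_t ev = {};
    const char *ret = (const char *)PT_REGS_RC(ctx);
    if (!ret) return 0;                       /* EOF / Ctrl-D: nothing to report */
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    ev.uid = bpf_get_current_uid_gid() & 0xffffffff;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
    bpf_probe_read_user_str(&ev.line, sizeof(ev.line), ret);  /* kernel >= 5.5 */
    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
"""
class Event(ctypes.Structure):
    """Python mirror of struct event_t; field order and sizes must match the C side."""
    _fields_ = [("pid", ctypes.c_uint32), ("uid", ctypes.c_uint32),
                ("comm", ctypes.c_char * 16), ("line", ctypes.c_char * 256)]
EVENT_SIZE = ctypes.sizeof(Event)  # 280 bytes, same as sizeof(struct event_t)
def decode_event(ev):
    """Turn one raw perf event into the record a collector would forward."""
    return {"pid": ev.pid, "uid": ev.uid,
            "comm": ev.comm.decode(errors="replace"),
            "line": ev.line.decode(errors="replace")}
def main():
    from bcc import BPF  # imported here so decode_event works without BCC installed
    b = BPF(text=BPF_PROGRAM)
    b.attach_uretprobe(name="/bin/bash", sym="readline", fn_name="on_readline_ret")
    def handle(cpu, data, size):
        rec = decode_event(ctypes.cast(data, ctypes.POINTER(Event)).contents)
        print("pid=%(pid)d uid=%(uid)d comm=%(comm)s line=%(line)s" % rec)
    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()
if __name__ == "__main__":
    main()
```

Because the probe is attached to one binary rather than to a system-wide rule set, it does not interfere with other consumers of the same host telemetry, which is the advantage over auditd rules raised earlier in the thread.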

Wajihulhassan commented 4 years ago

This is awesome! Thanks!