mirror of
https://github.com/evilsocket/opensnitch.git
synced 2025-03-04 00:24:40 +01:00
4ce8b0e57c
Improved process detections by monitoring new processes execution. It allow us to know the path of a process before a socket is opened. Closes #617 Other improvements: - If we fail to retrieve the path of a process, then we'll use the comm name of the connection/process. - Better kernel connections detection. - If debugfs is not loaded, we'll try to mount it, to allow to use eBPF monitor method. Future work (help wanted): - Extract command line arguments from the kernel (sys_execve, or mm struct). - Monitor other functions (execveat, clone*, fork, etc). - Send these events to the server (GUI), and display all the commands an application has executed. |
||
|---|---|---|
| .. | ||
| arm-clang-asm-fix.patch | ||
| file.patch | ||
| Makefile | ||
| opensnitch-dns.c | ||
| opensnitch-procs.c | ||
| opensnitch.c | ||
| README | ||
opensnitch.c is an eBPF program. Compilation requires getting kernel source. sudo apt install clang llvm libelf-dev libzip-dev flex bison libssl-dev bc rsync python3 cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch*.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch*.o /etc/opensnitchd/ cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf The kernel where you intend to run it must have some options activated: $ grep BPF /boot/config-$(uname -r) CONFIG_CGROUP_BPF=y CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_EVENTS=y CONFIG_KPROBES=y CONFIG_KPROBE_EVENTS=y