Technically, AgentSmith-HIDS is not a Host-based Intrusion Detection System (HIDS) due to lack of rule engine and detection function. However, it can be used as a high performance ‘Host Information Collect Agent’ as part of your own HIDS solution.
The comprehensiveness of information which can be collected by this agent was one of the most important metrics during developing this project, hence it was built to function in the kernel stack and achieve huge advantage comparing to those function in user stack, such as:
Also Read – Yarasafe : SAFE Embeddings To Match Functions In Yara
Major abilities of AgentSmith-HIDS:
About the compatibility with Kernel version
About the compatibility with Containers
Source | Nodename |
---|---|
Host | hostname |
Docker | container name |
k8s | pod name |
Composition of AgentSmith-HIDS
Execve Hook
Achieved by hooking sys_execve()/sys_execveat()/compat_sys_execve()/compat_sys_execveat(), example:
{
“uid”:”0″,
“data_type”:”59″,
“run_path”:”/opt/ltp/testcases/bin/growfiles”,
“exe”:”/opt/ltp/testcases/bin/growfiles”,
“argv”:”growfiles -W gf26 -D 0 -b -i 0 -L 60 -u -B 1000b -e 1 -r 128-32768:128 -R 512-64000 -T 4 -f gfsmallio-35861 -d /tmp/ltp-Ujxl8kKsKY “,
“pid”:”35861″,
“ppid”:”35711″,
“pgid”:”35861″,
“tgid”:”35861″,
“comm”:”growfiles”,
“nodename”:”test”,
“stdin”:”/dev/pts/1″,
“stdout”:”/dev/pts/1″,
“sessionid”:”3″,
“dip”:”192.168.165.1″,
“dport”:”61726″,
“sip”:”192.168.165.128″,
“sport”:”22″,
“sa_family”:”1″,
“pid_tree”:”1(systemd)->1384(sshd)->2175(sshd)->2177(bash)->2193(fish)->35552(runltp)->35711(ltp-pan)->35861(growfiles)”,
“tty_name”:”pts1″,
“socket_process_pid”:”2175″,
“socket_process_exe”:”/usr/sbin/sshd”,
“SSH_CONNECTION”:”192.168.165.1 61726 192.168.165.128 22″,
“LD_PRELOAD”:”/root/ldpreload/test.so”,
“user”:”root”,
“time”:”1579575429143″,
“local_ip”:”192.168.165.128″,
“hostname”:”test”,
“exe_md5″:”01272152d4901fd3c2efacab5c0e38e5”,
“socket_process_exe_md5″:”686cd72b4339da33bfb6fe8fb94a301f”
}
Connect Hook
Achieved by hooking sys_connect(), example:
{
“uid”:”0″,
“data_type”:”42″,
“sa_family”:”2″,
“fd”:”4″,
“dport”:”1025″,
“dip”:”180.101.49.11″,
“exe”:”/usr/bin/ping”,
“pid”:”6294″,
“ppid”:”1941″,
“pgid”:”6294″,
“tgid”:”6294″,
“comm”:”ping”,
“nodename”:”test”,
“sip”:”192.168.165.153″,
“sport”:”45524″,
“res”:”0″,
“sessionid”:”1″,
“user”:”root”,
“time”:”1575721921240″,
“local_ip”:”192.168.165.153″,
“hostname”:”test”,
“exe_md5″:”735ae70b4ceb8707acc40bc5a3d06e04”
}
DNS Query Hook
Achieved by hooking sys_recvfrom(), example:
{
“uid”:”0″,
“data_type”:”601″,
“sa_family”:”2″,
“fd”:”4″,
“dport”:”53″,
“dip”:”192.168.165.2″,
“exe”:”/usr/bin/ping”,
“pid”:”6294″,
“ppid”:”1941″,
“pgid”:”6294″,
“tgid”:”6294″,
“comm”:”ping”,
“nodename”:”test”,
“sip”:”192.168.165.153″,
“sport”:”53178″,
“qr”:”1″,
“opcode”:”0″,
“rcode”:”0″,
“query”:”www.baidu.com”,
“sessionid”:”1″,
“user”:”root”,
“time”:”1575721921240″,
“local_ip”:”192.168.165.153″,
“hostname”:”test”,
“exe_md5″:”39c45487a85e26ce5755a893f7e88293”
}
Create File Hook
Achieved by hooking security_inode_create(), example:
{
“uid”:”0″,
“data_type”:”602″,
“exe”:”/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre/bin/java”,
“file_path”:”/tmp/kafka-logs/replication-offset-checkpoint.tmp”,
“pid”:”3341″,
“ppid”:”1″,
“pgid”:”2657″,
“tgid”:”2659″,
“comm”:”kafka-scheduler”,
“nodename”:”test”,
“sessionid”:”3″,
“user”:”root”,
“time”:”1575721984257″,
“local_ip”:”192.168.165.153″,
“hostname”:”test”,
“exe_md5″:”215be70a38c3a2e14e09d637c85d5311”,
“create_file_md5″:”d41d8cd98f00b204e9800998ecf8427e”
}
Process Inject Hook
Achieved by hooking sys_ptrace(), example:
{
“uid”:”0″,
“data_type”:”101″,
“ptrace_request”:”4″,
“target_pid”:”7402″,
“addr”:”00007ffe13011ee6″,
“data”:”-a”,
“exe”:”/root/ptrace/ptrace”,
“pid”:”7401″,
“ppid”:”1941″,
“pgid”:”7401″,
“tgid”:”7401″,
“comm”:”ptrace”,
“nodename”:”test”,
“sessionid”:”1″,
“user”:”root”,
“time”:”1575722717065″,
“local_ip”:”192.168.165.153″,
“hostname”:”test”,
“exe_md5″:”863293f9fcf1af7afe5797a4b6b7aa0a”
}
Load LKM File Hook
Achieved by hooking load_module(), example:
{
“uid”:”0″,
“data_type”:”603″,
“exe”:”/usr/bin/kmod”,
“lkm_file”:”/root/ptrace/ptrace”,
“pid”:”29461″,
“ppid”:”9766″,
“pgid”:”29461″,
“tgid”:”29461″,
“comm”:”insmod”,
“nodename”:”test”,
“sessionid”:”13″,
“user”:”root”,
“time”:”1577212873791″,
“local_ip”:”192.168.165.152″,
“hostname”:”test”,
“exe_md5″:”0010433ab9105d666b044779f36d6d1e”,
“load_file_md5″:”863293f9fcf1af7afe5797a4b6b7aa0a”
}
Cred Change Hook
Achieved by Hook commit_creds(),example:
{
“uid”:”0″,
“data_type”:”604″,
“exe”:”/tmp/tt”,
“pid”:”27737″,
“ppid”:”26865″,
“pgid”:”27737″,
“tgid”:”27737″,
“comm”:”tt”,
“old_uid”:”1000″,
“nodename”:”test”,
“sessionid”:”42″,
“user”:”root”,
“time”:”1578396197131″,
“local_ip”:”192.168.165.152″,
“hostname”:”test”,
“exe_md5″:”d99a695d2dc4b5099383f30964689c55”
}
User Login Alert
{
“data_type”:”1001″,
“status”:”Failed”,
“type”:”password”,
“user_exsit”:”false”,
“user”:”sad”,
“from_ip”:”192.168.165.1″,
“port”:”63089″,
“processor”:”ssh2″,
“time”:”1578405483119″,
“local_ip”:”192.168.165.128″,
“hostname”:”localhost.localdomain”
}
PROC File Hook Alert
{
“uid”:”-1″,
“data_type”:”700″,
“module_name”:”autoipv6″,
“hidden”:”0″,
“time”:”1578384987766″,
“local_ip”:”192.168.165.152″,
“hostname”:”test”
}
Syscall Hook Alert
{
“uid”:”-1″,
“data_type”:”701″,
“module_name”:”diamorphine”,
“hidden”:”1″,
“syscall_number”:”78″,
“time”:”1578384927606″,
“local_ip”:”192.168.165.152″,
“hostname”:”test”
}
LKM Hidden Alert
{
“uid”:”-1″,
“data_type”:”702″,
“module_name”:”diamorphine”,
“hidden”:”1″,
“time”:”1578384927606″,
“local_ip”:”192.168.165.152″,
“hostname”:”test”
}
Interrupts Hook Alert
{
“uid”:”-1″,
“data_type”:”703″,
“module_name”:”syshook”,
“hidden”:”1″,
“interrupt_number”:”2″,
“time”:”1578384927606″,
“local_ip”:”192.168.165.152″,
“hostname”:”test”
}
About Performance of AgentSmith-HIDS
Testing Environment:
CPU | Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz 2 Core |
---|---|
RAM | 2GB |
OS/Kernel | Centos7 / 3.10.0-1062.7.1.el7.x86_64 |
Testing Result:
Hook Handler | Average Delay(us) |
---|---|
execve_entry_handler | 10.4 |
connect_handler | 7.5 |
connect_entry_handler | 0.06 |
recvfrom_handler | 9.2 |
recvfrom_entry_handler | 0.17 |
fsnotify_post_handler | 0.07 |
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…