Skip to content

Latest commit

Β 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

README.md

β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—    β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—
β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β•β•β•    β•šβ•β•β–ˆβ–ˆβ•”β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—
β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—         β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•
β–ˆβ–ˆβ•”β•β•β•  β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β•β• β–ˆβ–ˆβ•”β•β•β•         β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•”β•β•β•  β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—
β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•‘            β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘
β•šβ•β•β•β•β•β•β•β•šβ•β•β•β•β•β• β•šβ•β•     β•šβ•β•            β•šβ•β•   β•šβ•β•  β•šβ•β•β•šβ•β•  β•šβ•β• β•šβ•β•β•β•β•β•β•šβ•β•β•β•β•β•β•β•šβ•β•  β•šβ•β•

Cybersecurity Projects Python C License: AGPLv3

Real-time syscall tracing tool using eBPF for security observability β€” monitors process execution, file access, network connections, privilege changes, and system operations to detect suspicious behavior.

This is a quick overview β€” security theory, architecture, and full walkthroughs are in the learn modules.

What It Does

  • Real-time syscall monitoring via eBPF tracepoints (process, file, network, privilege, system)
  • 10 built-in detection rules mapped to MITRE ATT&CK techniques
  • Correlated event analysis for multi-step attacks (reverse shell detection, privilege escalation chains)
  • Multiple output formats: live color-coded stream, JSON, table summary
  • Configurable severity filtering (LOW, MEDIUM, HIGH, CRITICAL)
  • Event enrichment from /proc filesystem (parent process, username)
  • Clean signal handling and eBPF program cleanup

Quick Start

./install.sh
sudo uv run ebpf-tracer

Tip

This project uses just as a command runner. Type just to see all available commands.

Install: curl -sSf https://just.systems/install.sh | bash -s -- --to ~/.local/bin

Usage

sudo uv run ebpf-tracer                       # trace all syscalls (live mode)
sudo uv run ebpf-tracer -f json -s MEDIUM      # JSON output, MEDIUM+ severity
sudo uv run ebpf-tracer -t network             # only network events
sudo uv run ebpf-tracer --detections           # only show detection alerts
sudo uv run ebpf-tracer -c nginx               # filter by process name
sudo uv run ebpf-tracer -o events.jsonl        # write events to file while streaming

Detection Rules

ID Name Severity MITRE ATT&CK Trigger
D001 Privilege Escalation CRITICAL T1548 setuid(0) by non-root
D002 Sensitive File Read MEDIUM T1003.008 /etc/shadow access by non-root
D003 SSH Key Access MEDIUM T1552.004 SSH key file access
D004 Process Injection MEDIUM T1055.008 ptrace ATTACH/SEIZE
D005 Kernel Module Load HIGH T1547.006 init_module syscall
D006 Reverse Shell CRITICAL T1059.004 connect + shell execve sequence
D007 Persistence via Cron MEDIUM T1053.003 Write to cron directories
D008 Persistence via Systemd MEDIUM T1543.002 Write to systemd unit dirs
D009 Log Tampering MEDIUM T1070.002 Log file deletion/truncation
D010 Suspicious Mount HIGH T1611 mount syscall

Learn

This project includes step-by-step learning materials covering security theory, architecture, and implementation.

Module Topic
00 - Overview Prerequisites and quick start
01 - Concepts eBPF theory and security observability
02 - Architecture System design and data flow
03 - Implementation Code walkthrough
04 - Challenges Extension ideas and exercises

License

AGPL 3.0