Network Policy Enforcement

Jibril's Network Policy Plugin provides real-time network access control at the kernel level using eBPF. Define granular traffic policies based on IP ranges, specific addresses, and domain names, all enforced with minimal performance impact.
Kernel-Level Enforcement
Block malicious connections before they're established, intercept DNS queries, and enforce zero-trust policies, all at kernel level with no userspace overhead, providing immediate protection against network threats.
What is Network Policy?
The Network Policy Plugin enables administrators to define and enforce granular traffic policies based on:
CIDR Blocks
Control access based on IP address ranges:
- 192.168.0.0/16 - Private networks
- 10.0.0.0/8 - Internal infrastructure
- 0.0.0.0/0 - All traffic
Specific IPs
Block or allow individual addresses:
- 8.8.8.8 - DNS servers
- 1.1.1.1 - External services
- ::1 - IPv6 localhost
Domain Names
Control access by domain:
- malware-c2.com - Block C2 servers
- phishing-site.net - Block phishing
- trusted-api.com - Allow trusted APIs
How It Works
Policy Enforcement Pipeline
The Network Policy Plugin integrates seamlessly with Jibril's eBPF-based network monitoring:
1. Policy Definition
Administrators define network policies in a simple YAML configuration file:
- Default policy behavior (allow or deny)
- Explicit allow rules for trusted resources
- Explicit deny rules for blocked resources
2. Kernel-Level Enforcement
Jibril loads policy rules into eBPF maps in kernel space, enabling:
- Real-time traffic filtering without userspace context switches
- Prevention of malicious connections before establishment
- DNS-level blocking of prohibited domains
- Efficient policy lookups using optimized kernel data structures
3. Comprehensive Coverage
The policy applies to all network communications:
- Outbound connections to external services
- Inbound connections from remote peers
- Container and host-level traffic
Technical Implementation
eBPF Integration
Leverages Jibril's Network eBPF logic to:
- Intercept network syscalls
- Intercept in-kernel raw packets
- Evaluate policies in kernel space
- Block connections synchronously
- Generate dropip events
Performance: Sub-microsecond policy evaluation and packet blocking
Zero-Trust Architecture
Enables implementation of zero-trust network models:
- Default deny all traffic
- Explicit allow trusted destinations
- Continuous verification
- Least privilege access
Security: Prevent lateral movement and data exfiltration
Quick Start
Network Policy Configuration
# /etc/jibril/netpolicy.yaml
network_policy:
  # Default action: allow or deny
  policy: allow
  # Always allow these (whitelist)
  allow:
    - 127.0.0.0/8     # Localhost
    - ::1/128         # IPv6 localhost
    - 10.0.0.0/8      # Internal network
    - 172.16.0.0/12   # Private network
    - 192.168.0.0/16  # Private network
    - 8.8.8.8         # Google DNS
    - 8.8.4.4         # Google DNS
    - 1.1.1.1         # Cloudflare DNS
    - google.com      # Trusted domain
  # Always deny these (blacklist)
  deny:
    - 2.2.2.2         # Blocked IP
    - 3.3.3.3/32      # Blocked range
    - example.com     # Blocked domain
    - malware-c2.net  # Known C2 server
Jibril Configuration
Enable the network policy feature in your main configuration:
# /etc/jibril/config.yaml
features:
  - hold
  - procfs
  - netpolicy  # Enable network policy
  - detect
feature_options:
  netpolicy:
    file: /etc/jibril/netpolicy.yaml
    events:
      - dropip  # Log blocked connections
Policy Events
When network policy blocks traffic, Jibril generates events:
dropip Event
The cornerstone of Jibril's network enforcement: a dropip event is generated whenever an IP connection is blocked by policy. This provides clear and actionable insight into traffic being actively denied at the kernel level.
Example dropip event:
{
"uuid": "d107e277914b134436805c811b714b9b65d6cb0f0c13f210adb9d1ac8847c031",
"timestamp": "2025-10-30T16:45:39Z",
"note": "network drop ip event",
"metadata": {
"kind": "dropip",
"name": "dropip",
"format": "dropip",
"version": "1.0"
},
"background": {
"files": {
"root": {
"path": "/",
"dirs": [
{
"path": "/etc",
"base": "etc",
"files": [
{
"path": "/etc/gai.conf",
"base": "gai.conf",
"actions": ["open", "read", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 2584,
"access": "2025-10-30 12:46:28",
"change": "2025-08-13 12:30:26",
"creation": "2025-08-18 12:03:00"
}
},
{
"path": "/etc/host.conf",
"base": "host.conf",
"actions": ["open", "read", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 73,
"access": "2025-10-30 03:00:04",
"change": "2025-10-12 16:21:41",
"creation": "2025-10-26 18:49:54"
}
},
{
"path": "/etc/ld.so.cache",
"base": "ld.so.cache",
"actions": ["mmap", "open", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 97503,
"access": "2025-10-30 08:33:41",
"change": "2025-10-27 08:32:51",
"creation": "2025-10-27 08:32:51"
}
},
{
"path": "/etc/ld.so.preload",
"base": "ld.so.preload",
"actions": ["open", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 0,
"access": "2025-07-31 23:37:09",
"change": "2024-10-24 19:41:32",
"creation": "2024-10-24 19:41:32"
}
},
{
"path": "/etc/nsswitch.conf",
"base": "nsswitch.conf",
"actions": ["open", "read", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 359,
"access": "2025-10-29 18:51:41",
"change": "2025-10-12 16:21:41",
"creation": "2025-10-26 18:49:54"
}
}
]
},
{
"path": "/usr",
"base": "usr",
"dirs": [
{
"path": "/usr/bin",
"base": "bin",
"files": [
{
"path": "/usr/bin/ping",
"base": "ping",
"actions": ["mmap", "open", "close", "execve"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 155160,
"access": "2025-10-30 16:45:13",
"change": "2025-06-05 19:01:53",
"creation": "2025-07-10 13:46:26"
}
}
]
},
{
"path": "/usr/lib",
"base": "lib",
"dirs": [
{
"path": "/usr/lib/gconv",
"base": "gconv",
"files": [
{
"path": "/usr/lib/gconv/gconv-modules.cache",
"base": "gconv-modules.cache",
"actions": ["mmap", "open", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 27010,
"access": "2025-10-29 18:41:41",
"change": "2025-08-18 12:03:02",
"creation": "2025-08-18 12:03:02"
}
}
]
},
{
"path": "/usr/lib/locale",
"base": "locale",
"files": [
{
"path": "/usr/lib/locale/locale-archive",
"base": "locale-archive",
"actions": ["mmap", "open", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 3063024,
"access": "2025-10-29 18:41:36",
"change": "2025-08-18 12:03:01",
"creation": "2025-08-18 12:03:01"
}
}
]
},
{
"path": "/usr/lib/systemd",
"base": "systemd",
"files": [
{
"path": "/usr/lib/systemd/resolv.conf",
"base": "resolv.conf",
"actions": ["open", "read", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 710,
"access": "2025-10-30 01:50:07",
"change": "2025-10-13 15:05:54",
"creation": "2025-10-26 18:49:55"
}
}
]
}
],
"files": [
{
"path": "/usr/lib/ld-linux-x86-64.so.2",
"base": "ld-linux-x86-64.so.2",
"actions": ["mmap", "open", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 246760,
"access": "2025-10-29 18:40:53",
"change": "2025-08-13 12:30:26",
"creation": "2025-08-18 12:03:00"
}
},
{
"path": "/usr/lib/libc.so.6",
"base": "libc.so.6",
"actions": ["mmap", "open", "read", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 2149728,
"access": "2025-10-29 18:40:53",
"change": "2025-08-13 12:30:26",
"creation": "2025-08-18 12:03:01"
}
},
{
"path": "/usr/lib/libcap.so.2.76",
"base": "libcap.so.2.76",
"actions": ["mmap", "open", "read", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 43064,
"access": "2025-10-29 18:41:41",
"change": "2025-04-13 21:43:22",
"creation": "2025-04-26 02:57:40"
}
},
{
"path": "/usr/lib/libgcc_s.so.1",
"base": "libgcc_s.so.1",
"actions": ["mmap", "open", "read", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 906056,
"access": "2025-10-29 18:41:41",
"change": "2025-08-13 14:30:10",
"creation": "2025-08-18 12:03:02"
}
},
{
"path": "/usr/lib/libidn2.so.0.4.0",
"base": "libidn2.so.0.4.0",
"actions": ["mmap", "open", "read", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 132992,
"access": "2025-10-30 15:27:39",
"change": "2024-01-27 12:07:14",
"creation": "2024-02-14 03:14:15"
}
},
{
"path": "/usr/lib/libm.so.6",
"base": "libm.so.6",
"actions": ["mmap", "open", "read", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 1100400,
"access": "2025-10-29 18:41:41",
"change": "2025-08-13 12:30:26",
"creation": "2025-08-18 12:03:01"
}
},
{
"path": "/usr/lib/libnss_mymachines.so.2",
"base": "libnss_mymachines.so.2",
"actions": ["mmap", "open", "read", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 375840,
"access": "2025-10-30 03:00:04",
"change": "2025-10-13 15:05:54",
"creation": "2025-10-26 18:49:54"
}
},
{
"path": "/usr/lib/libnss_resolve.so.2",
"base": "libnss_resolve.so.2",
"actions": ["mmap", "open", "read", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 211304,
"access": "2025-10-30 03:00:04",
"change": "2025-10-13 15:05:54",
"creation": "2025-10-26 18:49:54"
}
},
{
"path": "/usr/lib/libunistring.so.5.2.0",
"base": "libunistring.so.5.2.0",
"actions": ["mmap", "open", "read", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 1976368,
"access": "2025-10-30 15:27:39",
"change": "2024-12-27 18:30:19",
"creation": "2025-01-06 03:01:07"
}
}
]
},
{
"path": "/usr/share",
"base": "share",
"dirs": [
{
"path": "/usr/share/locale",
"base": "locale",
"files": [
{
"path": "/usr/share/locale/locale.alias",
"base": "locale.alias",
"actions": ["open", "read", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 2998,
"access": "2025-10-29 18:41:41",
"change": "2025-08-13 12:30:26",
"creation": "2025-08-18 12:03:01"
}
}
]
}
]
}
]
}
]
}
},
"flows": {
"ip_version": 4,
"protocols": [
{
"proto": "ICMP",
"pairs": [
{
"nodes": {
"local": {
"address": "192.168.100.2",
"name": "gateway.home",
"names": ["192.168.100.2", "gateway.home", "gateway.home"]
},
"remote": {
"address": "108.139.182.88",
"name": "www.uol.com.br",
"names": [
"108.139.182.88",
"dftex7xfha8fh.cloudfront.net",
"www.uol.com.br"
]
}
},
"port_matrix": [
{
"phase": {
"direction": "egress",
"status": "ongoing"
}
}
]
}
],
"icmps": [
{
"type": "EchoRequest",
"code": "0"
}
]
}
]
},
"ancestry": [
{
"start": "2025-10-28T13:24:32-03:00",
"exit": "running",
"retcode": 0,
"uid": 0,
"pid": 1,
"ppid": 0,
"comm": "systemd",
"cmd": "systemd",
"exe": "/usr/lib/systemd/systemd",
"args": "/sbin/init",
"envs": "TERM=linux"
},
{
"start": "2025-10-28T13:24:43-03:00",
"exit": "running",
"retcode": 0,
"uid": 0,
"pid": 629,
"ppid": 1,
"comm": "sshd",
"cmd": "sshd",
"exe": "/usr/bin/sshd",
"args": "",
"envs": ""
},
{
"start": "2025-10-30T13:45:10-03:00",
"exit": "running",
"retcode": 0,
"uid": 0,
"pid": 290110,
"ppid": 629,
"comm": "sshd-session",
"cmd": "sshd-session",
"exe": "/usr/lib/ssh/sshd-session",
"args": "/usr/lib/ssh/sshd-session -D -R",
"envs": "PATH=..."
},
{
"start": "2025-10-30T13:45:10-03:00",
"exit": "running",
"retcode": 0,
"uid": 1000,
"pid": 290113,
"ppid": 290110,
"comm": "sshd-session",
"cmd": "sshd-session",
"exe": "/usr/lib/ssh/sshd-session",
"args": "/usr/lib/ssh/sshd-session -D -R",
"envs": "PATH=..."
},
{
"start": "2025-10-30T13:45:10-03:00",
"exit": "running",
"retcode": 0,
"uid": 1000,
"pid": 290114,
"ppid": 290113,
"comm": "bash",
"cmd": "bash",
"exe": "/usr/bin/bash",
"args": "-bash",
"envs": "HOME=/home/rafaeldtinoco PATH=..."
},
{
"start": "2025-10-30T13:45:36-03:00",
"exit": "2025-10-30T13:45:36-03:00",
"retcode": 256,
"uid": 1000,
"pid": 290198,
"ppid": 290114,
"comm": "ping",
"cmd": "ping",
"exe": "/usr/bin/ping",
"args": "ping -4 www.uol.com.br",
"envs": "SHELL=/bin/bash HISTCONTROL=ignoreboth:erasedups ..."
}
]
},
"ip": "108.139.182.88",
"names": ["108.139.182.88", "dftex7xfha8fh.cloudfront.net", "www.uol.com.br"],
"flow": {
"ip_version": 4,
"proto": "ICMP",
"icmp": {
"type": "EchoRequest",
"code": "0"
},
"local": {
"address": "192.168.100.2",
"name": "gateway.home",
"names": ["192.168.100.2", "gateway.home", "gateway.home"]
},
"remote": {
"address": "108.139.182.88",
"name": "www.uol.com.br",
"names": [
"108.139.182.88",
"dftex7xfha8fh.cloudfront.net",
"www.uol.com.br"
]
},
"flags": {
"ingress": false,
"egress": true,
"incoming": false,
"outgoing": false,
"started": false,
"ongoing": true,
"ended": false,
"terminator": false,
"terminated": false
},
"phase": {
"direction": "egress",
"status": "ongoing"
}
}
}
Use case: Instantly track and investigate blocked connections, uncover lateral movement, or monitor attempts to reach malicious destinations in real time.
When network policy rules are set for domain names, Jibril intercepts DNS resolutions and enforces the corresponding policy instantly at the kernel level. This means any IP address resolved from a blocked domain is immediately subject to the policy, leaving no opportunity for applications to bypass controls or communicate with forbidden destinations.
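Both the Quick Start policy above and the DNS interception just described can be modelled in userspace. The following is an added Python illustration, not Jibril's own code: it mirrors the netpolicy.yaml keys, lets an address answered for a listed domain inherit that domain's verdict, and assumes deny-over-allow precedence and exact domain-name matching, neither of which this page specifies.

```python
import ipaddress

def to_network(rule):
    """'10.0.0.0/8' or '8.8.8.8' become a network; a domain name returns None."""
    try:
        return ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return None

class NetPolicy:
    """Hypothetical userspace model of netpolicy.yaml evaluation (not Jibril's own code):
    the default `policy` action plus `allow`/`deny` lists of CIDRs, IPs and domains."""

    def __init__(self, policy, allow=(), deny=()):
        self.allow_default = policy == "allow"
        self.networks = {}  # ip_network -> verdict (True = allow)
        self.domains = {}   # lowercase domain -> verdict
        for verdict, rules in ((True, allow), (False, deny)):
            for rule in rules:
                net = to_network(rule)
                if net is not None:
                    self.networks[net] = verdict
                else:
                    self.domains[rule.lower().rstrip(".")] = verdict

    def observe_dns(self, domain, answers):
        """DNS interception as described above: addresses answered for a listed
        domain inherit its verdict (exact-name match is an assumption)."""
        verdict = self.domains.get(domain.lower().rstrip("."))
        if verdict is not None:
            for addr in answers:
                self.networks[ipaddress.ip_network(addr)] = verdict

    def allowed(self, ip):
        """Assumed precedence (not stated on the page): deny, then allow, then default."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # fail closed on an unparseable destination
        hits = [v for net, v in self.networks.items() if addr in net]
        return False not in hits and (True in hits or self.allow_default)

# The Quick Start policy above, embedded as sample input.
QUICK_START = NetPolicy(
    "allow",
    allow=["127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "8.8.8.8", "8.8.4.4", "1.1.1.1", "google.com"],
    deny=["2.2.2.2", "3.3.3.3/32", "example.com", "malware-c2.net"],
)
```

Feeding a constructed DNS answer such as `QUICK_START.observe_dns("malware-c2.net", ["203.0.113.10"])` turns every later `allowed("203.0.113.10")` into a deny, which is the point at which Jibril would emit a dropip event.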
Use Cases
Malware C2 Blocking
Block known command-and-control servers:
- Threat intelligence feeds
- Malware domain lists
- IP reputation databases
Benefit: Prevent data exfiltration and backdoor communication
Zero-Trust Networks
Implement strict network segmentation:
- Default deny all traffic
- Explicit allow trusted services
- Continuous verification
Benefit: Minimize attack surface and lateral movement
Phishing Protection
Block access to phishing domains:
- Known phishing campaigns
- Suspicious domain patterns
- Typosquatting domains
Benefit: Protect users from credential theft
Data Loss Prevention
Control outbound connections:
- Block file-sharing sites
- Restrict cloud storage
- Monitor data transfers
Benefit: Prevent unauthorized data exfiltration
Note:
Jibril comes preloaded with over 2 million domains known for bad reputations. These domains are integrated into internal detection recipes and trigger a detection event rather than automatically blocking traffic via policy rules. To block that traffic as well, either:
- Define a custom reaction to block traffic using alchemies. Traffic will be blocked as soon as the event is detected.
- Add all the domains to the deny list in your policy file. The traffic will be blocked from the very first packet (and a dropip event will be generated).
Best Practices
Recommended
- Start with policy: allow to learn traffic patterns
- Always allow localhost and internal networks
- Use threat intelligence feeds for deny lists
- Test in staging before production
- Document all policy rules
- Regularly update deny lists
Avoid
- Jumping directly to policy: deny without testing
- Blocking internal infrastructure accidentally
- Forgetting to allow DNS servers
- Overly restrictive rules breaking applications
- No monitoring before enforcement
- Undocumented policy decisions
- Stale deny lists