# Cache Categories

Jibril keeps several kinds of cache, each serving a different purpose:

- Match events to the process that produced them
- Rebuild the activity that led to each detection
- Track relationships between processes and resources
- Connect file and network activity to processes
- Tune memory use through the cache sizes
## Task Caches
| Cache | Description |
|---|---|
| tasks | Active processes (PIDs). |
| rec-tasks | Recently ended processes. |
| cmds | Command lines for processes. |
| args | Process arguments. |
| task-ref | Process relationships (ancestry, forks). |
## File Caches
| Cache | Description |
|---|---|
| files | Accessed or watched files. |
| dirs | Accessed directories. |
| bases | Base directories or filenames. |
| task-file | Task-to-file access mapping. |
| file-task | File-to-task access mapping. |
## Network Caches
| Cache | Description |
|---|---|
| flows | Network connections (TCP/UDP). |
| task-flow | Process-to-network mapping. |
| flow-task | Network-to-process mapping. |
| flow-ref | Related network flows (both sides of TCP). |