Components

Extensions

config

Passes context from userland to the eBPF programs (log level, run mode, etc.).

data

  • Data storage and retrieval common logic.

  • Implements eBPF virtual maps and nested virtual maps.

  • Implements a trie data structure for efficient prefix matching.

jibril

  • The heart of the project.

  • The main extension, with multiple plugins.

Plugins in Jibril Extension

hold

  • Holds the execution until ctrl+c or SIGTERM is received.

  • Used for detection recipes needing continuous monitoring.

procfs

  • Reads /proc files during startup for existing processes.

  • Populates eBPF maps with existing data.

printers

  • Implements the different output endpoints (printers).

  • Simplest printer is stdout, which prints to the standard output.

  • The varlog printer logs output to /var/log/{loader,jibril}.log.

netpolicy

  • Enforces network policies based on CIDRs and domain names.

  • Able to drop DNS resolutions synchronously.

detect

  • Tracks every task and file and the actions performed on them.

  • Correlates tasks and files with other resources.

  • Provides the common ground for detection recipes.

jbconfig & pause

  • Provides extra process information on detection events, such as:

    • Distribution flavor (including containers).

    • Name and version of the package the triggering process belongs to.

    • Package names and versions of the files involved (binary, libraries).

    • and more.

  • Uses AI to either block or amend detections that are likely false positives.

Printers

stdout

Prints events to the standard output.

varlog

Logs output to /var/log/jibril.log.

Network Policy

| Event | Description |
|---|---|
| dropip | Alerts when network flows are dropped by existing policy due to CIDR or domain name restrictions |
| dropdomain | Alerts when domain resolutions are dropped by existing policy due to domain name restrictions |
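The netpolicy plugin above relies on two lookups: a prefix-matching trie for CIDRs (the structure the data extension provides) and a domain deny list consulted synchronously at resolution time. The following is an added illustration, written in Go for this page and not Jibril's own code: a binary trie over IPv4 address bits, a suffix-walking domain check, and a `Policy` that returns verdicts named after the two events in the table. Every type and function name here (`CIDRTrie`, `Policy`, `CheckResolve`, `CheckFlow`, the sample CIDRs and domains) is a hypothetical choice for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Verdict names follow the two Network Policy events: dropip and dropdomain.
type Verdict int

const (
	Allow Verdict = iota
	DropIP
	DropDomain
)

func (v Verdict) String() string { return [...]string{"allow", "dropip", "dropdomain"}[v] }

// cidrNode is one level of a binary trie keyed on address bits (a hypothetical
// stand-in for the prefix-matching trie the data extension implements).
type cidrNode struct {
	child [2]*cidrNode
	deny  bool // a denied prefix ends exactly at this node
}

// CIDRTrie holds denied IPv4 prefixes; a lookup costs at most 32 steps.
type CIDRTrie struct{ root cidrNode }

func (t *CIDRTrie) Insert(cidr string) error {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	a := ipnet.IP.To4() // host bits are already zeroed by ParseCIDR
	if a == nil {
		return fmt.Errorf("IPv4 only in this example: %s", cidr)
	}
	bits, _ := ipnet.Mask.Size()
	n := &t.root
	for i := 0; i < bits; i++ {
		bit := (a[i/8] >> (7 - uint(i%8))) & 1
		if n.child[bit] == nil {
			n.child[bit] = &cidrNode{}
		}
		n = n.child[bit]
	}
	n.deny = true
	return nil
}

// Covered walks addr's bits from the top; any deny flag on the path means some
// denied prefix contains the address (longest match is not needed for deny-only).
func (t *CIDRTrie) Covered(addr net.IP) bool {
	a := addr.To4()
	if a == nil {
		return false // IPv6 is out of scope here, so it passes: see the note below
	}
	n := &t.root
	for i := 0; i < 32; i++ {
		if n.deny {
			return true
		}
		n = n.child[(a[i/8]>>(7-uint(i%8)))&1]
		if n == nil {
			return false
		}
	}
	return n.deny
}

// Policy combines the prefix trie with a deny list of domains (exact or any subdomain).
type Policy struct {
	ips     CIDRTrie
	domains map[string]bool
}

func NewPolicy(cidrs, domains []string) (*Policy, error) {
	p := &Policy{domains: map[string]bool{}}
	for _, c := range cidrs {
		if err := p.ips.Insert(c); err != nil {
			return nil, err
		}
	}
	for _, d := range domains {
		p.domains[strings.ToLower(strings.TrimSuffix(d, "."))] = true
	}
	return p, nil
}

// CheckResolve models the synchronous DNS hook: it runs before the answer
// reaches the process, so a DropDomain verdict means the name never resolves.
func (p *Policy) CheckResolve(name string) Verdict {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for {
		if p.domains[name] {
			return DropDomain
		}
		i := strings.IndexByte(name, '.')
		if i < 0 {
			return Allow
		}
		name = name[i+1:] // try the parent domain next
	}
}

// CheckFlow decides on a new flow's destination; an unparsable address fails closed.
func (p *Policy) CheckFlow(dst string) Verdict {
	addr := net.ParseIP(dst)
	if addr == nil || p.ips.Covered(addr) {
		return DropIP
	}
	return Allow
}

func main() {
	// Constructed policy: deny 10/8, the cloud metadata address, and one domain tree.
	p, err := NewPolicy([]string{"10.0.0.0/8", "169.254.169.254/32"}, []string{"evil.example"})
	if err != nil {
		panic(err)
	}
	for _, dst := range []string{"10.1.2.3", "169.254.169.254", "169.254.169.253", "8.8.8.8"} {
		fmt.Printf("flow to %-16s -> %s\n", dst, p.CheckFlow(dst))
	}
	for _, name := range []string{"evil.example", "api.evil.example.", "notevil.example"} {
		fmt.Printf("resolve %-18s -> %s\n", name, p.CheckResolve(name))
	}
}
```

Two caveats a practitioner should carry over from this toy into any real policy: the trie here is IPv4-only, so an IPv6 destination is never covered and therefore passes (a deny-list that silently ignores one address family is a bypass, not a policy), and the domain check matches whole labels only, so `notevil.example` is not caught by a rule for `evil.example`.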

Detect

Network Flows (all)

| Event | Description |
|---|---|
| flow | One event per existing network flow (all flows) |

Detect File Access

| Event | Description |
|---|---|
| capabilities_modification | Detects changes to file capabilities |
| code_modification_through_procfs | Detects code modifications via /proc |
| core_pattern_access | Monitors access to core pattern configurations |
| cpu_fingerprint | Identifies unique CPU fingerprints for anomaly detection |
| credentials_files_access | Tracks access to credential files |
| filesystem_fingerprint | Detects changes in filesystem signatures |
| java_debug_lib_load | Monitors loading of Java debug libraries |
| java_instrument_lib_load | Tracks loading of Java instrumentation libraries |
| machine_fingerprint | Identifies unique machine fingerprints |
| os_fingerprint | Detects changes in OS signatures |
| os_network_fingerprint | Monitors OS network-related fingerprints |
| os_status_fingerprint | Tracks OS status changes |
| package_repo_config_modification | Detects modifications in package repository configurations |
| pam_config_modification | Monitors changes to PAM configurations |
| sched_debug_access | Detects access to scheduler debug interfaces |
| shell_config_modification | Tracks changes to shell configurations |
| ssl_certificate_access | Monitors access to SSL certificates |
| sudoers_modification | Detects changes to sudoers files |
| sysrq_access | Tracks access to sysrq functionalities |
| unprivileged_bpf_config_access | Detects access to unprivileged BPF configurations |
| global_shlib_modification | Monitors modifications to global shared libraries |
| environ_read_from_procfs | Detects reads of process environment variables via procfs |
| binary_self_deletion | Detects executable self-deletion |
| crypto_miner_files | Detects access to files related to crypto mining |
| auth_logs_tamper | Detects tampering with authentication log files |

Detect Execution

| Event | Description |
|---|---|
| binary_executed_by_loader | Detects binaries executed via the ELF loader |
| code_on_the_fly | Monitors dynamic code execution |
| credentials_text_lookup | Detects processes scanning memory for credential-related text |
| denial_of_service_tools | Detects the use of denial-of-service tools |
| exec_from_unusual_dir | Tracks executions from non-standard directories |
| file_attribute_change | Detects changes to file attributes |
| hidden_elf_exec | Identifies hidden ELF executions |
| interpreter_shell_spawn | Monitors the spawning of interpreter shells |
| net_filecopy_tool_exec | Detects the execution of network file copy tools |
| net_mitm_tool_exec | Identifies man-in-the-middle network tool executions |
| net_scan_tool_exec | Detects network scanning tool executions |
| net_sniff_tool_exec | Monitors the use of network sniffing tools |
| net_suspicious_tool_exec | Detects suspicious network tool executions |
| net_suspicious_tool_shell | Identifies suspicious tool shells in network contexts |
| passwd_usage | Tracks the usage of the passwd command |
| runc_suspicious_exec | Detects suspicious executions related to runc |
| webserver_exec | Detects web server daemon startup |
| webserver_shell_exec | Detects a shell spawned by a web server |
| crypto_miner_execution | Detects execution of crypto miners |
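The detect plugin described earlier tracks every task and correlates it with other resources so that recipes such as the ones in this table only have to express a relationship (here: "a shell below a web server"). The following added example, written in Go for this page and not Jibril's code, shows that division of labour: a `Tracker` that keeps the live process tree from a constructed stream of exec events, and an `Evaluate` step that runs two recipes over the shared state, `webserver_shell_exec` and `interpreter_shell_spawn` (the latter read here, as an assumption, as an interpreter such as python3 directly spawning a shell). The event format, the tool name lists and the sample process tree are all constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ExecEvent is a constructed stand-in for what the detect plugin learns on execve.
type ExecEvent struct {
	PID, PPID int
	Exe       string
}

// Task is the tracked state for one live process.
type Task struct {
	PID, PPID int
	Exe       string
}

// Tracker keeps the live process tree so recipes can correlate a task with its ancestors.
type Tracker struct{ tasks map[int]*Task }

func NewTracker() *Tracker { return &Tracker{tasks: map[int]*Task{}} }

func (t *Tracker) Track(e ExecEvent) { t.tasks[e.PID] = &Task{e.PID, e.PPID, e.Exe} }
func (t *Tracker) Exit(pid int)      { delete(t.tasks, pid) }

// Ancestors returns the parent chain of pid, nearest first. An unknown parent ends
// the walk (the tracker only knows what it saw, or what procfs seeded at startup),
// and the seen set guards against a stale PPID pointing back into the chain after PID reuse.
func (t *Tracker) Ancestors(pid int) []*Task {
	self := t.tasks[pid]
	if self == nil {
		return nil
	}
	seen := map[int]bool{pid: true}
	var out []*Task
	for cur := t.tasks[self.PPID]; cur != nil && !seen[cur.PID]; cur = t.tasks[cur.PPID] {
		seen[cur.PID] = true
		out = append(out, cur)
	}
	return out
}

// Detection is what a recipe emits; Name matches the event names in the table.
type Detection struct {
	Name  string
	PID   int
	Chain string // exe names from the task up to the root, for the analyst
}

// Constructed name lists; a real recipe would be more complete than this.
var (
	shells       = map[string]bool{"sh": true, "bash": true, "dash": true, "zsh": true}
	webservers   = map[string]bool{"nginx": true, "httpd": true, "apache2": true, "caddy": true}
	interpreters = map[string]bool{"python3": true, "python": true, "perl": true, "node": true, "ruby": true}
)

func chain(self ExecEvent, anc []*Task) string {
	names := []string{path.Base(self.Exe)}
	for _, a := range anc {
		names = append(names, path.Base(a.Exe))
	}
	return strings.Join(names, " <- ")
}

// Evaluate runs two recipes against one exec event using the shared tracker state:
// webserver_shell_exec fires for a shell anywhere below a web server daemon,
// interpreter_shell_spawn for a shell whose direct parent is an interpreter.
func Evaluate(t *Tracker, e ExecEvent) []Detection {
	if !shells[path.Base(e.Exe)] {
		return nil
	}
	anc := t.Ancestors(e.PID)
	var out []Detection
	for _, a := range anc {
		if webservers[path.Base(a.Exe)] {
			out = append(out, Detection{"webserver_shell_exec", e.PID, chain(e, anc)})
			break
		}
	}
	if len(anc) > 0 && interpreters[path.Base(anc[0].Exe)] {
		out = append(out, Detection{"interpreter_shell_spawn", e.PID, chain(e, anc)})
	}
	return out
}

// Replay feeds a constructed exec stream through the tracker and collects detections in order.
func Replay(events []ExecEvent) []Detection {
	t := NewTracker()
	var out []Detection
	for _, e := range events {
		t.Track(e) // track first so the new task's own parent link is visible to the recipes
		out = append(out, Evaluate(t, e)...)
	}
	return out
}

// SampleEvents is a constructed exec stream: init, an nginx master and worker,
// an admin shell, a shell spawned by the worker, and a python-spawned shell.
var SampleEvents = []ExecEvent{
	{1, 0, "/sbin/init"},
	{100, 1, "/usr/sbin/nginx"},
	{101, 100, "/usr/sbin/nginx"},
	{200, 1, "/usr/bin/bash"},
	{300, 101, "/bin/sh"},
	{301, 300, "/usr/bin/curl"},
	{400, 1, "/usr/bin/python3"},
	{401, 400, "/bin/sh"},
}

func main() {
	for _, d := range Replay(SampleEvents) {
		fmt.Printf("%-24s pid=%d chain=%s\n", d.Name, d.PID, d.Chain)
	}
}
```

The point of the walk-up in `Ancestors` is that the interesting parent is rarely the direct one: the shell at PID 300 is a grandchild of the nginx master, so a recipe that only compared parent and child would miss it, while the admin's bash at PID 200 produces nothing because nothing above it is a web server. The seen-set guard matters in practice because PIDs are reused and a tracker that misses an exit can otherwise loop forever on a stale parent pointer.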

Detect Remote Peers

| Event | Description |
|---|---|
| adult_domain_access | Detects access to adult content domains |
| algorithmic_domains | Detects access to domain names likely generated by algorithms |
| badware_domain_access | Detects access to known malware or suspicious domains |
| cloud_metadata_access | Detects access to cloud metadata services |
| dyndns_domain_access | Detects access to dynamic DNS services |
| fake_domain_access | Detects access to fake or spoofed domains |
| gambling_domain_access | Detects access to gambling-related domains |
| general_new_domains | Detects access to recently registered domains |
| phishing_domains | Detects access to domains related to phishing |
| piracy_domain_access | Detects access to piracy-related domains |
| plaintext_communication | Detects unencrypted network communications |
| threat_domain_access | Detects access to known threat domains |
| tracking_domain_access | Detects access to tracking and analytics domains |
| vpnlike_domain_access | Detects access to VPN-like service domains |
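Most rows in this table are list lookups against a domain category feed; `algorithmic_domains` is the one that has to judge a name it has never seen. The following is an added example of such a judgement, written in Go for this page and not Jibril's classifier (the page does not say how the project scores names): it extracts the label left of the TLD and counts independent signals of machine generation (entropy, digit share, vowel share, consonant runs), flagging only when at least two agree so that a long legitimate word with high entropy alone is not enough. The thresholds, the feature set and the test names are constructed for the example, and there is no public-suffix list, so a name like `foo.co.uk` would be judged on the label `co`.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// RegistrableLabel returns the label just left of the TLD ("example" for
// "mail.example.org."). Assumption: no public-suffix list, so "foo.co.uk" yields "co".
func RegistrableLabel(domain string) string {
	domain = strings.ToLower(strings.TrimSuffix(domain, "."))
	labels := strings.Split(domain, ".")
	if len(labels) < 2 {
		return labels[0]
	}
	return labels[len(labels)-2]
}

func isVowel(c byte) bool  { return strings.IndexByte("aeiou", c) >= 0 }
func isLetter(c byte) bool { return c >= 'a' && c <= 'z' }
func isDigit(c byte) bool  { return c >= '0' && c <= '9' }

// Entropy is the Shannon entropy of s in bits per character.
func Entropy(s string) float64 {
	counts := map[byte]int{}
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// Features are the per-label signals the score is built from.
type Features struct {
	Entropy       float64
	DigitRatio    float64
	VowelRatio    float64
	MaxConsonants int // longest run of consecutive consonants
}

func Extract(label string) Features {
	var f Features
	if label == "" {
		return f
	}
	digits, vowels, run := 0, 0, 0
	for i := 0; i < len(label); i++ {
		c := label[i]
		switch {
		case isDigit(c):
			digits++
			run = 0
		case isVowel(c):
			vowels++
			run = 0
		case isLetter(c):
			run++
			if run > f.MaxConsonants {
				f.MaxConsonants = run
			}
		default: // hyphen or anything else breaks a run
			run = 0
		}
	}
	f.Entropy = Entropy(label)
	f.DigitRatio = float64(digits) / float64(len(label))
	f.VowelRatio = float64(vowels) / float64(len(label))
	return f
}

// Score counts independent signals. Thresholds are constructed for this example;
// one signal alone (e.g. the entropy of "stackoverflow") is not enough to flag.
func Score(domain string) int {
	label := RegistrableLabel(domain)
	if len(label) < 6 {
		return 0 // too short to judge; short labels trip every ratio
	}
	f := Extract(label)
	s := 0
	if f.Entropy >= 3.5 {
		s++
	}
	if f.DigitRatio >= 0.25 {
		s++
	}
	if f.VowelRatio < 0.2 {
		s++
	}
	if f.MaxConsonants >= 5 {
		s++
	}
	return s
}

// LooksAlgorithmic is the recipe's yes/no answer.
func LooksAlgorithmic(domain string) bool { return Score(domain) >= 2 }

func main() {
	// Constructed sample resolutions: three ordinary names, two DGA-looking ones.
	for _, d := range []string{"google.com", "stackoverflow.com", "mail.example.org", "qxvbtkrmzwdp.net", "a8f3k9d2x7.com"} {
		fmt.Printf("%-20s score=%d algorithmic=%v\n", d, Score(d), LooksAlgorithmic(d))
	}
}
```

Treat the output as a prior, not a verdict: names like CDN hostnames and hashed bucket names legitimately look random, which is why a recipe of this kind is usually combined with the list-based rows (threat, badware, newly registered) before it blocks anything rather than alerting.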
