Reactions

Automated response system for security detection events.

Overview

Reactions transform Jibril from passive monitoring into active defense. When a security event is detected, reactions automatically execute custom code to respond, remediate, or gather intelligence.

Capabilities:

  • Block malicious network traffic in real-time
  • Terminate suspicious processes before harm
  • Collect forensic evidence automatically
  • Isolate compromised systems from network
  • Trigger emergency procedures during critical incidents

How It Works

  1. Security Threat Detected - An event matches a detection recipe
  2. Event Detection - The event is reported through all configured printers
  3. Reaction Trigger - The reactions associated with the recipe are triggered in parallel
  4. Context Injection - The complete event context is made available to each reaction
  5. Code Execution - Each reaction executes in an isolated environment
  6. Response Actions - The reaction blocks IPs, kills processes, logs data, and so on

Supported Formats

JavaScript

  • Runtime: Google V8 engine with isolated contexts
  • Performance: Fast compilation and execution
  • Features: Rich built-in helper functions
  • Isolation: Secure execution environment
  • Data Access: Full event data through JSON objects

Shell Scripts

  • Runtime: Standard /bin/sh execution
  • Flexibility: Full system access
  • Environment: Event data via REACTION_DATA variable
  • Security: Restricted permissions in temporary directories

Key Capabilities

Logging

```javascript
Info("Detected suspicious file access");   // informational
Warn("High risk network connection");      // warning
Error("Critical security violation");      // error
```

Network Policy

```javascript
NetBlockIp("192.168.1.100");          // block a single address
NetBlockDomain("malicious-site.com"); // block a domain
NetBlockIp();                         // no argument: block all addresses from the event context
```

Process Management

```javascript
KillCurrent();      // terminate the offending process
KillParent();       // stop its parent process
KillProcess(1234);  // kill a specific PID
```

File Operations

```javascript
let config = ReadFile("/etc/app/config.json");        // read a file into a string
WriteFile("/var/log/security/incident.log", data);    // write the event data out
let fileInfo = Stat("/suspicious/file");              // file metadata
```

Data Storage

```javascript
DataSet("incident_count", "5");            // store a value under a key (values are strings)
DataPush("blocked_ips", "192.168.1.100");  // append a value to a keyed list
let count = DataGet("incident_count");     // read a value back
```

Emergency Actions

```javascript
PowerOff();  // system shutdown
Panic();     // kernel panic
```

Event Context

Every reaction receives comprehensive event context:

Global Variables:

  • kind - Detection event type
  • name - Detection recipe name
  • uuid - Unique event identifier
  • data - Complete event details (JSON)

Event Data Structure:

```json
{
  "uuid": "event-unique-identifier",
  "timestamp": "2025-07-23T10:30:00Z",
  "metadata": {
    "kind": "file_access",
    "name": "suspicious_file_access",
    "importance": "high",
    "tactic": "credential_access",
    "technique": "credentials_from_files"
  },
  "base": {
    "background": {
      "ancestry": [...],
      "flows": {...}
    }
  },
  "file": {
    "file": "/etc/passwd",
    "actions": ["read", "write"],
    "basename": "passwd"
  }
}
```

Integration with Recipes

Reactions are defined within detection recipes (Alchemies):

```yaml
- kind: malicious_file_access
  name: detect_passwd_tampering
  # ... detection criteria ...
  reactions:
    - format: js
      code: |
        function process(data) {
          Info("Password file accessed by: " + data.process.cmd);

          let result = KillCurrent();
          if (result === 0) {
            Info("Malicious process terminated");
          }

          DataSet("last_passwd_access", new Date().toISOString());
        }
```
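A complete reaction built from the helpers and event fields shown on this page (Event Context, Data Storage, and the recipe above), together with a small recording harness so the decision logic can be run under Node.js before it is placed in a recipe. This is an added example, not Jibril's own code and not taken from the Jibril project. The harness functions stand in for the runtime-provided Info, Warn, NetBlockIp, KillCurrent, DataGet, DataSet and DataPush helpers and only record what the reaction asked for; the assumed return values (KillCurrent returning 0 on success, as in the recipe above; DataGet returning null for an unset key; DataPush appending to a list) are marked in the comments, and the sample events are constructed to follow the structure shown under Event Context. The reaction is named processEvent here only so it does not shadow Node's global process object; in a recipe it is declared as process(data), as the YAML shows.

```javascript
// Added example, not Jibril's own code.
// ASSUMPTIONS: helper names and the event fields used (uuid, metadata.name,
// metadata.importance, file.file, file.actions, process.cmd) are those shown
// on this page.  KillCurrent() returning 0 on success follows the recipe
// example; DataGet() returning null for an unset key and DataPush() appending
// to a list are assumed.

// ---- local stand-ins for the runtime-provided helpers -------------------
// Inside Jibril these are injected into the V8 context.  Here they record
// each requested action so the reaction's decisions can be checked offline.
const calls = [];          // [action, ...args] in the order they were requested
const store = new Map();   // stand-in for the Data* key/value store

function Info(msg) { calls.push(["info", msg]); }
function Warn(msg) { calls.push(["warn", msg]); }
function NetBlockIp(ip) { calls.push(["block_ip", ip]); return 0; }
function KillCurrent() { calls.push(["kill_current"]); return 0; }
function DataGet(key) { return store.has(key) ? store.get(key) : null; }   // assumed: null when unset
function DataSet(key, value) { store.set(key, String(value)); }            // values are strings
function DataPush(key, value) {                                            // assumed: list append
  const list = store.has(key) ? store.get(key) : [];
  list.push(String(value));
  store.set(key, list);
}

// ---- the reaction itself ------------------------------------------------
const SENSITIVE_FILES = ["/etc/passwd", "/etc/shadow", "/etc/sudoers"];
const READ_ESCALATION_THRESHOLD = 3;  // sensitive-file events before reads alone trigger a kill

// In a recipe this is declared as process(data); renamed here only so it does
// not shadow Node's global `process`.
function processEvent(data) {
  const file = data.file ? data.file.file : undefined;
  const actions = (data.file && data.file.actions) || [];
  const cmd = (data.process && data.process.cmd) || "<unknown>";
  const recipe = data.metadata.name;

  Info(`${recipe} ${data.uuid}: ${cmd} ${actions.join(",")} ${file}`);

  if (!SENSITIVE_FILES.includes(file)) {
    return "ignored";
  }

  // The Data* store holds strings, so the counter is parsed on every read.
  const seen = parseInt(DataGet("sensitive_access_count") || "0", 10) + 1;
  DataSet("sensitive_access_count", seen);
  DataPush("sensitive_access_uuids", data.uuid);

  const isWrite = actions.includes("write");
  const repeated = seen >= READ_ESCALATION_THRESHOLD;

  if (!isWrite && !repeated) {
    // A single read of /etc/passwd is routine (login, ls -l): record it only.
    return "logged";
  }

  Warn(`${recipe}: ${isWrite ? "write to" : "repeated reads of"} ${file} by ${cmd}`);

  if (KillCurrent() === 0) {
    Info("offending process terminated");
  }
  if (data.metadata.importance === "high") {
    // Documented no-argument form: block every address found in the event context.
    NetBlockIp();
  }
  DataSet("last_sensitive_kill", new Date().toISOString());
  return "killed";
}

// ---- constructed sample events (shape follows the Event Context section) --
let eventSeq = 0;
function makeEvent(file, actions, cmd, importance) {
  eventSeq += 1;
  return {
    uuid: `constructed-event-${eventSeq}`,
    timestamp: new Date().toISOString(),
    metadata: {
      kind: "file_access",
      name: "suspicious_file_access",
      importance,
      tactic: "credential_access",
      technique: "credentials_from_files",
    },
    process: { cmd },
    file: { file, actions, basename: file.split("/").pop() },
  };
}

// Run a short sequence: three reads of /etc/passwd escalate to a kill on the
// third, and a write to /etc/shadow from a high-importance event is killed
// and has the event's addresses blocked.
processEvent(makeEvent("/tmp/notes", ["read"], "cat /tmp/notes", "low"));
processEvent(makeEvent("/etc/passwd", ["read"], "ls -l /etc/passwd", "low"));
processEvent(makeEvent("/etc/passwd", ["read"], "getent passwd", "low"));
processEvent(makeEvent("/etc/passwd", ["read"], "cat /etc/passwd", "low"));
processEvent(makeEvent("/etc/shadow", ["read", "write"], "vi /etc/shadow", "high"));
```

To deploy, keep only the constants and the reaction function (renamed to process) under the recipe's code: | key; the harness, makeEvent and the trailing run exist solely for offline testing. Because DataSet stores strings, any counter kept across events must be parsed back with parseInt as shown, otherwise the comparison against the threshold silently fails.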