Appearance
Examples
Real-world reaction patterns with production-ready code.
Crypto Miner Detection
Detect and terminate cryptocurrency miners:
yaml
- kind: crypto_miner_reaction
name: crypto_miner_terminate_and_block
enabled: true
version: 1.0
description: Detect and respond to cryptocurrency miner execution
breed: file_access
mechanism: execution
tactic: impact
technique: resource_hijacking
importance: critical
file_actions:
- execve
file_actions_how: any
bases:
- base: xmrig
- base: ethminer
- base: cgminer
reactions:
- format: js
code: |
function process(data) {
Info("CRYPTOCURRENCY MINER DETECTED");
Info("Miner: " + data.file.basename);
Info("Process: " + data.process.cmd);
let killResult = KillCurrent();
if (killResult === 0) {
Info("Miner terminated successfully");
let count = parseInt(DataGet("miners_terminated") || "0") + 1;
DataSet("miners_terminated", String(count));
Warn("Total miners terminated: " + count);
}
NetBlockIp();
}Sudoers File Modification
Detect privilege escalation attempts:
yaml
- kind: sudoers_reaction
name: sudoers_modification_response
enabled: true
version: 1.0
description: Respond to sudoers file modifications
breed: file_access
mechanism: file_access
tactic: privilege_escalation
technique: abuse_elevation_control_mechanism
importance: critical
file_actions:
- modify_related
file_actions_how: any
bases:
- dir: /etc
base: sudoers
- regex: /etc/sudoers\.d/.*
arbitrary:
- how: AND
which: pertinent
items:
- what: exe
which: irrelevant
pattern: (apk|apt|dnf|dpkg|yum)
reactions:
- format: js
code: |
function process(data) {
Error("SUDOERS MODIFICATION DETECTED");
Info("File: " + data.file.file);
Info("Process: " + data.process.cmd);
Info("User ID: " + data.process.uid);
let forensicDir = CreateTempDir("sudoers-incident-*");
if (forensicDir !== "") {
let evidence = {
timestamp: new Date().toISOString(),
file: data.file.file,
process: data.process.cmd,
uid: data.process.uid,
ancestry: data.base.background.ancestry
};
WriteFile(forensicDir + "/evidence.json", JSON.stringify(evidence, null, 2));
Info("Evidence saved: " + forensicDir);
}
let incidents = parseInt(DataGet("sudoers_incidents") || "0") + 1;
DataSet("sudoers_incidents", String(incidents));
Error("CRITICAL: Sudoers modification #" + incidents);
}Suspicious Network Tool
Detect network tools with IP arguments:
yaml
- kind: net_tool_reaction
name: suspicious_network_tool_response
enabled: true
version: 1.0
description: Detect network tools with IP arguments
breed: file_access
mechanism: execution
tactic: discovery
technique: network_service_discovery
importance: high
arbitrary:
- how: OR
which: irrelevant
items:
- what: args
which: pertinent
pattern: (\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}
file_actions:
- execve
file_actions_how: any
bases:
- base: nc
- base: curl
- base: wget
- base: ssh
reactions:
- format: js
code: |
function process(data) {
Warn("SUSPICIOUS NETWORK TOOL WITH IP");
Info("Tool: " + data.file.basename);
Info("Command: " + data.process.cmd);
let ipRegex = /(\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}/g;
let command = data.process.cmd || "";
let ips = command.match(ipRegex) || [];
if (ips.length > 0) {
Info("IPs found: " + ips.join(", "));
for (let ip of ips) {
let blockResult = NetBlockIp(ip);
if (blockResult === 0) {
Info("Blocked IP: " + ip);
}
}
DataPush("blocked_ips", ips.join(","));
}
NetBlockIp();
}Multi-Stage Incident Response
Comprehensive incident response workflow:
yaml
- kind: incident_response
name: comprehensive_security_response
enabled: true
version: 1.0
description: Multi-stage incident response
breed: file_access
mechanism: execution
tactic: execution
technique: T1204
importance: critical
arbitrary:
- how: OR
which: irrelevant
items:
- what: task_or_parent_args
which: pertinent
pattern: (--cpu-priority|--cryptonight|--donate-level|--randomx|stratum|nicehash)
file_actions:
- execve
file_actions_how: any
bases:
- regex: .*
reactions:
- format: js
code: |
function process(data) {
let incidentId = "INC-" + new Date().getTime();
Error("CRITICAL INCIDENT DETECTED");
Info("Incident ID: " + incidentId);
Info("Process: " + data.process.cmd);
// Phase 1: Containment
let killResult = KillCurrent();
let networkResult = NetBlockIp();
let actions = [];
if (killResult === 0) actions.push("process_terminated");
if (networkResult === 0) actions.push("network_blocked");
// Phase 2: Evidence Collection
let forensicDir = CreateTempDir("incident-" + incidentId + "-*");
if (forensicDir !== "") {
let evidence = {
incident_id: incidentId,
timestamp: new Date().toISOString(),
process: data.process,
file: data.file,
ancestry: data.base.background.ancestry,
flows: data.base.background.flows,
actions_taken: actions
};
WriteFile(forensicDir + "/evidence.json", JSON.stringify(evidence, null, 2));
Info("Evidence: " + forensicDir);
}
// Phase 3: Tracking
let incidentRecord = {
id: incidentId,
timestamp: new Date().toISOString(),
severity: "critical",
status: "contained",
actions: actions,
evidence: forensicDir
};
DataSet("incident_" + incidentId, JSON.stringify(incidentRecord));
let total = parseInt(DataGet("total_incidents") || "0") + 1;
DataSet("total_incidents", String(total));
Error("Incident " + incidentId + " contained. Total: " + total);
}Testing Template
Safe testing pattern:
yaml
- kind: test_reaction
name: my_reaction_test
enabled: false
version: 1.0
description: Test reaction safely
breed: file_access
mechanism: file_access
importance: low
bases:
- dir: /tmp/test_reactions
base: test_trigger.txt
file_actions:
- unlink
reactions:
- format: js
code: |
function process(data) {
Info("=== REACTION TEST ===");
// Test logging
Info("Info logging works");
Warn("Warning logging works");
Error("Error logging works");
// Test data store
DataSet("test_key", "test_value");
let value = DataGet("test_key");
Info("Data store: " + (value === "test_value" ? "PASS" : "FAIL"));
DataDelete("test_key");
// Test file operations
let tmpDir = CreateTempDir("test-*");
if (tmpDir !== "") {
let testFile = tmpDir + "/test.txt";
let content = "Test at " + new Date().toISOString();
let writeResult = WriteFile(testFile, content);
let readContent = ReadFile(testFile);
Info("File I/O: " + (readContent === content ? "PASS" : "FAIL"));
}
Info("=== TEST COMPLETE ===");
}Shell Script Example
System backup on critical file access:
yaml
- kind: shell_backup_reaction
name: system_backup_on_critical_access
enabled: true
version: 1.0
description: Backup when critical files accessed
breed: file_access
mechanism: file_access
tactic: impact
technique: T1485
importance: critical
bases:
- dir: /etc
regex: (passwd|shadow|group|sudoers)$
file_actions:
- write
- modify_related
file_actions_how: any
reactions:
- format: shell
code: |
#!/bin/bash
if command -v jq >/dev/null 2>&1; then
FILE_PATH=$(echo "$REACTION_DATA" | jq -r '.file.file // "unknown"')
PROCESS_CMD=$(echo "$REACTION_DATA" | jq -r '.process.cmd // "unknown"')
else
FILE_PATH="unknown"
PROCESS_CMD="unknown"
fi
echo "CRITICAL FILE MODIFICATION: $FILE_PATH"
echo "Process: $PROCESS_CMD"
BACKUP_DIR="/var/backups/jibril/$(date +%Y%m%d_%H%M%S)"
mkdir -p "$BACKUP_DIR"
for file in /etc/passwd /etc/shadow /etc/group /etc/sudoers; do
[ -f "$file" ] && cp "$file" "$BACKUP_DIR/" 2>/dev/null
done
cat > "$BACKUP_DIR/incident_report.txt" << EOF
Timestamp: $(date -Iseconds)
Modified File: $FILE_PATH
Process: $PROCESS_CMD
EOF
echo "Backup completed: $BACKUP_DIR"
logger "Jibril: Emergency backup at $BACKUP_DIR"Key Takeaways
- Production Patterns - Use proven patterns for security automation
- Proper Syntax - Pay attention to
arbitrarywithwhich: pertinent|irrelevant - Error Handling - Always check return values and use
Errno() - Testing First - Start with
enabled: falsein safe environments - Data Persistence - Use data store for tracking across reactions
- Network Dependencies - Network functions require netpolicy feature