Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added eBPF networking plugins and events. #3887

Merged
merged 2 commits into from
Nov 10, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions artifacts/definitions/Linux/Events/DNS.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: Linux.Events.DNS
description: |
This artifact uses eBPF to track DNS requests from various processes.

NOTE: This event is generated from network traffic - it is unable to
view DoH traffic.

type: CLIENT_EVENT

precondition: |
SELECT OS From info() where OS = 'linux'

parameters:
- name: ExcludeDestIP
description: Only show events with a different DestIP
type: regex
default: "Change this to your default DNS Server IP"
- name: Records
description: Only show events matching these DNS records
type: regex
default: .
- name: ProcessNameFilter
description: Filter Events by Process Name
type: regex
default: .
- name: IncludeDNSDetails
type: bool
description: If set we include more details like HTTP Headers
- name: IncludeProcessInfo
type: bool
description: If set we include more process information.

sources:
- query: |
SELECT System.Timestamp AS Timestamp,
System.ProcessName AS ProcessName,
System.ProcessID AS Pid,
if(condition=IncludeProcessInfo,
then=process_tracker_get(id=System.ProcessID).Data) AS ProcessInfo,
EventData.src AS src_ip,
EventData.src_port AS src_port,
EventData.dst AS dest_ip,
EventData.dst_port AS dest_port,
EventData.proto_dns.questions.name AS name,
EventData.proto_dns.questions.type AS type,
EventData.proto_dns.answers.IP AS IP,
if(condition=IncludeDNSDetails,
then=EventData) AS _DNSData
FROM watch_ebpf(events="net_packet_dns")
WHERE NOT dest_ip =~ ExcludeDestIP
AND if(condition=Records, then=EventData.proto_dns =~ Records, else=TRUE)
AND ProcessName =~ ProcessNameFilter
1 change: 0 additions & 1 deletion artifacts/definitions/Linux/Events/EBPF.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@ parameters:
type: csv
default: |
Event,Desc,Enabled
accept4,A process accepted a connection from remote,Y
bpf_attach,A bpf program is attached,Y
chdir,Process changes directory,N
fchownat,File ownership is changed,Y
Expand Down
55 changes: 55 additions & 0 deletions artifacts/definitions/Linux/Events/HTTPConnections.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
name: Linux.Events.HTTPConnections
description: |
This artifact uses eBPF to track HTTP and parse connections from
various processes.

NOTE: This event is generated from network traffic - it is unable to
view TLS encrypted data.

If the process tracker is enabled we also show more information
about the process.

type: CLIENT_EVENT

precondition: |
SELECT OS From info() where OS = 'linux'

parameters:
- name: HostFilter
description: Filter Events by Host header
type: regex
default: .
- name: URLFilter
description: Filter Events by URL
type: regex
default: .
- name: ProcessNameFilter
description: Filter Events by Process Name
type: regex
default: .
- name: IncludeHeaders
type: bool
description: If set we include more details like HTTP Headers
- name: IncludeProcessInfo
type: bool
description: If set we include more process information.

sources:
- query: |
SELECT System.Timestamp AS Timestamp,
System.ProcessName AS ProcessName,
System.ProcessID AS Pid,
if(condition=IncludeProcessInfo,
then=process_tracker_get(id=System.ProcessID).Data) AS ProcessInfo,
EventData.metadata.src_ip AS src_ip,
EventData.metadata.src_port AS src_port,
EventData.metadata.dst_ip AS dest_ip,
EventData.metadata.dst_port AS dest_port,
EventData.http_request.host AS host,
EventData.http_request.uri_path AS uri_path,
if(condition=IncludeHeaders,
then=EventData.http_request) AS _HTTPRequest
FROM watch_ebpf(events="net_packet_http_request")
WHERE host =~ HostFilter
AND uri_path =~ URLFilter
AND ProcessName =~ ProcessNameFilter
2 changes: 1 addition & 1 deletion artifacts/definitions/Linux/Events/TrackProcesses.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Linux.Events.TrackProcesses
description: |
This artifact uses ebpfg and pslist to keep track of running
This artifact uses ebpf and pslist to keep track of running
processes using the Velociraptor process tracker.

The process tracker keeps track of exited processes, and resolves
Expand Down
8 changes: 4 additions & 4 deletions artifacts/definitions/Windows/NTFS/MFT.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ sources:
LastModified0x10, LastModified0x30,
LastRecordChange0x10, LastRecordChange0x30,
LastAccess0x10,LastAccess0x30,
HasADS, SI_Lt_FN, uSecZeros, Copied,
HasADS, SI_Lt_FN, USecZeros, Copied,
FileNames, FileNameTypes
FROM parse_mft_version(filename=MFTPath,
accessor=Accessor, prefix=Drive)
Expand All @@ -140,7 +140,7 @@ sources:
LastModified0x10, LastModified0x30,
LastRecordChange0x10, LastRecordChange0x30,
LastAccess0x10,LastAccess0x30,
HasADS, SI_Lt_FN, uSecZeros, Copied,
HasADS, SI_Lt_FN, USecZeros, Copied,
FileNames, FileNameTypes
FROM parse_mft_version(filename=MFTPath,
accessor=Accessor, prefix=Drive)
Expand All @@ -163,7 +163,7 @@ sources:
LastModified0x10, LastModified0x30,
LastRecordChange0x10, LastRecordChange0x30,
LastAccess0x10,LastAccess0x30,
HasADS, SI_Lt_FN, uSecZeros, Copied,
HasADS, SI_Lt_FN, USecZeros, Copied,
FileNames, FileNameTypes
FROM parse_mft_version(filename=MFTPath,
accessor=Accessor, prefix=Drive)
Expand All @@ -187,7 +187,7 @@ sources:
LastModified0x10, LastModified0x30,
LastRecordChange0x10, LastRecordChange0x30,
LastAccess0x10,LastAccess0x30,
HasADS, SI_Lt_FN, uSecZeros, Copied,
HasADS, SI_Lt_FN, USecZeros, Copied,
FileNames, FileNameTypes
FROM parse_mft_version(filename=MFTPath,
accessor=Accessor, prefix=Drive)
Expand Down
12 changes: 6 additions & 6 deletions artifacts/testdata/server/testcases/mft.out.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
"LastAccess0x30": "2022-03-18T04:15:18.5166156Z",
"HasADS": false,
"SI_Lt_FN": false,
"uSecZeros": false,
"USecZeros": false,
"Copied": true,
"FileNames": [
"just_a_file.txt"
Expand Down Expand Up @@ -52,7 +52,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
"LastAccess0x30": "2018-09-24T07:55:29.7664719Z",
"HasADS": true,
"SI_Lt_FN": false,
"uSecZeros": false,
"USecZeros": false,
"Copied": false,
"FileNames": [
"Hello world text document.txt"
Expand Down Expand Up @@ -82,7 +82,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
"LastAccess0x30": "2018-09-24T07:55:29.7664719Z",
"HasADS": true,
"SI_Lt_FN": false,
"uSecZeros": false,
"USecZeros": false,
"Copied": false,
"FileNames": [
"Hello world text document.txt:goodbye.txt"
Expand Down Expand Up @@ -113,7 +113,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
"LastAccess0x30": "2022-03-18T04:22:20.4341459Z",
"HasADS": false,
"SI_Lt_FN": false,
"uSecZeros": false,
"USecZeros": false,
"Copied": false,
"FileNames": [
"another_file.txt"
Expand Down Expand Up @@ -143,7 +143,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
"LastAccess0x30": "2022-03-18T04:15:18.5166156Z",
"HasADS": false,
"SI_Lt_FN": false,
"uSecZeros": false,
"USecZeros": false,
"Copied": true,
"FileNames": [
"just_a_file.txt"
Expand Down Expand Up @@ -174,7 +174,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
"LastAccess0x30": "2022-03-18T04:15:18.5166156Z",
"HasADS": false,
"SI_Lt_FN": false,
"uSecZeros": false,
"USecZeros": false,
"Copied": true,
"FileNames": [
"just_a_file.txt"
Expand Down
2 changes: 1 addition & 1 deletion artifacts/testdata/server/testcases/ntfs.out.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ LET NTFSInfoFromImage <= parse_ntfs( filename=srcDir+'/artifacts/testdata/files/
"IsDir": false,
"HasADS": true,
"SI_Lt_FN": false,
"uSecZeros": false,
"USecZeros": false,
"Copied": false,
"SIFlags": "2080 (ARCHIVE,COMPRESSED)",
"Created0x10": "2018-09-24T07:55:29.7664719Z",
Expand Down
4 changes: 2 additions & 2 deletions artifacts/testdata/server/testcases/remapping.out.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
"IsDir": false,
"HasADS": true,
"SI_Lt_FN": false,
"uSecZeros": false,
"USecZeros": false,
"Copied": false,
"SIFlags": "2080 (ARCHIVE,COMPRESSED)",
"Created0x10": "2018-09-24T07:55:29.7664719Z",
Expand Down Expand Up @@ -78,7 +78,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
"IsDir": false,
"HasADS": true,
"SI_Lt_FN": false,
"uSecZeros": false,
"USecZeros": false,
"Copied": false,
"SIFlags": "2080 (ARCHIVE,COMPRESSED)",
"Created0x10": "2018-09-24T07:55:29.7664719Z",
Expand Down
2 changes: 1 addition & 1 deletion docs/wix/velociraptor_amd64.xml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
<?define PackageDescription="Velociraptor Service Installer" ?>
<?define Manufacturer="Velocidex" ?>
<?define Name="Velociraptor" ?>
<?define Version="0.72.3" ?>
<?define Version="0.73.3" ?>
<?define BinaryName="Velociraptor.exe" ?>

<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
Expand Down
6 changes: 3 additions & 3 deletions docs/wix/velociraptor_x86.xml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
<?define PackageDescription="Velociraptor Service Installer" ?>
<?define Manufacturer="Velocidex" ?>
<?define Name="Velociraptor" ?>
<?define Version="0.72.3" ?>
<?define Version="0.73.3" ?>
<?define BinaryName="Velociraptor.exe" ?>

<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
Expand Down Expand Up @@ -39,7 +39,7 @@
<Component Id='Install' Guid='9f3cfed0-b89d-43d4-8fcf-242824e84fd8'>
<CreateFolder>
<Permission User="[WIX_ACCOUNT_USERS]" GenericRead="no" Read="no"
ChangePermission="yes"/>
ChangePermission="no"/>
<Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"
ChangePermission="yes"/>
<Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"
Expand All @@ -50,7 +50,7 @@
<Component Id="Tools" Guid="97dc953a-8a2f-494f-9585-56ae526d0b48">
<CreateFolder>
<Permission User="[WIX_ACCOUNT_USERS]" GenericRead="no" Read="no"
ChangePermission="yes"/>
ChangePermission="no"/>
<Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"
ChangePermission="yes"/>
<Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"
Expand Down
13 changes: 7 additions & 6 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ require (
golang.org/x/mod v0.21.0
golang.org/x/net v0.30.0
golang.org/x/sys v0.26.0
golang.org/x/text v0.19.0
golang.org/x/text v0.20.0
golang.org/x/time v0.5.0
google.golang.org/api v0.169.0
google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect
Expand All @@ -90,12 +90,12 @@ require (
howett.net/plist v1.0.0
www.velocidex.com/golang/evtx v0.2.1-0.20240730174545-3e4ff3d96433
www.velocidex.com/golang/go-ese v0.2.1-0.20240919031214-2aa005106db2
www.velocidex.com/golang/go-ntfs v0.2.1-0.20240818145200-04736de821dc
www.velocidex.com/golang/go-ntfs v0.2.1-0.20241110090212-80bdce4262fa
www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3
www.velocidex.com/golang/go-prefetch v0.0.0-20240910051453-2385582c1c22
www.velocidex.com/golang/oleparse v0.0.0-20230217092320-383a0121aafe
www.velocidex.com/golang/regparser v0.0.0-20240404115756-2169ac0e3c09
www.velocidex.com/golang/vfilter v0.0.0-20241009150353-76c3a28b1767
www.velocidex.com/golang/vfilter v0.0.0-20241110073117-207766c3922f
)

require (
Expand All @@ -115,7 +115,7 @@ require (
github.com/Velocidex/grok v0.0.1
github.com/Velocidex/ordereddict v0.0.0-20230909174157-2aa49cc5d11d
github.com/Velocidex/sigma-go v0.0.0-20241025122940-1b771d3d57a9
github.com/Velocidex/tracee_velociraptor v0.0.0-20241108032058-fada576fc41e
github.com/Velocidex/tracee_velociraptor v0.0.0-20241110080019-ef8be33cb3b1
github.com/VirusTotal/gyp v0.9.0
github.com/alecthomas/kingpin/v2 v2.4.0
github.com/alitto/pond v1.8.3
Expand Down Expand Up @@ -169,7 +169,6 @@ require (
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b // indirect
github.com/andybalholm/cascadia v1.3.2 // indirect
github.com/aquasecurity/tracee/types v0.0.0-20241031161530-c8032d24da01 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
Expand Down Expand Up @@ -202,6 +201,7 @@ require (
github.com/golang/gddo v0.0.0-20210115222349-20d68f94ee1f // indirect
github.com/golang/glog v1.2.2 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/gopacket v1.1.19 // indirect
github.com/google/s2a-go v0.1.7 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
github.com/googleapis/gax-go/v2 v2.12.2 // indirect
Expand All @@ -210,6 +210,7 @@ require (
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/golang-lru v1.0.2 // indirect
github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
github.com/hillu/go-yara/v4 v4.3.2 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
Expand Down Expand Up @@ -248,7 +249,7 @@ require (
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sync v0.9.0 // indirect
golang.org/x/term v0.25.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect
kernel.org/pub/linux/libs/security/libcap/cap v1.2.71 // indirect
Expand Down
Loading
Loading