penguinpowernz/aegis

AEGIS

Aegis is in the 'snitch' space, somewhere between a firewall and mandatory access control. It helps you identify suspicious network traffic. It can enforce policy or just log and notify you via hook scripts.

How do you know whether a process on your machine has been compromised and is trying to reach a C&C server? Aegis monitors network traffic at the kernel level for new connections and can take action against the process that opened the connection. Maybe you want to be pinged on Slack when nginx tries to connect to a MySQL server, or take the paranoid route and kill that process. It works best on servers with static configurations and a predictable connection map, which makes suspicious activity easier to spot. It lends itself well to being deployed by Ansible.

Work in progress, with debian package coming soon.

Getting Started

  1. Install bpftrace
  2. Copy config.toml.example to /etc/aegis.toml and customize.
  3. Place process-specific configs in /etc/aegis.d and scripts in /etc/aegis/scripts.
  4. Run the monitor with ./aegis -c /etc/aegis.toml.

Configuration File

The main config file looks like this:

[global]

# Directories for process-specific and script drop-ins
include_dirs = ["/etc/aegis.d"]
script_dirs = ["/etc/aegis/scripts"]

# Duration (in seconds) to cache app:ip:port events (how spammy do we want to be)
detent = 86400

# Default actions to take when a process opens a port that it is not configured for (log, block, notify, allow, kill)
default_actions = ["log", "notify"]

# Default actions for a process that we do not have a configuration for
unconfigured_actions = ["log"]

[whitelist]
# IPs to ignore (e.g., internal network IPs)
ips = ["192.168.0.0/16", "10.0.0.0/8"]

# Ports to ignore (e.g., standard HTTP/HTTPS)
ports = ["80", "443"]

# Programs to ignore (e.g., system-critical processes)
programs = [
#  "systemd"
]

Script hooks

You can create your own scripts in /etc/aegis/scripts and they will be run for any events that match your configuration. Each script receives the following environment variables:

Variable        Description
AEGIS_PID       The PID of the process that triggered the event
AEGIS_EXE       The executable of the process that triggered the event
AEGIS_CMDLINE   The command line of the process that triggered the event
AEGIS_DST       The destination IP of the event
AEGIS_DPT       The destination port of the event
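The hook script below is an added example, not a script shipped with Aegis. It turns the variables above into one JSON line, appends it to a log file and, when a Slack incoming-webhook URL is present, posts a short message to Slack (the `{"text": ...}` payload is what Slack incoming webhooks accept). The AEGIS_LOG and AEGIS_SLACK_WEBHOOK variables and the default log path are this example's own assumptions; the AEGIS_* event variables are the ones documented above.

```shell
#!/bin/sh
# notify.sh: example hook run by aegis for each matching event.
# Builds one JSON line from the AEGIS_* environment, appends it to a log
# and, if AEGIS_SLACK_WEBHOOK is set, posts a one-line summary to Slack.
# AEGIS_LOG, AEGIS_SLACK_WEBHOOK and the default log path are assumptions
# of this example, not aegis settings.

# Escape backslashes and double quotes so a hostile cmdline cannot break
# the JSON we emit (cmdline is attacker-controlled for a compromised process).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# True if $1 is a non-empty string of digits.
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# One JSON object per event. Fails (returns 1) rather than emitting
# invalid JSON when the numeric fields are missing or malformed.
aegis_event_json() {
  is_uint "${AEGIS_PID:-}" && is_uint "${AEGIS_DPT:-}" || return 1
  printf '{"pid":%s,"exe":"%s","cmdline":"%s","dst":"%s","dport":%s}\n' \
    "$AEGIS_PID" \
    "$(json_escape "${AEGIS_EXE:-}")" \
    "$(json_escape "${AEGIS_CMDLINE:-}")" \
    "$(json_escape "${AEGIS_DST:-}")" \
    "$AEGIS_DPT"
}

# Short human-readable line for the chat notification.
aegis_event_text() {
  printf 'aegis: %s (pid %s) -> %s:%s' \
    "${AEGIS_EXE:-?}" "${AEGIS_PID:-?}" "${AEGIS_DST:-?}" "${AEGIS_DPT:-?}"
}

# Log the event, then notify Slack if a webhook URL was configured.
aegis_notify() {
  log="${AEGIS_LOG:-/var/log/aegis-events.log}"   # assumed default path
  event="$(aegis_event_json)" || {
    echo "aegis notify: missing or malformed AEGIS_PID/AEGIS_DPT" >&2
    return 1
  }
  printf '%s\n' "$event" >> "$log"
  if [ -n "${AEGIS_SLACK_WEBHOOK:-}" ]; then
    curl -fsS -X POST -H 'Content-type: application/json' \
      --data "{\"text\":\"$(json_escape "$(aegis_event_text)")\"}" \
      "$AEGIS_SLACK_WEBHOOK" >/dev/null
  fi
}

# Only act when invoked by aegis, i.e. when the hook environment is present.
if [ -n "${AEGIS_PID:-}" ]; then
  aegis_notify
fi
```

Keep hook scripts non-interactive and fast: the kill action is taken by Aegis itself, so a notify hook should do nothing more than record and forward the event, and it must treat AEGIS_CMDLINE as untrusted input.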

Drop-in dir

You can add more configurations in /etc/aegis.d for per-process configuration:

# myapp.toml
[[app]]
exe = "telegraf"                         # watch the program based on the basename of the exe
# path = "/usr/bin/telegraf"             # watch the program based on the full path
# cmdline = "/usr/bin/mytelegrafwrapper" # watch the program based on the cmdline

# ignore = true                          # do not watch this process
# remotes = ["bob.com:8086"]             # only allow these host:port destinations going out
# locals = ["8086"]                      # only allow these ports when the destination is localhost
ports = ["8086"]                         # only allow these ports, remote or local
# local = false                          # don't allow any local connections
# remote = false                         # don't allow any remote connections
actions = ["log"]
#...

A later file can override the rule for the same process:

# zz-telegraf.toml: overrides the default telegraf rule above
[[app]]
exe = "telegraf"
remotes = [
  "8086",
]

# kill the process if it opens a port other than 8086 to a remote address
actions = ["kill"]

You could also configure everything for a server in one file, overriding any existing rules for the same processes; the zz- prefix is there so the file sorts after the rules it overrides.

# zz-myserver.toml
[[app]]
exe = "telegraf"
#...

[[app]]
exe = "wazuh-agentd"
#...
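What the exe, path and cmdline selectors are compared against, and why path is the stronger of the two binary selectors, shown by an added shell example that is not part of Aegis. It reads /proc the way any host-side monitor can; the function names are this example's own, and it assumes (the page does not say) that Aegis derives AEGIS_EXE and AEGIS_CMDLINE from the same /proc entries.

```shell
#!/bin/sh
# proc_identity.sh: example helpers (not part of aegis) showing what the
# exe / path / cmdline selectors in a drop-in file are matched against.

# Full path of the running binary. The kernel appends " (deleted)" when the
# file was unlinked after exec, a common trick with dropped malware.
proc_path() { readlink "/proc/$1/exe"; }

# Basename of that path: what an  exe = "telegraf"  selector sees.
proc_exe() { basename "$(proc_path "$1")"; }

# Command line with the NUL separators turned into spaces.
proc_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ $//'; }

# True if the process is running from a binary that no longer exists on disk.
proc_deleted() {
  case "$(proc_path "$1")" in
    *' (deleted)') return 0 ;;
    *) return 1 ;;
  esac
}

# Basename match: weak, because any file named "telegraf" anywhere on the
# filesystem satisfies it, including one an intruder copies into /tmp.
match_exe() { [ "$(proc_exe "$1")" = "$2" ]; }

# Full-path match: only the expected binary, still present and executable,
# passes; a deleted or relocated copy fails the string comparison.
match_path() {
  p="$(proc_path "$1")" || return 1
  [ "$p" = "$2" ] && [ -x "$p" ]
}
```

To see the difference, copy /bin/sh to /tmp/telegraf, start it, and compare: match_exe accepts it under the basename "telegraf" while match_path with "/usr/bin/telegraf" rejects it. For a server with a static inventory, prefer the path selector and keep exe for software whose install location varies.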

Use Cases

1. Network Intrusion Detection

Get notified when some process you've never heard of opens (or tries to open) a connection to a mining pool, a sign that a crypto miner has been planted on your system.

2. Compliance Enforcement

Ensure applications like telegraf only use allowed ports (e.g., 8086) and aren't being used to exfiltrate data. Block or log attempts to access unauthorized ports.

3. Automated Incident Response

Trigger scripts to isolate a compromised system when a process (e.g., sshd) attempts to connect out to a strange port, which points to a tampered binary, reducing manual intervention.

FAQ

What is BPFtrace?

bpftrace is a high-level tracing language and tool for Linux built on eBPF. It attaches small programs to kernel probes and tracepoints (for example the kernel's TCP connect path) and reports the events with the pid and task name attached, which is what makes per-process network monitoring possible.
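As an added example (not Aegis's own probe), the shell script below wraps a bpftrace program written in the style of bpftrace's bundled tcpconnect.bt. It reports every new outbound IPv4 TCP connection with the pid, task name, destination IP and port, so you can see the raw kernel-level events a tool like Aegis keys on. Running it needs root and kernel headers or BTF; the script name and the "run" argument are this example's conventions.

```shell
#!/bin/sh
# tcpconnect.sh: example wrapper (not part of aegis) around a bpftrace program
# that prints each new outbound IPv4 TCP connection as the kernel sees it.
# Usage: sudo ./tcpconnect.sh run

# Emit the bpftrace program. kprobe:tcp_connect fires once per outbound TCP
# connection attempt, before any packet leaves the host.
tcp_connect_probe() {
  cat <<'EOF'
#include <linux/socket.h>
#include <net/sock.h>

BEGIN
{
  printf("%-6s %-16s %-16s %s\n", "PID", "COMM", "DADDR", "DPORT");
}

kprobe:tcp_connect
{
  $sk = (struct sock *)arg0;
  if ($sk->__sk_common.skc_family == AF_INET) {
    $daddr = ntop($sk->__sk_common.skc_daddr);
    // skc_dport is stored in network byte order, so swap the bytes
    $dport = $sk->__sk_common.skc_dport;
    $dport = ($dport >> 8) | (($dport << 8) & 0x00FF00);
    // comm is the 16-byte task name, not the executable path: a monitor
    // must resolve /proc/<pid>/exe in user space for the real binary
    printf("%-6d %-16s %-16s %d\n", pid, comm, $daddr, $dport);
  }
}
EOF
}

# Only start tracing when explicitly asked, so sourcing this file is harmless.
if [ "${1:-}" = "run" ]; then
  tcp_connect_probe | bpftrace -e "$(cat)"
fi
```

Two things this makes visible: the probe sees the connection attempt even if a firewall later drops it (useful for the FAQ point about iptables below), and comm is only the task name, which is why a monitor that reports executables has to go back to /proc for the path.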

Why shouldn't I just use iptables or nftables?

You should! They are excellent for blocking access, and they can log port access attempts, but they cannot tell you which process tried to connect to a random IP address on port 6666: the owner match identifies a uid or gid, not the process or its command line.

Why shouldn't I just use AppArmor or SELinux?

You should! They are great for confining the resources a process can access. SELinux can at least label ports and restrict which port types a domain may connect to, and classic AppArmor network rules only mediate address family and socket type, but neither hands you a per-connection event with the process, destination IP and port that you can hook a script to.

Why shouldn't I just use OpenSnitch or TinySnitch?

You can, but they are aimed at desktop/workstation use, where connections are dynamic and a user is present to approve or deny them. Aegis is for servers with unchanging configurations and a pretty static connection map. This makes potential IoCs easier to spot since there is much less noise.

Why not monitor incoming connections?

It's a lot easier to just block unauthorized incoming connections with a firewall.

About

Identify suspicious network traffic and take actions via hook scripts.
