English | 简体中文
- `git clone https://github.com/EBWi11/AgentSmith-HIDS.git`
- Install `kernel-devel` and `kernel-headers` with `yum`, `apt` or another package tool (the exact package names vary by distribution)
- Go to the directory `driver/LKM` and execute `make`; this produces the `smith.ko` file
- Execute `insmod smith.ko`
- Execute `lsmod | grep smith` to verify that the LKM was loaded successfully
- Publish the compiled LKM file (`smith.ko`) to your test server. Note that the kernel version of the test server must be the same as that of the server used for compiling
- Install `gcc` with `yum`, `apt` or another package tool
- Go to the directory `driver/test` and execute `gcc -o test shm_user.c`; this produces the `test` binary
- Execute `./test` to verify that the core (the kernel module) is working
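The build, load and verify steps above as one script, added here as an example and not part of the AgentSmith-HIDS project. It adds the check a practitioner wants before `insmod`: the kernel release recorded in the module's `vermagic` field (read with `modinfo -F vermagic`) must equal `uname -r` on the machine that loads it, which is the "kernel version must be consistent" caveat made mechanical. The repository path, the `smith` module name and the `driver/test/shm_user.c` client are taken from the steps above; everything else is this script's own assumption.

```sh
#!/bin/sh
# Added example, not project code: build, check and load the smith LKM,
# then build and run the user-space test client. Run as root from the
# directory that contains the cloned repository.
set -eu

# Extract the kernel release from a modinfo "vermagic" string. vermagic looks
# like "4.18.0-305.el8.x86_64 SMP mod_unload modversions"; the first field
# is the kernel release the module was compiled against.
vermagic_release() {
    printf '%s\n' "$1" | cut -d' ' -f1
}

# Return 0 when the module's vermagic release equals the target kernel
# release (what `uname -r` prints on the server that will load the module).
kernel_matches() {
    [ "$(vermagic_release "$1")" = "$2" ]
}

# Build driver/LKM, refuse to load a module built for a different kernel,
# then insmod and confirm the module shows up in lsmod.
build_and_load_lkm() {
    repo="${1:-AgentSmith-HIDS}"
    (cd "$repo/driver/LKM" && make)
    ko="$repo/driver/LKM/smith.ko"
    vm="$(modinfo -F vermagic "$ko")"
    running="$(uname -r)"
    if ! kernel_matches "$vm" "$running"; then
        echo "smith.ko was built for $(vermagic_release "$vm") but this kernel is $running" >&2
        return 1
    fi
    insmod "$ko"
    lsmod | grep -q '^smith ' || { echo "smith LKM not loaded" >&2; return 1; }
    echo "smith LKM loaded for kernel $running"
}

# Build the user-space test client from driver/test and run it against the
# loaded module to verify the core is working.
run_core_test() {
    repo="${1:-AgentSmith-HIDS}"
    (cd "$repo/driver/test" && gcc -o test shm_user.c && ./test)
}

# Usage, as root, after the git clone above:
#   build_and_load_lkm AgentSmith-HIDS && run_core_test AgentSmith-HIDS
```

If you compile on one host and publish `smith.ko` to others, run the same `kernel_matches` check on each target before `insmod`; a mismatch is rejected by the kernel anyway, but the explicit comparison gives a readable reason instead of a bare "Invalid module format".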
- Deploy Kafka in your test environment for receiving the information and create the topic manually, like this: `./kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic hids`
- (Optional) Deploy a heartbeat server in your test environment; please refer to `smith_console`
- Building the agent requires a Rust environment: https://www.rust-lang.org/tools/install
- Go to the directory `agent/src/conf` and modify the Kafka information and heartbeat configuration in the agent's configuration file `agent/src/conf/settings.rs`, then run `cargo build --release`; the agent binary is produced in `agent/target/release/` (you may need to install `openssl` and `openssl-devel` first)
- Install the agent: deploy the agent to your test environment and execute it directly

Note: Since the agent obtains the local IP through the command `hostname -i`, please ensure that the hostname and `/etc/hosts` are configured correctly during the test, so that the HIDS Console does not record a wrong address for the host.
- The custom detection module relies on the heartbeat detection module: you need to enable heartbeat detection to support the custom detection module;
- The custom detection module is triggered by the heartbeat server sending instructions to the agent, and the detection result is transmitted to the server through Kafka, so it is not real-time;
- Custom detection functions are added in the `detection_module.rs` file, and the `start` function of the `Detective` impl in that file needs the corresponding mapping (the relationship between the instruction issued by the server and the detection function to call);
- After adding a custom detection function, you need to add the logic for issuing the instruction in `heartbeat_server.py`. Note that multiple instructions must be separated by ";";
- Overall flow: the agent sends a heartbeat packet to the heartbeat server; the server returns the detection instruction; the agent executes the detection function indicated by the instruction through the mapping between instructions and detection functions; the detection result is transmitted to the server through Kafka.
- Before uninstalling AgentSmith-HIDS, you need to stop the user-mode agent process. The default log path of the agent is `/var/log/smith_hids.log`, and the default pid file is `/var/run/smith_hids.pid`. By default: `cat /var/run/smith_hids.pid | xargs kill -9`, then uninstall the LKM with `rmmod smith` (if the LKM was built with `EXIT_PROTECT` enabled, `rmmod` is refused; see the table below)
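The uninstall procedure above as a script, added here as an example and not part of the AgentSmith-HIDS project. It handles the two things the one-liner does not: a missing or stale pid file (the pid in it no longer belongs to a running process), and a graceful stop (SIGTERM, then SIGKILL only if the agent has not exited after a few seconds, so the agent has a chance to flush what it still holds for Kafka). The pid file path and the `smith` module name come from the text above; the timeout and messages are this script's own choices.

```sh
#!/bin/sh
# Added example, not project code: stop the user-mode agent, then unload
# the smith LKM. Run as root.
set -eu

PIDFILE="${PIDFILE:-/var/run/smith_hids.pid}"

# Print the pid stored in file $1 only if it names a live process.
# Returns 1 when the file is missing, empty, or holds a stale pid.
live_pid_from_file() {
    [ -r "$1" ] || return 1
    pid="$(tr -dc '0-9' < "$1")"
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# Wait up to $2 seconds for process $1 to exit; returns 1 on timeout.
wait_for_exit() {
    n=0
    while kill -0 "$1" 2>/dev/null; do
        if [ "$n" -ge "$2" ]; then return 1; fi
        sleep 1
        n=$((n + 1))
    done
}

# TERM first so the agent can shut down cleanly; KILL only as a fallback.
stop_agent() {
    pid="$(live_pid_from_file "$PIDFILE")" || {
        echo "agent not running (no live pid in $PIDFILE)"
        return 0
    }
    kill "$pid"
    wait_for_exit "$pid" 5 || kill -9 "$pid"
    rm -f "$PIDFILE"
}

# rmmod the LKM; explain the most likely cause when the kernel refuses.
unload_lkm() {
    lsmod | grep -q '^smith ' || { echo "smith LKM not loaded"; return 0; }
    if ! rmmod smith; then
        echo "rmmod smith failed: an LKM built with EXIT_PROTECT=1 refuses unloading; rebuild with EXIT_PROTECT=0 if you need a removable module" >&2
        return 1
    fi
}

# Usage, as root:
#   stop_agent && unload_lkm
```

Stopping the agent before `rmmod` matters because the agent is the consumer of the kernel module's shared memory; unloading underneath it leaves a user-space process polling a channel that no longer exists.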
Define | Description |
---|---|
EXECVE_HOOK | execve() hook switch: 1 = enable; default: 1 |
CONNECT_HOOK | connect() hook switch: 1 = enable; default: 1 |
BIND_HOOK | bind() hook switch: 1 = enable; default: 1 |
DNS_HOOK | DNS hook switch: 1 = enable; default: 1 |
PTRACE_HOOK | Process injection (ptrace) detection hook switch: 1 = enable; default: 1 |
CREATE_FILE_HOOK | File creation detection hook switch: 1 = enable; default: 1 |
LOAD_MODULE_HOOK | init_module() hook switch: 1 = enable; default: 1 |
EXIT_PROTECT | Protect the LKM itself from being unloaded with rmmod: 1 = enable; default: 0 |
ROOTKIT_CHECK | Periodically check for rootkit behavior, every 15 seconds by default: 1 = enable; default: 1 |
UPDATE_CRED_HOOK | Detect abnormal process cred changes in real time: 1 = enable; default: 1 |