a BPF-based Linux syscall monitor
bedr

an experimental, BPF-powered Linux EDR. Ships syscall info into a TCP socket for central collection and data crunching.

To keep working on machines where the future, read-only kernel_lockdown mode is enabled, kprobes are off-limits for any feature that hopes for wide adoption.

syscall coverage

based on: /arch/x86/entry/syscalls/syscall_64.tbl

| syscall  | status |
|----------|--------|
| open     | ✔️     |
| openat   | ✔️     |
| execve   | ✔️     |
| execveat |        |
| connect  | ✔️     |
| sendmsg  |        |
| bind     | ✔️     |

Usage

Requirements

  • For building, Go 1.11+ because of go modules
  • Linux kernel 4.7+ for kernel tracepoint support
  • kernel lockdown mode disabled
  • bcc (Debian) or bcc-devel (Fedora) for JIT filter compilation.
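As an added readiness check that is not part of bedr, the POSIX shell script below tests the requirements above before you start the agent. It assumes the kernel version is in /proc/sys/kernel/osrelease, that lockdown state (on kernels that have it) is exposed at /sys/kernel/security/lockdown, that tracefs is mounted at one of its two usual paths, and that bcc headers live under /usr/include/bcc.

```shell
#!/bin/sh
# Added preflight check for bedr's requirements (not part of the project). Assumed paths:
# /proc/sys/kernel/osrelease, /sys/kernel/security/lockdown (kernels that support lockdown),
# tracefs under /sys/kernel/tracing or /sys/kernel/debug/tracing, bcc headers in /usr/include/bcc.

# kernel_at_least VERSION MAJOR MINOR: succeeds when a "5.15.0-generic"-style VERSION >= MAJOR.MINOR
kernel_at_least() {
    ver=${1%%-*}; maj=${ver%%.*}; rest=${ver#*.}; min=${rest%%.*}
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# lockdown_mode CONTENTS: prints the bracketed mode from "[none] integrity confidentiality";
# empty or unparsable input means the kernel has no lockdown support, i.e. it is off
lockdown_mode() {
    for word in $1; do
        case $word in
            \[*\]) mode=${word#\[}; printf '%s\n' "${mode%\]}"; return 0 ;;
        esac
    done
    printf 'none\n'
}

# tracepoint_dir: prints the mounted tracefs events directory, fails if none is mounted
tracepoint_dir() {
    for d in /sys/kernel/tracing/events /sys/kernel/debug/tracing/events; do
        [ -d "$d" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

preflight() {
    rc=0
    kver=$(cat /proc/sys/kernel/osrelease)
    kernel_at_least "$kver" 4 7 && echo "ok   kernel $kver" || { echo "FAIL kernel $kver < 4.7"; rc=1; }
    mode=none
    [ -r /sys/kernel/security/lockdown ] && mode=$(lockdown_mode "$(cat /sys/kernel/security/lockdown)")
    [ "$mode" = none ] && echo "ok   lockdown off" || { echo "FAIL lockdown mode '$mode'"; rc=1; }
    ev=$(tracepoint_dir) || { echo "FAIL tracefs not mounted (root needed?)"; rc=1; }
    for sc in open openat execve connect bind; do   # the syscalls bedr covers today
        [ -n "$ev" ] && [ -d "$ev/syscalls/sys_enter_$sc" ] \
            && echo "ok   tracepoint syscalls:sys_enter_$sc" || { echo "FAIL no tracepoint for $sc"; rc=1; }
    done
    command -v go >/dev/null && echo "ok   $(go version)" || { echo "FAIL go not found"; rc=1; }
    [ -d /usr/include/bcc ] && echo "ok   bcc headers" || { echo "FAIL bcc / bcc-devel missing"; rc=1; }
    return $rc
}

preflight || echo "not ready for bedr/agent yet"
```

Run it as root so the tracefs checks can see the event directories; any FAIL line maps directly to one of the requirements above.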

Starting the thing

bedr/agent $ sudo -E go run main.go

Since it is not a real service yet, stop it with Ctrl+C or pkill.

About the license

This repo is covered under GNU AGPLv3 so it's harder for bad-natured folk to make security vendor money directly off anything inside of this repository.

Feel free to ask me about licensing it separately.
