Components¶
To obtain a list of the available features, including extensions, plugins, and printers, run the `jibril --features` command.
Extensions¶
Extension | Description |
---|---|
Example | Used as an example and for tests. |
Config | Provides context from userland to eBPF programs (log-level, run-mode, etc.). |
Data | Data storage and retrieval common logic; implements eBPF virtual maps and nested virtual maps; implements a trie data structure for efficient prefix matching. |
Jibril | The heart of the project; the main extension, with multiple plugins implementing various functionalities. |
Plugins¶
Example¶
Plugin | Description |
---|---|
HelloWorld | Simple demo purpose plugin. |
Config¶
Note: There are no plugins in the config extension.
Data¶
Note: There are no plugins in the data extension.
Jibril¶
Plugin | Description |
---|---|
Hold | Holds execution until Ctrl+C or SIGTERM is received; used for detection recipes that need continuous monitoring. Tests, for example, do not need to hold because they are short-lived. |
Procfs | Reads /proc files during startup to build context for already-running processes; populates the eBPF maps with this existing data before monitoring starts. |
Printers | Implements the different printers (data endpoints). The simplest printer is stdout, which prints to standard output; the datakeeper printer keeps printed events for near-future reference; the varlog printer logs output to /var/log/{loader,jibril}.log. |
Net | Captures network flows and correlates them with other resources; tracks every socket that ever lived in the system and the actions performed on it. |
NetPolicy | Enforces network policies based on CIDRs and domain names; drops traffic that does not comply with the predefined network policies. |
Detect | Tracks every task and file ever accessed and the actions performed on them; correlates tasks and files with other resources; provides the common ground for detection recipes, each enabled by its corresponding event. |
GitHub | Interacts with GitHub repositories; enables GitHub integration features such as summarizing pull requests and changes. |
Printers¶
Jibril¶
Printer | Description |
---|---|
stdout | Prints events to the standard output. |
datakeeper | Keeps printed events for near-future reference, allowing for quick access and analysis. |
varlog | Logs output to /var/log/loader.log and /var/log/jibril.log for persistent storage and review. |
Jibril (GitHub)¶
Printer | Description |
---|---|
listendev | Sends event data to the Listen.dev backend for dashboard visualization; requires a Listen.dev account and an API token for authentication. |
listendevdebug | Generates a debug file for the Listen.dev printer, useful for troubleshooting and development purposes. |
Events¶
Jibril (Net)¶
Event | Description |
---|---|
flow | Captures and logs network flow data, including source and destination addresses, ports, and protocols. |
Jibril (NetPolicy)¶
Event | Description |
---|---|
dropip | Reports network flows dropped by an existing policy; the flows may have been dropped because of CIDR or domain name restrictions. |
dropdomain | Reports domain resolutions dropped by an existing policy; the resolutions may have been dropped because of domain name restrictions. |
Jibril (Detect)¶
- Mechanism: File Access
Event | Description |
---|---|
capabilities_modification | Detects changes to file capabilities. |
code_modification_through_procfs | Detects code modifications via /proc. |
core_pattern_access | Monitors access to core pattern configurations. |
cpu_fingerprint | Identifies unique CPU fingerprints for anomaly detection. |
credentials_files_access | Tracks access to credential files. |
filesystem_fingerprint | Detects changes in filesystem signatures. |
java_debug_lib_load | Monitors loading of Java debug libraries. |
java_instrument_lib_load | Tracks loading of Java instrumentation libraries. |
machine_fingerprint | Identifies unique machine fingerprints. |
os_fingerprint | Detects changes in OS signatures. |
os_network_fingerprint | Monitors OS network-related fingerprints. |
os_status_fingerprint | Tracks OS status changes. |
package_repo_config_modification | Detects modifications in package repository configurations. |
pam_config_modification | Monitors changes to PAM configurations. |
sched_debug_access | Detects access to scheduler debug interfaces. |
shell_config_modification | Tracks changes to shell configurations. |
ssl_certificate_access | Monitors access to SSL certificates. |
sudoers_modification | Detects changes to sudoers files. |
sysrq_access | Tracks access to sysrq functionalities. |
unprivileged_bpf_config_access | Detects access to unprivileged BPF configurations. |
global_shlib_modification | Monitors modifications to global shared libraries. |
- Mechanism: Execution
Event | Description |
---|---|
binary_executed_by_loader | Detects binaries executed via the ELF loader. |
code_on_the_fly | Monitors dynamic code execution. |
denial_of_service_tools | Detects the use of denial-of-service tools. |
exec_from_unusual_dir | Tracks executions from non-standard directories. |
file_attribute_change | Detects changes to file attributes. |
hidden_elf_exec | Identifies hidden ELF executions. |
interpreter_shell_spawn | Monitors the spawning of interpreter shells. |
net_filecopy_tool_exec | Detects the execution of network file copy tools. |
net_mitm_tool_exec | Identifies man-in-the-middle network tool executions. |
net_scan_tool_exec | Detects network scanning tool executions. |
net_sniff_tool_exec | Monitors the use of network sniffing tools. |
net_suspicious_tool_exec | Detects suspicious network tool executions. |
net_suspicious_tool_shell | Identifies suspicious tool shells in network contexts. |
passwd_usage | Tracks the usage of the passwd command. |
runc_suspicious_exec | Detects suspicious executions related to runc. |
Jibril (GitHub)¶
Event | Description |
---|---|
summary | Provides a comprehensive summary of all GitHub-related events. |
detections_summary | Summarizes detection events triggered by GitHub integrations. |
flows_summary | Aggregates and summarizes network flow data related to GitHub activities. |
change_summary | Provides summaries of code changes across repositories. |
pull_summary | Summarizes pull request activities for monitoring and review. |
OpenAI and Privacy
These events are generated by OpenAI according to data provided by Jibril (source code changes, tasks, network flows, detected events, etc.). The user should be aware of the privacy implications of sharing this data with OpenAI.