Skip to content

Linux based vulnerabilities (CVE) exploit detection through runtime security using Falco/Osquery/Yara/Sigma

License

Notifications You must be signed in to change notification settings

Loginsoft-LLC/Linux-Exploit-Detection

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

43 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Linux-Exploit-Detection

Linux-based vulnerabilities (CVE) exploit detection through runtime security using Falco/Osquery/Yara/Rego/Sigma

This is an experimental project to evaluate possible ways to detect exploits (CVE) in a Linux environment (HOST/Container/Cloud) using

We were able to detect the majority of the exploits through ebpf or kprobe instrumentation by analyzing the syscalls. Both Falco and Rego approaches worked accurately in Host & Containerized environments. However, there are a few limitations in all of the above approaches, stay tuned - the blog coming out soon.

Detections available for the following CVE in the respective folders

More to come...

All of these detections were tested in a host & containerized environment where reproduced the exploit and captured required events. The rules in the repository can lead to performance overhead, we would suggest testing it before using it in a production environment.