A new open sourced eBPF derived tool for security ops enthusiasts who thrive on log data.
Kernel-based Process Monitoring on Linux Endpoints via eBPF
kflow creates a new type of streaming security data using eBPF to capture a wide array of system and network events, offering visibility into organizations’ pre-encrypted workloads. It can be used in a wide range of applications from malware detection to tracing data movement. Its open-source collaboration fosters innovation and rapid adoption in security data management technologies from the global community.
Scalable Architecture
Easily scale to handle large volumes of data
Enhanced Security
Malicious actors will be unable to remove all traces of a system takeover
Real-Time Data Collection
Capture live endpoint events for immediate analysis
Pre-encrypted Visibility
kflow creates a new type of streaming security data using eBPF to capture a wide array of system and network events
Broad Compatibility
Supports VMs, Containers, and Kubernetes
Lightweight and Efficient
Minimal system overhead with high performance
Use Cases
Kflow on its own doesn't detect or take any action; it simply creates a stable stream of kflow messages. These messages can be received, decoded, and analyzed using third-party utilities or comprehensive enterprise threat hunting and detection services. Our modules utilize various kprobes and uprobes for tracing purposes.
Malware Detection
Identify and prevent malicious activities
Ransomware Tracking
Monitor and mitigate ransomware threats
Threat Hunting
Enhance threat detection and investigation capabilities
Change Management
Verify software versions and manage configuration changes
Technical Details and Information
Why would we do this?
Bottom line: We love security data. At Tarsal we are constantly trying to improve how security data is handled, and there is a missing gap: freely obtained endpoint data. The old world of tapping the network doesn’t work; getting to the data before it’s encrypted and placed on the wire is crucial. Think of this as sniffing the kernel of the computer rather than the network interface. We wanted to gift this technology to the security community to foster the next generation of threat hunting and detection.
ELK Compatibility
Links:
- Tarsal’s Open Source Repository: https://github.com/tarsal-oss/
- kflowd https://github.com/tarsal-oss/kflowd
Data Endpoint Use Cases:
- Tripwire replacement
- EDR replacement
- Tracking and preventing ransomware
- Deeper and more intelligent threat hunting
- Antiviral system replacement
- Data tracking system: File went from here to there via this network flow
- Change management confirmation
- Instant software version confirmation
- Parent and Child Process correlation
- Parent Process to Child File correlation (what process is accessing/creating what file)
- Process to network communication correlation
- File to network communication correlation
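Receiving, decoding and correlating the stream is the consumer's job, not kflow's (see the Use Cases paragraph). The following is an added example, not code from kflowd, of a minimal decoder that builds the parent/child, process-to-file and file-to-network correlations from the list above; the JSON-lines record shape and the sample events are constructed for illustration and are not kflowd's actual message format.

```python
import json
# Constructed sample stream in a hypothetical JSON-lines shape (NOT kflowd's real schema),
# with just enough fields to show the correlations the use-case list above calls for.
SAMPLE_STREAM = """\
{"ts": 1, "event": "exec", "pid": 100, "ppid": 1, "comm": "bash"}
{"ts": 2, "event": "exec", "pid": 200, "ppid": 100, "comm": "curl"}
{"ts": 3, "event": "file_read", "pid": 200, "path": "/srv/data/customers.csv"}
{"ts": 4, "event": "net_connect", "pid": 200, "dst": "203.0.113.7", "dport": 443}
{"ts": 5, "event": "file_read", "pid": 200, "path": "/etc/hostname"}
this line is corrupt and must be skipped by the decoder
"""

def decode(stream):
    """Parse JSON-lines into event dicts, dropping malformed lines instead of aborting."""
    events = []
    for line in stream.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a decoder must survive a truncated or garbled datagram
    return sorted(events, key=lambda e: e["ts"])

def correlate(events):
    """Join events by pid: ancestry from exec, files touched, network flows opened."""
    procs = {}
    for ev in events:
        p = procs.setdefault(ev["pid"], {"comm": None, "ppid": None, "files": [], "flows": []})
        if ev["event"] == "exec":
            p["comm"], p["ppid"] = ev["comm"], ev["ppid"]
        elif ev["event"] == "file_read":
            p["files"].append((ev["ts"], ev["path"]))
        elif ev["event"] == "net_connect":
            p["flows"].append((ev["ts"], f'{ev["dst"]}:{ev["dport"]}'))
    return procs

def ancestry(procs, pid):
    """Parent/child correlation: walk ppid links into a 'bash > curl' chain, cycle-safe."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["comm"] or str(pid))
        pid = procs[pid]["ppid"]
    return " > ".join(reversed(chain))

def file_to_network(procs):
    """File-to-network correlation: files a process read before each flow it opened."""
    return [(ancestry(procs, pid), [path for ts, path in p["files"] if ts < flow_ts], flow)
            for pid, p in procs.items() for flow_ts, flow in p["flows"]
            if any(ts < flow_ts for ts, _ in p["files"])]
```

Only reads that precede a flow are attributed to it, so the later `/etc/hostname` read is not reported against the connection to 203.0.113.7.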
Future Decoder Modules
Our modules utilize various kprobes and uprobes for tracing purposes. Currently, kflow employs only eBPF probes at the kernel level (kprobe, kretprobe) but is expected to extend to userspace probes (uprobe, uretprobe) soon.
Kprobes provide dynamic instrumentation in the kernel, allowing trace events at runtime by hitting the beginning of a kernel function and calling a custom event handler to extract function arguments for system monitoring. For instance, a kprobe in the vfs_read function can monitor file access by extracting inode information.
Kretprobes, hitting at the end of a function, can extract return values, such as monitoring file creation through do_filp_open.
Uprobes and uretprobes offer similar dynamic instrumentation but in userspace, applicable to functions in application binaries or shared libraries, tracing events system-wide for all processes using the library.
While they may face stability issues due to function changes across software versions, applications such as Nginx (ngx_http_process_request), Apache (HTTP request processing), MySQL (query__start), Elasticsearch (query areas), BIND and PowerDNS (request/response processing), OpenSSL (SSL_read), and Node.js (http__server__request), along with raw sockets (function_acq_pkts on "eth0"), can benefit from such probes.