airbus-cert/dirtypipe-ebpf_detection

dirtypipe-ebpf_detection -- Dirtypipe detection tool

This program detects Dirty Pipe exploitation attempts using eBPF. It also monitors non-vulnerable kernels and Docker containers.

🛫 If you want more details on how it works, please read the blog post! 🛬

How does it work?

Default execution:

sudo ./bin/dirtypipe_detection

Debug mode:

Shows libbpf logs during execution.

sudo ./bin/dirtypipe_detection --debug

Daemon mode:

Runs the program as a daemon and sends alerts over syslog.

sudo ./bin/dirtypipe_detection --daemon

How to build?

Debian

sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 bpftool -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make

Ubuntu

sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 linux-tools-common linux-tools-$(uname -r) -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make
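As an added example (not part of the airbus-cert/dirtypipe-ebpf_detection project), the following POSIX shell script ties the build steps above and the --daemon mode together: it picks the Debian or Ubuntu package set from /etc/os-release, builds the tool, installs the binary and runs it as a systemd service so the syslog alerts end up in journald. The install path /usr/local/sbin/dirtypipe_detection, the unit name dirtypipe-detection.service, the hardening directives and the assumption that the binary stays in the foreground under --daemon are all this example's choices, not documented behaviour of the tool.

```shell
#!/bin/sh
# Added example, not part of the dirtypipe-ebpf_detection project.
# Builds the detector with the distro-specific package set from the README
# and installs it as a systemd service running in --daemon mode, so alerts
# sent over syslog are collected by journald.
set -eu

REPO_URL="https://github.com/airbus-cert/dirtypipe-ebpf_detection"
INSTALL_PATH="/usr/local/sbin/dirtypipe_detection"            # assumed location
UNIT_PATH="/etc/systemd/system/dirtypipe-detection.service"   # assumed unit name

# Packages common to both distros, taken from the README.
COMMON_PKGS="git make pkg-config libelf-dev clang-11 libc6-dev-i386"

# The README's only per-distro difference is where bpftool comes from:
# Debian packages it as "bpftool", Ubuntu ships it in linux-tools-*.
# $1 = distro ID from os-release, $2 = running kernel release (uname -r).
bpf_packages_for() {
    case "$1" in
        debian) printf '%s bpftool\n' "$COMMON_PKGS" ;;
        ubuntu) printf '%s linux-tools-common linux-tools-%s\n' "$COMMON_PKGS" "$2" ;;
        *) return 1 ;;
    esac
}

# Read the ID field from an os-release file. Takes the path as an argument
# so it can be checked against a constructed file instead of the live system.
distro_id() {
    ( . "$1" && printf '%s\n' "${ID:-}" )
}

build_and_install() {
    id=$(distro_id /etc/os-release)
    pkgs=$(bpf_packages_for "$id" "$(uname -r)") || {
        echo "unsupported distro: $id (the README covers debian and ubuntu)" >&2
        return 1
    }
    # $pkgs is intentionally unquoted so it splits into separate package names.
    sudo apt install -y $pkgs
    [ -d dirtypipe-ebpf_detection ] || git clone "$REPO_URL"
    (cd dirtypipe-ebpf_detection/src && make)
    # Binary path follows the README's ./bin/ relative to src/ (assumed).
    sudo install -m 0755 dirtypipe-ebpf_detection/src/bin/dirtypipe_detection "$INSTALL_PATH"
}

# Render the unit file to stdout so it can be inspected before installing.
render_unit() {
cat <<EOF
[Unit]
Description=Dirty Pipe exploitation detector (eBPF)
After=network.target

[Service]
# --daemon is the README's mode that sends alerts over syslog.
ExecStart=$INSTALL_PATH --daemon
# Assumes the binary stays in the foreground; use Type=forking if it detaches.
Type=simple
Restart=on-failure
# Loading eBPF programs needs root; keep everything else locked down.
User=root
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

install_service() {
    render_unit | sudo tee "$UNIT_PATH" >/dev/null
    sudo systemctl daemon-reload
    sudo systemctl enable --now dirtypipe-detection.service
    echo "follow alerts with: journalctl -u dirtypipe-detection.service -f"
}

# Only touch the system when explicitly asked, so sourcing the file is side-effect free.
if [ "${DIRTYPIPE_INSTALL:-0}" = 1 ]; then
    build_and_install
    install_service
fi
```

Run it with `DIRTYPIPE_INSTALL=1 sh install.sh`; without that variable the file only defines functions, so it can be sourced and inspected (render_unit prints the unit) without touching the system. If the detector detaches when started with --daemon, change Type=simple to Type=forking, otherwise systemd treats the parent's exit as the service stopping and kills the remaining processes in the cgroup.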

Credits and References

Read the original blog on Dirtypipe from [email protected]

Read an interesting strategy from the Datadog team