Skip to content
This repository has been archived by the owner on Apr 27, 2023. It is now read-only.

Latest commit

 

History

History
120 lines (94 loc) · 3.54 KB

README.md

File metadata and controls

120 lines (94 loc) · 3.54 KB

threatseer

Threatseer is a lightweight agent-based security telemetry solution for Linux.

Try running threatseer with Docker

Build Status

Features

Agent features

The agent collects security telemetry which is offloaded to a server for behavioral analysis and the rest.

  • event-driven structured data of important system events
    • container lifecycle
    • processes touching sensitive data
    • processes spawned and lifecycle events
    • network events
  • low resource cost: typically less than ~1% of one CPU core, ~30MiB RAM
  • ~5mb statically compiled binary deployable

Server features

The server component uses several behavioral analysis engines for scoring events and has several JSON telemetry output methods available:

Behavioral Analysis Engines

  • Profile - automatic execution behavior profile generated for container image or process lifecycle
  • Static - risky processes, file/directory integrity monitoring (todo), known IOCs (todo)
  • Dynamic - custom queries

Telemetry outputs

  • Elasticsearch
  • Kafka
  • Logstash
  • Redis
  • File
  • Stdout

Example telemetry

container RCE event

successful blind remote code execution (RCE) callback

{
   "@timestamp":"2018-05-26T15:06:14.397Z",
   "src_ip":"127.0.0.1",
   "event":{
      "id":"714966143a853b3bf55ccb2683a3b6bcfcbf731f9318705485609d8ef7711b13",
      "container_name": "/cranky_kowalevski",
      "image_id": "3fd9065eaf02feaf94d68376da52541925650b81698c53c6824d92ff63f98353",
      "image_name": "alpine",
      "process_pid":3789,
      "sensor_id":"49c921bc827b2aa9b5f20b0e65af9c3126c79221bac4f2b2a7edd7db7e3774aa",
      "Event":{
         "Process":{
            "type":2,
            "exec_filename":"/usr/bin/dig",
            "exec_command_line":[
               "dig",
               "+short",
               "ifjeow0234f90iwefo2odj.wat.lol"
            ]
         }
      }
   },
   "indicators":[
      {
         "Engine":"static",
         "RuleName":"",
         "IndicatorType":"risky_process",
         "Description":"dig is a risky process often used for exfil / callback",
         "ExtraInfo":"",
         "Score":70
      },
      {
         "Engine":"dynamic",
         "RuleName":"insider_threat",
         "IndicatorType":"custom",
         "Description":"it's coming from inside the house!",
         "ExtraInfo":"origin was 127.0.0.1",
         "Score":60
      },
      {
         "Engine":"profile",
         "RuleName":"",
         "IndicatorType":"abnormal_behavior",
         "Description":"subject is behaving outside of its profile",
         "ExtraInfo":"",
         "Score":50
      }
   ]
}

Architecture

See docs/ARCHITECTURE.md for more info.

Docs

Docs are sparse at the moment. Threatseer is still under heavy development.

Acknowledgements