Wazuh & eBPF: Monitor TCP connections effectively


Network monitoring is a powerful way to gain insight into a server environment, but it is often complex and resource-intensive. The extended Berkeley Packet Filter (eBPF) addresses these challenges, and ready-made tooling such as the bcc-tools package ships pre-built eBPF programs that can be used or adapted directly.

In this blog post I showcase eBPF by modifying the bcc tcptracer utility, which traces the kernel functions responsible for connecting, accepting, and closing TCP connections, so that it forwards its events to the Wazuh agent socket. The result gains Wazuh's alerting and enrichment while keeping the minimal overhead of the underlying eBPF probes.

Prerequisites:

Wazuh agent & eBPF:

# Hosted in my gist repo: https://gist.github.com/elwali10
curl -so /home/vagrant/WazuheBPFTCPTracer https://gist.githubusercontent.com/elwali10/412c1176a3c24ccb84fba5fefa4e8503/raw/a974e26600503bf0a41842a4493dcdcd169dea09/WazuheBPFTCPTracer.py
# Make it executable
chmod +x /home/vagrant/WazuheBPFTCPTracer

# Configure the tool as a service
# Create the service file
touch /etc/systemd/system/WazuheBPFTCPTracer.service

# Add the content below (the service runs as root by default, which attaching eBPF kprobes requires)
[Unit]
Description=WazuheBPFTCPTracer

[Service]
ExecStart=/home/vagrant/WazuheBPFTCPTracer

[Install]
WantedBy=multi-user.target

# Enable and start the service
systemctl daemon-reload
systemctl enable WazuheBPFTCPTracer
systemctl start WazuheBPFTCPTracer
systemctl status WazuheBPFTCPTracer

Wazuh Manager & Dashboard:

Add the decoders, rule, and pipeline below on the Wazuh manager so that the events reach the Wazuh dashboard.

  • Decoders (the source-address field is named srcip so that the pipeline's geoip processor on data.srcip picks it up):
<decoder name="eBPFTCP">
  <prematch>TCP Connection:</prematch>
</decoder>

<decoder name="eBPFTCP1">
  <parent>eBPFTCP</parent>
  <regex>PID: (\d*) </regex>
  <order>PID</order>
</decoder>

<decoder name="eBPFTCP1">
  <parent>eBPFTCP</parent>
  <regex>ProcessName: (\.*) </regex>
  <order>ProcessName</order>
</decoder>

<decoder name="eBPFTCP1">
  <parent>eBPFTCP</parent>
  <regex>IPVersion: (\d*) </regex>
  <order>IPVersion</order>
</decoder>

<decoder name="eBPFTCP1">
  <parent>eBPFTCP</parent>
  <regex>SourceAddress: (\d+.\d+.\d+.\d+) </regex>
  <order>srcip</order>
</decoder>

<decoder name="eBPFTCP1">
  <parent>eBPFTCP</parent>
  <regex>DestinationAddress: (\d+.\d+.\d+.\d+) </regex>
  <order>destip</order>
</decoder>

<decoder name="eBPFTCP1">
  <parent>eBPFTCP</parent>
  <regex>SourcePort: (\d*) </regex>
  <order>SourcePort</order>
</decoder>

<decoder name="eBPFTCP1">
  <parent>eBPFTCP</parent>
  <regex>DestinationPort: (\d*) </regex>
  <order>DestinationPort</order>
</decoder>
  • Rules:
<group name="eBPFTCP">

  <rule id="120000" level="3">
    <decoded_as>eBPFTCP</decoded_as>
    <description>TCP Connection Established</description>
  </rule>

</group>
  • Pipeline: add the geoip processor for data.destip to /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json on the Wazuh manager; the complete file with that processor in place is shown below. All geoip processors write to the same target_field (GeoLocation), so when both the source and the destination address resolve, the destination result overwrites the source one; for outbound connections from a host with a private source address the data.srcip lookup fails silently (ignore_failure) and GeoLocation reflects the destination.
{
  "description": "Wazuh alerts pipeline",
  "processors": [
    { "json" : { "field" : "message", "add_to_root": true } },
    {
      "geoip": {
        "field": "data.srcip",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.destip",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.win.eventdata.ipAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.aws.sourceIPAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.gcp.jsonPayload.sourceIP",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.office365.ClientIP",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "date": {
        "field": "timestamp",
        "target_field": "@timestamp",
        "formats": ["ISO8601"],
        "ignore_failure": false 
      }
    },
    {
      "date_index_name": {
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false 
      }
    },
    { "remove": { "field": "message", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "ecs", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "beat", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "input_type", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "tags", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "count", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "@version", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "log", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "offset", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "type", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "host", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "fields", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "event", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "fileset", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "service", "ignore_missing": true, "ignore_failure": true } }
  ],
  "on_failure" : [{
    "drop" : { }
  }]
}
  • Apply the new pipeline and decoders/rules:
systemctl restart wazuh-manager
filebeat setup --pipelines
  • Tests and results: any action that establishes a TCP connection is captured; for example:
wget google.com
systemctl restart wazuh-agent
apt-get update

The pipeline enrichment adds country names to the captured TCP connection events, with very low resource consumption thanks to eBPF.
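To make the format contract between the modified tracer and the decoders above concrete, here is an added example (not the page's or the gist's code) that renders a connection event into the log line the eBPFTCP decoders expect, frames it for the Wazuh agent queue socket, and checks offline that every field decodes. The socket path /var/ossec/queue/sockets/queue, the 1:<location>:<message> framing and the sample event are assumptions, not taken from the page.

```python
import re
import socket

# Assumed Wazuh 4.x agent queue socket (older releases used /var/ossec/queue/ossec/queue).
WAZUH_SOCKET = "/var/ossec/queue/sockets/queue"
# Assumed framing for that socket: '<queue>:<location>:<log>', queue 1 being the log queue.
QUEUE_ID, LOCATION = "1", "eBPFTCP"

# Field order mirrors the page's child decoders.
FIELDS = ("PID", "ProcessName", "IPVersion", "SourceAddress",
          "DestinationAddress", "SourcePort", "DestinationPort")


def format_event(evt: dict) -> str:
    """Render 'TCP Connection: PID: 4242 ProcessName: wget ... DestinationPort: 443 '.

    Each decoder regex on the page ends in a literal space, so the trailing space
    after the last field is deliberate: without it DestinationPort never decodes.
    """
    return "TCP Connection: " + "".join(f"{k}: {evt[k]} " for k in FIELDS)


# Offline stand-in for the decoders, in Python re syntax (Wazuh's matcher is not used;
# '\S+' approximates the page's '\d*', '\.*' and dotted-quad patterns).
_FIELD_RE = {k: re.compile(rf"{k}: (\S+) ") for k in FIELDS}


def decode_line(line: str) -> dict:
    """Return the fields the decoders would extract, or {} when the prematch fails."""
    if "TCP Connection:" not in line:
        return {}
    return {k: m.group(1) for k, rx in _FIELD_RE.items() if (m := rx.search(line))}


def build_message(evt: dict) -> bytes:
    """Frame one event for the agent queue as b'1:eBPFTCP:TCP Connection: ...'."""
    return f"{QUEUE_ID}:{LOCATION}:{format_event(evt)}".encode()


def send_event(evt: dict, path: str = WAZUH_SOCKET) -> None:
    """Deliver one event to the local Wazuh agent over its UNIX datagram socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(path)
        s.send(build_message(evt))


# Constructed sample: an outbound HTTPS connection made by wget from a private address.
SAMPLE = {"PID": 4242, "ProcessName": "wget", "IPVersion": 4,
          "SourceAddress": "10.0.2.15", "DestinationAddress": "203.0.113.10",
          "SourcePort": 51234, "DestinationPort": 443}

if __name__ == "__main__":
    print(build_message(SAMPLE).decode())
    assert decode_line(format_event(SAMPLE))["DestinationPort"] == "443"
    # send_event(SAMPLE)  # enable on a host with a running Wazuh agent
```

Run it on a host with the agent installed and the fields should appear under data.* in the resulting alert, ready for the geoip processors.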

  • Demo Video:
