initial commit
louis is a simple tool using eBPF to automatically detect and respond to malicious behavior on a Linux system.
Usage:
  louis [command]

Available Commands:
  help        Help about any command
  hunt        hunt for existing malicious activity
  mitigate    mitigate all known vulnerabilities
  monitor     actively monitor for malicious action
  version     print louis version

Flags:
  -a, --active    counter detected malicious activity (dangerous, may clobber)
  -h, --help      help for louis
  -s, --syslog    output to syslog
  -v, --verbose   enable verbose output

Use "louis [command] --help" for more information about a command.
louis gathers information from the kernel through eBPF (with BCC). These sources are analyzed with information from categorized techniques and vulnerabilities.
+------------+
| |
| CLI Output |
| |
+--------+---+
^
+-------------------------------------|------+
| | |
+--------+ | +---------+ +----------+ +---+---+ |
| | | | | | +---->+ | |
| | | | Sources +--->+ Analysis | | louis | |
| | eBPF | | | | | | | |
| Kernel +---------->+ Sockets | +----------+ +--+----+ |
| | | | Users | ^ ^ |
| | | | Proc... | +-------+ | | |
| | | | | | | | v |
+--------+ | +---------+ | Techs +<-+ +---+----+ |
| | | | Output | |
| +-------+ +--------+ |
| |
+--------------------------------------------+
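To make the Sources -> Analysis -> Output pipeline in the diagram concrete, here is an added Go sketch of the analysis stage; it is not louis's own code. Constructed events stand in for what the eBPF sources would deliver, a hypothetical rule set plays the role of the categorized techniques, and one loop matches them and produces output lines; the Event and Technique types, the Analyze function and the rule names are all assumptions made for this example.

```go
package main

import "fmt"

// Event is one record a source (eBPF exec/socket tracing, /proc) hands to analysis.
// Constructed for this example; the page does not show louis's real event types.
type Event struct {
	Kind                       string // "exec" or "connect"
	PID                        int
	Comm, Parent, Path, Remote string // process, parent process, exec path, remote addr
}

// Technique is one categorized detection rule: a predicate over a single event.
type Technique struct {
	Name, Category string
	Match          func(Event) bool
}
func isShell(c string) bool { return c == "sh" || c == "bash" || c == "dash" || c == "zsh" }
// Hypothetical rule set in the spirit of louis's "categorized techniques".
var Techniques = []Technique{
	{"shell spawned by web server", "execution", func(e Event) bool {
		return e.Kind == "exec" && isShell(e.Comm) && (e.Parent == "nginx" || e.Parent == "apache2")
	}},
	{"outbound connection from shell", "command-and-control", func(e Event) bool {
		return e.Kind == "connect" && isShell(e.Comm) && e.Remote != ""
	}},
}
// Analyze runs every technique over every event and returns one finding per match;
// the same loop serves "hunt" (current state) and "monitor" (a live event stream).
func Analyze(events []Event) []string {
	var findings []string
	for _, e := range events {
		for _, t := range Techniques {
			if t.Match(e) {
				findings = append(findings, fmt.Sprintf("[%s] pid %d: %s", t.Category, e.PID, t.Name))
			}
		}
	}
	return findings
}

func main() { // constructed sample: one benign exec followed by a suspicious chain
	for _, line := range Analyze([]Event{
		{Kind: "exec", PID: 100, Comm: "ls", Parent: "bash", Path: "/usr/bin/ls"},
		{Kind: "exec", PID: 200, Comm: "sh", Parent: "nginx", Path: "/usr/bin/dash"},
		{Kind: "connect", PID: 200, Comm: "sh", Remote: "203.0.113.5:8443"},
	}) {
		fmt.Println(line)
	}
}
```

The output stage (CLI or, with -s, syslog) would consume the returned lines; the -a active mode would additionally act on the PID in each finding.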
There is no kernelspace component (other than the eBPF data-gathering code), which means louis is more susceptible to resource exhaustion and various types of executable manipulation. However, if that happens, you'll probably know about it.
Building louis:
git clone https://github.com/sourque/louis && cd louis && go build
Alternatively, download the louis binary from releases.