Skip to content
/ bervie Public

An eBpf security program that blocks the execution of files that were flagged as malicious by the give YARA detection rules. Named in convention with the other Scottish loch tools

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Assaf-R/bervie

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.gitignore
.gitignore
 
 
Readme.md
Readme.md
 
 
bervie.py
bervie.py
 
 
bervie_bpf.c
bervie_bpf.c
 
 

Repository files navigation

Bervie

An eBpf security program that blocks the execution of files that were flagged as malicious by the give YARA detection rules. Named in convention with the other Scottish loch tools

How does this work?

The python program - bervie.py - loads the bpf c program - bervie_bpf.c - and hooks the execve syscall with a kprobe. The eBpf program checks if the file that is set to be executed checks any YARA detections from the given .yara file and if so blocks the execution. The results are logged to /var/log/loch/bervieX.log

How to run

RUN AS ROOT

$ pip install yara-python

About

An eBpf security program that blocks the execution of files that were flagged as malicious by the give YARA detection rules. Named in convention with the other Scottish loch tools

Topics

python linux security ebpf yara

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages