0xN3utr0n/Kanis
Kanis

Kanis is an advanced threat detection solution designed exclusively for Linux, with performance and simplicity in mind. It runs locally "out-of-the-box" (even on ancient systems) and ships with a powerful engine, based mainly on heuristic and behavioral analysis, for event and anomaly correlation.

Features

  • Real-time binary monitoring.
  • Container monitoring.
  • Kernel event monitoring.
  • ELF Viruses/Trojans detection.
  • ELF anti-debugging techniques detection.
  • Process injection detection.
  • Rootkits detection (In progress).
  • Yara integration.
  • And much more... :)

How it works

As event-driven software, Kanis requires real-time interaction with the kernel; this is achieved through ftrace, using Kprobes as well as Tracepoints. That is, it can monitor not only syscalls but any kernel function too. The rule engine is in charge of processing this whole stream of information and making sense of it.

Additionally, Kanis includes some modules for static heuristic analysis (such as for binaries) which further enhance the product's detection capabilities.
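The ftrace/Kprobes mechanism described above can be exercised from user space without any special library: a probe is registered by writing a definition line into tracefs, enabled through the matching events/ directory, and the resulting records are read back from trace_pipe as text. The following Go program is an added illustration of that loop and is not Kanis's own code; the tracefs paths, the event group name kanis_demo, the probe name demo_open and the probed symbol do_sys_openat2 are assumptions for the example. Only ParseTraceLine and KprobeDefinition are exercised offline; the main function needs root on a kernel with function tracing enabled.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// Assumed tracefs paths (the usual mount point; older systems expose the
// same files under /sys/kernel/debug/tracing/).
const (
	tracefsRoot      = "/sys/kernel/tracing"
	kprobeEventsPath = tracefsRoot + "/kprobe_events"
	tracePipePath    = tracefsRoot + "/trace_pipe"
)

// KprobeDefinition builds the control line that registers an entry probe
// ("p:") on kernel symbol `symbol` under the event group "kanis_demo" (the
// group name is an assumption for this example). Writing "-:kanis_demo/NAME"
// to the same file removes the probe again.
func KprobeDefinition(name, symbol string) string {
	return fmt.Sprintf("p:kanis_demo/%s %s", name, symbol)
}

// AttachKprobe appends the definition to kprobe_events and then enables the
// new event; this needs root and a kernel built with CONFIG_FUNCTION_TRACER.
func AttachKprobe(name, symbol string) error {
	f, err := os.OpenFile(kprobeEventsPath, os.O_WRONLY|os.O_APPEND, 0)
	if err != nil {
		return err
	}
	if _, err = f.WriteString(KprobeDefinition(name, symbol) + "\n"); err != nil {
		f.Close()
		return err
	}
	f.Close()
	// Defining the probe is not enough: the event must be switched on.
	enablePath := fmt.Sprintf("%s/events/kanis_demo/%s/enable", tracefsRoot, name)
	return os.WriteFile(enablePath, []byte("1\n"), 0)
}

// TraceEvent is one decoded line from trace_pipe.
type TraceEvent struct {
	Comm      string  // task command name
	PID       int
	CPU       int
	Timestamp float64 // seconds, as printed by ftrace
	Probe     string  // event name, here the kprobe name
	Detail    string  // everything after the event name
}

// traceLine matches the default ftrace text layout:
//   TASK-PID  [CPU]  FLAGS  TIMESTAMP: EVENT: detail
// The greedy TASK group backtracks correctly for names such as "kworker/0:1-17".
var traceLine = regexp.MustCompile(
	`^\s*(\S+)-(\d+)\s+\[(\d+)\]\s+\S+\s+([\d.]+):\s+(\S+?):\s*(.*)$`)

// ParseTraceLine decodes a single trace_pipe line; lines that do not follow
// the layout (for example the "CPU:1 [LOST 5 EVENTS]" overflow marker) are
// reported as errors so the caller can count drops instead of misparsing.
func ParseTraceLine(line string) (TraceEvent, error) {
	m := traceLine.FindStringSubmatch(line)
	if m == nil {
		return TraceEvent{}, errors.New("unrecognised trace line: " + line)
	}
	pid, _ := strconv.Atoi(m[2])
	cpu, _ := strconv.Atoi(m[3])
	ts, _ := strconv.ParseFloat(m[4], 64)
	return TraceEvent{Comm: m[1], PID: pid, CPU: cpu, Timestamp: ts,
		Probe: m[5], Detail: m[6]}, nil
}

func main() {
	// do_sys_openat2 exists on recent kernels; pick a symbol your kernel has.
	if err := AttachKprobe("demo_open", "do_sys_openat2"); err != nil {
		fmt.Fprintln(os.Stderr, "attach failed (need root and tracefs):", err)
		os.Exit(1)
	}
	pipe, err := os.Open(tracePipePath)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer pipe.Close()
	sc := bufio.NewScanner(pipe)
	for sc.Scan() { // trace_pipe blocks until the next record arrives
		ev, err := ParseTraceLine(sc.Text())
		if err != nil {
			continue
		}
		fmt.Printf("%-16s pid=%d cpu=%d %s %s\n", ev.Comm, ev.PID, ev.CPU, ev.Probe, ev.Detail)
	}
}
```

Reading trace_pipe consumes the records, so a single consumer should own it; a production engine would also detach its probes on exit so that stale kprobes are not left behind for the next run.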

Requirements

- Linux >= 3.10 x86_64
- Kernel compiled with the CONFIG_FUNCTION_TRACER option
- OpenSSL (libssl-dev)
- Go >= 1.14

Install

git clone https://github.com/0xN3utr0n/Kanis && cd Kanis
make
sudo make install

Usage

Kanis requires root privileges in order to properly work.

  -h	This help.
  -d	Show debug messages (very verbose).
  -e string
    	Enable kernel events monitoring.
    	Supported categories:
    	a ALL events.
    	x EXEC events.
    	m MOUNT events.
    	s SIGNAL events.
    	t TASK events.
    	p PTRACE events.
    	f FILE events.
    	n NAMESPACE events.
    	
    	e.g. -e=x:t:n
    	
  -s	Redirect all output to stdout.
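The -e value is a colon-separated list of single-letter categories, with a meaning "everything". The Go program below is an added example of how such a specification can be parsed strictly (rejecting unknown letters instead of ignoring them, so a typo cannot silently leave a category unmonitored) and then used to filter an event stream; it is not Kanis's own flag handling, and the Event type and sample records are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Category letters accepted by -e, taken from the usage text above.
var categoryNames = map[string]string{
	"x": "EXEC", "m": "MOUNT", "s": "SIGNAL", "t": "TASK",
	"p": "PTRACE", "f": "FILE", "n": "NAMESPACE",
}

// ParseEventSpec expands a spec such as "x:t:n" into the set of enabled
// category names. "a" selects every category; an unknown or multi-letter
// token is an error, and an empty selection is rejected as well.
func ParseEventSpec(spec string) (map[string]bool, error) {
	enabled := make(map[string]bool)
	for _, tok := range strings.Split(spec, ":") {
		tok = strings.TrimSpace(tok)
		switch {
		case tok == "":
			continue
		case tok == "a":
			for _, name := range categoryNames {
				enabled[name] = true
			}
		default:
			name, ok := categoryNames[tok]
			if !ok {
				return nil, fmt.Errorf("unknown event category %q", tok)
			}
			enabled[name] = true
		}
	}
	if len(enabled) == 0 {
		return nil, errors.New("no event categories enabled")
	}
	return enabled, nil
}

// Event is a minimal kernel-event record, constructed for this example.
type Event struct {
	Category string
	Detail   string
}

// FilterEvents keeps only the events whose category is enabled.
func FilterEvents(events []Event, enabled map[string]bool) []Event {
	var kept []Event
	for _, ev := range events {
		if enabled[ev.Category] {
			kept = append(kept, ev)
		}
	}
	return kept
}

func main() {
	enabled, err := ParseEventSpec("x:t:n") // the spec from the usage text
	if err != nil {
		panic(err)
	}
	// Constructed sample stream, not real Kanis output.
	sample := []Event{
		{"EXEC", "pid=2312 /usr/bin/id"},
		{"FILE", "pid=2312 open /etc/passwd"},
		{"NAMESPACE", "pid=4100 unshare CLONE_NEWNS"},
		{"TASK", "pid=4101 fork"},
	}
	for _, ev := range FilterEvents(sample, enabled) {
		fmt.Printf("%-10s %s\n", ev.Category, ev.Detail)
	}
}
```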

Once executed, the following log files will be created (within /var/kanis/):

  • events.log : Real-time kernel events.
  • kanis.log : Errors and Kanis related messages.
  • threats.log : Detected threats.

Disclaimer

The project is currently in a pre-alpha state, meaning that there might be some instability issues along with low detection rates or even a high number of false positives.