0xN3utr0n / Kanis

Advanced threat detection solution for Linux.

Kanis

Kanis is an advanced threat detection solution designed exclusively for Linux, with performance and simplicity in mind. It runs locally "out-of-the-box" (even on ancient systems) and ships with a powerful engine, based mainly on heuristic and behavioural analysis, for event and anomaly correlation.

Features

  • Real-time binary monitoring.
  • Container monitoring.
  • Kernel event monitoring.
  • ELF Viruses/Trojans detection.
  • ELF anti-debugging techniques detection.
  • Process injection detection.
  • Rootkits detection (In progress).
  • Yara integration.
  • And much more... :)

How it works

As event-driven software, Kanis requires real-time interaction with the kernel; this is achieved through ftrace, using both Kprobes and Tracepoints. That means it can monitor not only syscalls but any kernel function. The rule engine is in charge of processing this stream of events and making sense of it.

Additionally, Kanis includes some modules for static heuristic analysis (such as for binaries) which further enhance the product's detection capabilities.

Requirements

- Linux >=3.10 x86_64
- Kernel compiled with CONFIG_FUNCTION_TRACER flag
- Openssl (libssl-dev)
- go >=1.14

Install

git clone https://github.com/0xN3utr0n/Kanis && cd Kanis
make
sudo make install

Usage

Kanis requires root privileges in order to work properly.

  -h	This help.
  -d	Show debug messages (very verbose).
  -e string
    	Enable kernel events monitoring.
    	Supported categories:
    	a ALL events.
    	x EXEC events.
    	m MOUNT events.
    	s SIGNAL events.
    	t TASK events.
    	p PTRACE events.
    	f FILE events.
    	n NAMESPACE events.
    	
    	e.g. -e=x:t:n
    	
  -s	Redirect all output to stdout.

Once executed, the following log files will be created (within /var/kanis/):

  • events.log : Real-time kernel events.
  • kanis.log : Errors and Kanis-related messages.
  • threats.log : Detected threats.
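To make the "How it works" section and the -e category switch concrete, here is an added example in Go (not code from the Kanis project) of the pipeline the README describes: kernel events arrive as lines in ftrace's trace_pipe layout, a parser turns them into structured events, the -e letters decide which categories are kept, and a small behavioural rule correlates them. The rule chosen is one of the injection heuristics a defender would expect: a task that ptrace()s a process it did not fork is reported. The probe names in probeCategory and the sample lines are assumptions and constructed data, since the page does not list the probes Kanis actually attaches.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event is one kernel event parsed from an ftrace trace_pipe-style line.
type Event struct {
	PID   int               // pid of the task that hit the probe
	Probe string            // kprobe or tracepoint name, e.g. "sched_process_fork"
	Args  map[string]string // key=value pairs that follow the probe name
}

// traceLine follows the trace_pipe layout: TASK-PID [CPU] FLAGS TIMESTAMP: PROBE: ARGS
var traceLine = regexp.MustCompile(`^\s*\S+-(\d+)\s+\[\d+\]\s+\S+\s+[0-9.]+:\s+([^:\s]+):\s*(.*)$`)

// ParseTraceLine parses one trace_pipe line; unrecognised lines are reported, not dropped.
func ParseTraceLine(line string) (Event, error) {
	m := traceLine.FindStringSubmatch(line)
	if m == nil {
		return Event{}, fmt.Errorf("unrecognised trace line: %q", line)
	}
	pid, _ := strconv.Atoi(m[1])
	args := map[string]string{}
	for _, kv := range strings.Fields(m[3]) {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			args[p[0]] = p[1]
		}
	}
	return Event{PID: pid, Probe: m[2], Args: args}, nil
}

// probeCategory maps probe names (assumed here; the page does not list Kanis' probes) to -e letters.
var probeCategory = map[string]byte{
	"do_execve": 'x', "do_mount": 'm', "signal_generate": 's', "sched_process_fork": 't',
	"sys_ptrace": 'p', "do_sys_open": 'f', "sys_setns": 'n', "sys_unshare": 'n',
}

// ParseCategories turns an -e value such as "x:t:n" into the set of enabled letters.
func ParseCategories(spec string) (map[byte]bool, error) {
	enabled := map[byte]bool{}
	for _, part := range strings.Split(spec, ":") {
		if len(part) != 1 || !strings.ContainsRune("axmstpfn", rune(part[0])) {
			return nil, fmt.Errorf("unknown category %q", part)
		}
		enabled[part[0]] = true
	}
	return enabled, nil
}

// Detector implements one behavioural rule: a task that ptrace()s a process it did not fork is reported.
type Detector struct {
	Enabled map[byte]bool
	parent  map[int]int // child pid -> parent pid, learned from fork events
	Threats []string
}

// Feed drops events outside the enabled categories and correlates the rest.
func (d *Detector) Feed(ev Event) {
	if c, known := probeCategory[ev.Probe]; !known || !(d.Enabled['a'] || d.Enabled[c]) {
		return
	}
	switch ev.Probe {
	case "sched_process_fork":
		if d.parent == nil {
			d.parent = map[int]int{}
		}
		child, _ := strconv.Atoi(ev.Args["child_pid"])
		d.parent[child] = ev.PID
	case "sys_ptrace":
		target, _ := strconv.Atoi(ev.Args["pid"])
		if p, ok := d.parent[target]; !ok || p != ev.PID {
			d.Threats = append(d.Threats, fmt.Sprintf("pid %d ptrace on non-child pid %d", ev.PID, target))
		}
	}
}

// sample is a constructed trace_pipe excerpt, not a capture from a real system.
var sample = []string{
	"            bash-1200  [001] .... 100.000100: sched_process_fork: comm=bash pid=1200 child_comm=bash child_pid=1300",
	"             gdb-1200  [001] .... 100.000200: sys_ptrace: request=0x10 pid=1300",
	"             gdb-2000  [000] .... 100.000300: sys_ptrace: request=0x10 pid=2200",
}

// Run feeds every line to a detector with the given -e categories and returns the threats.
func Run(enabled map[byte]bool, lines []string) ([]string, error) {
	d := &Detector{Enabled: enabled}
	for _, line := range lines {
		ev, err := ParseTraceLine(line)
		if err != nil {
			return nil, err
		}
		d.Feed(ev)
	}
	return d.Threats, nil
}
```

With -e=x:t:p the sample yields one report, for pid 2000 tracing a process it never forked, while the debugger that forked its own target stays quiet. Note the dependency between categories: the same sample run with only x:p enabled flags both ptrace calls, because without TASK events the rule never learns who forked whom. That is the kind of false-positive source the disclaimer below refers to, and it is why a correlation rule should only be enabled together with the event categories it needs.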

Disclaimer

The project is currently in pre-alpha state, meaning that there might be some instability issues along with low detection rates or even a high number of false-positives.

License: GNU General Public License v3.0
