Protocol Documentation

proto/config.proto

FileMonConfig

Configuration file for FileMon detector.

| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| file_open | HookConfig | | security_file_open config. |
| path_truncate | HookConfig | | security_path_truncate config. |
| path_unlink | HookConfig | | security_path_unlink config. |
| path_symlink | HookConfig | | security_path_symlink config. |
| path_chmod | HookConfig | | security_path_chmod config. |
| path_chown | HookConfig | | security_path_chown config. |
| sb_mount | HookConfig | | security_sb_mount config. |
| mmap_file | HookConfig | | security_mmap_file config. |
| file_ioctl | HookConfig | | security_file_ioctl config. |

GTFOBinsConfig

Configuration file for GTFOBinsDetector.

| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| enforce | bool | | Block execution of GTFOBins binaries. |
| gtfobins | string | repeated | GTFOBins executable names. |

HookConfig

Configuration for a hook or a group of hooks.

| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| enabled | bool | | Load eBPF programs. |
| sandbox | SandboxMode | | Sandbox capabilities. |
| rules | Rule | repeated | Filtering rules. |

NetMonConfig

Configuration file for NetMon detector.

| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| ingress | HookConfig | | Ingress traffic connections. |
| egress | HookConfig | | Egress traffic connections. |

ProcMonConfig

Configuration file for ProcMon detector.

| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| setuid | HookConfig | | setuid hook config. |
| capset | HookConfig | | capset hook config. |
| prctl | HookConfig | | prctl hook config. |
| create_user_ns | HookConfig | | create_user_ns hook config. |
| ptrace_access_check | HookConfig | | ptrace_attach hook config. |
| setgid | HookConfig | | setgid hook config. |
| bprm_check | HookConfig | | bprm_check hook config. |
| ima_hash | bool | optional | Collect IMA hashes for executed binaries. |
| gc_period | uint64 | optional | GC period for PROCMON_PROC_MAP; default 30 sec. |

Rule

Rule definition. The scope and event predicates are combined as a logical conjunction: both must hold for the rule to match.

| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| name | string | | Name of the rule. |
| scope | string | | Logical predicate describing the scope to which this rule applies, e.g. process, container. |
| event | string | | Logical predicate describing the event to which this rule applies. |

SandboxMode

Sandbox parameters.

| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| enabled | bool | | Enable sandbox mode. |
| deny_list | bool | | Consider rules as deny list. |
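The messages above compose into one configuration per detector: a detector config holds one HookConfig per LSM hook, each HookConfig carries an optional SandboxMode and a list of Rules. The following is an added illustration, not a sample shipped with the project: it assumes the detector reads protobuf text format (the page does not state the on-disk format), uses only the field names documented above, and every path, binary name and predicate string inside `scope`/`event` is a constructed sample value, since the predicate syntax is not specified on this page.

```textproto
# Added example, not the project's own configuration.
# Assumptions: text-format proto input; predicate syntax and paths are constructed.
# proto-message: FileMonConfig

# security_file_open: load the hook and enforce (sandbox) a narrow deny list.
file_open {
  enabled: true                          # load the eBPF program for this hook
  sandbox {
    enabled: true                        # act on matching rules, not only report
    deny_list: true                      # rules below are interpreted as a deny list
  }
  rules {
    name: "deny-shadow-read"
    scope: "container"                   # scope example taken from the docs
    event: "path == \"/etc/shadow\""     # constructed predicate, syntax assumed
  }
}

# security_path_unlink: load the hook for visibility only; SandboxMode omitted,
# so nothing is blocked and the rule acts purely as a filter.
path_unlink {
  enabled: true
  rules {
    name: "audit-unlink-in-etc"
    scope: "process"
    event: "path startswith \"/etc/\""  # constructed predicate, syntax assumed
  }
}

# Hooks not listed (path_truncate, path_symlink, path_chmod, path_chown,
# sb_mount, mmap_file, file_ioctl) keep the bool default enabled=false,
# so their eBPF programs are not loaded.

# ---- second file, GTFOBinsConfig ----
# proto-message: GTFOBinsConfig
enforce: true                            # block execution rather than only report
# repeated string field: one entry per executable name (constructed sample list)
gtfobins: "vim"
gtfobins: "find"
gtfobins: "python3"
```

Two design points worth noting against the tables above: `enabled` on HookConfig and `enabled` on SandboxMode are independent, so a hook can be loaded for telemetry with no sandbox at all (the `path_unlink` block), and `deny_list` only changes how the same Rule list is interpreted, so a rule set should be reviewed together with that flag rather than on its own.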

Scalar Value Types

| .proto Type | Notes | C++ | Java | Python | Go | C# | PHP | Ruby |
| ----------- | ----- | --- | ---- | ------ | -- | -- | --- | ---- |
| double | | double | double | float | float64 | double | float | Float |
| float | | float | float | float | float32 | float | float | Float |
| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| uint32 | Uses variable-length encoding. | uint32 | int | int/long | uint32 | uint | integer | Bignum or Fixnum (as required) |
| uint64 | Uses variable-length encoding. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum or Fixnum (as required) |
| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int | uint32 | uint | integer | Bignum or Fixnum (as required) |
| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum |
| sfixed32 | Always four bytes. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sfixed64 | Always eight bytes. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| bool | | bool | boolean | boolean | bool | bool | boolean | TrueClass/FalseClass |
| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode | string | string | string | String (UTF-8) |
| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str | []byte | ByteString | string | String (ASCII-8BIT) |