
Protocol Documentation


proto/config.proto

CapFilter

Capabilities filter

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| effective | string | repeated | List of effective capabilities. The special name ANY matches if any capability at all is present in the effective capability set. |
| deny_list | bool | optional | If true, the filter acts as a deny list. |

ConnectionsControl

Connections control

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| enabled | bool | | Load eBPF programs |
| ipv4_filter | IpFilter | | IPv4 connection filter |
| ipv6_filter | IpFilter | | IPv6 connection filter |

CredFilter

Filter events using credential information. Pattern: uid_filter || cap_filter (an event matches if either sub-filter matches).

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| uid_filter | UidFilter | | Filter by UIDs (euid; TODO: uid, fsuid). |
| cap_filter | CapFilter | | Filter by capabilities (effective; TODO: permitted, inheritable). |

FileHookConfig

FileMon hook configuration

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| enabled | bool | | Load eBPF programs |
| path_filter | PathFilter | optional | Filter events by path |

FileMonConfig

Configuration file for FileMon detector.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| file_open | FileHookConfig | | security_file_open config. |
| path_truncate | FileHookConfig | | security_path_truncate config. |
| path_unlink | FileHookConfig | | security_path_unlink config. |
| path_chmod | FileHookConfig | | security_path_chmod config. |
| path_chown | FileHookConfig | | security_path_chown config. |
| sb_mount | FileHookConfig | | security_sb_mount config. |
| mmap_file | FileHookConfig | | security_mmap_file config. |
| file_ioctl | FileHookConfig | | security_file_ioctl config. |
| process_filter | ProcessFilter | | Filter file events by process information. |

GTFOBinsConfig

Configuration file for GTFOBinsDetector.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| enforce | bool | | Block execution of GTFOBins binaries. |
| gtfobins | string | repeated | GTFOBins executable names. |

IOUringMonConfig

Configuration file for IOUringMon detector.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| process_filter | ProcessFilter | | Filter io_uring events by process information. |

IpFilter

IP filter configuration

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| src_ip | string | repeated | Source IP list |
| dst_ip | string | repeated | Destination IP list |
| deny_list | bool | | If true, the filter acts as a deny list. |

NetMonConfig

Configuration file for NetMon detector.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| process_filter | ProcessFilter | | Filter network events by process information. |
| ingress | ConnectionsControl | | Ingress traffic connections |
| egress | ConnectionsControl | | Egress traffic connections |

PathFilter

Path filtering args

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | repeated | List of executable names to filter. |
| path | string | repeated | List of full executable paths to filter. |
| prefix | string | repeated | List of executable path prefixes to filter. |

ProcHookConfig

ProcMon hook configuration

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| enabled | bool | | Load eBPF programs |
| cred_filter | CredFilter | | Filter by credentials |

ProcMonConfig

Configuration file for ProcMon detector

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| setuid | ProcHookConfig | | setuid hook config. |
| capset | ProcHookConfig | | capset hook config. |
| prctl | ProcHookConfig | | prctl hook config. |
| create_user_ns | ProcHookConfig | | create_user_ns hook config. |
| ptrace_access_check | ProcHookConfig | | ptrace_attach hook config. |
| process_filter | ProcessFilter | | Process filter configuration. |
| ima_hash | bool | optional | Collect IMA hashes for executed binaries. |
| gc_period | uint64 | optional | GC period for PROCMON_PROC_MAP; default 30 seconds. |

ProcessFilter

Filter events using process information. The filter matches on the pattern: uid AND euid AND auid AND (binary.name OR binary.prefix OR binary.path). Every variable in the pattern is optional. If deny_list is true the filter acts as a deny list, otherwise it is an allow list.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| uid | uint32 | repeated | List of UIDs to filter. |
| euid | uint32 | repeated | List of EUIDs to filter. |
| auid | uint32 | repeated | List of AUIDs (login UIDs) to filter. |
| binary | PathFilter | | Binary filter args |
| deny_list | bool | | If true, the filter acts as a deny list. |
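The CredFilter pattern (uid_filter || cap_filter, with the ANY capability name) and the ProcessFilter pattern above are easiest to reason about as a small evaluator run over constructed process events. The following is an added reference implementation, not code from the project. It assumes that an empty list means the variable is unset and matches everything, that a CapFilter with a concrete capability list matches when any listed capability is present, that PathFilter.prefix is a plain string prefix on the executable path, and that a filter with nothing set at all is a no-op even when deny_list is true; the event fields and sample values are constructed for the example.

```python
"""Reference evaluator for the CredFilter and ProcessFilter patterns (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcEvent:
    """Constructed process event carrying the fields the filters look at."""
    uid: int
    euid: int
    auid: int
    name: str                 # executable basename
    path: str                 # full executable path
    effective_caps: List[str]  # effective capability set, e.g. ["CAP_SYS_ADMIN"]


@dataclass
class UidFilter:
    euid: List[int] = field(default_factory=list)


@dataclass
class CapFilter:
    effective: List[str] = field(default_factory=list)
    deny_list: bool = False


@dataclass
class CredFilter:
    uid_filter: Optional[UidFilter] = None
    cap_filter: Optional[CapFilter] = None


@dataclass
class PathFilter:
    name: List[str] = field(default_factory=list)
    path: List[str] = field(default_factory=list)
    prefix: List[str] = field(default_factory=list)


@dataclass
class ProcessFilter:
    uid: List[int] = field(default_factory=list)
    euid: List[int] = field(default_factory=list)
    auid: List[int] = field(default_factory=list)
    binary: Optional[PathFilter] = None
    deny_list: bool = False


def _in_list(value, allowed) -> bool:
    # Assumption: an empty list is "unset" and therefore matches any value.
    return not allowed or value in allowed


def uid_filter_matches(f: UidFilter, ev: ProcEvent) -> bool:
    return _in_list(ev.euid, f.euid)


def cap_filter_matches(f: CapFilter, ev: ProcEvent) -> bool:
    if not f.effective:          # unset: no constraint
        return True
    if "ANY" in f.effective:     # special name: any effective cap at all
        hit = bool(ev.effective_caps)
    else:                        # assumption: match if any listed cap is present
        hit = any(c in ev.effective_caps for c in f.effective)
    return hit != f.deny_list    # deny_list inverts the match


def cred_filter_matches(f: CredFilter, ev: ProcEvent) -> bool:
    """Pattern uid_filter || cap_filter; absent sub-filters are ignored."""
    checks = []
    if f.uid_filter is not None:
        checks.append(uid_filter_matches(f.uid_filter, ev))
    if f.cap_filter is not None:
        checks.append(cap_filter_matches(f.cap_filter, ev))
    return any(checks) if checks else True


def _binary_matches(pf: Optional[PathFilter], ev: ProcEvent) -> bool:
    """binary.name OR binary.prefix OR binary.path; unset PathFilter matches all."""
    if pf is None or not (pf.name or pf.path or pf.prefix):
        return True
    return (ev.name in pf.name
            or ev.path in pf.path
            or any(ev.path.startswith(p) for p in pf.prefix))


def process_filter_matches(f: ProcessFilter, ev: ProcEvent) -> bool:
    """uid AND euid AND auid AND (name OR prefix OR path), then deny/allow."""
    nothing_set = not (f.uid or f.euid or f.auid) and _binary_matches(None, ev) and (
        f.binary is None or not (f.binary.name or f.binary.path or f.binary.prefix))
    if nothing_set:              # assumption: an empty filter is a no-op
        return True
    hit = (_in_list(ev.uid, f.uid) and _in_list(ev.euid, f.euid)
           and _in_list(ev.auid, f.auid) and _binary_matches(f.binary, ev))
    return hit != f.deny_list


if __name__ == "__main__":
    ev = ProcEvent(0, 0, 1000, "bash", "/usr/bin/bash", ["CAP_SYS_ADMIN"])
    allow = ProcessFilter(euid=[0], binary=PathFilter(prefix=["/usr/bin/"]))
    deny = ProcessFilter(auid=[1000], binary=PathFilter(name=["bash", "sh"]), deny_list=True)
    print("allow-list hit:", process_filter_matches(allow, ev))   # True
    print("deny-list pass:", process_filter_matches(deny, ev))    # False
```

Note the order of operations: the pattern is evaluated first and deny_list only inverts the outcome, so a deny list with an unset variable still constrains on the variables that are set.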

UidFilter

UID filter

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| euid | uint32 | repeated | Effective UID |

Scalar Value Types

| .proto Type | Notes | C++ | Java | Python | Go | C# | PHP | Ruby |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| double | | double | double | float | float64 | double | float | Float |
| float | | float | float | float | float32 | float | float | Float |
| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers; if your field is likely to have negative values, use sint32 instead. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers; if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| uint32 | Uses variable-length encoding. | uint32 | int | int/long | uint32 | uint | integer | Bignum or Fixnum (as required) |
| uint64 | Uses variable-length encoding. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum or Fixnum (as required) |
| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int | uint32 | uint | integer | Bignum or Fixnum (as required) |
| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum |
| sfixed32 | Always four bytes. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sfixed64 | Always eight bytes. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| bool | | bool | boolean | boolean | bool | bool | boolean | TrueClass/FalseClass |
| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode | string | string | string | String (UTF-8) |
| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str | []byte | ByteString | string | String (ASCII-8BIT) |