README
¶
Tracee-Rules: Runtime Security Detection Engine
Tracee-Rules is a rule engine that helps you detect suspicious behavioral patterns in streams of events. It is primarily made to leverage events collected with Tracee-eBPF into a Runtime Security solution.
There are 3 basic concepts for Tracee-Rules:
- Inputs - Event sources to be processed. Currently only Tracee-eBPF is a supported event source.
- Rules (a.k.a Signatures) - The particular behavioral pattern to detect in the input source. Signatures can be authored in Golang, or Rego (OPA).
- Outputs - How to communicate detections. Print to stdout, post to a webhook, or integrate with external systems.
Getting started
Tracee-Rules doesn't have any requirement, but in order to run with Tracee-eBPF, make sure you follow the minimum requirements for running Tracee.
Getting Tracee-Rules:
Currently you need to build from source. cd tracee-rules && make will build the executable as well as all built-in signatures into the local dist directory.
Running with Tracee-eBPF:
sudo tracee-ebpf -o format:gob | tracee-rules --input-tracee file:stdin --input-tracee format:gob
This will:
- Start
tracee-ebpfwith the default tracing mode (see Tracee-eBPF's help for more info). - Configure Tracee-eBPF to output events into stdout as gob format, and add a terminating event to signal end of stream.
- Start
tracee-ruleswith all built-in rules enabled.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
benchmark
|
|
|
signatures
|
|
|
Package types includes the "API" of the rule-engine and includes public facing types that consumers of the rule engine should work with
|
Package types includes the "API" of the rule-engine and includes public facing types that consumers of the rule engine should work with |
Click to show internal directories.
Click to hide internal directories.