Magpie
**Motivation** File system isolation breaking is a common attack surface for container escape, and it can be detected more easily with the path-quadruple. **WHAT'S the path-quadruple:** `fd.name` when a process accesses `/mnt/a/z/d`...
**Motivation** Some intrusion methods: - inserting a kernel module for persistence - making a device node on disk using `mknod` to gain a larger attack surface Examples in container escape: - container...
**Motivation** Intrusion detection in a container-based cloud-native environment may need observation of namespaces. In our practice of container escape detection, we face these demands: * detect namespace breaking through...
**Motivation** There are many attack tricks that overwrite sensitive files to gain control, such as `~/.ssh/authorized_keys`, `/etc/crontab`, `~/.bashrc`, etc. Sometimes, getting the content buffer written to files is helpful for threaten...
Listener-type in-memory webshell cannot be killed: ``` ```
We are writing a rule to detect a binary file deleting itself, as some malware does. The rule looks like: ``` - rule: SELF UNLINK desc: SELF UNLINK condition:...
The dependency com.example.springshell.utils.Util appears in several samples, but there seems to be no implementation of it in this repo.