LulzSecToolkit/BPFBlue_V2.1
BPFBlue V2.1 Passive Security Monitoring Tool

Overview

BPFBlue is a powerful passive security monitoring tool built using eBPF (Extended Berkeley Packet Filter) and bpftrace. It allows users to monitor various system calls and network events on a Linux system, enabling security professionals to gain insights into system activities, detect malicious behaviors, and analyze performance.

Features

  • Trace execution of programs using execve.
  • Monitor network activity, including socket events and traffic.
  • Sniff network packets with tcpdump.
  • Trace open syscalls and process creation (clone).
  • Monitor specific ports for potential malicious activity.
  • Easy-to-use menu-driven interface with colorful output.

Updates

Version 2.1

  • New Features:
    • Added option to monitor specific network ports.
    • Improved user interface with styled menus and logos.
    • Enhanced command structure for better readability and maintainability.
  • Bug Fixes:
    • Resolved unexpected EOF errors.
    • Fixed variable scope issues in the command execution section.

Requirements

sudo, bpftrace and tcpdump

sudo apt install sudo bpftrace tcpdump

Install & Usage:

Warning: the program uses sudo.

git clone https://github.com/LulzSecToolkit/BPFBlue.git
cd BPFBlue
sudo cp BPFBlue_2.1.sh /usr/bin/bpfblue
sudo chmod +x /usr/bin/bpfblue
bpfblue [probe]

Prerequisites

  • Ensure you have bpftrace and tcpdump installed on your Linux system. bpftrace attaches kernel probes, so the script must run with sudo (root privileges).

Running the Script

  1. Make the script executable:
    chmod +x BPFBlue_V2.1.sh
  2. Run the script:
    sudo ./BPFBlue_V2.1.sh
  3. Follow the prompts to select the desired monitoring option from the menu. Each option corresponds to a specific probe for monitoring system calls or network activity.

Menu Options

Upon running the script, you'll be presented with the following options:

Welcome to BPFBlue Passive Security Monitoring Tool
Please select an option:
1. Execve Trace
2. Network Trace
3. Network Sniffing
4. Open Syscall Trace
5. Clone Syscall Trace
6. Socket Syscall Trace
7. Bind Syscall Trace
8. Listen Syscall Trace
9. Connect Syscall Trace
10. Event Trace
11. Monitor Specific Port
12. Exit
  • Select an option by entering the corresponding number.
  • If you choose to monitor a specific port, you will be prompted to enter the port number.
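The "Monitor Specific Port" option takes a port number from the user and builds a probe around it. The following is an added example, not the BPFBlue script's own code: a POSIX shell function pair that validates the entered port (only an integer in 1..65535 is ever spliced into the probe text) and emits a bpftrace program reporting connect() and bind() calls on that IPv4 port. It assumes a bpftrace with BTF support so that `struct sockaddr_in` resolves without extra headers; the byte swap is needed because `sin_port` is stored in network byte order.

```shell
#!/bin/sh
# Added example (not from the BPFBlue project): validate a user-supplied port,
# then generate a bpftrace program that watches connect()/bind() for that port.

# validate_port PORT -> 0 if PORT is an integer in 1..65535, 1 otherwise.
# Anything else (empty string, letters, "80; id") is rejected before it can
# reach the probe text below.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_probe_program PORT -> prints the bpftrace program text.
# sin_family 2 is AF_INET. sin_port is big-endian, so the two bytes are
# swapped by hand (assumption: BTF is available, so no #include is needed).
port_probe_program() {
    port="$1"
    cat <<EOF
tracepoint:syscalls:sys_enter_connect
{
    \$sa = (struct sockaddr_in *)args->uservaddr;
    \$p = (\$sa->sin_port >> 8) | ((\$sa->sin_port & 0xff) << 8);
    if (\$sa->sin_family == 2 && \$p == $port) {
        printf("connect: port %d comm=%s pid=%d dst=%s\n",
               \$p, comm, pid, ntop(\$sa->sin_addr.s_addr));
    }
}
tracepoint:syscalls:sys_enter_bind
{
    \$sa = (struct sockaddr_in *)args->umyaddr;
    \$p = (\$sa->sin_port >> 8) | ((\$sa->sin_port & 0xff) << 8);
    if (\$sa->sin_family == 2 && \$p == $port) {
        printf("bind: port %d comm=%s pid=%d addr=%s\n",
               \$p, comm, pid, ntop(\$sa->sin_addr.s_addr));
    }
}
EOF
}

# run_port_probe PORT -> refuses invalid input, otherwise runs the probe
# under sudo (bpftrace needs root to attach tracepoints).
run_port_probe() {
    if ! validate_port "$1"; then
        echo "invalid port: '$1' (expected an integer 1-65535)" >&2
        return 1
    fi
    sudo bpftrace -e "$(port_probe_program "$1")"
}

# Usage: ./port_probe.sh 443
if [ $# -gt 0 ]; then
    run_port_probe "$1"
fi
```

The validation step is the part worth copying into any menu-driven wrapper: the port string is interpolated into a program handed to a root process, so it must be a plain integer before it gets there.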

Example Output

When executing a probe, the output will display information about the traced events. For instance, monitoring the execve syscall may produce output like this:

Execve syscall traced: Command - bash, Filename - /bin/bash, PID - 1234
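As an added example (not the BPFBlue script itself), here is the bpftrace probe that produces exactly the line format shown above, with an optional filter on the calling process name, plus a small summarizer that turns a captured log in that format into per-command counts, which is how a defender would spot an unusual parent/child pair (for example a service account spawning a shell). The sample log lines in the block are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the BPFBlue project): execve probe matching the
# documented output line, and a summarizer for logs in that format.

# execve_probe_program [COMM] -> prints the bpftrace program. With COMM given,
# only execve calls made by processes with that name are reported. Note that
# comm at sys_enter_execve is the caller's name, not the new image, which is
# why "bash" executing /bin/bash appears as "Command - bash".
execve_probe_program() {
    filter=""
    if [ -n "$1" ]; then
        # Only a plain process name may be spliced into the predicate.
        case "$1" in
            *[!A-Za-z0-9_.-]*) echo "invalid comm filter: $1" >&2; return 1 ;;
        esac
        filter="/comm == \"$1\"/"
    fi
    cat <<EOF
tracepoint:syscalls:sys_enter_execve $filter
{
    printf("Execve syscall traced: Command - %s, Filename - %s, PID - %d\n",
           comm, str(args->filename), pid);
}
EOF
}

# run_execve_probe [COMM] -> runs the probe under sudo (root is required).
run_execve_probe() {
    prog=$(execve_probe_program "$1") || return 1
    sudo bpftrace -e "$prog"
}

# summarize_execve_log: reads probe output on stdin and prints
# "<count> <comm> -> <filename>" lines, most frequent first.
summarize_execve_log() {
    awk -F', ' '
        /^Execve syscall traced:/ {
            sub(/^Execve syscall traced: Command - /, "", $1)
            sub(/^Filename - /, "", $2)
            key = $1 " -> " $2
            n[key]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# sample_execve_log: constructed sample lines in the documented format.
sample_execve_log() {
    cat <<'EOF'
Execve syscall traced: Command - bash, Filename - /bin/bash, PID - 1234
Execve syscall traced: Command - bash, Filename - /usr/bin/ls, PID - 1235
Execve syscall traced: Command - bash, Filename - /bin/bash, PID - 1236
Execve syscall traced: Command - sshd, Filename - /bin/bash, PID - 1237
EOF
}

# Offline demonstration on the constructed sample (no bpftrace needed):
sample_execve_log | summarize_execve_log
```

To capture a real log for the summarizer, redirect the probe's output to a file (`run_execve_probe > execve.log`) and feed that file to `summarize_execve_log`; the constructed sample only shows the shape of the result.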

License

This program is licensed under the GNU General Public License v3.0. See the LICENSE file for details.

Author

Created by @shadowpgp and @Lulz1337 (https://t.me/Lulz1337).

Key Sections:

  • Overview: A brief introduction to the tool.
  • Features: Highlighting the capabilities of the tool.
  • Updates: A changelog showing new features and bug fixes for version 2.1.
  • Usage: Detailed instructions on how to run the script and what to expect.
  • Menu Options: A description of the choices available in the menu.
  • Example Output: Illustrative examples of the output generated by the script.
  • License: Information regarding the licensing of the tool.
  • Author: Credits to the creators of the tool.

This README.md should serve as a comprehensive guide for users of the BPFBlue V2.1 tool, providing clarity on its usage and updates.
