Added eBPF networking plugins and events. (#3887)

artifacts/definitions/Linux/Events/DNS.yaml

@@ -0,0 +1,52 @@
+name: Linux.Events.DNS
+description: |
+  This artifact uses eBPF to track DNS requests from various processes.
+
+  NOTE: This event is generated from network traffic - it is unable to
+  view DoH traffic.
+
+type: CLIENT_EVENT
+
+precondition: |
+  SELECT OS From info() where OS = 'linux'
+
+parameters:
+  - name: ExcludeDestIP
+    description: Only show events with a different DestIP
+    type: regex
+    default: "Change this to your default DNS Server IP"
+  - name: Records
+    description: Only show events matching these DNS records
+    type: regex
+    default: .
+  - name: ProcessNameFilter
+    description: Filter Events by Process Name
+    type: regex
+    default: .
+  - name: IncludeDNSDetails
+    type: bool
+    description: If set we include more details like HTTP Headers
+  - name: IncludeProcessInfo
+    type: bool
+    description: If set we include more process information.
+
+sources:
+  - query: |
+      SELECT System.Timestamp AS Timestamp,
+             System.ProcessName AS ProcessName,
+             System.ProcessID AS Pid,
+             if(condition=IncludeProcessInfo,
+                then=process_tracker_get(id=System.ProcessID).Data) AS ProcessInfo,
+             EventData.src AS src_ip,
+             EventData.src_port AS src_port,
+             EventData.dst AS dest_ip,
+             EventData.dst_port AS dest_port,
+             EventData.proto_dns.questions.name AS name,
+             EventData.proto_dns.questions.type AS type,
+             EventData.proto_dns.answers.IP AS IP,
+             if(condition=IncludeDNSDetails,
+                then=EventData) AS _DNSData
+      FROM watch_ebpf(events="net_packet_dns")
+      WHERE NOT dest_ip =~ ExcludeDestIP
+        AND if(condition=Records, then=EventData.proto_dns =~ Records, else=TRUE)
+        AND ProcessName =~ ProcessNameFilter

artifacts/definitions/Linux/Events/EBPF.yaml

@@ -13,7 +13,6 @@ parameters:
     type: csv
     default: |
       Event,Desc,Enabled
-      accept4,A process accepted a connection from remote,Y
       bpf_attach,A bpf program is attached,Y
       chdir,Process changes directory,N
       fchownat,File ownership is changed,Y

artifacts/definitions/Linux/Events/HTTPConnections.yaml

@@ -0,0 +1,55 @@
+name: Linux.Events.HTTPConnections
+description: |
+  This artifact uses eBPF to track HTTP and parse connections from
+  various processes.
+
+  NOTE: This event is generated from network traffic - it is unable to
+  view TLS encrypted data.
+
+  If the process tracker is enabled we also show more information
+  about the process.
+
+type: CLIENT_EVENT
+
+precondition: |
+  SELECT OS From info() where OS = 'linux'
+
+parameters:
+  - name: HostFilter
+    description: Filter Events by Host header
+    type: regex
+    default: .
+  - name: URLFilter
+    description: Filter Events by URL
+    type: regex
+    default: .
+  - name: ProcessNameFilter
+    description: Filter Events by Process Name
+    type: regex
+    default: .
+  - name: IncludeHeaders
+    type: bool
+    description: If set we include more details like HTTP Headers
+  - name: IncludeProcessInfo
+    type: bool
+    description: If set we include more process information.
+
+sources:
+  - query: |
+      SELECT System.Timestamp AS Timestamp,
+             System.ProcessName AS ProcessName,
+             System.ProcessID AS Pid,
+             if(condition=IncludeProcessInfo,
+                then=process_tracker_get(id=System.ProcessID).Data) AS ProcessInfo,
+             EventData.metadata.src_ip AS src_ip,
+             EventData.metadata.src_port AS src_port,
+             EventData.metadata.dst_ip AS dest_ip,
+             EventData.metadata.dst_port AS dest_port,
+             EventData.http_request.host AS host,
+             EventData.http_request.uri_path AS uri_path,
+             if(condition=IncludeHeaders,
+                then=EventData.http_request) AS _HTTPRequest
+      FROM watch_ebpf(events="net_packet_http_request")
+      WHERE host =~ HostFilter
+        AND uri_path =~ URLFilter
+        AND ProcessName =~ ProcessNameFilter

artifacts/definitions/Linux/Events/TrackProcesses.yaml

@@ -1,6 +1,6 @@
 name: Linux.Events.TrackProcesses
 description: |
-  This artifact uses ebpfg and pslist to keep track of running
+  This artifact uses ebpf and pslist to keep track of running
   processes using the Velociraptor process tracker.
 
   The process tracker keeps track of exited processes, and resolves

artifacts/definitions/Windows/NTFS/MFT.yaml

@@ -122,7 +122,7 @@ sources:
             LastModified0x10, LastModified0x30,
             LastRecordChange0x10, LastRecordChange0x30,
             LastAccess0x10,LastAccess0x30,
-            HasADS, SI_Lt_FN, uSecZeros, Copied,
+            HasADS, SI_Lt_FN, USecZeros, Copied,
             FileNames, FileNameTypes
         FROM parse_mft_version(filename=MFTPath,
                        accessor=Accessor, prefix=Drive)
@@ -140,7 +140,7 @@ sources:
             LastModified0x10, LastModified0x30,
             LastRecordChange0x10, LastRecordChange0x30,
             LastAccess0x10,LastAccess0x30,
-            HasADS, SI_Lt_FN, uSecZeros, Copied,
+            HasADS, SI_Lt_FN, USecZeros, Copied,
             FileNames, FileNameTypes
         FROM parse_mft_version(filename=MFTPath,
                        accessor=Accessor, prefix=Drive)
@@ -163,7 +163,7 @@ sources:
             LastModified0x10, LastModified0x30,
             LastRecordChange0x10, LastRecordChange0x30,
             LastAccess0x10,LastAccess0x30,
-            HasADS, SI_Lt_FN, uSecZeros, Copied,
+            HasADS, SI_Lt_FN, USecZeros, Copied,
             FileNames, FileNameTypes
         FROM parse_mft_version(filename=MFTPath,
                        accessor=Accessor, prefix=Drive)
@@ -187,7 +187,7 @@ sources:
             LastModified0x10, LastModified0x30,
             LastRecordChange0x10, LastRecordChange0x30,
             LastAccess0x10,LastAccess0x30,
-            HasADS, SI_Lt_FN, uSecZeros, Copied,
+            HasADS, SI_Lt_FN, USecZeros, Copied,
             FileNames, FileNameTypes
         FROM parse_mft_version(filename=MFTPath,
                        accessor=Accessor, prefix=Drive)

artifacts/testdata/server/testcases/mft.out.yaml

@@ -21,7 +21,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
   "LastAccess0x30": "2022-03-18T04:15:18.5166156Z",
   "HasADS": false,
   "SI_Lt_FN": false,
-  "uSecZeros": false,
+  "USecZeros": false,
   "Copied": true,
   "FileNames": [
    "just_a_file.txt"
@@ -52,7 +52,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
   "LastAccess0x30": "2018-09-24T07:55:29.7664719Z",
   "HasADS": true,
   "SI_Lt_FN": false,
-  "uSecZeros": false,
+  "USecZeros": false,
   "Copied": false,
   "FileNames": [
    "Hello world text document.txt"
@@ -82,7 +82,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
   "LastAccess0x30": "2018-09-24T07:55:29.7664719Z",
   "HasADS": true,
   "SI_Lt_FN": false,
-  "uSecZeros": false,
+  "USecZeros": false,
   "Copied": false,
   "FileNames": [
    "Hello world text document.txt:goodbye.txt"
@@ -113,7 +113,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
   "LastAccess0x30": "2022-03-18T04:22:20.4341459Z",
   "HasADS": false,
   "SI_Lt_FN": false,
-  "uSecZeros": false,
+  "USecZeros": false,
   "Copied": false,
   "FileNames": [
    "another_file.txt"
@@ -143,7 +143,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
   "LastAccess0x30": "2022-03-18T04:15:18.5166156Z",
   "HasADS": false,
   "SI_Lt_FN": false,
-  "uSecZeros": false,
+  "USecZeros": false,
   "Copied": true,
   "FileNames": [
    "just_a_file.txt"
@@ -174,7 +174,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
   "LastAccess0x30": "2022-03-18T04:15:18.5166156Z",
   "HasADS": false,
   "SI_Lt_FN": false,
-  "uSecZeros": false,
+  "USecZeros": false,
   "Copied": true,
   "FileNames": [
    "just_a_file.txt"

artifacts/testdata/server/testcases/ntfs.out.yaml

@@ -24,7 +24,7 @@ LET NTFSInfoFromImage <= parse_ntfs( filename=srcDir+'/artifacts/testdata/files/
   "IsDir": false,
   "HasADS": true,
   "SI_Lt_FN": false,
-  "uSecZeros": false,
+  "USecZeros": false,
   "Copied": false,
   "SIFlags": "2080 (ARCHIVE,COMPRESSED)",
   "Created0x10": "2018-09-24T07:55:29.7664719Z",

artifacts/testdata/server/testcases/remapping.out.yaml

@@ -45,7 +45,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
   "IsDir": false,
   "HasADS": true,
   "SI_Lt_FN": false,
-  "uSecZeros": false,
+  "USecZeros": false,
   "Copied": false,
   "SIFlags": "2080 (ARCHIVE,COMPRESSED)",
   "Created0x10": "2018-09-24T07:55:29.7664719Z",
@@ -78,7 +78,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
   "IsDir": false,
   "HasADS": true,
   "SI_Lt_FN": false,
-  "uSecZeros": false,
+  "USecZeros": false,
   "Copied": false,
   "SIFlags": "2080 (ARCHIVE,COMPRESSED)",
   "Created0x10": "2018-09-24T07:55:29.7664719Z",

docs/wix/velociraptor_amd64.xml

@@ -3,7 +3,7 @@
 <?define PackageDescription="Velociraptor Service Installer" ?>
 <?define Manufacturer="Velocidex" ?>
 <?define Name="Velociraptor" ?>
-<?define Version="0.72.3" ?>
+<?define Version="0.73.3" ?>
 <?define BinaryName="Velociraptor.exe" ?>
 
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"

docs/wix/velociraptor_x86.xml

@@ -3,7 +3,7 @@
 <?define PackageDescription="Velociraptor Service Installer" ?>
 <?define Manufacturer="Velocidex" ?>
 <?define Name="Velociraptor" ?>
-<?define Version="0.72.3" ?>
+<?define Version="0.73.3" ?>
 <?define BinaryName="Velociraptor.exe" ?>
 
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
@@ -39,7 +39,7 @@
           <Component Id='Install' Guid='9f3cfed0-b89d-43d4-8fcf-242824e84fd8'>
             <CreateFolder>
               <Permission User="[WIX_ACCOUNT_USERS]" GenericRead="no" Read="no"
-                          ChangePermission="yes"/>
+                          ChangePermission="no"/>
               <Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"
                           ChangePermission="yes"/>
               <Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"
@@ -50,7 +50,7 @@
             <Component Id="Tools" Guid="97dc953a-8a2f-494f-9585-56ae526d0b48">
               <CreateFolder>
                 <Permission User="[WIX_ACCOUNT_USERS]" GenericRead="no" Read="no"
-                            ChangePermission="yes"/>
+                            ChangePermission="no"/>
                 <Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"
                             ChangePermission="yes"/>
                 <Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"

go.mod

@@ -77,7 +77,7 @@ require (
 	golang.org/x/mod v0.21.0
 	golang.org/x/net v0.30.0
 	golang.org/x/sys v0.26.0
-	golang.org/x/text v0.19.0
+	golang.org/x/text v0.20.0
 	golang.org/x/time v0.5.0
 	google.golang.org/api v0.169.0
 	google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect
@@ -90,12 +90,12 @@ require (
 	howett.net/plist v1.0.0
 	www.velocidex.com/golang/evtx v0.2.1-0.20240730174545-3e4ff3d96433
 	www.velocidex.com/golang/go-ese v0.2.1-0.20240919031214-2aa005106db2
-	www.velocidex.com/golang/go-ntfs v0.2.1-0.20240818145200-04736de821dc
+	www.velocidex.com/golang/go-ntfs v0.2.1-0.20241110090212-80bdce4262fa
 	www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3
 	www.velocidex.com/golang/go-prefetch v0.0.0-20240910051453-2385582c1c22
 	www.velocidex.com/golang/oleparse v0.0.0-20230217092320-383a0121aafe
 	www.velocidex.com/golang/regparser v0.0.0-20240404115756-2169ac0e3c09
-	www.velocidex.com/golang/vfilter v0.0.0-20241009150353-76c3a28b1767
+	www.velocidex.com/golang/vfilter v0.0.0-20241110073117-207766c3922f
 )
 
 require (
@@ -115,7 +115,7 @@ require (
 	github.com/Velocidex/grok v0.0.1
 	github.com/Velocidex/ordereddict v0.0.0-20230909174157-2aa49cc5d11d
 	github.com/Velocidex/sigma-go v0.0.0-20241025122940-1b771d3d57a9
-	github.com/Velocidex/tracee_velociraptor v0.0.0-20241108032058-fada576fc41e
+	github.com/Velocidex/tracee_velociraptor v0.0.0-20241110080019-ef8be33cb3b1
 	github.com/VirusTotal/gyp v0.9.0
 	github.com/alecthomas/kingpin/v2 v2.4.0
 	github.com/alitto/pond v1.8.3
@@ -169,7 +169,6 @@ require (
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b // indirect
 	github.com/andybalholm/cascadia v1.3.2 // indirect
-	github.com/aquasecurity/tracee/types v0.0.0-20241031161530-c8032d24da01 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
@@ -202,6 +201,7 @@ require (
 	github.com/golang/gddo v0.0.0-20210115222349-20d68f94ee1f // indirect
 	github.com/golang/glog v1.2.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/gopacket v1.1.19 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.2 // indirect
@@ -210,6 +210,7 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hillu/go-yara/v4 v4.3.2 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
@@ -248,7 +249,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
-	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sync v0.9.0 // indirect
 	golang.org/x/term v0.25.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect
 	kernel.org/pub/linux/libs/security/libcap/cap v1.2.71 // indirect