8000 GitHub - sgInnora/sharpeye: SharpEye: Advanced Linux Intrusion Detection and Threat Hunting System
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
8000

sgInnora/sharpeye

BranchesTags

Repository files navigation

SharpEye: Advanced Linux Intrusion Detection System

SharpEye logo

Advanced Linux Intrusion Detection and Threat Hunting System

高级Linux入侵检测与威胁狩猎系统

English | 中文

Overview

SharpEye is a comprehensive Linux intrusion detection and system security monitoring framework designed by innora.ai. It employs advanced analytics, machine learning, and behavior-based detection to identify and alert on suspicious activities, potential compromises, and security threats in real-time.

Key Features

Core Detection Capabilities

  • Advanced ML-Based Resource Analysis: Detect anomalies in CPU, memory, and disk usage patterns using machine learning and time series analysis
  • User Account Security: Identify unauthorized accounts, privilege escalations, and suspicious login patterns
  • Process Analysis: Detect malicious and suspicious processes with behavioral analysis
  • Network Connection Monitoring: Identify unusual network connections and data transfers
  • File System Integrity: Verify system file integrity and detect unauthorized changes with robust checksum validation
  • Log Analysis Engine: Correlate events across multiple log sources to detect sophisticated attack patterns
  • Scheduled Task Inspection: Identify malicious cron jobs and scheduled tasks
  • SSH Security: Monitor SSH configuration and detect unauthorized access attempts
  • Kernel Module Analysis: Detect malicious kernel modules, rootkits, and syscall table hooking
  • Library Inspection: Identify dynamic library hijacking attempts and detect malicious preloaded libraries
  • Privilege Escalation Detection: Find and alert on potential privilege escalation vectors including SUID binaries, capabilities, and dangerous sudo configurations

Enterprise Features (New)

  • Advanced Threat Detection: ML-based anomaly detection with pattern matching for APT, ransomware, and cryptominers
  • Behavior Monitoring: Real-time system behavior analysis with automatic baseline learning
  • Container Security: Docker and Kubernetes security scanning with vulnerability detection
  • Threat Intelligence Integration: MISP, AlienVault OTX, and Mandiant threat feed integration
  • Real-time Alerting: Multi-channel alerts via Email, Slack, Webhook, and Syslog
  • Web Dashboard: Real-time monitoring interface with WebSocket updates and responsive design
  • Attack Chain Analysis: Graph-based correlation to identify multi-stage attacks
  • ML-Based Cryptominer Detection: Identify unauthorized cryptocurrency mining with machine le 8000 arning

Installation

git clone https://github.com/sgInnora/sharpeye.git
cd sharpeye
sudo ./install.sh

Basic Usage

# Run a full system scan
sudo sharpeye --full-scan

# Run a specific module
sudo sharpeye --module network

# Establish baseline for future comparison
sudo sharpeye --establish-baseline

# Compare against baseline
sudo sharpeye --compare-baseline

# Start with web dashboard (new)
sudo sharpeye --full-scan --web

# Run behavior monitoring
sudo sharpeye --module behavior

# Run container security scan
sudo sharpeye --module container_security

Configuration

Configuration files are stored in /etc/sharpeye/ after installation. Edit config.yaml to customize scan parameters and detection thresholds.

Requirements

  • Linux-based operating system (Debian, Ubuntu, CentOS, RHEL, etc.)
  • Python 3.6+
  • Root privileges for comprehensive scanning

Current Status

As of May 2025, here is the current implementation status of SharpEye's core modules:

Module Status Test Coverage
File System Integrity ✅ Complete 95%
Kernel Module Analysis ✅ Complete 94%
Library Inspection ✅ Complete 95%
Privilege Escalation Detection ✅ Complete 94%
Log Analysis Engine ✅ Complete 93%
Cryptominer Detection ✅ Complete 95%
System Resources ✅ Complete 100%
User Accounts ✅ Complete 100%
Processes ✅ Complete 100%
Network ✅ Complete 95%
Scheduled Tasks ✅ Complete 95%
SSH ✅ Complete 100%
Rootkit Detection ✅ Complete 100%

The project is now fully implemented with all 13 modules completed and comprehensively tested. A fully functional CI/CD pipeline with GitHub Actions ensures code quality and test coverage for all modules. For detailed project status information, see Project Status.

🎉 Latest Updates (2025-05-29)

Major Enhancements

  1. Advanced Threat Detection Module (advanced_threat_detector.py)

    • Machine learning-based anomaly detection using Isolation Forest
    • Pattern-based threat detection for APT, ransomware, and cryptominers
    • Attack chain analysis with graph-based correlation
    • Risk scoring and automated recommendations

  2. Behavior Monitoring System (behavior_monitor.py)

    • Real-time process behavior monitoring
    • File system activity tracking with pyinotify
    • Network behavior analysis with beacon detection
    • User activity monitoring and anomaly detection
    • Automatic baseline learning and ML-based detection

  3. Container Security Module (container_security.py)

    • Docker container security scanning
    • Kubernetes pod security analysis
    • Vulnerability scanning with Trivy/Grype integration
    • Runtime anomaly detection for containers
    • Baseline comparison and drift detection

  4. Enterprise Features

    • Threat Intelligence Integration: MISP, AlienVault OTX, and Mandiant support
    • Real-time Alerting: Email, Slack, Webhook, and Syslog channels
    • Web Dashboard: Real-time monitoring with WebSocket updates
    • Enhanced ML Capabilities: Improved anomaly detection across all modules

Technical Improvements

  • Modular architecture with standardized interfaces
  • Comprehensive unit test coverage
  • Performance optimizations for large-scale deployments
  • Enhanced documentation in English and Chinese

For detailed information about the enhancements, see Deep Enhancement Summary.

Test Coverage

Latest Test Results: ✅ 106/106 tests passed | 📊 Coverage: 75%

  • Utils Module Coverage: 75% (2079 statements)
  • New Features Tested: All enterprise modules fully tested
  • Test Suites: 5 comprehensive test files
  • Quality Assurance: Extensive mocking and edge case coverage

For detailed coverage information, see Test Coverage Report.

Documentation

For more detailed information, see:

📋 Core Documentation

🔬 Technical Documentation

🚀 Enhancement Documentation

🔧 DevOps Documentation

Contributing

Contributions are welcome! Please see our Contributing Guide for more details.

About innora.ai

innora.ai specializes in developing advanced security solutions for modern computing environments. Our team combines expertise in malware analysis, threat intelligence, and machine learning to create cutting-edge security tools that help organizations protect their critical infrastructure.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

  • The innora.ai research team
  • All contributors and security researchers who have helped improve this project
  • Open source security tools that have inspired this project

About

SharpEye: Advanced Linux Intrusion Detection and Threat Hunting System

Topics

python linux security machine-learning monitoring cybersecurity intrusion-detection threat-hunting rootkit-detection cryptominer-detection

Resources

Readme

License

MIT license
Activity

Stars

138 stars

Watch 3F88 ers

3 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages
0