Hades - eBPF based HIDS
May 24, 2026 · View on GitHub
Hades - eBPF based HIDS
English | 中文
Hades is a Host-based Intrusion Detection System based on eBPF and netlink(cn_proc). Now it's still under development. PRs and issues are welcome!
Declaration: This project is based on Tracee and Elkeid. Thanks for these awesome open-source projects.
Overview
This is a demo backend for now, still under dev
Architecture
Agent part is mainly based on Elkeid version 1.7.
Agent Part
Data Analysis
Plugins
Capability
EDriver
Here are 21 hooks over
tracepoints/kprobes/uprobes. The fields are extended just like Elkeid(basically).
For details of these hooks.
eBPF driver hook details
| Hook | Status & Description | ID |
|---|---|---|
| tracepoint/syscalls/sys_enter_execve | ON | 700 |
| tracepoint/syscalls/sys_enter_execveat | ON | 698 |
| tracepoint/syscalls/sys_enter_memfd_create | ON | 614 |
| tracepoint/syscalls/sys_enter_prctl | ON(PR_SET_NAME & PR_SET_MM) | 1020 |
| tracepoint/syscalls/sys_enter_ptrace | ON(PTRACE_PEEKTEXT & PTRACE_POKEDATA) | 1021 |
| kprobe/security_socket_connect | ON | 1022 |
| kprobe/security_socket_bind | ON | 1024 |
| kprobe/commit_creds | ON | 1011 |
| k(ret)probe/udp_recvmsg | ON(53/5353 for dns data) | 1025 |
| kprobe/do_init_module | ON | 1026 |
| kprobe/security_kernel_read_file | ON | 1027 |
| kprobe/security_inode_create | ON | 1028 |
| kprobe/security_sb_mount | ON | 1029 |
| kprobe/call_usermodehelper | ON | 1030 |
| kprobe/security_inode_rename | ON | 1031 |
| kprobe/security_inode_link | ON | 1032 |
| uprobe/trigger_sct_scan | ON | 1200 |
| uprobe/trigger_idt_scan | ON | 1201 |
| kprobe/security_file_permission | ON | 1202 |
| uprobe/trigger_module_scan | ON | 1203 |
| kprobe/security_bpf | ON | 1204 |
Collector
S stands for sync(real-time), P stands for periodicity, C stands for configuration-based
collector event details
| Event | Type | ID |
|---|---|---|
| processes | P | 1001 |
| crontab | P | 2001 |
| sshdconfig | P | 3002 |
| ssh login | S | 3003 |
| user | P | 3004 |
| sshconfig | P | 3005 |
| yum | P | 3006 |
| host detect | C | 3007 |
| apps | P | 3008 |
| kmod | P | 3009 |
| disk | P | 3010 |
| systemd | P | 3011 |
| interface | P | 3012 |
| iptable | P | 3013 |
| bpf_program | P | 3014 |
| jar | P | 3015 |
| dpkg | P | 3016 |
| rpm | P | 3017 |
| container | P | 3018 |
| socket | P | 5001 |
NCP
Netlink CN_PROC
Contact
Input Hades to get the QR code
404Starlink
Hades has joined 404Starlink