#!/usr/bin/env bpftrace
/* Runs once when the script attaches: record the start timestamp of the
 * first 1-second window. `nsecs` is a monotonic clock (nanoseconds since
 * boot), not wall-clock time, so consumers should not treat it as an epoch. */
BEGIN
{
@start = nsecs;
}
/* ---- Per-syscall counters (1-gram whitelist) ----
 * Each probe bumps one key of the @c map; only the syscalls listed here are
 * counted, everything else is ignored. The probes are system-wide (no pid or
 * comm filter), so bpftrace's own activity — presumably the write() that
 * emits each JSONL line and its poll()/futex() housekeeping — is included in
 * the counts; filter or subtract it if the stream feeds a detector.
 * NOTE(review): `++` on a bpftrace map is not an atomic increment, so updates
 * from different CPUs can occasionally be lost under load — treat the counts
 * as approximate rather than exact.
 * NOTE(review): bpftrace refuses to start if any listed tracepoint is absent
 * on the running kernel/arch (some architectures only expose ppoll/pselect6,
 * not poll/select); check with `bpftrace -l 'tracepoint:syscalls:sys_enter_*'`
 * before deploying. */
tracepoint:syscalls:sys_enter_read { @c["read"]++; }
tracepoint:syscalls:sys_enter_write { @c["write"]++; }
tracepoint:syscalls:sys_enter_openat { @c["openat"]++; }
tracepoint:syscalls:sys_enter_close { @c["close"]++; }
/* On many kernels the userland "fstat" is issued as newfstatat; it is
 * recorded under the "fstat" key so the output schema stays stable. */
tracepoint:syscalls:sys_enter_newfstatat { @c["fstat"]++; }
/* If your arch exposes the classic fstat syscall, add this as well
 * (both probes feed the same "fstat" key):
tracepoint:syscalls:sys_enter_fstat { @c["fstat"]++; }
*/
tracepoint:syscalls:sys_enter_mmap { @c["mmap"]++; }
tracepoint:syscalls:sys_enter_mprotect { @c["mprotect"]++; }
tracepoint:syscalls:sys_enter_munmap { @c["munmap"]++; }
tracepoint:syscalls:sys_enter_brk { @c["brk"]++; }
tracepoint:syscalls:sys_enter_rt_sigaction { @c["rt_sigaction"]++; }
tracepoint:syscalls:sys_enter_rt_sigprocmask { @c["rt_sigprocmask"]++; }
tracepoint:syscalls:sys_enter_ioctl { @c["ioctl"]++; }
tracepoint:syscalls:sys_enter_poll { @c["poll"]++; }
tracepoint:syscalls:sys_enter_select { @c["select"]++; }
tracepoint:syscalls:sys_enter_futex { @c["futex"]++; }
tracepoint:syscalls:sys_enter_nanosleep { @c["nanosleep"]++; }
tracepoint:syscalls:sys_enter_sched_yield { @c["sched_yield"]++; }
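/* ---- 1-second window: emit one JSONL line and reset the counters ----
 * Fires once per second, snapshots every counter of @c, prints a single JSON
 * object (one line per window), then clears @c and starts the next window.
 * Fix vs. the previous version: the next window now starts at `$end` instead
 * of a fresh `nsecs` read taken after printf(), so consecutive windows are
 * contiguous (window N's end == window N+1's start) and no syscalls fall into
 * a time gap that belongs to neither window. */
interval:s:1
{
    /* Read each counter exactly once so the per-syscall fields and
     * total_syscalls describe the same snapshot; re-reading @c[...] inside
     * printf() could observe newer increments. A key that saw no events in
     * this window reads as 0. */
    $end = nsecs;
    $read = @c["read"];
    $write = @c["write"];
    $openat = @c["openat"];
    $close = @c["close"];
    $fstat = @c["fstat"];
    $mmap = @c["mmap"];
    $mprotect = @c["mprotect"];
    $munmap = @c["munmap"];
    $brk = @c["brk"];
    $rt_sigaction = @c["rt_sigaction"];
    $rt_sigprocmask = @c["rt_sigprocmask"];
    $ioctl = @c["ioctl"];
    $poll = @c["poll"];
    $select = @c["select"];
    $futex = @c["futex"];
    $nanosleep = @c["nanosleep"];
    $sched_yield = @c["sched_yield"];
    $tot = $read + $write + $openat + $close + $fstat +
        $mmap + $mprotect + $munmap + $brk +
        $rt_sigaction + $rt_sigprocmask + $ioctl +
        $poll + $select + $futex + $nanosleep + $sched_yield;

    /* JSONL: one line per window. window_start_ns/window_end_ns are
     * monotonic nanoseconds since boot (same clock as BEGIN), not epoch time;
     * the uint64 casts keep every field unsigned to match the %llu format. */
    printf("{\"window_start_ns\":%llu,\"window_end_ns\":%llu,\"read\":%llu,\"write\":%llu,\"openat\":%llu,\"close\":%llu,\"fstat\":%llu,\"mmap\":%llu,\"mprotect\":%llu,\"munmap\":%llu,\"brk\":%llu,\"rt_sigaction\":%llu,\"rt_sigprocmask\":%llu,\"ioctl\":%llu,\"poll\":%llu,\"select\":%llu,\"futex\":%llu,\"nanosleep\":%llu,\"sched_yield\":%llu,\"total_syscalls\":%llu}\n",
        @start, $end, (uint64)$read, (uint64)$write, (uint64)$openat, (uint64)$close, (uint64)$fstat,
        (uint64)$mmap, (uint64)$mprotect, (uint64)$munmap, (uint64)$brk, (uint64)$rt_sigaction,
        (uint64)$rt_sigprocmask, (uint64)$ioctl, (uint64)$poll, (uint64)$select, (uint64)$futex,
        (uint64)$nanosleep, (uint64)$sched_yield, (uint64)$tot);

    /* Increments that land between the snapshot above and this clear() are
     * discarded (bpftrace has no atomic read-and-reset), so the stream is a
     * slight undercount on busy systems. Note also that the counters are
     * system-wide and therefore include bpftrace's own syscalls. */
    clear(@c);

    /* Contiguous windows: the next window begins where this one ended. */
    @start = $end;
}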
/* Runs when the script exits (Ctrl-C or timeout). bpftrace prints every
 * non-empty map on exit; clearing both maps here keeps that dump out of
 * stdout so the output stays valid JSONL. The last partial window is
 * dropped rather than emitted. */
END
{
clear(@c);
clear(@start);
}