This project is an educational endeavor and is not intended to be production ready. If you're interested in this type of tool, check out Pulsar.
A security-focused telemetry agent written in Rust using eBPF.
The goal of vesper is to provide transparency around what a host is doing, who it's talking to, and how it's communicating.
All events emitted by Vesper will contain at least 3 entries:
time: The time the agent processed the event, in ISO 8601 format.type: The type of event. See the types table below.event: The event details.
The event details will have at least one key that matches the event type.
| Type | Description |
|---|---|
DnsQuery |
A Domain Name System (DNS) query. |
DnsResponse |
A Domain Name System (DNS) response. |
TlsClientHello |
The Client Hello portion of a Transport Layer Security (TLS) handshake. |
TlsServerHello |
The Server Hello portion of a Transport Layer Security (TLS) handshake. |
TlsCertificate |
The Server Certificate portion of a Transport Layer Security (TLS) handshake (TLSv1.2 or lower only). |
Vesper can provide information about what DNS queries have been made from the host, who responded, and what that response was:
// DNS query made by the host
{
"time":"2022-09-19T14:41:27.127059667+00:00",
"type":"DnsQuery",
"event":{
"DnsQuery":{
"source": {"ip":"192.168.109.2","port":54329},
"destination":{"ip":"192.168.109.1","port":53},
"id":57975,
"questions":[
{"type":"A","name":"connectivity-check.ubuntu.com"}
]
}
}
}
// Subsequent response received by the host
{
"time":"2022-09-19T14:41:27.175101163+00:00",
"type":"DnsResponse",
"event":{
"DnsResponse":{
"source":{"ip":"192.168.109.1","port":53},
"destination":{"ip":"192.168.109.2","port":54329},
"id":57975,
"status":"NoError",
"authoritative":false,
"recursive":true,
"questions":[
{"type":"A","name":"connectivity-check.ubuntu.com"}
],
"answers":[
{"type":"A","name":"connectivity-check.ubuntu.com","value":"35.224.170.84"},
{"type":"A","name":"connectivity-check.ubuntu.com","value":"35.232.111.17"},
{"type":"A","name":"connectivity-check.ubuntu.com","value":"34.122.121.32"}
]
}
}
}Vesper monitors all TCP traffic to look for packet signatures that match TLS negotiations. It currently provides information for the TLS Client Hello and Server Hello events. If you have a specific compliance need for TLS and cipher usage (e.g., TLS 1.2+ only with FIPS 140-2 ciphers), Vesper can monitor and report on what's actually being used:
// TLS client hello made by the host
{
"time":"2022-09-19T14:41:24.894583531+00:00",
"type":"TlsClientHello",
"event":{
"TlsClientHello":{
"source":{"ip":"192.168.109.2","port":33182},
"destination":{"ip":"35.186.227.140","port":443},
"version":"TLSv1_2",
"ciphers":[
"TLS_AES_128_GCM_SHA256",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA"
],
"extensions":[
{ "ServerNameIndicator": ["foo.bar.com"] },
]
}
}
}
// TLS server hello made by the remote host
{
"time":"2022-09-19T14:41:24.896369601+00:00",
"type":"TlsServerHello",
"event":{
"TlsServerHello":{
"source":{"ip":"35.186.227.140","port":443},
"destination":{"ip":"192.168.109.2","port":33182},
"version":"TLSv1_2",
"cipher":"TLS_AES_128_GCM_SHA256"
}
}
}If the server is negotiation TLS with a version less than 1.3, Vesper will show the certificate information and remaining validity:
{
"time": "2022-10-23T16:41:40.356350846+00:00",
"type": "TlsCertificate",
"event": {
"TlsCertificate": {
"source": { "ip": "20.189.173.12", "port": 443 },
"destination": { "ip": "192.168.109.2", "port": 52560 },
"certificate_chain": [
{
"issuer": {
"country": "US",
"organization": "Microsoft Corporation",
"organizational_unit": "",
"common_name": "Microsoft Azure TLS Issuing CA 06"
},
"common_name": "*.events.data.microsoft.com",
"subject_alternative_names": [
"*.events.data.microsoft.com",
"events.data.microsoft.com",
"*.pipe.aria.microsoft.com",
"pipe.skype.com",
"*.pipe.skype.com",
"*.mobile.events.data.microsoft.com",
"mobile.events.data.microsoft.com",
"*.events.data.msn.com",
"events.data.msn.com",
"*.events.data.msn.cn",
"events.data.msn.cn",
"oca.microsoft.com",
"watson.microsoft.com",
"*.vortex.data.microsoft.com",
"vortex.data.microsoft.com"
],
"validity": {
"not_before": "Sep 8 21:29:54 2022 GMT",
"not_after": "Sep 3 21:29:54 2023 GMT",
"remaining": {
"days": 315,
"seconds": 17294
}
}
},
{
"issuer": {
"country": "US",
"organization": "DigiCert Inc",
"organizational_unit": "www.digicert.com",
"common_name": "DigiCert Global Root G2"
},
"common_name": "Microsoft Azure TLS Issuing CA 06",
"subject_alternative_names": [],
"validity": {
"not_before": "Jul 29 12:30:00 2020 GMT",
"not_after": "Jun 27 23:59:59 2024 GMT",
"remaining": {
"days": 613,
"seconds": 26299
}
}
}
]
}
}
}
- Simplicity: Focus the agent's features on getting and exposing the data. Don't add features that could be done better by another application (e.g., log offload to the cloud).
- Performance: Keep the packet data path as fast as possible.
- Telemetry
- Data flow statistics for TCP and UDP
- Protocol-specific diagnostic information (e.g., TCP retransmits)
- DNS query and response data
- TLS negotiation information
- Configuration
- Ignore traffic from specific sources/destinations (ideally by domain or CIDR)
- Attach to multiple network interfaces
- Pick and choose what data to collect
- Policies for higher-level logging (e.g., TLS version, ciphers)
- Rust (any version)
- LLVM 13, clang 13, pkg-config
- libssl-dev or openssl-dev
If you're on unbutu, you can install the required system libraries via:
apt install build-essential \
libclang-13-dev \
libclang-common-13-dev \
libelf-dev \
libssl-dev \
llvm-13 \
llvm-13-dev \
pkg-config- Clone the repository.
- Run
make installto install the cargo-bpf command line utility
Run make build to build both the probe and the agent binary, or make build-probes / make build-agent separately.
You can run the application with:
INTERFACE=<interface name, e.g., en0> make run