Real-time threat detection for Linux using eBPF and Rust.
rwatch is an eBPF-based threat detection tool written in Rust. It monitors Linux systems for suspicious or malicious behavior with minimal overhead.
- Ultra-low overhead with eBPF
- Written in Rust for safety & performance
- Real-time event-driven architecture
- Easy to extend with custom detection rules
| Capability | Hook | Description |
|---|---|---|
| Process Monitoring | sys_enter_execve tracepoint |
Captures all process executions with PID, UID, command, and filename |
| Chmod Detection | __x64_sys_chmod / fchmodat kprobe |
Detects chmod +x on files outside trusted system paths |
| Network Monitoring | tcp_connect kprobe |
Logs outbound TCP connections with destination IP, port, and process info |
| File Integrity Monitoring | sys_enter_openat tracepoint |
Alerts on access to sensitive files (/etc/shadow, /etc/passwd, SSH keys) |
- Dynamic Rule Engine — Define detection rules in YAML without recompiling
- SIEM-Ready Output — Structured JSON output for integration with Splunk, ELK, Datadog, etc.
- CLI Interface — Configurable via command-line arguments
- Systemd Support — Production-ready service file included
- Rust stable toolchain:
rustup toolchain install stable - Rust nightly toolchain:
rustup toolchain install nightly --component rust-src - bpf-linker:
cargo install bpf-linker(--no-default-featureson macOS)
cargo build --release# Text output (colored terminal)
cargo run --release --config 'target."cfg(all())".runner="sudo -E"'
# With custom rules and JSON output
sudo ./target/release/rwatch --config rules.yaml --output jsonUsage: rwatch [OPTIONS]
Options:
-c, --config <PATH> Path to rules configuration file [default: rules.yaml]
-o, --output <FORMAT> Output format: text, json [default: text]
-h, --help Print help
-V, --version Print version
Send real-time alerts to Slack, Discord, Microsoft Teams, or any HTTP endpoint.
sudo rwatch --webhook "https://hooks.slack.com/services/T.../B.../xxx"Add to rules.yaml:
alerting:
webhook_url: "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
min_severity: warningPayloads are Slack-compatible JSON:
{
"text": "🚨 *[CRITICAL]* Sensitive file access detected\nPID: 1234 | UID: 0 | Comm: cat\nFile: /etc/shadow"
}Detection rules are defined in YAML. Example rules.yaml:
rules:
- rule_type:
type: SuspiciousPathPrefix
value: "/tmp"
description: "Execution from /tmp is suspicious"
severity: warning
- rule_type:
type: SuspiciousCommand
value: "/usr/bin/nmap"
description: "Port scanning tool detected"
severity: criticalsudo cp target/release/rwatch /usr/local/bin/
sudo mkdir -p /etc/rwatch
sudo cp rwatch/rules.yaml /etc/rwatch/
sudo cp rwatch.service /etc/systemd/system/
sudo systemctl enable --now rwatch# Pipe to jq for real-time analysis
sudo rwatch --output json | jq .
# Forward to a log file
sudo rwatch --output json >> /var/log/rwatch.jsonCross compilation works on both Intel and Apple Silicon Macs.
CC=${ARCH}-linux-musl-gcc cargo build --package rwatch --release \
--target=${ARCH}-unknown-linux-musl \
--config=target.${ARCH}-unknown-linux-musl.linker=\"${ARCH}-linux-musl-gcc\"Additional macOS dependencies:
- LLVM:
brew install llvm - musl toolchain:
brew install filosottile/musl-cross/musl-cross - rustup target:
rustup target add ${ARCH}-unknown-linux-musl
- Event correlation and kill-chain detection
- Webhook / Slack alerting
- Log file rotation
- Container-aware detection (cgroup/namespace tracking)
- Event debouncing to reduce log noise
- DNS query monitoring
With the exception of eBPF code, rwatch is distributed under the terms of either the MIT license or the Apache License (version 2.0), at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
All eBPF code is distributed under either the terms of the GNU General Public License, Version 2 or the MIT license, at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project by you, as defined in the GPL-2 license, shall be dual licensed as above, without any additional terms or conditions.