Sandfly Security Documentation

Welcome to the Sandfly Security documentation hub. Sandfly is an agentless compromise and intrusion detection system for Linux.

Sandfly automates security investigation and forensic evidence collection on Linux. Sandfly constantly searches for intruders 24 hours a day on your network without needing to load any agents on your endpoints.

Custom Sandfly Operation

How to create custom Sandflies for Linux intrusion detection and incident response.

Custom Sandflies Operation

Custom sandflies are small JSON modules that are passed to the Sandfly agentless forensic engines to investigate remote systems.

Custom sandflies can be quickly created to leverage the file, directory, log, process, user and other incident response analysis that the full Sandfly system has to offer.

Basics of Custom Sandflies

Custom sandflies look like the JSON below. We'll go over what each section means.

{
  "description": "Sample custom sandfly data that searches for a file hash anywhere on the file system.",
  "format": "2.8",
  "max_timeout": 1800,
  "max_cpu_load": 3,
  "max_disk_load": 3,
  "name": "sandfly_file_custom_example",
  "options": {
    "engines": [
      "sandfly_engine_file"
    ],
    "file": {
      "search_paths_recurse": true,
      "search_paths": [
        "/"
      ],
      "search_paths_patterns": [
        ".*"
      ],
      "search_paths_patterns_ignore": [],
      "search_paths_individual": [],
      "hash": {
        "sha1": [
          "sha1_hash_here",
          "another_hash_here",
          "more_hashes_here"
        ]
      }
    },
    "response": {},
    "explanation": "The file '{file.path}' matches the SHA1 hash '{file.hash.sha1}'. It is owned by UID '{file.uid}' and was created on {file.date.created}."
  },
  "tags": [
    "file",
    "attack.id.T1234",
    "attack.tactic.tactic_name",
    "custom_tag_name"
  ],
  "type": "file",
  "version": "2020-10-19T09:04:26"
}

Custom Sandfly Header

The header of a custom Sandfly describes what it is to the system; it is used to organize the Sandfly in the database and display it in the UI. The header fields are:

name - Name of the Sandfly. Use only lower-case letters and underscores (_) in the value.
description - A short description of what the sandfly does which is shown in the UI listing.
version - Version format for the sandfly. Please use the default and don't alter this or the Sandfly will be rejected.
type - This is either file, directory, user, process, incident or recon. Any other value is rejected.
max_timeout - Maximum number of seconds this Sandfly can run before it is stopped by the system. Maximum timeout value allowed is 1800 seconds (30 minutes). The minimum allowed is 1 second.
max_cpu_load - The relative CPU load this sandfly may cause on the remote host. A value of 1 is the lowest and 3 the highest.
max_disk_load - The relative disk load this sandfly may cause on the remote host. A value of 1 is the lowest and 3 the highest.
options - The options to pass to the forensic engine. This will be discussed below.
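The following Python is an added example, not code from Sandfly Security, that ties the sample JSON above to the header rules just listed: it assembles a file-hash custom sandfly with the same layout as the sample and then checks the header against the documented constraints (lower-case/underscore name, allowed type values, the 1 to 1800 second timeout, load values of 1 to 3, and the unaltered version string) before the module is loaded. The function names, the 40-hex-digit SHA1 sanity check and the sample hashes are assumptions of this example; the sample hashes are constructed (the SHA1 of an empty input), not real indicators.

```python
import json
import re

# Header constraints as documented on this page.
ALLOWED_TYPES = {"file", "directory", "user", "process", "incident", "recon"}
NAME_RE = re.compile(r"^[a-z_]+$")        # lower-case letters and underscores only
MAX_TIMEOUT_SECONDS = 1800                # 30 minutes; minimum is 1 second
LOAD_RANGE = range(1, 4)                  # 1 (lowest) .. 3 (highest)
# Keep the version shown in the sample; the page says altering it gets the sandfly rejected.
DEFAULT_VERSION = "2020-10-19T09:04:26"
DEFAULT_FORMAT = "2.8"

# Assumption of this example, not a documented Sandfly rule: a SHA1 digest is 40 hex digits.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def build_file_hash_sandfly(name, description, sha1_hashes, tags=(), search_paths=("/",),
                            max_timeout=MAX_TIMEOUT_SECONDS, cpu_load=3, disk_load=3):
    """Assemble a file-hash custom sandfly with the same layout as the sample on this page."""
    hashes = sorted({h.lower() for h in sha1_hashes})   # normalise case, drop duplicates
    bad = [h for h in hashes if not SHA1_RE.match(h)]
    if bad:
        raise ValueError(f"not SHA1 hex digests: {bad}")
    return {
        "description": description,
        "format": DEFAULT_FORMAT,
        "max_timeout": max_timeout,
        "max_cpu_load": cpu_load,
        "max_disk_load": disk_load,
        "name": name,
        "options": {
            "engines": ["sandfly_engine_file"],
            "file": {
                "search_paths_recurse": True,
                "search_paths": list(search_paths),
                "search_paths_patterns": [".*"],
                "search_paths_patterns_ignore": [],
                "search_paths_individual": [],
                "hash": {"sha1": hashes},
            },
            "response": {},
            "explanation": "The file '{file.path}' matches the SHA1 hash '{file.hash.sha1}'. "
                           "It is owned by UID '{file.uid}' and was created on {file.date.created}.",
        },
        "tags": ["file", *tags],
        "type": "file",
        "version": DEFAULT_VERSION,
    }


def _is_plain_int(value):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_header(sandfly):
    """Return the list of header problems; an empty list means every documented check passed."""
    problems = []
    required = ("name", "description", "version", "type",
                "max_timeout", "max_cpu_load", "max_disk_load", "options")
    for field in required:
        if field not in sandfly:
            problems.append(f"missing field: {field}")
    if problems:
        return problems
    if not NAME_RE.match(str(sandfly["name"])):
        problems.append("name must use lower-case letters and underscores only")
    if sandfly["type"] not in ALLOWED_TYPES:
        problems.append(f"type {sandfly['type']!r} is not one of {sorted(ALLOWED_TYPES)}")
    if sandfly["version"] != DEFAULT_VERSION:
        problems.append("version altered; the system rejects non-default versions")
    timeout = sandfly["max_timeout"]
    if not _is_plain_int(timeout) or not 1 <= timeout <= MAX_TIMEOUT_SECONDS:
        problems.append(f"max_timeout must be an integer between 1 and {MAX_TIMEOUT_SECONDS}")
    for field in ("max_cpu_load", "max_disk_load"):
        if not _is_plain_int(sandfly[field]) or sandfly[field] not in LOAD_RANGE:
            problems.append(f"{field} must be 1, 2 or 3")
    if not isinstance(sandfly["options"], dict):
        problems.append("options must be a JSON object")
    return problems


def load_and_check(json_text):
    """Parse a custom sandfly from JSON text and return (sandfly, problems)."""
    sandfly = json.loads(json_text)
    return sandfly, validate_header(sandfly)


# Constructed sample hashes (SHA1 of empty input in both cases), not real indicators.
SAMPLE_HASHES = ["da39a3ee5e6b4b0d3255bfef95601890afd80709",
                 "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"]

if __name__ == "__main__":
    sf = build_file_hash_sandfly("sandfly_file_ioc_example", "Constructed example",
                                 SAMPLE_HASHES, tags=["custom_tag_name"])
    print(json.dumps(sf, indent=2))
    print("problems:", validate_header(sf))
```

Running the module prints the generated sandfly and an empty problem list; feeding it a hand-edited module with an altered version, a mixed-case name or a timeout above 1800 returns one message per violated rule, which is the check worth running before handing a custom sandfly to the system.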

Custom Sandfly Options

The options area of the custom sandfly is where the parameters for searching are passed to the agentless forensic engines. See the next section on how this works.
