bgenev / impulse-xdr

Fully automated host & network intrusion detection platform. Detects malware from behavioural patterns rather than signatures and enables deeper visibility than legacy tools.

Home Page: https://impulse-xdr.com/

License: Other

Languages: PowerShell 0.06%, Shell 0.71%, Python 96.57%, C 0.38%, JavaScript 0.07%, CSS 0.03%, Dockerfile 0.01%, HTML 0.01%, Batchfile 0.01%, C++ 1.37%, M4 0.79%
Topics: cybersecurity, devops, security-tools, visibility, vpc, vpc-endpoints, vps, osquery, server-security, suricata, cloud, monitoring, security, siem, xdr

Introduction

Welcome to Impulse XDR!

🌟 Deep Security Visibility & Protection

Impulse is a fully automated host & network intrusion detection platform with real-time threat detection sensors, storage and visualisation. It detects malware from behavioural patterns rather than signatures and enables deeper visibility than legacy tools. It can be deployed on any device or VM running Linux, such as cloud VMs in VPC networks, VPS servers, personal workstations and IoT devices.

Impulse is organised around a self-hosted, manager-sensor architecture that provides traditional SIEM capabilities like centralized log storage, indexing and normalization, plus automated log correlation and real-time threat detection via its open-source EDR/NDR sensors. It can be used as a complete security management solution or as an additional layer of security that simply forwards detections, EDR and NDR logs to your existing security stack.

(screenshot: instance_with_detection)

What makes it better at threat detection?

Instead of looking for specific malware signatures, it tracks indicators of compromise via their on-disk forensic artefacts. Malware comes in all shapes and forms, but its output is always the same: connections to C&C servers, modified files, new processes, modified services/background tasks, authentications, etc. Impulse assigns a different weight to each IOC group (implemented with osquery) depending on its level of significance and continuously monitors for new events. It then aggregates bursts of events that indicate anomalous activity into detections.

This approach provides a much deeper visibility and allows detections of unknown threats from behavioural activity patterns rather than constantly updated signatures. Users get a full historical chain of events with everything important that has ever happened on the system and a filtered dashboard with high-severity detections.
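As an added illustration of the weighted-IOC aggregation described above (this is not code from the Impulse XDR project): every event goes into an IOC history regardless of outcome, each IOC group carries a weight, and when the summed weight inside a sliding per-host time window crosses a threshold the burst is collapsed into one detection. The group names, weights, window length, threshold and sample telemetry are all assumptions chosen for the example.

```python
"""Minimal weighted-IOC detection engine (added example, not Impulse code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

# Assumed significance of each IOC group (higher = more suspicious on its own).
WEIGHTS = {
    "process": 1,
    "connection": 2,
    "file": 1,
    "service": 3,
    "authentication": 2,
    "kernel_module": 5,
    "offensive_tool": 5,
}

WINDOW_SECONDS = 60   # assumed: events this close together form one burst
THRESHOLD = 8         # assumed: summed weight needed to raise a detection


@dataclass
class Event:
    ts: int          # seconds since epoch
    host: str
    group: str       # key into WEIGHTS
    detail: str


@dataclass
class Detection:
    host: str
    start: int
    end: int
    score: int
    events: List[Event] = field(default_factory=list)


class DetectionEngine:
    def __init__(self, weights=WEIGHTS, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.weights = weights
        self.window = window
        self.threshold = threshold
        self.history: List[Event] = []            # every event, detection or not
        self._open: Dict[str, Deque[Event]] = {}  # per-host events inside the window
        self.detections: List[Detection] = []

    def ingest(self, ev: Event) -> Optional[Detection]:
        """Record the event; return a Detection if it completes a burst."""
        self.history.append(ev)
        buf = self._open.setdefault(ev.host, deque())
        buf.append(ev)
        # Drop events that have fallen out of the sliding window.
        while buf and ev.ts - buf[0].ts > self.window:
            buf.popleft()
        score = sum(self.weights.get(e.group, 0) for e in buf)
        if score < self.threshold:
            return None
        det = Detection(ev.host, buf[0].ts, ev.ts, score, list(buf))
        self.detections.append(det)
        buf.clear()   # the burst is consumed; a new one must build from scratch
        return det


def run_sample() -> DetectionEngine:
    """Constructed telemetry: routine package activity on web-1, then a burst on
    db-2 (new binary, new unit file, service enabled, outbound connections)."""
    engine = DetectionEngine()
    sample = [
        Event(1000, "web-1", "file", "/var/lib/dpkg/status modified"),
        Event(1005, "web-1", "process", "apt-get started"),
        Event(2000, "db-2", "process", "/tmp/.x started by www-data"),
        Event(2003, "db-2", "file", "/etc/systemd/system/x.service created"),
        Event(2004, "db-2", "service", "x.service enabled"),
        Event(2010, "db-2", "connection", "outbound 203.0.113.7:4444"),
        Event(2011, "db-2", "connection", "outbound 203.0.113.7:4444"),
    ]
    for ev in sample:
        engine.ingest(ev)
    return engine


if __name__ == "__main__":
    eng = run_sample()
    print(f"{len(eng.history)} events in history, {len(eng.detections)} detection(s)")
    for d in eng.detections:
        print(f"{d.host}: score {d.score} over {d.end - d.start}s, {len(d.events)} events")
```

The web-1 events score 2 and stay in the history only; the db-2 burst reaches 9 on the second connection and is emitted as one detection covering all five events, which is the "filtered dashboard plus full history" split the README describes.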

Components

(diagram: edr_diagram_v5)

Host Sensor (EDR)

Tracks every important variable that could be an indicator of compromise and filters noise at the edge. The core version detects:

  • Processes & Background Tasks
  • Authentications & SSH Activity
  • Connections & Socket Events
  • Shell History & Root Commands
  • Ports & Interfaces
  • Services & Crons
  • Files & Permissions
  • Users & Groups
  • Deb/RPM/Python Packages
  • Kernel Modules
  • Offensive Tools

Network Sensor (NDR)

Network monitoring & intrusion detection with a turnkey Suricata solution, optimised for performance and ease of use. It is completely decoupled from the rest of the setup and can be installed on a host or VM with its own CPU/RAM and NIC:

  • Detects Malicious Traffic & Generates Alerts
  • Enriches logs with IP threat intelligence
  • Shows Signature Payloads & Packet Flows
  • Maps Attacker Geolocation
  • Creates & distributes custom rulesets
  • Automatically blocks attackers via distributed nftables-based fleet firewall
  • Extracts Files from Flows
  • Tracks DNS, HTTP and DHCP requests

Threat Detection Engine

The Threat Detection Engine correlates signals from the host and network sensors and aggregates them into detections.

πŸš΄β€β™‚οΈ Main Features

  • Security Analytics: Ingests telemetry data from its fleet of monitoring sensors and provides security analytics & insights.
  • Indicators of Compromise: Built-in core indicators of compromise track security events on hosts and alert you in case of anomalous activity. Even if certain events don't generate a detection, they are still added to an "IOCs History" database which provides integrity monitoring for every aspect of your environment: files, processes, connections, ports, users, authentications, installed packages, kernel modules, etc. Every variable that could be an indicator of compromise is tracked and analysed.
  • Network Visibility & IDS: Monitors network flows, detects intrusion attempts and automatically blocks offenders with active response.
  • File Integrity Monitoring: Tracks changes on the filesystem tree and notifies you about file or permission modifications.
  • Security Policies: Monitors system configuration settings to ensure compliance with preset core security policies.
  • Active Response: Automatically blocks suspicious IPs, stops processes, closes ports and quarantines files.
  • Fleet Firewall: Blocks offenders across the whole fleet.
  • Threat Intel: Integrates with high-quality threat intelligence providers to enrich your context data.
  • Vulnerability Scanning: Discovers installed packages and associated CVEs.
  • Self-Hosted & Open-Core: Data never leaves your servers.

πŸ› οΈ Use Cases

  1. Cloud VMs in VPC. Works with any cloud provider including AWS, DigitalOcean, Azure, GCP, Alibaba, etc.

  2. VPS server. Either deploy in standalone mode or deploy the manager on one VPS and then place a sensor on the target VPS.

  3. Cluster of VPS servers. If you have multiple VPS servers spread across various providers, simply choose one of them as the manager and place light/heavy sensors on the rest.

  4. Website host. Install in standalone mode to lock down your host and reduce load by blocking port scanners.

  5. Monitor personal workstation. The Impulse EDR provides real-time threat-detection & integrity monitoring for personal computers. A hardened Linux Desktop such as Debian with Impulse EDR monitoring is one of the most secure configurations that you can get.

  6. IOT device, Raspberry Pi or similar. Light sensors can be installed on any Linux device that provides ssh access.

  7. Install on a local VM and learn cybersecurity/sysadmin. The level of visibility provided by Impulse means that you can use it to learn and play around with Linux environments. Deploy on a localhost VM, then modify system settings or try to attack the VM and observe what changes in the “IOCs History” dashboard.

📘 How to get started and documentation

Set up deep security visibility and protection for your infrastructure in two steps:

  1. Install the self-hosted security events manager on one of your existing machines (this could be any VM, VPS, laptop or Raspberry Pi with a 1-core CPU and 1.5 GB RAM). It runs on all major Linux distributions and requires close to zero configuration.

  2. Deploy a light or heavy sensor on each endpoint, depending on the features and level of visibility that you need. That's it. Security telemetry and analytics start flowing to your screen!

Setup & Documentation

How does it compare with other security monitoring tools?

| Feature | Other Tools | Impulse XDR |
| --- | --- | --- |
| Able to detect known and unknown malware from system behaviour | No | Yes |
| Visibility level | Tell you only when something really, really bad happens. | Full historical chain of events for every potential indicator of compromise. |
| Traditional SIEM features with centralized log storage, indexing and normalization | Some | Yes |
| Light, open-source sensors with host and network intrusion detection baked in | No | Yes |
| File Integrity Monitoring | Some | Yes |
| Secure Configuration Management | Basic | Yes |
| Can work on as little as 1.5 GB RAM, 1-core CPU | No way | Yes |
| Purpose-built interface for presenting security information in digestible form | No | Yes |
| Flexible installation on any Linux OS instance with Docker containers and systemd services | Some | Yes |
| Create and distribute custom monitoring policies | Some | Yes |
| Active response with fleet firewall, asset isolation and remote script execution | No | Yes |
| Easy self-host installation | No | Yes |
| Future proof, built with best-in-class components: Postgres, gRPC, Rsyslog, Osquery, Suricata | No | Yes |
| Pricing | Bill shock | Free version and affordable premium |

Demo

Fleet firewall (screenshot: fleet_firewall2)

Fleet (screenshot: fleet_overview)

Detections (screenshot: detections_v1)

Network IDS (screenshot: nids_alerts_v1)

Secure Configuration (screenshot: sca_v1)

Live Query (screenshot: distrib_query_v1)


Issues

Impulse-managerd docker error

Hi,

While going through the impulse-managerd image logs I found an error.
The error occurs when I try to refresh the analytics page data via the "Refresh" button.

Example of Error Page

Generated log on "Refresh" button press

After a few moments of investigation I found out that there is a problem with the Suricata container.
Error log below.

Installation fails on a fresh Debian 12 - pip3

On line 25 of file install_modules/shared/impulse_deps.sh there is the following command for ubuntu, debian and linuxmint:

pip3 install --upgrade pip setuptools

This does not work on Debian 12 with default python 3.11.2

I get the following error:

error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
    python3-xyz, where xyz is the package you are trying to
    install.

    If you wish to install a non-Debian-packaged Python package,
    create a virtual environment using python3 -m venv path/to/venv.
    Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
    sure you have python3-full installed.

    If you wish to install a non-Debian packaged Python application,
    it may be easiest to use pipx install xyz, which will manage a
    virtual environment for you. Make sure you have pipx installed.

    See /usr/share/doc/python3.11/README.venv for more information.

note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
hint: See PEP 668 for the detailed specification.

The best way to correct that is to (in order of preference):

  • use Python system packages, but it's complicated for your script as you don't control APT sources, already installed packages, whether the pip packages you need are available as system packages ... so better to go with the second point, pipx
  • use pipx instead of pip, as it will manage the creation of the venv
  • use pip3 but do the venv creation yourself

As I don't know in how many files you're using pip3 (at least in install_modules/manager/impulse_aux.sh and in install_modules/shared/pip_venv.sh), I got away with the command:

mv /usr/lib/python3.11/EXTERNALLY-MANAGED /usr/lib/python3.11/EXTERNALLY-MANAGED.old

However this is obviously not the best way to do it.
Don't do this on a production system relying on python packages!

installation fails on a fresh ubuntu 22.04

I tested the installer script install_manager.sh on a fresh Ubuntu 22.04 server, but the installation fails. At the end I see the message "curl: (52) Empty reply from server" and the credential file is not created. I can open the URL https://<MANAGER_IP>:7001/ but cannot log in because I have no credentials.

any idea what is missing?

the os:

lsb_release -a

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.4 LTS
Release:	22.04
Codename:	jammy

my network settings:

> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:8c:c5:ec brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.1.209/24 metric 100 brd 192.168.1.255 scope global dynamic ens33
       valid_lft 37sec preferred_lft 37sec

the config file:

###############################################
###Impulse XDR Manager configuration file ###
###############################################

##
## THERE SHOULD BE NO EMPTY SPACE BETWEEN KEY AND VALUE
## AND NO QUOTES AROUND VALUES
##

[Env]
# IP of the Impulse Manager instance.
IP_MANAGER=192.168.1.209

## IP of server used for ssh port-forwarding of the local manager instance
# MANAGER_PROXY_IP=

## Only used in proxy setup
# MANAGER_VM_INSTANCE_PUBLIC_IP=

## Desired password for the master Impulse database;
IMPULSE_DB_SERVER_PWD=mysecretpass1

## Specify the network interface that NIDS engine will listen on, e.g. eth0 (ref. docs)
HOST_INTERFACE=ens33

## Setup Type: manager, agent
SETUP_TYPE=manager

## Setup Type: heavy, light
AGENT_TYPE=heavy

## NIDS Caps Enabled
NIDS_ENABLED=true
NIDS_MODE=IDS
IPS_SETUP=auto
IPS_MODE_PORTS=80

AGENT_SECRET_KEY=poiuymni123

the message at the end:

Post-Installation Setup...
HTTP/1.1 200 OK
Server: gunicorn
Date: Wed, 21 Feb 2024 17:57:05 GMT
Connection: close
Content-Type: application/json
Content-Length: 66
Access-Control-Allow-Origin: *

{
  "msg": "Manager registered successfully!",
  "status": 200
}
HTTP/1.1 200 OK
Server: gunicorn
Date: Wed, 21 Feb 2024 17:57:05 GMT
Connection: close
Content-Type: application/json
Content-Length: 45
Access-Control-Allow-Origin: *

{
  "msg": "Db changed!",
  "status": 200
}
curl: (52) Empty reply from server

Unquoted service path in Windows sensors

Windows sensors will install a new service called impulse-agentd.

This service is executing the nssm.exe binary. However, the service does not quote the service path. This may lead to a Windows privilege escalation if an attacker would be able to create a malicious file located at C:\Program.exe. This is usually not possible by a low privileged user account.

Nonetheless, I recommend quoting the service path for security best practices.

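To check your own fleet for the condition this issue describes, here is an added example that is not part of the issue or of the Impulse project. check_service_path() is a hypothetical helper that decides whether a service command line needs quoting and returns the quoted form; list_unquoted_services() reads the real ImagePath values from the Windows service registry keys and therefore only does anything on Windows. The service name impulse-agentd comes from the issue; the sample paths are constructed.

```python
"""Audit Windows service ImagePath values for unquoted paths containing spaces
(added example; not code from the Impulse XDR project)."""
import re
import sys
from typing import Dict, Optional

# An unquoted ImagePath with a space before the executable name is ambiguous:
# the Service Control Manager tries each space-delimited prefix as a program.
_EXE_RE = re.compile(r"^(?P<exe>.*?\.exe)(?P<args>\s.*)?$", re.IGNORECASE)


def check_service_path(image_path: str) -> Optional[str]:
    """Return the corrected, quoted command line if image_path is vulnerable,
    otherwise None. Quoted paths and paths without spaces are left alone."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return None
    m = _EXE_RE.match(path)
    if not m:
        return None          # not a plain .exe launch (drivers etc.): leave as is
    exe, args = m.group("exe"), m.group("args") or ""
    if " " not in exe:
        return None
    return f'"{exe}"{args}'


def list_unquoted_services() -> Dict[str, str]:
    """Windows only: map service name -> fixed ImagePath for every service whose
    ImagePath needs quoting. Reading the keys needs no elevation; writing the
    corrected value back (e.g. with Set-ItemProperty) does."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    findings: Dict[str, str] = {}
    root = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as services:
        count = winreg.QueryInfoKey(services)[0]
        for i in range(count):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as key:
                    image_path, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:
                continue     # key has no ImagePath value
            fixed = check_service_path(str(image_path))
            if fixed:
                findings[name] = fixed
    return findings


if __name__ == "__main__":
    # Constructed sample in the shape the issue describes (path is hypothetical).
    sample = r"C:\Program Files\Impulse\nssm.exe impulse-agentd"
    print("needs fix ->", check_service_path(sample))
    for svc, fixed in list_unquoted_services().items():
        print(f"{svc}: set ImagePath to {fixed}")
```

Run it on the sensor host; any service it lists should have its ImagePath rewritten to the quoted form it prints and then be restarted. On non-Windows hosts only the pure check runs, which is enough to unit-test an installer's service definition before it ships.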

Minor UI issue

In the Instance Overview - Asset Posture page (#/fleet/asset/details/asset-*) - column heading reads 'Satus' should be 'Status'


Impulse-XDR Version - v.1.9
Manager OS - Ubuntu 22.04 Proxmox LXC CT

Raise, or completely remove, the "assets" limit for core users that self-host.

The whole point of self-hosting is to have the freedom to do whatever you want with the software you host.

By imposing restrictions like license limitations and soft limits, you defeat the purpose of self-hosting in the first place.

I personally use Wazuh right now, but I really like the design of your app, I'd ideally like to use it with 15-20 hosts on my network, but I don't want to sinkhole on a subscription plan for something that runs mostly* onsite.

This feels more like a freemium experience. Nothing personal, just calling it how I see it.

Thanks,
JW.
